Enterprise Toolkit | Macintosh Plist Reference

Privileged (Protected Mode)

Sandboxing is a technique for confining the execution environment of untrusted programs and processes. In the context of Adobe's PDF products, an 'untrusted program' is any PDF and the processes it invokes. With sandboxing enabled, Acrobat and Reader assume all PDFs are potentially malicious and confines any processing they invoke to the sandbox.

For additional security-related details, refer to the Application Security Guide.


This preference category contains the following subfeature(s):

Protected Mode

Protected Mode is a key Reader and Acrobat security feature and should be enabled to protect user systems and data. Note: While Reader has supported Protected Mode since 10.x, Protected Mode is gradually being extended via a phased rollout to Acrobat's DC/Continuous track beginning June, 2020. Classic track versions will likely see similar support later this year.

Summary table
BrokerLogfilePath Specifies the path and log file name for the Protected Mode log.
ProtectedMode Enables Protected Mode which sandboxes Acrobat and Reader processes.
UseWhitelistConfigFile Allows the user of policy whitelist to allow behavior that Protected Mode would otherwise prevent.
Security hardeningSupported on WindowsSupported on MacSupported by Adobe Reader
Data type 0 (bool)
Default 1
Version # 10.0+; Acrobat: June, 2020
User Path Privileged
Lock Path FeatureLockDown
Summary Enables Protected Mode which sandboxes Acrobat and Reader processes.
Details Protected Mode should be enabled to protect user systems and data. Possible values include:
  • 0: Don't enable protected mode.
  • 1: Do enable protected mode.
GUI mapping Preferences > Security (Enhanced) > Sandbox Protections > Enable Protected Mode at startup
Supported on WindowsSupported on MacSupported by Adobe Reader
Data type 5 (text)
Default null
Version # 10.0+
User Path Privileged
Lock Path Not lockable
Summary Specifies the path and log file name for the Protected Mode log.
Details The value should be path + log filename. Logging is available for users who need to troubleshoot problems where a workflow or plugin does not work when Protected Mode is enabled. The log may provide guidance as to whether a custom policy file should be used to re-enable broken workflows or plugins.
  • Any valid path.
GUI mapping Preferences > Security (Enhanced) > Sandbox Protections > Create Protected Mode log file
Security hardeningSupported on WindowsSupported on MacSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # 10.0+
Lock Path FeatureLockDown
Summary Allows the user of policy whitelist to allow behavior that Protected Mode would otherwise prevent.
Details This preference just toggles the ability of the application to read policy files. For additional security-related details, refer to the Application Security Guide.
GUI mapping N/A

AppContainer

The AppContainer requires that Protected Mode is enabled, and both features are designed to be transparent to end users. Together these provide multiple layers of protection from malicious attacks that might try to access your system and data. Like Protected Mode, AppContainer has an HKCU preference as well as an HKLM preference which you can lock.

Summary table

File migration

This preference is only used during an upgrade from 11.x products to 12.x and later products. The preference is used once by the application to determine whether or not the recent files list has been migrated.

Summary table
OldRecentFilesMigrated Indicates whether the recent files list has been migrated.
Not modifiableSecurity hardeningSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # DC
User Path Privileged
Lock Path
Summary Indicates whether the recent files list has been migrated.
Details Admins should not change the preference value.
GUI mapping N/A