15

Does anyone know of a good tool for managing updates to Acrobat Reader?

I've just noticed that there is yet another security update, and I'd love to find something as good as WSUS to manage it.

Do the third-party tools like Shavlik do the trick?

Richard Gadsden
  • Is it possible to tweak a proxy server, in the enterprise, to aggressively cache this? – Pure.Krome Jun 05 '09 at 11:36
  • Bumping this back up for some additional ideas, since Adobe will start releasing quarterly patches for Acrobat Reader. http://blogs.adobe.com/psirt/2009/06/adobe_security_bulletin_advanc.html – Doug Luxem Jun 09 '09 at 14:50
  • I think it's bounty time on this one. – Richard Gadsden Jun 10 '09 at 09:52
  • 1
    I got a proxy server that actually caches Adobe updates... Made with IPCop, Advanced Proxy and Update Accelerator plugins... Very cheap, but does the job just right. Also caching all Windows Update downloads on the network, so the next time it's requested, it downloads @ 100 mbits right out of the proxy cache, very useful and a time saver! – Marc-Andre R. Jun 10 '09 at 12:01

7 Answers

6

I install Adobe Reader via Group Policy and software assignment. I've been applying MSP-based patches to my Adobe Reader installation points and then instructing client computers to reinstall via the "Redeploy..." functionality in Group Policy. I don't particularly like doing things this way, but it's the least labor-intensive method I can see.

This recent Adobe Reader patch (9.1.2) is MSP-based, so I'm able to deploy it in my usual manner. If Adobe decides to start distributing EXE-based patches, then I've got a problem and have to begin writing scripts. (Hopefully they'll stick to a Windows Installer based patching regime from here on out. We'll see...)

If they do go to EXE-based updates, I'll write scripts to deploy them silently via computer startup scripts. (If you've got the money to pony-up for Microsoft's System Center Configuration Manager, you can use the built-in System Center Update Publisher to deploy these types of updates.)

Having the client computers download patches themselves via the built-in updater functionality in Adobe Reader is useless to me. I need to be able to centrally control the deployment of updates such that I can test the update prior to deployment. Users don't have "Administrator" rights on their computers and can't install any updates themselves anyway. I disable the updater as a transform to the MSI for Adobe Reader.


I've never used a third-party patch management tool, so I can't comment. Patch management tools that claim to automate the patching process have always given me a bit of pause. Tools that do "snapshotting" aren't actually capturing the logic in an installer, and could do the wrong thing under circumstances different than when the snapshot was taken. Tools that "silently install" patches often require the same amount of work that I'd put into writing a script to install the patch anyway. As such, I'm dubious of the effectiveness and reliability of "patch management" tools over using software assignment, "Redeploy...", and hand-written scripts to deploy patches.

Evan Anderson
4

This article was very useful to me in deploying Adobe Acrobat Reader:

Deploying Adobe Reader 9 for Windows.

There are two sections which could be interesting for you. This one:

What To Do About Adobe Updater

Reader 9 continues to include the Adobe Updater application which has been updated to version 6. While I haven’t seen it misbehave for some time and it no longer drops an Updater folder in your Documents folder, you might still want to disable it.

There are a few ways to do this. You can disable Updater by running it (click Help / Check for Updates) then click the Preferences link. You will then see the Preferences dialog, where you can choose to disable Updater.

and the following section

Updating Reader

Updating Adobe Reader can be a bit of a challenge, especially for smaller environments using only Group Policy Software Installation. For Reader 8, Adobe released updates as a complete download of the installer rather than patches. I recommend updating using the full installer as updates for version 9 are released.

If you would really prefer to use the Updater to keep Reader current, you could use the following command in a task using Windows Task Scheduler:

    "%CommonProgramFiles%\Adobe\Updater6\Adobe_Updater.exe" -AU_LAUNCH_MODE=1 -AU_DISPLAY_LANG=en_US -AU_LAUNCH_APPID=reader9rdr-en_US

squillman
splattne
4

Adobe supply a tool to customise the MSI installation of Acrobat, the Adobe Customization Wizard. What we do is to deploy Acrobat/Reader through Group Policy, having first used this tool to customise the MSI to disable all updating, update prompts, etc.

Having done this, we can roll out updates to Acrobat via GP as they're released.

Sadly no, I don't know of any centralised tool that will do this. The above approach will at least let you manage the updates, and stop users complaining about the Adobe Updater popups!

Oliver Salzburg
Keith Williams
2

What about using SMS or the new System Center Configuration Manager? I can't afford to play with SCCM but from what I understand it is much easier to deploy / update software than SMS was. It might be worth looking into anyways.

Ultimately I think the best solution is to toss out the idea of 'patching' update and do a remove/re-install with each new update/version. If you want to take the time to wrap the Adobe installer as an MSI installer then you could deploy it using GPSI.

GNUix
1

If when you say "manager", you're really after update caching, there's a free, open, passive plug-in to the Linux-based firewall IPCop called Update Accelerator. You'll not only get your Adobe updates; you'll also get update caching for Apple, Avast, Linux (.deb and .rpm), Microsoft, Symantec, and Trend Micro if you want them. It also supports the ability to add custom sources.

A branch of my organization has been using it for about a quarter with great results (and, may I add, much needed results, as there isn't a ton of bandwidth available to us in Africa). If you like the plug-in but could care less about IPCop, I would just implement IPCop with Update Accelerator, yet neuter the IPCop configuration to the point where it doesn't do anything except direct updates through Update Accelerator.

Merchako
0

You mean something like Adobe Update Manager?

Xn0vv3r
  • Isn't that for CS2 only? And it's not really patch management in the sense of WSUS or something like that is it? – Rob Moir Jun 05 '09 at 10:43
  • "The Adobe Update Manager 4.0.5 update requires that Adobe Creative Suite 2 software or an Adobe Creative Suite 2 level product such as Adobe Photoshop® CS2 software is installed on your system." Acrobat Reader 9 isn't a CS2 product. – Richard Gadsden Jun 05 '09 at 11:16
  • Not to beat a dead horse, but you would still have to install Adobe Update Manager on each system you want to keep up to date. Now you still sit in the same boat you were in before, but with one more piece of software to manage (even if it did only work for Adobe Reader) – Matt Jun 05 '09 at 18:08
0

A manual/homegrown approach may work:

  • Whenever a new update is available, throw it in a shared folder (can be scripted via FTP-Lookup to Adobe-Server I think)
  • At a user logon script, check that folder and drive the update, if a new file is there

Greetz, GHad

Edit: A friend of mine recommended the site http://wpkg.org/Adobe_Reader_9 for more information. I didn't read details though (no time), but wanted to share this link.

GHad
  • The only problem here is that you're going to make your user wait for the update to complete; there's a good chance that the user just presses Cancel over and over every time he logs in, so your update will never be applied... But if there's a way to do it unattended, this is a good way. – Marc-Andre R. Jun 10 '09 at 11:58
  • /q on the msiexec line would do it unattended. – Richard Gadsden Jun 10 '09 at 12:05
  • Running it in a logon script means that your users have Administrator rights, and that you're doing something wrong. – Evan Anderson Jun 10 '09 at 16:32
  • But you could do it with a startup script, which runs as SYSTEM without having a user with administrator rights. – Richard Gadsden Dec 16 '09 at 14:59
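
The startup-script approach discussed in this answer's comments (and named as the fallback in the first answer), sketched as an added example that is not code from any of the posters: a Group Policy computer startup script that runs as SYSTEM, applies an MSP silently, and only installs a patch whose hash matches the one recorded when the update was tested. The share path, file name, staging folder, hash value and the `Adobe Reader*` display-name match are assumptions; 9.1.2 is the patch level mentioned above.

```powershell
# Added example: computer startup script (Group Policy, runs as SYSTEM).
# Placeholders/assumptions: share path, patch file name, staging dir, hash.
$PatchPath     = '\\fileserver\deploy$\AdobeReader\reader-patch.msp'  # hypothetical share
$TargetVersion = [version]'9.1.2'                   # version the patch brings Reader to
$ExpectedHash  = '<SHA256-RECORDED-DURING-TESTING>' # placeholder, pinned by the admin
$Stage         = "$env:ProgramFiles\PatchStage"     # writable by admins/SYSTEM only
$Log           = "$env:SystemRoot\Temp\reader-patch.log"

function Get-ReaderVersion {
    # Read the uninstall keys instead of Win32_Product (which triggers MSI repairs).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Adobe Reader*' -and $_.DisplayVersion } |
        ForEach-Object { [version]$_.DisplayVersion } |
        Sort-Object -Descending | Select-Object -First 1
}

$installed = Get-ReaderVersion
if (-not $installed -or $installed -ge $TargetVersion) { exit 0 }  # nothing to do

# Stage locally so the file that is hashed is the file that is executed.
New-Item -ItemType Directory -Path $Stage -Force | Out-Null
$local = Join-Path $Stage (Split-Path $PatchPath -Leaf)
Copy-Item -Path $PatchPath -Destination $local -Force -ErrorAction Stop

# Refuse anything that is not the exact file that was tested.
$hash = (Get-FileHash -Path $local -Algorithm SHA256).Hash
if ($hash -ne $ExpectedHash) {
    Add-Content $Log "$(Get-Date -Format s) hash mismatch ($hash), patch not applied"
    Remove-Item $local -Force
    exit 1
}

# /qn = no UI, so there is nothing for a user to cancel; /norestart defers reboots.
$msiArgs = "/p `"$local`" /qn /norestart /l*v `"$Log.msi.txt`""
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru

# 0 = success, 3010 = success but reboot required; anything else is a failure.
Add-Content $Log "$(Get-Date -Format s) $installed -> msiexec exit $($proc.ExitCode)"
Remove-Item $local -Force
if ($proc.ExitCode -in 0, 3010) { exit 0 } else { exit $proc.ExitCode }
```

Because the script runs under the computer account, the share needs read access for the domain computer accounts and write access for administrators only; otherwise anyone who can write to it controls what SYSTEM installs.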