- Adobe Enterprise & Teams: Administration guide
- Plan your deployment
- Basic concepts
- Deployment Guides
- Deploy Creative Cloud for education
- Deployment home
- K-12 Onboarding Wizard
- Simple setup
- Syncing Users
- Roster Sync K-12 (US)
- Key licensing concepts
- Deployment options
- Quick tips
- Approve Adobe apps in Google Admin Console
- Enable Adobe Express in Google Classroom
- Integration with Canvas LMS
- Integration with Blackboard Learn
- Configuring SSO for District Portals and LMSs
- Add users through Roster Sync
- Kivuto FAQ
- Primary and Secondary institution eligibility guidelines
- Set up your organization
- Identity types | Overview
- Set up identity | Overview
- Set up organization with Enterprise ID
- Setup Azure AD federation and sync
- Set up Google Federation and sync
- Set up organization with Microsoft ADFS
- Set up organization for District Portals and LMS
- Set up organization with other Identity providers
- SSO common questions and troubleshooting
- Manage your organization setup
- Manage users
- Overview
- Administrative roles
- User management strategies
- Assign licenses to a Teams user
- In-app user management for teams
- Add users with matching email domains
- Change user's identity type
- Manage user groups
- Manage directory users
- Manage developers
- Migrate existing users to the Adobe Admin Console
- Migrate user management to the Adobe Admin Console
- Overview
- Manage products and entitlements
- Manage products and product profiles
- Manage products
- Buy products and licenses
- Manage product profiles for enterprise users
- Manage automatic assignment rules
- Entitle users to train Firefly custom models
- Review product requests
- Manage self-service policies
- Manage app integrations
- Manage product permissions in the Admin Console
- Enable/disable services for a product profile
- Single App | Creative Cloud for enterprise
- Optional services
- Manage Shared Device licenses
- Manage products and product profiles
- Get started with Global Admin Console
- Adopt global administration
- Select your organization
- Manage organization hierarchy
- Manage product profiles
- Manage administrators
- Manage user groups
- Update organization policies
- Manage policy templates
- Allocate products to child organizations
- Execute pending jobs
- Explore insights
- Export or import organization structure
- Manage storage and assets
- Storage
- Asset migration
- Reclaim assets from a user
- Student asset migration | EDU only
- Manage services
- Adobe Stock
- Custom fonts
- Adobe Asset Link
- Adobe Acrobat Sign
- Creative Cloud for enterprise - free membership
- Deploy apps and updates
- Overview
- Create packages
- Customize packages
- Deploy Packages
- Manage updates
- Adobe Update Server Setup Tool (AUSST)
- Adobe Remote Update Manager (RUM)
- Troubleshoot
- Manage your Teams account
- Renewals
- Manage contracts
- Reports & logs
- Get help
Applies to enterprise.
Introduction
Adobe's enterprise offerings let your organization, create, collaborate, and deliver on the web, mobile, or desktop with the latest Adobe apps and services. With centralized license management tools and enterprise-level technical support, your IT function is fully equipped to support creative teams at scale.
If you are planning a Creative Cloud or Document Cloud deployment, take some time and consider how to deploy and manage applications, storage, and services. This article covers all the information you require for planning purposes. There are several topics that must consider when you plan your deployment.
- License deployment
- Identity management
- Applications and updates
- Storage and services
- Users, product profiles, and licenses
- Migrating existing users
License management
When you purchase a product from Adobe, a license represents your right to use Adobe software and services. Licenses are used to authenticate and activate the products on the end user's computers.
For more information, see Licensing overview.
Licensing methods
Named user license
Named licensing is useful in the following scenarios:
- If you want to provide access to Adobe-hosted services.
- If you want to use Adobe Admin Console for centralized license and compliance management.
- If you require flexible licensing over time, for example, a designer moving from a video product profile to a web product profile.
- If you want to enable self-service workflows for users to acquire apps and updates.
Automatically created packages are readily available for download from the Admin Console. Packages are created based on default settings and purchased products and can be downloaded and deployed as is. For more information, see Packaging apps using the Admin Console.
Shared device licensing
Shared Device Licensing is a licensing method targeted at educational institutions where software is assigned to a device instead of an individual. Anyone who logs onto the device will have access to Adobe's products and services.
Shared Device Licensing is ideal for desktop computer labs and classrooms. For example, you can install Creative Cloud apps in your computer labs to allows students and teachers, with access to these computers, to use the apps and services that are available as part of your license agreement with Adobe.
Serial number licensing
Serial Number licensing is a historical method of licensing that is not tied to an individual user but to a particular computer. This licensing method is suitable for a very small number of customers and, as with named licensing, can be used to create pre-licensed packages that are deployed remotely. However, when using serial number licensing, customers do not receive the complete value from their Adobe Cloud subscription.
License migration
Device license to Shared device license
For more information, see Migrate from Device Licensing to Shared Device Licensing.
Serial number license to named user license
Named licensing provides several advantages as compared to anonymous or Serial number licensing. Administrators can closely track and monitor the usage of licenses. They can also centrally manage licenses assigned to a user and revoke access to apps and services, without a need to redeploy packages. Named license can also enable self-service workflows to let customers download and install products and updates. Named licenses also enable end users to use cloud services, such as add fonts from Adobe Fonts, choose file sync locations, and share and gather feedback on Behance.
For more information, see Migrate from Serial number licenses to named licenses.
Identity management
Adobe uses an underlying identity management system to authenticate and authorize users. If you're using named licensing or are planning to provide access to services, using identities is a requirement. Adobe supports three identity or account types; they use an email address as the user name. These identity types are:
- Federated ID: Created, owned, and managed by an organization and linked to the enterprise directory via federation. The organization manages credentials and processes Single Sign-On via a SAML2 Identity Provider (IdP).
- Enterprise ID: Created, owned, and managed by an organization. Adobe hosts the Enterprise ID and performs authentication, but the organization maintains the Enterprise ID.
- Adobe ID: Created, owned, and managed by the end user. Adobe performs the authentication, and the end user manages the identity.
Based on your organizational needs, you can select the most appropriate identity model to implement and use.
You can use Federated IDs, Enterprise IDs, and Adobe IDs in the same enterprise deployment. Remember, when you set up an account using Adobe ID, end users retain complete control over files and data associated with this account. When you use a Federated ID or an Enterprise ID, it is the enterprise that owns and controls this content.
Adobe recommends admins to migrate Adobe ID users to Federated and Enterprise IDs to provide organizations complete control over users and application assets.
Adobe Licensing Website does not support Enterprise or Federated IDs. If you are planning to use serial number licensing, set up all administrator accounts using Adobe IDs. For user accounts, Adobe recommends using Federated and Enterprise IDs.
Set up a directory
A directory in the Admin Console is an entity that holds resources such as users and policies like authentication. These directories are similar to LDAP or Active Directories.
For more information, see Set up identity.
Set up domains
User identities are verified against an authorization source. To use Federated ID or Enterprise ID, set up your own authorization source by adding a domain. For example, if your email address is john@example.com, example.com is your domain. Adding a domain permits the creation of Federated IDs or Enterprise IDs with email addresses on the domain. A domain can be used either with Federated IDs or Enterprise IDs, but not both. You can however add multiple domains.
An organization must demonstrate their control over a domain. An organization can also add multiple domains. However, a domain can be added only once. Known public and generic domains, such as gmail.com or yahoo.com cannot be added at all.
For more information, see Set up domains.
Configure Single Sign-On
The Adobe Admin Console offers a method for enterprise users to authenticate using their existing corporate identity. Adobe Federated IDs enable integration with a Single Sign-On (SSO) identity management system. Single Sign-On is enabled using SAML, an industry-standard protocol that connects enterprise identity management systems to cloud service providers like Adobe.
When you add users with Federated IDs, automatic emails are not sent to the users. You must plan and communicate with users when you create Federated IDs. If users already have Adobe IDs that use the same email address, see Sign in with an enterprise ID to understand the sign-in procedure and the impact it has on their existing content and application.
If your organization wants to test the SSO integration, you can claim a test domain that you own. Your organization must have an Identity Provider with identities set up in that test domain. This process allows you to test the integration before you claim the main domains, until you feel comfortable with the domain claim and configuration process.
For more information, see Configure Single-Sign On.
Users, product profiles, and licenses
For Named licenses, Product Profiles are used to associate licenses with individual users. To assign licenses, add users to a Product Profile. A user can be a member of multiple Product Profiles, and each Product Profile can confer different licenses to the user. The final eligibility of a user is the union of all licenses conferred by each Product Profile.
Consider how to deliver sets of licenses in a way that fits how users are assigned responsibilities in your organization. For example, if all the users in a department need Photoshop, you can create a department Product Profile which confers Photoshop Single App. However, if in a department, web designers need Photoshop and Dreamweaver, while video editors need Premiere Pro and After Effects, use two Product Profiles- one for the Web Designer role, and one for the Video Editor role.
Some users play multiple roles. A user who performs both web design and a video editing can be added to both Product Profiles, conferring the union of licenses from each Product Profile, that is Photoshop, Dreamweaver, Premiere Pro and After Effects.
Product Profiles also make it easy to manage licenses. When users move from a web design role to a video editing role, add the users to the video editing Product Profile and remove them from the web design Product Profile. This changes the activated products for the user and frees up licenses. When Product Profile requirements change - for example, when the video editing Product Profile needs to use Adobe Premiere Rush, it can be added to the video editing Product Profile and all users immediately get access to Adobe Premiere Rush.
A license is consumed when a user is added to a Product Profile. If a user is a member of two Product Profiles and both confer a license to Photoshop Single App, the user consumes two licenses. To eliminate redundant consumption of licenses, design your Product Profiles. Identify each Product Profile that needs a particular application or set of applications to do their job.
Identify the following:
- Products: The licenses for a product govern which applications and services are conferred to each member of an associated Product Profile.
- Product Profile name: Identify each Product Profile. The labels you choose to identify the Product Profiles are for your own use only. They are not included anywhere in the deployment package, so there are no restrictions on how you name them. In practice, it is better to create Product Profiles based on function, rather than departments or teams.
- Services: Choose from the available list of services for a selected product. For example, Creative Cloud for enterprise includes services such as Adobe Fonts and PDF services.
- Users: Identify the users to add to each Product Profile.
Read more about how to manage products and product profiles.
Deploy apps and updates
Adobe delivers continuous innovation in the form of features and updates. IT admins can decide how and when these updates are applied. Decide how to deliver these apps and updates to your end users. At this stage, also consider the hardware and software requirements of client computers. Adobe enterprise offerings provide several levels of control on deploying apps and updates. IT admins can choose between empowering users via a self-service workflow or they can opt for a more managed environment where admins can decide what, when, and how products and features get installed.
Apps
Self-service
Like millions of Adobe users, you can allow your users to download and install apps themselves. Users can sign in to www.adobe.com and download and install the desktop apps and access services. Self-service workflows require admin privileges, Internet connections, and Named licensing. Include the Creative Cloud desktop app in the software package that you deploy.
Self-service workflows enable users to download and install apps as and when required. Apps that a user is entitled to get, are provisioned when the user signs in. Other apps can be used as a trial for a limited time. This also frees up admins from creating and deploying multiple packages and updates. For example, self-service workflows are efficient in the following scenarios:
- You have diverse and changing requirements of apps by different users.
- Your users have several hardware and operating system combinations.
- You have remote workers in your organization.
- Different teams and users upgrade at different times, because of ongoing projects.
- You want to reduce the initial footprint on a machine by allowing a user to install only the applications they require, and for as long as they require.
Managed delivery
You can create and download pre-configured packages from the Admin Console. These packages can then be deployed to the client machines in your organization. You can perform silent and custom installations. No inputs are required from end users during installation. The deployment packages can be distributed using industry-standard tools:
- Microsoft System Center Configuration Manager (SCCM)
- Apple Remote Desktop (ARD)
- JAMF Pro
- Munki
- Microsoft Intune
You can create two types of packages: self-service package and managed delivery package. The self-service package contains the Creative Cloud desktop app, which users can use to download and install software. If end users do not have admin privileges on their computers, you can create a Creative Cloud desktop app package with elevated privileges. Or you can create a managed delivery package that contains specific apps and updates.
For more information, see Packaging apps using the Admin Console.
For example, you can use managed delivery of apps for the following:
- To exercise strict control over installed apps on client machines.
- To reduce Internet bandwidth consumption, by preventing multiple self-service downloads.
- When there is no Internet access on client computers.
- To strictly control the versions of installed apps across your organization.
- To modify the update behavior in installed applications.
Updates
There are several mechanisms to deliver app updates available to end users. Choose one of the following based on your organization's need.
Self-service
Users can download and install updates directly from Adobe. This method ensures that your end users have access to the latest updates when they become available. Updates can be downloaded and installed using the Creative Cloud desktop app or using the Adobe Updater included with the apps. For these workflows, the client machines require access to the Adobe servers and admin privileges.
This option is available for both self-service and managed app delivery.
Managed delivery
When you create packages, you can choose a managed update delivery mechanism.
- Have client machines install updates via an internal update server.
- Trigger updates remotely using Remote Update Manager. Use this option when client machines don't have admin privileges.
- Create and deploy Update only packages.
For more information on managed delivery, see Applying updates.
Storage and services
Storage and services are available for all Creative Cloud for enterprise plans. Storage and services are tied to individual users. Access to storage and services requires using either Federated IDs, Enterprise IDs, or Adobe IDs.
When you assign a user to a Product Profile that includes storage and services, you can choose to enable/disable individual services for that Product Profile. Enabling and disabling services defines what the users of the Product Profile can or cannot access.
For more information, see Manage enterprise storage.
Several Creative Cloud services, rely on the availability of storage with the product. If a product does not include storage, these services are also unavailable. Some services are mandatory, and cannot be switched off. For more information, see Enable or disable services.
You can even select restrictive Asset Settings that limit employees from using specific sharing features within Creative Cloud and Document Cloud.
Proxy and firewall settings
For Creative Cloud for enterprise plans, access to named licensing, storage, and services require the client computers to access Adobe servers. For these features to work, ensure that your firewall and proxy setup allows access to Creative Cloud service endpoints. See Creative Cloud for enterprise - Network Endpoints and ensure that users can access the required web services endpoints.