Exploring making Adobe Acrobat Sovereign compatible
You cannot make an Acrobat Pro subscription fully sovereign. Identity, licensing, and the Admin Console rely on Adobe IMS services with data stored in the U.S. You can harden it to “desktop-only, no cloud, minimal egress,” and run it for long offline windows. Below is a possible deployable plan with controls.
Baseline
Identity: Use Federated ID with SAML SSO. Do not use Adobe IDs. Enforce domain claims and profile separation.
Track: Package Acrobat Classic via Named User Licensing to reduce service exposure by design.
Services: Disable Acrobat Studio services, Acrobat AI, and cloud storage at the product-profile level.
Desktop policy: Lock services off with registry keys via the Customization Wizard or GPO.
Network: Block all Acrobat/CC endpoints except the small set you allow during controlled sign-in and update windows. Explicitly block AI endpoints.
Updates: Use internal update flows. Prefer RUM plus a maintenance window. If you need a mirror, stand up AUSST.
Offline windows: Plan for 30 days offline plus a 99-day grace if needed. After that, devices must phone home.
Options
A. NUL + Classic track (recommended)
- Services reduced by default; then disable the rest in Admin Console and via registry. Least network surface while keeping subscription entitlements.
B. NUL + Continuous track
- More frequent updates and features. Lock down services with the same Admin Console and registry controls. Larger test burden.
C. Replace e-sign
- If you require e-sign with Canadian residency, use a Canadian-resident e-sign service in place of Acrobat Sign. OneSpan Sign offers Canadian data centres and on-prem options; Syngrafii operates Canadian instances.
Configuration “How”
1) Admin Console
- Identity: create Federated ID directory and enable SSO with your IdP. Disable Adobe ID use for org domains.
- Package: create Named User Licensing package for Acrobat Classic.
- Services: for the Acrobat product profile set:
- PDF Services = Off, Acrobat AI = Off, Adobe Express = Off for “desktop-only” posture.
- Self-service: disable self-service install and updates. You will push updates.
2) Desktop hardening (deploy via RMM tool)
Set these registry keys (Acrobat Pro “DC” shown; adjust version path as needed):
HKLM\SOFTWARE\Policies\Adobe\Acrobat\DC\FeatureLockdown
bUpdater=0 (disables in-product updates)
HKLM\SOFTWARE\Policies\Adobe\Acrobat\DC\FeatureLockdown\cServices
bToggleAdobeDocumentServices=1 (disable Document Cloud services)
bToggleAdobeSign=1 (disable Send for Signature)
bTogglePrefsSync=1 (disable preference sync)
bToggleFillSign=1 (disable Fill & Sign if required)
bToggleSendAndTrack=1 (disable Send & Track)
bToggleWebConnectors=1 (disable Dropbox/Google Drive/OneDrive connectors)
Optional: bDisableSharePointFeatures=1 under …\cSharePoint.
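One way to confirm the lockdown values actually landed on an endpoint, as an added PowerShell example that is not part of the original page or any Adobe tooling. The `-Remediate` switch and the report column names are assumptions of this example, writing under HKLM requires an elevated session, and the optional cSharePoint value is left out because its path is abbreviated above.

```powershell
# Added example: audit the FeatureLockdown values listed above and,
# with -Remediate, write any that are missing, mistyped or wrong.
param([switch]$Remediate)

# "DC" path as shown on the page; adjust the version segment as needed.
$base = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat\DC\FeatureLockdown'
$svc  = "$base\cServices"

$desired = @(
    @{ Path = $base; Name = 'bUpdater';                     Value = 0 }
    @{ Path = $svc;  Name = 'bToggleAdobeDocumentServices'; Value = 1 }
    @{ Path = $svc;  Name = 'bToggleAdobeSign';             Value = 1 }
    @{ Path = $svc;  Name = 'bTogglePrefsSync';             Value = 1 }
    @{ Path = $svc;  Name = 'bToggleFillSign';              Value = 1 }
    @{ Path = $svc;  Name = 'bToggleSendAndTrack';          Value = 1 }
    @{ Path = $svc;  Name = 'bToggleWebConnectors';         Value = 1 }
)

$report = foreach ($d in $desired) {
    $key   = Get-Item -Path $d.Path -ErrorAction SilentlyContinue
    $found = if ($key) { $key.GetValue($d.Name, $null) } else { $null }
    $kind  = if ($null -ne $found) { $key.GetValueKind($d.Name) } else { $null }
    # Compliant only when the value exists, is a REG_DWORD, and matches.
    $ok    = ($kind -eq 'DWord') -and ($found -eq $d.Value)

    if (-not $ok -and $Remediate) {
        # Create the key only when absent; -Force on an existing key would reset it.
        if (-not $key) { New-Item -Path $d.Path -Force | Out-Null }
        New-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Value `
            -PropertyType DWord -Force | Out-Null
    }
    [pscustomobject]@{
        Key = $d.Path; Name = $d.Name; Expected = $d.Value
        Found = $found; Kind = $kind; Compliant = $ok
        Fixed = (-not $ok -and [bool]$Remediate)
    }
}

$report | Format-Table -AutoSize
# Non-zero exit lets the RMM tool flag endpoints that are still out of policy.
$open = @($report | Where-Object { -not $_.Compliant -and -not $_.Fixed })
if ($open.Count -gt 0) { exit 1 } else { exit 0 }
```

Run it without the switch as a recurring compliance check, and with `-Remediate` only from the deployment job, so drift is reported rather than silently overwritten.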
3) Network controls
- Permit only during maintenance windows:
- Licensing activation: *.licenses.adobe.com
- IMS auth and Admin Console set you allow temporarily per window.
- Keep AI and “sensei” endpoints blocked. Endpoints change; re-baseline on each release.
4) Updates
- Use Remote Update Manager (RUM) to push security updates on schedule from your admin host. Pair with WSUS/SCCM/Intune as you prefer.
- If you need zero egress during patch windows, host packages internally and run RUM against that mirror or deploy prebuilt packages. AUSST provides an internal update server pattern.