Restrict access to your account using IP address ranges - New version

Search
Adobe Acrobat Sign

Adobe Acrobat Sign

Open on web
Alert

This article contains prerelease information. Release dates, features, and other information are subject to change without notice.

Deny-by-default. Allow only known networks for both the web app and APIs—at the account level or per group. 

Allowed IP Ranges is a gate in front of Acrobat Sign. A user or integration can sign in or call the API only when the request originates from an IP address within your allowlist. Requests from other IPs are denied. Use this to enforce "trusted network only" access for regulated environments or critical roles. 

When an IP address that isn't on the allow list contacts the Acrobat Sign service, they are presented with an error: 
Your account cannot be accessed from this computer. Please contact your support staff.

Error message when the IP address is denied

Why use IP allowlists

  • Reduce unauthorized access by limiting logins to known corporate networks.
  • Enforce a consistent access policy across all users in the account.
  • Pair with SSO and MFA for layered security. 

Before you start

  • Work with your network team to collect the exact IP ranges you need. Use CIDR notation (for example, 203.0.113.0/24).
  • Plan to add administrator networks first so you don't lock yourself out.
  • Consider remote, emergency, or partner access and include those ranges as required.

Configuration

Availability:

  • Acrobat Standard and Acrobat Pro: Not Supported
  • Acrobat Sign Solutions: Supported
  • Acrobat Sign for Government: Not Supported

Access scope

  • Web UI: Requests from IPs outside the allowlist are denied with: “Your account cannot be accessed from this computer. Please contact your support staff.”
  • API: Allowed only when the “Allow these IP addresses to access the system via API” setting is on; if it’s off, API calls are denied—even from listed IPs.
  • Integrations: Major integrations (for example, Microsoft, Salesforce) are allowed by default. Contact Acrobat Sign Support to make integrations respect your allowlist at the account or group level.

Configuration scope:

  • Allowed IP Ranges can be configured at the account and group level. Learn more about admin access controls.
    • Access this feature's controls by navigating the administrator's configuration menu to Send Settings > Allowed IP Ranges
    • User access is defined by their primary group when group-level settings are applied.
  • Integrations (Microsoft Dynamics, Salesforce, and the like) are allowed by default.

 

The Security Settings page highlighting the "Allowed IP Ranges" set of controls.

There are two settings that can be enabled:

  1. Only allow access to the system from IP addresses that are listed below - Enables IP Address limits and unlocks the configuration for the list of IP ranges.
    • If no IP ranges are listed and the page configurations are saved, this option automatically unselects, and the feature is disabled.  
    • If this option remains unchecked, IP address restrictions are not enabled, and any IP can attempt to access the account through user authentication.
  2. Allow these IP addresses to access the system via API - Enabling this option explicitly grants access to the API service.
    • This setting requires Only allow access to the system from IP addresses that are listed below to be enabled.
    • If this option remains unchecked, API requests to the service are denied, even if the requesting IP address is in the allowed list.

How to configure an allowed IP range

Coordinate with your network team to get the proper CIDR IP Ranges before you attempt to configure the allow list.
Be sure to allow the IP range you are currently working from first.

  1. Log in to the Acrobat Sign portal as an administrator and navigate to Security Settings > Allowed IP Ranges.

  2. Enable the Only allow access to the system from IP addresses that are listed below option by checking the box.

    The Security Settings page with the Allow IP Ranges controls highlighted.

  3. Select the plus icon to the right of the Search field.

  4. Enter the CIDR notation for the IP range to be explicitly allowed.

    The control for "Allow IP Ranges" displaying the input field.

  5. Save the CIDR notation configuration.

  6. Repeat steps 3 - 5 for all subnet masks that are required.

    All configured IP ranges are listed under the control set in a scrolling list. Only up to two CIDR notations are exposed at once unless you select a new pagination option through the hamburger icon.

    Allow IP Address controls highlighting the exposed two CIDR notations.

  7. When all IP ranges have been included, Save the page configuration.

Best practices

  • Treat the allowlist as a deny-by-default policy: only known ranges should be added.
  • Include contingency ranges for critical roles, if permitted by policy.
  • If implementing after deployment to end-users, communicate the change in advance so they know how to request access if blocked.

Manage and maintain

  • Review and update ranges when networks change (new offices, VPN changes, ISPs, or cloud egress).
  • Keep a documented source of truth for approved ranges.
  • Test with a small set of users before broad rollout.
  • If users are blocked, verify their current public IP and add the correct range, or temporarily turn off the control and re-enable it after correction.

Impact and limitations

  • Restricting access to specific IPs severely limits support for remote users unless their networks or VPN egress ranges are included.
  • This control affects login access for account users through the user interface and API.
  • Integrations (Microsoft, Salesforce, etc.) are automatically granted access without including the service's IP ranges in the customer interface. 
    • An account administrator can contact Acrobat Sign support to disable the automatic access of integrations at the account or group level.

Manage the allowed IP ranges:

To search for a specific CIDR notation in the list of configured ranges, type the CIDR notation into the Search field.
As you type, the exposed IP ranges are filtered to show only ranges that match the string as you type it in. 

The Allowed IP Ranges controls with the search field filled, and the resultant IP ranges displayed.

To edit a CIDR notation:

  1. Search and find the CIDR notation.

  2. Select the notation to be edited to expose the available actions above the notation list.

  3. Select the Edit action.
    The Edit interface opens, with the current CIDR notation highlighted.

    The IP Range list with the Edit link exposed, and the Edit panel inset.

  4. Enter the new CIDR notation.

  5. Save the notation when done.
    There is no challenge to saving the edit.

To delete a CIDR notation:

  1. Search and find the CIDR notation.

  2. Select the notation to be edited to expose the available actions above the notation list.

  3. Select the Delete action.

    The Allowed IP Ranges control with the Delete action highlighted

    Alert

    There is no challenge to deleting the notation.

    Double-check that you are deleting the correct notation, and be sure you aren't deleting the notation allowing you to connect to the Acrobat Sign service.
    It's entirely possible to configure the application in such a way as to deny all access from external sources.

Adobe, Inc.

Get help faster and easier

New user?

Quick links

View all your plans Manage your plans
View quick links
Hide quick links

Legal Notices    |    Online Privacy Policy