Malicious PDFs often rely on the format's embedded scripting (JavaScript) and other interactive features to do their work. Luckily, Apple's Preview.app, the default PDF reader on macOS, does not implement most of the Acrobat features that this type of malware depends on, so the payload simply never runs. It is also much lighter than Acrobat Reader, and a great application.
Making sure Preview.app is the default PDF reader for users who do not need anything more advanced for everyday use is a good security precaution, even in an organization where some users need the full version of Acrobat for specific purposes.
On Mojave and Catalina, you can use SwiftDefaultApps (its command-line tool is swda) to change the default PDF reader. Deploy the tool to a custom location (the scripts below expect /usr/local/orgutils/swda) in a package created with an app like Packages, and use a Jamf Extension Attribute in combination with a daily policy to make sure Preview stays the default.
From my testing so far, Adobe Reader and Acrobat will not prompt the user with a pop-up to change it back, though they will passively advertise switching in a box in their application (please let me know in the comments below if you know of a way to disable this).
```bash
#!/bin/bash
export PATH=/usr/bin:/bin:/usr/sbin:/sbin
#
# Check if Preview.app is the default PDF reader and change it back if it isn't
#
# Get OS version (minor number of 10.x) and the console user
osVersion=$(/usr/bin/sw_vers -productVersion | awk -F. '{print $2}')
loggedInUser=$(scutil <<<"show State:/Users/ConsoleUser" | awk '/Name :/ { print $3 }')

# swda must run as the user whose LaunchServices database we want to change,
# so bail out at the login window or on a headless box instead of calling sudo -u ""
if [[ -z "$loggedInUser" || "$loggedInUser" == "loginwindow" ]]; then
    echo "No console user logged in; nothing to do."
    exit 1
fi

# Check if Preview.app is the default PDF reader, exit gracefully if it is
if ! /usr/bin/sudo -u "$loggedInUser" /usr/local/orgutils/swda getUTIs | grep com.adobe.pdf | grep -q Preview; then
    echo "Preview.app is not the default PDF reader."
else
    echo "Preview.app is the default PDF reader"
    exit 0
fi

# Check OS version and change PDF reader to Preview.app (in a new location on Catalina)
if [[ "$osVersion" -ge 15 ]]; then
    /usr/bin/sudo -u "$loggedInUser" /usr/local/orgutils/swda setHandler --UTI com.adobe.pdf --app /System/Applications/Preview.app
else
    /usr/bin/sudo -u "$loggedInUser" /usr/local/orgutils/swda setHandler --UTI com.adobe.pdf --app /Applications/Preview.app
fi
```
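The policy script above is written for Mojave and Catalina, where comparing the minor version number against 15 is enough. Once Big Sur and later ship, that check silently breaks: "11.2" parses to a minor of 2, which is less than 15, so the script points swda at /Applications/Preview.app, a path that no longer exists. The following is an added example, not code from the original post, that factors the policy's decisions into functions (a major-then-minor version comparison that generalizes the Catalina check, the console-user guard, and the "is Preview the handler" test) so they can be exercised with constructed input on any machine. The swda path is the post's deployment location; the two sample UTI listings are constructed for this example, and their "UTI -> handler" line shape is an assumption rather than swda's real getUTIs output.

```bash
#!/bin/bash
# Added example (not from the original post): the decision logic of a
# "keep Preview.app default" Jamf policy, split into functions that run
# anywhere. Only run_policy touches the Mac.
export PATH=/usr/bin:/bin:/usr/sbin:/sbin

# Deployment path of the SwiftDefaultApps CLI used in the post (assumption).
SWDA=/usr/local/orgutils/swda

# Print the Preview.app path for a sw_vers -productVersion string.
# Catalina (10.15) moved bundled apps to /System/Applications and every later
# release (11, 12, ...) keeps them there. Comparing the minor number alone
# would treat Big Sur "11.2" as older than 10.15, so compare major, then minor.
preview_path() {
    local major rest minor
    major=${1%%.*}
    rest=${1#*.}
    if [ "$rest" = "$1" ]; then      # bare "11": no minor component
        minor=0
    else
        minor=${rest%%.*}
    fi
    if [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -ge 15 ]; }; then
        echo /System/Applications/Preview.app
    else
        echo /Applications/Preview.app
    fi
}

# Succeed only for a console user we can act on behalf of: scutil reports
# "loginwindow" at the login screen and nothing on a headless session, and
# neither has a per-user LaunchServices database worth changing.
usable_console_user() {
    case "$1" in
        ""|loginwindow|root) return 1 ;;
        *) return 0 ;;
    esac
}

# The post's test applied to captured text: Preview counts as the default when
# the com.adobe.pdf line of the UTI listing names Preview as its handler.
preview_is_default() {
    printf '%s\n' "$1" | grep 'com.adobe.pdf' | grep -q 'Preview'
}

# Constructed sample listings. The "UTI -> handler" line shape is an assumption
# made for this example; swda's real getUTIs output is not reproduced here.
SAMPLE_PREVIEW='com.adobe.pdf -> /System/Applications/Preview.app'
SAMPLE_ACROBAT='com.adobe.pdf -> /Applications/Adobe Acrobat Reader DC.app'

# Live policy: read the console user and OS version, then fix the handler if
# needed. swda has to run as that user, hence sudo -u.
run_policy() {
    local user listing target
    user=$(echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ { print $3 }')
    if ! usable_console_user "$user"; then
        echo "No usable console user; nothing to do."
        return 1
    fi
    listing=$(sudo -u "$user" "$SWDA" getUTIs)
    if preview_is_default "$listing"; then
        echo "Preview.app is already the default PDF reader."
        return 0
    fi
    target=$(preview_path "$(sw_vers -productVersion)")
    sudo -u "$user" "$SWDA" setHandler --UTI com.adobe.pdf --app "$target"
}

# Act only where a Jamf policy would actually run: on a Mac, as root, with the
# CLI deployed. Elsewhere the file just defines the functions above.
if [ "$(uname)" = Darwin ] && [ "$(id -u)" = 0 ] && [ -x "$SWDA" ]; then
    run_policy
fi
```

Keeping the version and handler decisions in plain functions means the part most likely to rot (the OS path check) can be re-checked against a new macOS version string before the policy is pushed to the fleet, without needing a test Mac on that release.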
Here is an Extension Attribute you can use to build a Jamf smart group of non-compliant machines and scope the daily policy to it.
```bash
#!/bin/bash
export PATH=/usr/bin:/bin:/usr/sbin:/sbin
# Check if Preview.app is the default PDF reader (Jamf Extension Attribute)
loggedInUser=$(scutil <<<"show State:/Users/ConsoleUser" | awk '/Name :/ { print $3 }')

# With nobody logged in there is no per-user LaunchServices database to query,
# so the EA reports "No" and the policy will re-check on a later inventory run
if [[ -n "$loggedInUser" && "$loggedInUser" != "loginwindow" ]] \
   && /usr/bin/sudo -u "$loggedInUser" /usr/local/orgutils/swda getUTIs | grep com.adobe.pdf | grep -q Preview; then
    echo "<result>Yes</result>"
else
    echo "<result>No</result>"
fi
```
In addition, make sure Acrobat DC and Reader are kept up to date for the users who do have them installed; patches can be downloaded from Adobe.
Depending on your organization's needs, you could exclude users who genuinely need Acrobat as their default from the policy, or scope it to machines that have Reader but not the full version of Acrobat installed.