Malware can sometimes come in the form of a PDF that contains embedded scripting language. Luckily, Apple’s Preview.app, which is the default PDF reader on macOS, does not support most of Acrobat’s features that can enable this type of malware. It is also much lighter than Acrobat Reader, and a great application.
Making sure Preview.app is the default PDF reader for users that do not really need anything more advanced for everyday use, is a good security precaution – even for users that need the full version of Acrobat for specific purposes.
On Mojave and Catalina, you can use SwiftDefaultApps to change the default PDF reader. You can deploy it to a custom location in a package created with an app like Packages, and use a Jamf Extension Attribute in combination with a daily policy to make sure it stays default.
From my testing so far, Adobe Reader and Acrobat will not prompt the user with a pop-up to change it back, though they will passively advertise switching in a box in their application (please let me know in the comments below if you know of a way to disable this).
Here is an Extension Attribute you can use with a Jamf smart group to run a daily policy on non-compliant machines.
In addition, you should make sure Acrobat DC and Reader are updated for those who do have them installed. Patches can be downloaded from Adobe.
Depending on your organization’s needs, you could exempt users that actually need Acrobat to be default from the policy, or constrain it to those that have Reader and not the full version of Acrobat installed.