Deleting files from devices

Depending on the Absolute product licenses associated with your account, the Delete File feature may not be available.

The Delete File feature lets you remotely delete files and folders from your Windows and Mac devices to protect your organization's confidential and sensitive data. Depending on the criteria you enter in a request, you can delete individual files, folders, or file types, or you can use patterns to delete items in multiple locations.

Delete File requests are supported on devices that are running a supported version of the Windows or Mac operating system. These devices must also be regularly connecting to the Absolute Monitoring Center.

Also see Special instructions for Mac devices.

This action is not supported on:

To submit Delete File requests, your user role must be granted the Perform permission for Delete File. The System Administrator, Security Administrator, and Security Power User default user roles are granted this permission.

To track the status of your request and view and download log files, your user role must be granted the View permission for Delete File. All default Administrator roles and the Security Power User role are granted this permission.

You can create a Delete File request to delete specific files and folders from one or more devices.

The Delete File security action performs one or more data overwrites before it deletes a file. When a device is scanned and a file matches the criteria set in the Delete File request, the Secure Endpoint Agent overwrites all content in the file with a unique pattern of data values for each overwrite, essentially making the file unreadable and unrecoverable. It then deletes the file, freeing up disk space.

The Delete File security action conforms to the Clear standard defined in NIST Special Publication 800-88, Guidelines for Media Sanitization, and it is HIPAA compliant. After the action is processed on a device, a Certificate of Sanitization and a log file are uploaded to the console. You can then download these files from Action Requests to demonstrate compliance.

If you want to remove all sensitive data from devices before you reuse, resell, or dispose of them, submit a Wipe request instead of a Delete File request.

Before you submit a Delete File request, familiarize yourself with the following considerations:

  • Deleting a folder deletes all files in the folder before deleting the folder.
  • If hidden files match the criteria set in the Delete File request, the files are deleted.
  • Removable media and network drives are not scanned.
  • A device can have multiple Delete File requests outstanding at the same time.
  • Delete File requests run silently in the background, but a device that is processing a request will not enter sleep mode.

The following system files are always ignored, regardless of whether they match a file pattern specified in a Delete File request. These system files cannot be deleted using the Delete File security action.

Windows Mac

\WWANSVC\

\WLANSVC\

*.PAC

*.DocumentRevisions-V*

*.fseventsd

*.Spotlight-V*

/bin

/Darwin

/dev

/etc

/home

/net

/private/Developer

/System

/tmp

/Users/Shared/.rpc

/usr

/var

mach_kernel

To enable the Delete File feature to be supported on your Mac devices, you first need to configure a custom profile and deploy it to the devices using your Mobile Device Management (MDM) application. Specifically, you need to complete the following key steps to be able to delete files in the Desktop, Documents, and Downloads folders on these devices:

Step 1: Download the custom profile. Ensure that you save the file (FileDelete_MDMProfile_v1_0.mobileconfig) with the .mobileconfig file extension.

Step 2: Upload the custom profile and configure it on your MDM server. For more information, refer to MDM documentation.

Step 3: On the MDM server, assign the profile to the applicable Mac devices for deployment. For more information, refer to MDM documentation.

This section applies to Windows devices only.

If you are unsure which files reside on a particular Windows device, you can run a Reach script to get a list of the device's files. You can also upload files that you want to retrieve.

Depending on the Absolute product licenses associated with your account, Reach scripts may not be available.

To get a list of the files stored on a Windows device, run the following Reach script:

Retrieve a list of files from a device

This script generates a report file containing details about each file, including its full file path, creation time, last write time, and file size. You can use this information to run a file upload script.

For more information about this script, go to Settings > Script library and search for the script name. Detailed information is provided in the script.

To retrieve files from a Windows device, you can run one of the following scripts:

Script name Description
Upload files to Dropbox Uploads files from a Windows device to Dropbox using the permissions of a custom Dropbox app.
Upload files to FTP server Uploads files from a Windows device to a FTP server.
Upload files to network shared folder Uploads files from a Windows device to a network shared folder using a UNC path.

These scripts generate a report file that is uploaded to the same location as the uploaded files. It contains the number of successful file uploads, along with details about any errors that occurred, such as duplicated file, file not found, and file failed to upload.

For more information about each script, go to Settings > Script library and search for the script name. Detailed information is provided in each script.

To submit a Delete File request to delete files or folders from your devices:

  1. Log in to the Secure Endpoint Console as a user with the Perform permission for Delete File.

  2. Do one of the following:

    • To delete files or folders from a single device:

      1. On the device's Device Details page, click > Delete file.
      2. If the device does not meet the system requirements, the device is ineligible for the action. Click Cancel.

    • To delete files or folders from multiple devices:

      1. From the navigation bar, open a page or report that supports the Delete File action.

        For example, click Devices to open the Devices > All Devices page, or click Reports to open the Reports page and click Data Risk Assessment under Data Visibility.

      2. In the work area, use the search field or filters to find the devices with the files you want to delete.

      3. In the results grid, select each device you want to include in the request. To select all devices, select the Select All checkbox in the result grid header. To select consecutive devices, select the first device and then hold down the Shift key and select the last device. You can select up to 350,000 devices. To remove all selections, click Clear all.

      4. Click > Delete file.

    Alternatively, you can upload a file of device identifiers and submit a request.

  3. [Optional] At the top of the dialog, click Delete file - <date> and enter a request name that will help you identify and track this request in Action Requests.
  4. [Optional] Click Add description (optional) and enter a description for the request.

  5. Click the field under Filename, folder and path and enter the files and folders that you want to delete, pressing Enter on your keyboard after each item. If you selected both Windows and Mac devices, a separate field shows for each platform.

    You can delete a specific file, file type, or folder, in any location or a specific location. You can also use wildcard characters in file names and file paths to delete multiple files, but use caution to avoid deleting unintended files.

    For more information about supported syntax and glob patterns, and to view use cases and examples, click Learn more.

    The "delete all files" (*.*) glob pattern is not supported. Consider submitting a Wipe request.

  6. Under Options, click the field and select how many times you want the file content to be overwritten with non-sensitive data (series of zeros and ones). You can select 1 (default), 3, or 7 data overwrites.

    To comply with the Clear standard defined in NIST Special Publication 800-88, Guidelines for Media Sanitization only one data overwrite is required. Other data erasure standards may require more overwrites.

  7. The generated log file can include the file's creation date and time, and the date and time it was last modified or accessed. If you want to include this information in the log file, select the checkbox next to Include File Date Attributes in the log file.
  8. Under Confirmation, select the checkbox to acknowledge that after this request is deployed to a device, you can't cancel the action.
  9. Click Delete from x devices.

The Delete File request is submitted, its status is set to Pending in Action Requests, and a File delete requested event is logged to Event History.

The request is deployed to each device on its next successful connection to the Absolute Monitoring Center, which is typically within a few minutes for Absolute Resilience accounts, or within 15 minutes for Absolute Control accounts, assuming the devices are online. If the request requires dual approval, the request remains in the Pending Approval section in Action Requests. The action isn't sent to the device until the request is approved.

After you submit your request, you can go to the History area to do the following:

  • Track the status of your Delete File request.
  • View the log file after the files are deleted.

  • Cancel a request for devices with a status of Pending.

    Requests with a status of Pending have not been deployed to the device yet, so they can be canceled.

  • View the events associated with the submitted request

You can submit a File Delete request to remove an at-risk file detected during an Endpoint Data Discovery (EDD) scan. For example, you may discover that a device has one or more files with exceptionally high Match Scores and you determine that the content should not reside on the device. You can delete each at-risk file from the device.

Depending on the Absolute product licenses associated with your account, the Endpoint Data Discovery feature may not be available.

To submit a File Delete request for an at-risk file:

  1. Log in to the Secure Endpoint Console as a user with the Perform permission for Delete File.
  2. On the navigation bar, click Reports.
  3. Click Data Visibility, and then click a report, such as Reporting Data or Match Score Summary.
  4. In the work area, use the search field or filters to find the device with the at-risk file that you want to delete.
  5. Click the device. The device's EDD Summary page opens.
  6. In the File name column, click the file that you want to delete.
  7. On the dialog that opens, click Delete file from this device. The Delete File dialog opens to show the file path of the selected file.
  8. [Optional] At the top of the dialog, click Delete file - <date> and enter a request name that will help you identify and track this request in Action Requests.
  9. [Optional] Click Add description (optional) and enter a description for the request.
  10. Complete steps 6 to 9 in Deleting files and folders.
If the request requires dual approval, the request remains in the Pending Approval section in Action Requests. The action isn't sent to the device until the request is approved.

After you submit your request, you can go to the History area to do the following:

  • Track the status of your Delete File request.
  • View the log file after the files are deleted.

  • Cancel a request for devices with a status of Pending.

    Requests with a status of Pending have not been deployed to the device yet, so they can be canceled.

  • View the events associated with the submitted request