Creating Offline Freeze rules

Depending on your Absolute product licenses, Offline Freeze rules may not be available.

An Offline Freeze is a security action that freezes a device if it goes offline and doesn't contact the Absolute Monitoring Center for a specified number of days. If you want to ensure that your devices are protected, even when they are powered off or a network connection is unavailable, configure an Offline Freeze rule and assign it to one or more policy groups.

To freeze a device immediately (the next time it checks in to the Absolute Monitoring Center), submit a Freeze request.

The following conditions apply to a frozen device:

  • A full screen Freeze message, configured by the user who requested the Freeze, shows on the device. For Windows and Mac devices, if the device user is logged in when the request is launched, they are immediately logged out and the message shows instead of the Login page. If the device is powered off or in sleep mode, the Freeze is launched immediately after the device restarts or awakes.

    When a frozen Mac device that is encrypted by FileVault is restarted, the Freeze message is not shown until the device user logs in to the device and the file system is decrypted. Although the user is logged in, the device is inaccessible.

  • A device user can't dismiss, minimize, or bypass the full-screen message.

  • If the device is connected to a network when it's frozen, it remains connected.

  • The device's peripheral displays are disabled.
  • Remote login to the device is disabled.
  • The device's file system is inaccessible via network file sharing (for example, AFP, NFS, or SMB).

Note that the Freeze feature is persistent. The frozen state persists even when the device is restarted, even if it's restarted in safe mode. If a user re-installs the operating system, the device freezes again when the agent self-heals If the Secure Endpoint Agent on a Windows device is damaged, tampered with, or removed, the Absolute Persistence module embedded in the device's firmware makes a self healing call to the Absolute Monitoring Center, which restores the agent..

Offline Freeze rules are supported on Windows and Mac devices with an active Secure Endpoint Agent. They are not supported on devices with an open theft report.

If the Absolute product license assigned to a policy group does not include support for Freeze actions, the policy group is ineligible for the Offline Freeze rule.

The DFZ component of the Secure Endpoint Agent is responsible for freezing a policy group's devices. After the rule is activated on the devices, the component triggers a timer to start counting down on each device. With each successful agent check-in, the timer resets. If a device does not check in to the Absolute Monitoring Center before the timer expires, the device freezes and an email notification is sent to the users specified in the rule configuration.

A frozen device remains frozen until you submit a Remove Freeze request, or an unfreeze code is entered locally on the device.

Your account may include a default Offline Freeze rule that is preconfigured as follows:

  • Assigned to the Global Policy Group
  • Freezes a device if it is offline for more than 30 days
  • Displays a system default Freeze message on the frozen device

The default Offline Freeze rule is inactive. You can activate it as is, or you can edit it to suit your needs and then activate it. Alternatively, you can delete this rule if it's not needed.

To create an Offline Freeze rule, you need to log in to the Secure Endpoint Console as a user with the Perform permission for both Freeze Device and Remove Freeze, and the Manage permission for Rules.

You can configure and activate an Offline Freeze rule to automatically freeze devices that remain offline for a specified number of days.

To configure an Offline Freeze rule:

  1. Log in to the Secure Endpoint Console as a user with the required permissions.
  2. On the navigation bar, click Policies > Rules.
  3. Click Create rule and click Freeze when device is offline for too long.
  4. Click the title and edit the name of the rule.
  5. [Optional] Click Add description and enter a description for this rule.
  6. In the If a device doesn't check in for more than <x> days… field, enter the length of the timer in days. The default value is 30 days, but any value from 4 to 2000 days is supported. If a device does not contact the Absolute Monitoring Center before the timer elapses, the Secure Endpoint Agent freezes the device.

  7. The Send email field is prepopulated with your email address. Do one of the following:

    • To send email notifications to other users:

      1. Click Edit and click the field to open a selection list of email addresses associated with your account.

      2. Begin entering each email address and then select it from the list. To send alerts to individuals that are not console users, enter their full email address, pressing Enter after each one. To remove an address, click its icon. When you're done, click Close.

    • To disable email notifications entirely, click Edit and remove all email addresses from the field. When you're done, click Close.

      When the rule is triggered, an event is logged to the Events page in the History area, but no emails are sent. You may prefer this option if Absolute is integrated with a SIEM application.

  8. Click Edit next to Freeze to show the Freeze configuration fields.

    1. Frozen devices show a full screen message to inform the user that their device is frozen and it can't be used.

      Click the field under Freeze Message and select a message from the list. The list contains all Freeze message templates stored in the Settings > Messages area.

      You can't edit the text in a message template. If you need to update it, you'll need to go to the Messages area.

      If you need to create a new Freeze message:

      1. Close the dialog.

      2. On the navigation bar, click Settings > Messages and create a new message. Your new message will be added to the rule's Freeze Message field so you can select it.

    2. Click the Unfreeze Code field and select one of the following options:

      • Generate a random unfreeze code for each device (default option)

        After a randomly generated unfreeze code is used to unfreeze a device, the code becomes invalid. Therefore, to ensure that the device can be unfrozen again in the future, the system generates a new code and assigns it to the device.

      • Create a numeric unfreeze code for all devices

    3. Define the format of the code by doing one of the following:

      • If you selected Generate a random unfreeze code for each device, click the Code Length field and select the length of the numeric code. You can select any value between 4 and 8 (default) digits.
      • If you selected Create a numeric unfreeze code for all devices, a random 8 digit code shows in the Custom Passcode field. [Optional] Click the field and enter a custom 4-8 digit value.

  9. To select the policy groups A collection of devices to which a set of policies are applied. to assign the rule to:

    If the activation slider near the top of the page is set to Off (gray), you can save the rule without assigning it to any policy groups.

    1. Click Edit next to Apply to.
    2. Click the field and select each policy group. Any policy groups that are already assigned an Offline Freeze rule are excluded from the list. To remove a policy group, click its icon. When you're done, click outside the field.

    If any of the selected policy groups include devices that do not meet the system requirements, those devices are ineligible and will be excluded from the rule.

    If the Apply to field isn't visible, you aren't granted sufficient permissions to work with policy groups. To proceed, save the rule and then ask a user with Manage permissions for Policies to edit your rule and assign the applicable policy groups.

  10. To activate the rule now, leave the activation slider near the top of the page set to On (green). To activate it later, click the slider to turn it Off (gray).

  11. Click Save. The rule is created. If you activated the rule:

    • A Device freeze requested event is logged to Event History for each device.

    • The rule is activated on each device on its next successful connection to the Absolute Monitoring Center, which is typically within 15 minutes, assuming the devices are online. At this time, an Offline freeze set event is logged to Event History, and the device's Freeze status is set to Set.

Going forward, if the device remains offline for the number of days specified in the timer, the Secure Endpoint Agent freezes the device and it's status is set to Frozen - Timer Expired. After the device comes back online and connects to the Absolute Monitoring Center, its status is updated to Frozen. Note that each status change logs a corresponding event to Event History.

To see the Device Freeze status of an individual device, go to the device's Device Details page.

To view a summary of all devices with an active Offline Freeze rule, including each device's unfreeze code, go to the Device Freeze Status report and add the following filter: Type is Offline.

To see the expected freeze date for devices with an active Offline Freeze rule, view the Upcoming Offline Device Freeze report.

A notification is displayed in the console if at least five percent of your active devices are expected to be frozen by an Offline Freeze rule within the next 14 days. The notification contains a link to a Knowledge Base article that provides information about next steps. Note that if five percent equates to less than 10 devices, no notification is shown.