Wiping devices
NOTE Depending on the Absolute product licenses associated with your account, the Wipe feature may not be available.
You can use the Wipe feature to remotely remove all sensitive data from your Windows and Mac devices before you reuse, resell, or dispose of them. This process is known as data sanitization: the process of permanently removing or destroying the data stored on a device. A sanitized device is left with no usable data, and advanced forensic tools can't recover the removed or destroyed data.
NOTE To remove individual files or folders from a device, submit a File Delete request.
The Wipe feature uses two types of data sanitization processes to wipe devices:
- Cryptographic Wipe
- Delete All Files
IMPORTANT The Wipe feature is very destructive, and a request can't be canceled or undone after it is deployed to a device. To limit the impact of a Wipe request submitted in error or with malicious intent, a request can include a maximum of 100 devices only. To wipe additional devices, submit another request.
To learn more about wiping devices, visit the Learning Hub. To access the Learning Hub, click on the quick access toolbar and then click Resources > Learning Hub.

You can perform a Cryptographic Wipe on the following devices:
- Windows devices encrypted by BitLocker Drive Encryption (BitLocker)
- Mac devices encrypted by FileVault
A Cryptographic Wipe employs the cryptographic erase data sanitization process, which removes all encryption keys, effectively making all data on a device irretrievable, including the operating system.
A Cryptographic Wipe conforms to the Purge standard defined in NIST Special Publication 800-88, Guidelines for Media Sanitization, and it is HIPAA compliant. Although a Purge does not perform any data overwrites, it is recognized as a quick and effective method of data sanitization.
To learn more about how Cryptographic Wipe works, see the Absolute Device Wipe datasheet.
IMPORTANT If your devices' encryption keys are backed up remotely, do not use Cryptographic Wipe as a data sanitization method unless you are certain that these keys have already been sanitized, or they are protected from future use. For more information about what to consider before using Crypto Erase, see section 2.6 Use of Cryptography and Cryptographic Erase in NIST Special Publication 800-88, Guidelines for Media Sanitization.
When a Cryptographic Wipe request is deployed to a device:
- the device's encryption keys are removed. The ciphertext remains on the device, but without an encryption key the encrypted data is unreadable.
- a Certificate of Sanitization is generated and made available in Action History after the Cryptographic Wipe is completed.
- depending on the device, one of the following pages shows when a user powers on a wiped device:
  - Windows: BitLocker recovery page
  - Mac: Login page showing one of the following:
    - "Device Wiped" as the username
    - The cached username of a deleted user profile
  In both cases, users cannot log in.
Also see Reusing a wiped device.

The Full-Disk Encryption Status policy is activated on your devices.

Cryptographic Wipe requests are supported on the following devices:
- Windows 10 and 11 devices with the following attributes:
  - Encrypted by BitLocker
  - Encryption Status set to either Encrypted or Used Space Encrypted. Used Space Encrypted is an encryption status that is set when all disk space containing data is encrypted by BitLocker Drive Encryption, but free space is not encrypted. This status indicates that the Used Disk Space Only encryption option is enabled in BitLocker. For more information about this option, see Microsoft BitLocker Drive Encryption documentation.
- Supported Mac devices with the following attributes:
  - Encrypted by FileVault
  - Encryption Status set to Encrypted
  - Single drive that is fully encrypted
NOTE If a device does not meet these requirements, the Cryptographic Wipe option is not available. Use the Delete All Files option to wipe the device.
Note that devices must be regularly connecting to the Absolute Monitoring Center using Absolute agent version 7.17 or higher.
Cryptographic Wipe requests are not supported on the following devices:
- Unencrypted or partially encrypted Windows and Mac devices
- Devices encrypted by a product other than BitLocker or FileVault
- Chromebook and Android devices
- Devices with an Agent Status set to Inactive or Disabled. Agent Status is the operating condition of an Absolute agent. Possible values are Active (indicates that the agent has connected to the Monitoring Center), Inactive (indicates that the agent has started its first connection to the Absolute Monitoring Center and agent activation is in progress; when activation is completed, the status is updated to Active), and Disabled (indicates that the agent is either flagged for removal or removed from the device).
- Mac devices with multiple drives
- Devices with an open theft report
- Devices with an outstanding Wipe request

You can perform a Delete All Files wipe of your encrypted and unencrypted devices.
The Delete All Files wipe option is a data sanitization process that overwrites all file content with a series of zeros and ones, essentially making the files unreadable and unrecoverable. It then renames and deletes the files, and deletes all non-OS and user profile data. For Windows devices, you can also disable the operating system.
A Delete All Files wipe conforms to the Clear standard defined in NIST Special Publication 800-88, Guidelines for Media Sanitization, and it is HIPAA compliant. After the action is processed on a device, a log file is uploaded to the console. You can then download the log file from Action History to demonstrate compliance.
Also see Reusing a wiped device.

Delete All Files wipe requests are supported on devices that are running:
- A supported version of the Windows or Mac operating system
- Absolute agent version 7.17 or higher
These devices must also be regularly checking in to the Absolute Monitoring Center.
Delete All Files wipe requests are not supported on the following devices:
- Chromebook and Android devices
- Devices with an Agent Status set to Inactive or Disabled
- Devices with an open theft report
- Devices with an outstanding Wipe request

The following system files cannot be deleted using the Delete All Files security action.
Windows | Mac |
---|---|
\WWANSVC\, \WLANSVC\, *.PAC | *.DocumentRevisions-V*, *.fseventsd, *.Spotlight-V*, /bin, /Darwin, /dev, /etc, /home, /net, /private/Developer, /System, /tmp, /Users/Shared/.rpc, /usr, /var, mach_kernel |
Before you submit a Delete All Files wipe request, consider the following limitations:
- In addition to the files listed above, the Delete All Files security action can't delete files/folders that are:
  - encrypted or locked by a third party tool.
  - stored in a volume that is encrypted or locked by a third party tool.
  - stored in a hidden partition.
  - inaccessible because inherited permissions have been disabled.
  - created by a user after the area has already been scanned.
  - recreated automatically by the Windows operating system.
- For Mac devices, if a file's file size is very large (> 1 GB) and it exceeds the device's free space, the file can't be deleted.

Before you submit a Delete All Files wipe request, note the following considerations:
- It takes considerably longer for a device to process a Delete All Files wipe than a Cryptographic Wipe.
- It may take a considerable amount of time to wipe a frozen device. (Freeze is a security action managed in the Absolute console that enables an authorized user to show a full screen message on a device. A frozen device is unusable.)
- If you reinstall the Windows operating system while the wipe is still in progress, it is resumed on the newly installed operating system.
- If the disk becomes corrupted while the Delete All Files wipe is still in progress, or the disk is deleted, the wipe is halted. Note that if the operating system is reinstalled, the wipe is resumed.
Also see Reusing a wiped device.

To enable the Delete All Files wipe feature to be supported on your Mac devices that are running macOS 10.14 or higher, you first need to configure a custom profile and deploy it to the devices using your Mobile Device Management (MDM) application. Specifically, you need to complete the following key steps to be able to delete files in the Desktop, Documents, and Downloads folders on these devices:
Step 1: Download the custom profile. Ensure that you save the file (FileDelete_MDMProfile_v1_0.mobileconfig) with the .mobileconfig file extension.
Step 2: Upload the custom profile and configure it on your MDM server. For more information, refer to MDM documentation.
Step 3: On the MDM server, assign the profile to the applicable Mac devices for deployment. For more information, refer to MDM documentation.

Before you submit a Wipe on a Windows device, you can run a Reach script to get a list of the device's files. You can then upload files that you want to retrieve.
NOTE Depending on the Absolute product licenses associated with your account, Reach scripts may not be available.

To get a list of the files stored on a Windows device, run the following Reach script:
Retrieve a list of files from a device
This script generates a report file containing details about each file, including its full file path, creation time, last write time, and file size. You can use this information to run a file upload script.
For more information about this script, go to Settings > Script Library and search for the script name. Detailed information is provided in the script.

To retrieve files from a Windows device, you can run one of the following scripts:
Script name | Description |
---|---|
Upload files to Dropbox | Uploads files from a Windows device to Dropbox using the permissions of a custom Dropbox app. |
Upload files to FTP server | Uploads files from a Windows device to an FTP server. |
Upload files to network shared folder | Uploads files from a Windows device to a network shared folder using a UNC path. |
These scripts generate a report file that is uploaded to the same location as the uploaded files. It contains the number of successful file uploads, along with details about any errors that occurred, such as duplicated file, file not found, and file failed to upload.
For more information about each script, go to Settings > Script Library and search for the script name. Detailed information is provided in each script.

To submit a request:
- Log in to the Absolute console as a user with Perform permissions for Wipe Device.
- Wipe a single device
  On the device's Device Details page, click Wipe.
  If the device does not meet the eligibility requirements, a message shows indicating that the device is ineligible for the Wipe action. Click Cancel.
  Wipe multiple devices
  - From the navigation bar, open a page that supports the Wipe action. For example, click to open the Devices > All Devices page.
  - In the work area, use the search field or filters to find the devices you want to wipe.
  - In the results grid, select the check box next to each device that you want to wipe. You can select up to 100 devices only. To wipe more devices, submit another request.
  - Depending on the page you're on, click either Wipe or Device Actions > Wipe. The Wipe devices dialog opens.
    NOTE Any devices that do not meet the eligibility requirements have been removed from the request.
- [Optional] To help identify this request in reports, enter a Description.
- Depending on the eligibility of the selected devices, do one of the following:
  All devices meet the eligibility requirements for Cryptographic Wipe
  The Cryptographic Wipe option is selected by default. Do one of the following:
  - To perform a cryptographic erase on the encrypted devices:
    - Leave the Cryptographic Wipe option selected.
    - If the Administrator authorization section shows, you selected one or more Mac devices. Enter the Admin user and Admin password of a user with administrative rights. These credentials are required to wipe a Mac device.
    - If you selected one or more Windows devices and you want to unenroll the devices from your Absolute account after each device is wiped, select the Unenroll devices after the Wipe is complete check box.
      NOTE This option is available only if your user role is granted Perform permissions for Unenroll Device. Note that Mac devices are always unenrolled after the Wipe request is processed, regardless of the configuration of this option and your user permissions.
  - To overwrite all files on the encrypted devices, select the Delete All Files option and do the following under Options:
    - Select the Overwrite the data <#> time(s) check box and then click the field and select how many times you want the file content to be overwritten with non-sensitive data (series of zeros and ones). You can select 1, 3, or 7 data overwrites.
      NOTE To comply with the Clear standard defined in NIST Special Publication 800-88, Guidelines for Media Sanitization, only one data overwrite is required. Other data erasure standards may require more overwrites.
    - If you selected one or more Windows devices, configure the following settings:
      Disable the Windows OS:
      - To delete all non-OS and user profile data on each device, leave this check box unselected.
      - To delete all non-OS and user profile data, and disable each device's operating system, select this check box. In this case, system files are deleted and Windows cannot be rebooted.
      Also see Reusing a wiped device.
      Unenroll devices after the Wipe is complete:
      To unenroll the devices from your Absolute account after each device is wiped, select this check box.
      NOTE This option is available only if your user role is granted Perform permissions for Unenroll Device. Note that Mac devices are always unenrolled after the Wipe request is processed, regardless of the configuration of this option and your user permissions.
  No devices meet the eligibility requirements for Cryptographic Wipe
  Delete All Files is the only option available. Under Options, configure the settings for the Wipe request by doing the following:
  - Select the Overwrite the data <#> time(s) check box and then click the field and select how many times you want the file content to be overwritten with non-sensitive data (series of zeros and ones). You can select 1, 3, or 7 data overwrites.
    NOTE To comply with the Clear standard defined in NIST Special Publication 800-88, Guidelines for Media Sanitization, only one data overwrite is required. Other data erasure standards may require more overwrites.
  - If you selected one or more Windows devices, configure the following settings:
    Disable the Windows OS:
    - To delete all non-OS and user profile data on each device, leave this check box unselected.
    - To delete all non-OS and user profile data, and disable each device's operating system, select this check box. In this case, system files are deleted and Windows cannot be rebooted.
    Also see Reusing a wiped device.
    Unenroll devices after the Wipe is complete:
    To unenroll the devices from your Absolute account after each device is wiped, select this check box.
    NOTE This option is available only if your user role is granted Perform permissions for Unenroll Device. Note that Mac devices are always unenrolled after the Wipe request is processed, regardless of the configuration of this option and your user permissions.
  Some devices meet the eligibility requirements for Cryptographic Wipe, and some do not
  Two sections show on the dialog: Encrypted devices and Other devices. The Other devices section refers to the devices included in the request that are unencrypted, partially encrypted, or encrypted by a product other than BitLocker Drive Encryption or FileVault.
  - In the Encrypted devices section, do one of the following:
    - To perform a cryptographic erase on the encrypted devices:
      - Leave the Cryptographic Wipe option selected.
      - If the Administrator authorization section shows, you selected one or more Mac devices. Enter the Admin user and Admin password of a user with administrative rights. These credentials are required to wipe a Mac device.
    - To overwrite all files on the encrypted devices, select the Delete All Files option.
  - Under Options, configure the settings for the Wipe request by doing the following:
    - Select the Overwrite the data <#> time(s) check box and then click the field and select how many times you want the file content to be overwritten with non-sensitive data (series of zeros and ones). You can select 1, 3, or 7 data overwrites.
      NOTE To comply with the Clear standard defined in NIST Special Publication 800-88, Guidelines for Media Sanitization, only one data overwrite is required. Other data erasure standards may require more overwrites.
    - If you selected one or more Windows devices, configure the following settings:
      - Disable the Windows OS:
        This setting applies to the Delete All Files wipe only.
        - To delete all non-OS and user profile data on each device, leave this check box unselected.
        - To delete all non-OS and user profile data, and disable each device's operating system, select this check box. In this case, system files are deleted and Windows cannot be rebooted.
        Also see Reusing a wiped device.
      - Unenroll devices after the Wipe is complete:
        To unenroll the devices from your Absolute account after each device is wiped, select this check box.
        NOTE This setting is only available if your user role is granted Perform permissions for Unenroll Device. Note that Mac devices are always unenrolled after the Wipe request is processed, regardless of the configuration of this option and your user permissions.
- Under Review the devices, review the list of devices to confirm that you want to wipe them. Any devices that did not meet the eligibility requirements have been removed from the list.
- Under Confirmation, select the check box to acknowledge that the Wipe action can't be stopped or canceled after it's in progress on a device.
- Click Wipe Device.
The system automatically creates a Cryptographic Wipe request, a File Delete request, or both. The type of requests created is determined by the number of devices in the request, the encryption status of the devices, and the Wipe configurations you set.
The status of each request is set to Pending. Requests are deployed to devices on their next agent connection, which is typically within the next 15 minutes. The status of the request is then updated to Processing. If the request requires dual approval, the request remains in the Pending Approval section in Action History. The action isn't sent to the device until the request is approved.
After you submit your request, you can go to the History area to do the following:
- Track the status of the requests
- View the Certificate of Sanitization after the request is processed
- View the log file after the request is processed (applies to Delete File requests only)
- Cancel a request for devices with a status of Pending
  NOTE Requests with a status of Pending have not been deployed to the device yet, so they can be canceled.
- View the events associated with the submitted request

Your request will appear in the History area as follows:
- If the Cryptographic Wipe option was selected:
  - a Cryptographic Wipe request is shown in Action History with a status of Pending.
  - a Cryptographic wipe requested event is logged to Event History.
- If the Delete All Files option was selected, or this option was automatically applied to some devices:
  - a Delete File request is shown in Action History with a status of Pending.
  - a File delete requested event is logged to Event History.
If both options were applied in the same request, the system automatically creates two separate requests: a Cryptographic Wipe request and a Delete File request. You can navigate between these requests using the link provided in each request's header.
For example, you submit a Wipe request that includes 10 devices. Based on your configurations and the encryption status of the devices, you see two separate requests in Action History: Cryptographic Wipe 7 devices and Delete file on 3 devices. You can click the link in the header of each request to navigate between them.
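The eligibility rules and the request split described above can be checked against an inventory export before a request is submitted. The following is an added example, not Absolute code or an Absolute API: the `Device` record, its field names, and the sample inventory are hypothetical, and every device is assumed to run a supported operating system version.

```python
from dataclasses import dataclass

MAX_DEVICES_PER_REQUEST = 100   # page: a request can include at most 100 devices
MIN_AGENT_VERSION = (7, 17)     # page: Absolute agent version 7.17 or higher

@dataclass
class Device:                   # hypothetical inventory record, not an Absolute schema
    name: str
    platform: str               # "Windows", "Mac", "Chromebook", "Android"
    encryption_product: str = ""
    encryption_status: str = ""
    agent_status: str = "Active"
    agent_version: str = "7.17"
    drive_count: int = 1
    open_theft_report: bool = False
    outstanding_wipe: bool = False
    keys_backed_up_remotely: bool = False

def blocker(d):
    """Return why neither Wipe type is supported for this device, or None."""
    if d.platform not in ("Windows", "Mac"):
        return "platform not supported"
    if d.agent_status != "Active":
        return "agent status " + d.agent_status
    if tuple(int(p) for p in d.agent_version.split(".")[:2]) < MIN_AGENT_VERSION:
        return "agent older than 7.17"
    if d.open_theft_report or d.outstanding_wipe:
        return "open theft report or outstanding Wipe request"
    return None

def crypto_eligible(d):
    """Cryptographic Wipe requirements; other devices fall back to Delete All Files."""
    if d.platform == "Windows":
        return (d.encryption_product == "BitLocker"
                and d.encryption_status in ("Encrypted", "Used Space Encrypted"))
    return (d.encryption_product == "FileVault"
            and d.encryption_status == "Encrypted" and d.drive_count == 1)

def plan_wipe(devices):
    """Split one Wipe request into the two request types the console would create."""
    if len(devices) > MAX_DEVICES_PER_REQUEST:
        raise ValueError("a Wipe request can include a maximum of 100 devices")
    plan = {"cryptographic_wipe": [], "delete_all_files": [],
            "ineligible": {}, "review_backed_up_keys": []}
    for d in devices:
        reason = blocker(d)
        if reason:
            plan["ineligible"][d.name] = reason
        elif crypto_eligible(d):
            plan["cryptographic_wipe"].append(d.name)
            if d.keys_backed_up_remotely:   # a surviving key copy can still decrypt
                plan["review_backed_up_keys"].append(d.name)
        else:
            plan["delete_all_files"].append(d.name)
    return plan

SAMPLE = [  # constructed sample inventory
    Device("WIN-01", "Windows", "BitLocker", "Encrypted"),
    Device("WIN-02", "Windows", "BitLocker", "Used Space Encrypted",
           keys_backed_up_remotely=True),
    Device("WIN-03", "Windows"),
    Device("MAC-01", "Mac", "FileVault", "Encrypted", drive_count=2),
    Device("MAC-02", "Mac", "FileVault", "Encrypted"),
    Device("WIN-04", "Windows", "BitLocker", "Encrypted", agent_version="7.9"),
    Device("CB-01", "Chromebook"),
]
```

Devices listed under `review_backed_up_keys` are the ones the IMPORTANT note on remotely backed-up encryption keys applies to: confirm those keys are sanitized or protected before relying on Cryptographic Wipe for them.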

After a device is wiped, you may want to prepare the device for reuse. The steps required depend on the Wipe type, the device platform, and the options selected in the Wipe request.
Wipe type | Platform | Details |
---|---|---|
Cryptographic Wipe | Windows or Mac | Reimage the device. |
Delete All Files | Windows | Do one of the following, depending on whether the operating system was disabled: |
Delete All Files | Mac | Create a new user profile. You do not need to reimage the device. |