Creating Offline Freeze rules

The following conditions apply to a frozen device:

• A full screen Freeze message, configured by the user who requested the Freeze, shows on the device. For Windows and Mac devices, if the device user is logged in when the request is launched, they are immediately logged out and the message shows instead of the Login page. If the device is powered off or in sleep mode, the Freeze is launched immediately after the device restarts or awakes.

  When a frozen Mac device that is encrypted by FileVault is restarted, the Freeze message is not shown until the device user logs in to the device and the file system is decrypted. Although the user is logged in, the device is inaccessible.

• A device user can't dismiss, minimize, or bypass the full-screen message.

• If the device is connected to a network when it's frozen, it remains connected.

• The device's peripheral displays are disabled.
• Remote login to the device is disabled.
• The device's file system is inaccessible via network file sharing (for example, AFP, NFS, or SMB).

Note that the Freeze feature is persistent. The frozen state persists even when the device is restarted, even if it's restarted in safe mode. If a user re-installs the operating system, the device freezes again when the agent self-heals If the Secure Endpoint Agent on a Windows device is damaged, tampered with, or removed, the Absolute Persistence module embedded in the device's firmware makes a self healing call to the Absolute Monitoring Center, which restores the agent..

You can configure an Offline Freeze rule to automatically freeze a device if it moves to one of the following countries that are sanctioned by the US government:

How it works

If the device's most recent IP location indicates that it has moved to a sanctioned country, the rule automatically freezes the device, logs a Device frozen event in Event History, and sends an email notification to the users specified in the rule configuration. Shortly after, a Connection blocked event is logged to indicate that the device's connection to the Absolute Monitoring Center is now is blocked.

The device remains frozen until it leaves the sanctioned country, re-establishes an Internet connection, and is unfrozen by either a Remove Freeze request or the device's unfreeze code.

You'll know that a device is frozen by this rule if on the device's History page in Device Details, a Device frozen event is followed by a Connection blocked event, and the associated status alert banners show near the top of the page.

If the device is already frozen by an On-demand or Scheduled Freeze, it is not replaced by the Offline Freeze.

Important implications

Before enabling this option, carefully consider the following implications:

• After the device enters a sanctioned country , it may take up to 24.5 hours for the device to freeze and log a Device frozen event.
• While the device is in the sanctioned country, attempts to unfreeze it will fail for the following reasons:
  • Without an Internet connection, a Remove Freeze request cannot reach the device.
  • Attempts to unfreeze the device using the unfreeze code will automatically refreeze it after 20 seconds.

• After the device leaves the sanctioned country , it may take up to 24.5 hours for the device to report that it has exited the country and a Connection unblocked event to be logged to Event History. At that time, you can unfreeze the device by submitting a Remove Freeze request or by entering the device's unfreeze code locally on the device.

  Note that to unfreeze the device, an Internet connection must be established in one of the following ways:

  • The device connects to a Wi-Fi network it has connected to before

  • An ethernet cable is used to connect to a wired network

Offline Freeze rules are supported on Windows and Mac devices with an active Secure Endpoint Agent. They are not supported on devices with an open theft report.

If the Absolute product license assigned to a policy group does not include support for Freeze actions, the policy group is ineligible for the Offline Freeze rule.

Your account may include a default Offline Freeze rule that is preconfigured as follows:

• Assigned to the Global Policy Group
• Freezes a device if it is offline for more than 30 days
• Displays a system default Freeze message on the frozen device

The default Offline Freeze rule is inactive. You can activate it as is, or you can edit it to suit your needs and then activate it. Alternatively, you can delete this rule if it's not needed.

To create an Offline Freeze rule, you need to log in to the Secure Endpoint Console as a user with the Perform permission for both Freeze Device and Remove Freeze, and the Manage permission for Rules.

You can configure and activate an Offline Freeze rule to automatically freeze devices that remain offline for a specified number of days.

To configure an Offline Freeze rule:

1. Log in to the Secure Endpoint Console as a user with the required permissions.
2. On the navigation bar, click Policies > Rules.
3. Click Create rule and click Freeze when device is offline for too long.
4. Click the title and edit the name of the rule.
5. [Optional] Click Add description and enter a description for this rule.

6. In the If a device doesn't check in for more than <x> days… field, enter the length of the timer in days. The default value is 30 days, but any value from 4 to 2000 days is supported. If a device does not contact the Absolute Monitoring Center before the timer elapses, the Secure Endpoint Agent freezes the device.

7. Do one of the following:

   • To automatically freeze devices that move to a sanctioned country, select the Device enters a restricted country checkbox.
   • To not freeze these devices, leave the Device enters a restricted country checkbox cleared.

8. The Send email field is prepopulated with your email address. Do one of the following:

   • To send email notifications to other users:

     1. Click Edit and click the field to open a selection list of email addresses associated with your account.

     2. Begin entering each email address and then select it from the list. To send alerts to individuals that are not console users, enter their full email address, pressing Enter after each one. To remove an address, click its icon. When you're done, click Close.

   • To disable email notifications entirely, click Edit and remove all email addresses from the field. When you're done, click Close.

     When the rule is triggered, an event is logged to the Events page in the History area, but no emails are sent. You may prefer this option if Absolute is integrated with a SIEM application.

9. Click Edit next to Freeze to show the Freeze configuration fields.

   1. Frozen devices show a full screen message to inform the user that their device is frozen and it can't be used.

      Click the field under Freeze Message and select a message from the list. The list contains all Freeze message templates stored in the Settings > Messages area.

      You can't edit the text in a message template. If you need to update it, you'll need to go to the Messages area.

      If you need to create a new Freeze message:

      1. Close the dialog.

      2. On the navigation bar, click Settings > Messages and create a new message. Your new message will be added to the rule's Freeze Message field so you can select it.

   2. Click the Unfreeze Code field and select one of the following options:

      • Generate a random unfreeze code for each device (default option)

        After a randomly generated unfreeze code is used to unfreeze a device, the code becomes invalid. Therefore, to ensure that the device can be unfrozen again in the future, the system generates a new code and assigns it to the device.

      • Create a alphanumeric unfreeze code for all devices

   3. Define the format of the code by doing one of the following:

      • If you selected Generate a random unfreeze code for each device, click the Code Length field and select the length of the alphanumeric code. You can select any value between 4 and 20 characters. The default value is 10 alphanumeric characters.
      • If you selected Create a alphanumeric unfreeze code for all devices, a random 10 character code shows in the Custom Passcode field. [Optional] Click the field and enter a custom 4-20 character value. The following characters are supported: [0-9], [a-z], and [A-Z}.

10. To select the policy groups A collection of devices to which a set of policies are applied. to assign the rule to:

    If the activation slider near the top of the page is set to Off (gray), you can save the rule without assigning it to any policy groups.

    1. Click Edit next to Apply to.
    2. Click the field and select each policy group. Any policy groups that are already assigned an Offline Freeze rule are excluded from the list. To remove a policy group, click its icon. When you're done, click outside the field.

    If any of the selected policy groups include devices that do not meet the system requirements, those devices are ineligible and will be excluded from the rule.

    If the Apply to field isn't visible, you aren't granted sufficient permissions to work with policy groups. To proceed, save the rule and then ask a user with Manage permissions for Policies to edit your rule and assign the applicable policy groups.

11. To activate the rule now, leave the activation slider near the top of the page set to On (green). To activate it later, click the slider to turn it Off (gray).

12. Click Save. The rule is created. If you activated the rule:

    • A Device freeze requested event is logged to Event History for each device.

    • The rule is activated on each device on its next successful connection to the Absolute Monitoring Center, which is typically within 15 minutes, assuming the devices are online. At this time, an Offline freeze set event is logged to Event History, and the device's Freeze status is set to Set.

Going forward, the following events may occur:

• If a device remains offline for the number of days specified in the timer, the Secure Endpoint Agent freezes the device and its status is set to Frozen - Timer Expired. After the device comes back online and connects to the Absolute Monitoring Center, its status is updated to Frozen. Note that each status change logs a corresponding event to Event History.
• If the device enters a sanctioned country, the Secure Endpoint Agent automatically freezes the device, its status is set to Frozen, and a Device frozen event is logged.

To see the Device Freeze status of an individual device, go to the device's Device Details page.

To view a summary of all devices with an active Offline Freeze rule, including each device's unfreeze code, go to the Device Freeze Status report and add the following filter: Type is Offline.

To see the expected freeze date for devices with an active Offline Freeze rule, view the Upcoming Offline Device Freeze report.

A notification is displayed in the console if at least five percent of your active devices are expected to be frozen by an Offline Freeze rule within the next 14 days. The notification contains a link to a Knowledge Base article that provides information about next steps. Note that if five percent equates to less than 10 devices, no notification is shown.