Posted on 10-08-2020 07:47 AM
Due to compliance requirements and internal requirements, I'm asked to provide a certificate of destruction (COD) for the data when we erase a Mac and send it for recycling. Absolute DDS provides a COD though I have demonstrated to my manager that at least in certain scenarios, Absolute produced a COD and afterward I was still able to login to the Mac and view files. I've also demonstrated that the MDM Wipe Computer command is generally easier to use, quicker, and more reliable. My manager is just hung up on the COD--he wasn't satisfied with seeing the Management History > Complete Commands on the inventory record.
Has anyone else dealt with a request like this? My preference is to keep all of this in Jamf Pro.
Posted on 10-09-2020 01:09 AM
1st, Certificate Of Destruction™ is my new band name.
2nd, I found useful info on page 230 of the the Absolute User Guide.
○ Request Name: the name of the Data Delete request
(this could be the name of a script you ran to get the info...)
○ Identifier: the device’s Identifier (the UDID or serial number of the computer)
○ Make: the name of the device manufacturer (Apple)
Use the Jamf Pro API to pull the record of the computer you are deleting. It has all the information you need:
<?xml version="1.0" encoding="UTF-8"?> <computer> <general> <id>1</id> <name>foo</name> <network_adapter_type>Ethernet</network_adapter_type> <mac_address>CA:CA:CA:CA:CA:CA</mac_address> <alt_network_adapter_type>IEEE80211</alt_network_adapter_type> <alt_mac_address>77:77:77:77:77:77</alt_mac_address> <ip_address>10.11.12.123</ip_address> <last_reported_ip>220.127.116.11</last_reported_ip> <serial_number>XYZ123ABC456</serial_number> <udid>AF3B4F06-487D-66F4-979E-32D5205977A</udid> ... <storage> <device> <disk>disk0</disk> <model>APPLE HDD HTS541010A9E632</model> <revision>JA0AB5N0</revision> <serial_number>KE9113E9FMA5XF</serial_number> <size>1000204</size> <drive_capacity_mb>1000204</drive_capacity_mb> <connection_type>NO</connection_type> <smart_status>Verified</smart_status> <partitions>
To get the Mac's UDID as a variable in a script from Jamf Pro, e.g.
/usr/bin/curl -ksS -X GET -H "accept: application/xml" -u username:password "https://yourJamfPro.domain.com:8443/JSSResource/computers/id/1" -o ~/Downloads/foo.xml udidstr="$(/usr/bin/xmllint -format -xpath "//computer/general/udid/text()" ~/Downloads/foo.xml)"
For each field in the Absolute Certificate Of Destruction example use the matching key / value in the Jamf Pro computer record XML to make a readable document. You can include the action in Jamf Pro you used to actually erase the thing as a field with a time stamp.
If you're really feeling fancy save it as a .pdf & add some ribbons & clip art!
But perhaps it could be just a script that writes it out as a here file, e.g.
#!/bin/sh ...some code stuff... /bin/cat << EOF > ~/Desktop/cod.txt REQUEST NAME: $(/usr/bin/basename "$0") IDENTIFIER: $udidstr MAKE: Apple etc. EOF ...additional code stuff...
NOTE: I am not quoting variables & command substitutions because inside the here file tags they will expand correctly. (Bonus! When the top EOF tag is unquoted (as above) variable expansion in a here file works. If the top EOF tag is quoted (i.e., "EOF") variable expansion is prevented.)
What about signing? Any Certificate Authority will do.
I am going to use the Jamf Pro CA & assume Java keytool is available but you could use the CA in /Applications/Utilities/Keychain Access on your Mac or make a self-signed cert with OpenSSL: Sign and verify files using OpenSSL
Run the following command:
keytool -genkeypair -alias cod -keyalg RSA -keysize 4096 -validity 2100 -keystore ~/Desktop/cod.jks
This will prompt the interactive mode. Answer the questions to make it "super official":
Enter keystore password: Re-enter new password: What is your first and last name? [Unknown]: cod What is the name of your organizational unit? [Unknown]: IT What is the name of your organization? [Unknown]: Awesome What is the name of your City or Locality? [Unknown]: San Jose What is the name of your State or Province? [Unknown]: CA What is the two-letter country code for this unit? [Unknown]: US Is CN=cod, OU=IT, O=Awesome, L=San Jose, ST=CA, C=US correct?
Type "yes", then, create the certificate signing request (CSR):
keytool -certreq -alias cod -keyalg RSA -keystore ~/Desktop/cod.jks
You will get output like this:
-----BEGIN NEW CERTIFICATE REQUEST----- zzCCArcCAQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMREwDwYDVQQH EwhTYW4gSm9zZTEQMA4GA1UEChMHQXdlc29tZTELMAkGA1UECxMCSVQxDDAKBgNV BAMTA0NPRDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJ0UUiWdmtrK j/oUJ5A1H9txRPdRz8ksIryBdXEk3wn7rhjVWKsgeQivV6dCl4Mg0PTayc9grv/g 8PgR3vZ/DLnLUsyNBAfof6ujRlZtT4TtQSscW+JLal58aWQ5QXykWLAfDWsA6w5o -----END NEW CERTIFICATE REQUEST-----
Select all of the text including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags) and copy it. On your Jamf Pro server:
Change the name of the downloaded file to "reply.pem" just to make things a bit easier, then, run the following:
keytool -import -trustcacerts -alias cod -file ~/Downloads/reply.pem -keystore ~/Desktop/cod.jks
You now have a .jks containing the signature of your Jamf Pro Certificate Authority. Put it somewhere safe & don't lose the password. (You only have to do this part again when the certificate you just created expires, i.e., 2100 days in this case...)
Extract the private key from the .jks, sign / hash the cod.txt file & delete the private key. Do this each time you want to make a new "Certificate Of Destruction":
sudo openssl pkcs12 -info -in ~/Desktop/cod.jks -nodes -nocerts -out /private/tmp/private.key sudo openssl dgst -sha256 -sign /private/tmp/private.key -out ~/Desktop/cod.txt.sha256 ~/Desktop/cod.txt sudo rm -rf /private/tmp/private.key
Verify the signature (i.e., the public key):
openssl x509 -in ~/Downloads/reply.pem
Verify the hash using the public key:
openssl dgst -sha256 -verify <(openssl x509 -in ~/Downloads/reply.pem -pubkey -noout) -signature ~/Desktop/cod.txt.sha256 ~/Desktop/cod.txt
If it's good you will see:
For fun, change the contents of ~/Desktop/cod.txt then run the command above again. You will see this instead because the hash doesn't match:
Last, make a workflow for all of this. Make a "Certificate Of Destruction" folder containing all the files, hashes & the reply.pem file used to sign them. Make the boss happy. This (theoretically) will make you happy. Good luck!!
Posted on 10-09-2020 05:48 AM
Whoa! Thanks for the detailed response.
I especially like this sentence from page 230 of the Absolute User Guide:
Such certificates are useful in proving that the device that was retired or taken out of circulation does not contain sensitive information.
Based on my experience, maybe proving should be in quotes or something.