Absolute DDS vs MDM Wipe Computer command

jacob_edwards
New Contributor II

Due to compliance requirements and internal requirements, I'm asked to provide a certificate of destruction (COD) for the data when we erase a Mac and send it for recycling. Absolute DDS provides a COD though I have demonstrated to my manager that at least in certain scenarios, Absolute produced a COD and afterward I was still able to login to the Mac and view files. I've also demonstrated that the MDM Wipe Computer command is generally easier to use, quicker, and more reliable. My manager is just hung up on the COD--he wasn't satisfied with seeing the Management History > Complete Commands on the inventory record.

Has anyone else dealt with a request like this? My preference is to keep all of this in Jamf Pro.

2 REPLIES 2

brockwalters
Contributor II

1st, Certificate Of Destruction™ is my new band name.

2nd, I found useful info on page 230 of the the Absolute User Guide.

○ Request Name: the name of the Data Delete request (this could be the name of a script you ran to get the info...)
○ Identifier: the device’s Identifier (the UDID or serial number of the computer)
○ Make: the name of the device manufacturer (Apple)
etc.

Use the Jamf Pro API to pull the record of the computer you are deleting. It has all the information you need:

<?xml version="1.0" encoding="UTF-8"?>
  <computer>
    <general>
      <id>1</id>
      <name>foo</name>
      <network_adapter_type>Ethernet</network_adapter_type>
      <mac_address>CA:CA:CA:CA:CA:CA</mac_address>
      <alt_network_adapter_type>IEEE80211</alt_network_adapter_type>
      <alt_mac_address>77:77:77:77:77:77</alt_mac_address>
      <ip_address>10.11.12.123</ip_address>
      <last_reported_ip>12.34.56.78</last_reported_ip>
      <serial_number>XYZ123ABC456</serial_number>
      <udid>AF3B4F06-487D-66F4-979E-32D5205977A</udid>
...
<storage>
        <device>
          <disk>disk0</disk>
          <model>APPLE HDD HTS541010A9E632</model>
          <revision>JA0AB5N0</revision>
          <serial_number>KE9113E9FMA5XF</serial_number>
          <size>1000204</size>
          <drive_capacity_mb>1000204</drive_capacity_mb>
          <connection_type>NO</connection_type>
          <smart_status>Verified</smart_status>
          <partitions>

etc.

To get the Mac's UDID as a variable in a script from Jamf Pro, e.g.

/usr/bin/curl -ksS -X GET -H "accept: application/xml" -u username:password "https://yourJamfPro.domain.com:8443/JSSResource/computers/id/1" -o ~/Downloads/foo.xml
udidstr="$(/usr/bin/xmllint -format -xpath "//computer/general/udid/text()" ~/Downloads/foo.xml)"

For each field in the Absolute Certificate Of Destruction example use the matching key / value in the Jamf Pro computer record XML to make a readable document. You can include the action in Jamf Pro you used to actually erase the thing as a field with a time stamp.

If you're really feeling fancy save it as a .pdf & add some ribbons & clip art!

a13a38f18e30484392ffc2cfbdfe1677

But perhaps it could be just a script that writes it out as a here file, e.g.

#!/bin/sh

...some code stuff...

/bin/cat << EOF > ~/Desktop/cod.txt
REQUEST NAME: $(/usr/bin/basename "$0")
IDENTIFIER: $udidstr
MAKE: Apple

etc.

EOF

...additional code stuff...

NOTE: I am not quoting variables & command substitutions because inside the here file tags they will expand correctly. (Bonus! When the top EOF tag is unquoted (as above) variable expansion in a here file works. If the top EOF tag is quoted (i.e., "EOF") variable expansion is prevented.)

What about signing? Any Certificate Authority will do.

I am going to use the Jamf Pro CA & assume Java keytool is available but you could use the CA in /Applications/Utilities/Keychain Access on your Mac or make a self-signed cert with OpenSSL: Sign and verify files using OpenSSL

Run the following command:

keytool -genkeypair -alias cod -keyalg RSA -keysize 4096 -validity 2100 -keystore ~/Desktop/cod.jks

This will prompt the interactive mode. Answer the questions to make it "super official":

Enter keystore password:  
Re-enter new password: 
What is your first and last name?
  [Unknown]:  cod
What is the name of your organizational unit?
  [Unknown]:  IT
What is the name of your organization?
  [Unknown]:  Awesome
What is the name of your City or Locality?
  [Unknown]:  San Jose
What is the name of your State or Province?
  [Unknown]:  CA
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=cod, OU=IT, O=Awesome, L=San Jose, ST=CA, C=US correct?

Type "yes", then, create the certificate signing request (CSR):

keytool -certreq -alias cod -keyalg RSA -keystore ~/Desktop/cod.jks

You will get output like this:

-----BEGIN NEW CERTIFICATE REQUEST-----
zzCCArcCAQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMREwDwYDVQQH
EwhTYW4gSm9zZTEQMA4GA1UEChMHQXdlc29tZTELMAkGA1UECxMCSVQxDDAKBgNV
BAMTA0NPRDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJ0UUiWdmtrK
j/oUJ5A1H9txRPdRz8ksIryBdXEk3wn7rhjVWKsgeQivV6dCl4Mg0PTayc9grv/g
8PgR3vZ/DLnLUsyNBAfof6ujRlZtT4TtQSscW+JLal58aWQ5QXykWLAfDWsA6w5o
-----END NEW CERTIFICATE REQUEST-----

Select all of the text including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags) and copy it. On your Jamf Pro server:

  • Login with credentials for a full admin Jamf Pro user
  • In the top-right corner of the page click Settings (the gear...)
  • Click PKI Certificates
  • Click on the Manage Certificate Template tab
  • Click the Create Certificate from CSR button
  • Paste all of the text generated above into the CSR window
  • Select Web Server Certificate from the Certificate Type pulldown
  • Click Create to download the signed certificate

Change the name of the downloaded file to "reply.pem" just to make things a bit easier, then, run the following:

keytool -import -trustcacerts -alias cod -file ~/Downloads/reply.pem -keystore ~/Desktop/cod.jks

You now have a .jks containing the signature of your Jamf Pro Certificate Authority. Put it somewhere safe & don't lose the password. (You only have to do this part again when the certificate you just created expires, i.e., 2100 days in this case...)

Extract the private key from the .jks, sign / hash the cod.txt file & delete the private key. Do this each time you want to make a new "Certificate Of Destruction":

sudo openssl pkcs12 -info -in ~/Desktop/cod.jks -nodes -nocerts -out /private/tmp/private.key
sudo openssl dgst -sha256 -sign /private/tmp/private.key -out ~/Desktop/cod.txt.sha256 ~/Desktop/cod.txt
sudo rm -rf /private/tmp/private.key

Verify the signature (i.e., the public key):

openssl x509 -in ~/Downloads/reply.pem

Verify the hash using the public key:

openssl dgst -sha256 -verify <(openssl x509 -in ~/Downloads/reply.pem -pubkey -noout) -signature ~/Desktop/cod.txt.sha256 ~/Desktop/cod.txt

If it's good you will see:

Verified OK

For fun, change the contents of ~/Desktop/cod.txt then run the command above again. You will see this instead because the hash doesn't match:

Verification Failure

Last, make a workflow for all of this. Make a "Certificate Of Destruction" folder containing all the files, hashes & the reply.pem file used to sign them. Make the boss happy. This (theoretically) will make you happy. Good luck!!

jacob_edwards
New Contributor II

Whoa! Thanks for the detailed response.

I especially like this sentence from page 230 of the Absolute User Guide:

Such certificates are useful in proving that the device that was retired or taken out of circulation does not contain sensitive information.

Based on my experience, maybe proving should be in quotes or something.