macOS

The Magic of ObliterationBehavior

ObliterationBehaviore is a set of instructions, coded into the macOS kernel, that dictates how data is deleted and overwritten when the system is prompted by a user or a remote management command.

5 min read
The Magic of ObliterationBehavior

A new feature in the most recent Intune service release (2305) is the ability to use the Wipe device command for macOS devices. Additionally, we can also configure the Obliteration Behavior setting as part of the Wipe action. This new key allows you to control the wipe fallback behavior on Macs that have Apple Silicon or the T2 Security Chip.

The updates in the service release were quite short and simple. Let me help you understand how this setting works and why it's important.

What is ObliterationBehaviour?

Imagine a macOS world where developers have granular control over the data deletion process. That's where ObliterationBehavior comes in.

ObliterationBehavior can be interpreted as a behavior trait of macOS to handle file or data deletion processes more effectively. It’s a set of instructions, coded into the macOS kernel, that dictates how data is deleted and overwritten when the system is prompted by a user or a remote management command.

Why is ObliterationBehavior important?

ObliterationBehavior is important for several reasons, foremost among being security and privacy issues. Usually, the data isn't immediately wiped from the disk when a file is deleted from a system. Instead, the system merely marks the space that the file occupied as available for future use. Until that space is overwritten by new data, the original file can potentially be recovered using special software.

As an IT admin, you can control how data deletion is handled with ObliterationBehavior, making sure that when a file is removed, it truly gets obliterated—hence the name. The process practically renders the data unrecoverable and gives users an extra layer of security.

What's new with ObliteationBehavior with macOS?

iOS and iPadOS both had the ability to erase all content and settings without requiring a full reinstall of the OS. Macs, on the other hand, have not fared as well. Wiping out all user data and apps from a Mac has been a time-consuming task that required a reinstallation of macOS. But only with Macs with Apple silicon or with the Apple T2 Security Chip using macOS 12.0.1 or later which allows a local administrator—or, if enrolled in Intune, you can simply trigger Erase All Content and Settings command exactly similar to the behavior permitted on iPhone, iPad, Apple TV, and Apple Watch devices.

The process makes handing over a Mac to another user simpler from the user's standpoint. All settings, data, and programs can be securely erased by selecting Erase All Contents and Settings from the System Preferences menu. This might really come in handy for administrators when it comes to offboarding users and confirming enrollment operations.

Understanding "Erase All Content and Settings"

"Erase All Content and Settings" commonly referred to as EACS is a feature provided by Apple that allows administrators to remotely wipe data from managed devices, restoring them to their factory settings. It is particularly useful in scenarios where a device needs to be repurposed, sold, or returned, ensuring that all sensitive information is completely removed. Benefits and Significance of EACS:

On the device, erasing (or wiping) obliterates all the keys in effaceable storage and renders all user data cryptographically inaccessible.

How does ObliterationBehaviour Work With macOS

To begin with, you can now initiate a remote wipe command through Intune admin center, regardless of the Apple device you want to wipe (whether it is iOS, iPadOS, or macOS-based).

Using mobile device management solutions like Intune, iCloud, or Microsoft Exchange ActiveSync, you can initiate a remote wipe command on any Apple device, including iPhone, iPad, and Mac. The Apple device sends an acknowledgment back to Intune after receiving a remote wipe instruction and then carries out the wipe.

Example of this request:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Command</key>
    <dict>
        <key>DisallowProximitySetup</key>
        <false/>
        <key>PreserveDataPlan</key>
        <true/>
        <key>RequestType</key>
        <string>EraseDevice</string>
    </dict>
    <key>CommandUUID</key>
    <string>EraseDevice</string>
</dict>
</plist>

Response from device to MDM:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CommandUUID</key>
    <string>EraseDevice</string>
    <key>Status</key>
    <string>Acknowledged</string>
    <key>UDID</key>
    <string>00008020-000915083C80012E</string>
</dict>
</plist>

The device sends back an acknowledgment to the MDM platform and the wipe is performed. Everything seems to be in order here; the device gets the wipe command and it is wiped and then it sends back the acknowledgment also. But it's never that simple with Mac.

The macOS operating system has some quirks. It will fall back to the behavior of macOS 11, which is "obliteration," and necessitate a time-consuming reinstall of macOS before the hardware can be used if an EraseDevice command is sent to a Mac that does not support it.

The Fall Back Plan

The default behavior and the ObliterationBehavior command option configured in Intune will govern the system's actions in the case that EACS does not complete as planned. During EACS, there is a preflight conducted on the system, and that preflight can succeed, or it can fail, which will conduct the assigned ObliterationBehavior. The following values define the device’s fallback behavior:

The screenshot below shows the new feature with OblietrationBehavior that you have to choose while initiating a wipe command to macOS devices.

Obliteration Behavior Keys

Conclusion

With the latest service release of Microsoft Intune, you now have the option to configure ObliterationBehavior for more enhanced control and security over data managed on your corporate Mac devices. This would mean that when you as an Intune admin initiate the wipe command for the corporate enrolled Macs, the configuration defined in Intune would dictate the level of obliteration. This feature is incredibly useful in scenarios requiring high levels of data security and regulatory compliance.

Stay tuned for more exciting journeys into the realm of macOS management, and until then, keep learning, exploring, and pushing the boundaries of what's possible. #intuneinspired #alwaysintune

Share This Post

Check out these related posts

Early Bird Gets the Worm: Testing iOS 18 & macOS 15 (Beta) Devices with Intune

Platform SSO for macOS: A Deep Dive into Configuration & Troubleshooting

Application Inventory: The Unsung Hero of macOS Security