I have a bunch of Apple hardware at work that is to be destroyed, because the security guys claim it can't be wiped to NIST PURGE compliance.

All the PC hardware can achieve this level, and we have a specific piece of licenced software authorised to do this, and provide reports. The cleared PC kit gets donated onward to local charities, minimising waste and all that good stuff.

If the Macs get destroyed instead of reused, then there's no way for those users to experience a Mac environment, and they get stuck with Windows or maybe a Linux distro.


To be clear - the minimum requirement is "NIST Purge" compliance. I've managed to boot the authorised software on minis and achieved "NIST Clear" levels, which is insufficient.

There's a halfway house of removing the M2 cards from Mac minis and onward-donating the remains, but that's sub-optimal. And for many of the MBP and Air laptops, they are "un-upgradeable", suggesting the storage is soldered to the mainboard, leaving destruction as the only option.

What can I do to achieve PURGE status on mac hardware?


Specifically for me, the hardware is

  • a1347, 2014 mac mini (about 30 of these)
  • a1502, 2014 13" MBP
  • a1398, 2015 MBP retina
  • a1286, 2011 unibody 15" MBP
  • a1707, 2017 MBP
  • a1418, 2017 imac 21"

Although ideally this question should have generic answers.

Criggie
  • Please don't suggest "photoshop the results" I do want to keep my job, such as it is. – Criggie Mar 09 '22 at 22:57
  • Related, but doesn't provide anything useful https://security.stackexchange.com/questions/37662/what-method-of-secure-erase-is-sufficient-for-macbook-pro-ssd-drives – Criggie Mar 09 '22 at 23:02
  • @Criggie what model Macs are these? – Ezekiel Mar 09 '22 at 23:20
  • From BitRaser FAQ: "BitRaser Drive Eraser specializes in securely erasing Apple Mac machines of all models. Our software is an OS independent and works seamlessly across any OS platforms. We also have a dedicated version for wiping Mac T2 devices." Or is that only Clear? (You did mean T2, not M2, didn't you?) – Gilby Mar 09 '22 at 23:23
  • If these are T2 or newer Macs, then you can perform a Cryptographic Erase by using the system-provided erase option in Recovery Mode. https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/1/web/1

    The NIST standards for PURGE leave evaluation of the vendor-provided erase function to you. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf

    – Ezekiel Mar 09 '22 at 23:31
  • For non-T2 machines, which many of these are, you can't rely on the Cryptographic Erase unless you've already had FileVault enabled - I believe. However, you may be able to issue an ATA command directly to the disk, but I'm not sure. – Ezekiel Mar 10 '22 at 16:41
  • @Ezekiel yeah, it's hard to get a clear answer from anyone authoritative, hence asking here. We're required to use "WipeDrive", which is pay-per-use commercial software, and it boots and runs fine on all the Intel Macs, but never gives the required PURGE status. I don't want to destroy ~40 Macs - even not new they're still an introduction to something other than Windows. – Criggie Mar 11 '22 at 00:56
  • @Criggie Can you reach out to the vendor to understand whether it should be saying "PURGE," and if not do they know why? – Ezekiel Mar 11 '22 at 14:59

0 Answers