Data Sanitization for Apple Devices


Introduction


Purdue University’s academic and administrative data are important university resources and assets. Data used by the University can often be sensitive or restricted in nature, or may be subject to various regulatory compliance bodies with stringent data management and privacy rules. Protecting such information is driven by a variety of considerations, including legal, academic, financial, and other business requirements. For these reasons, Data Sanitization procedures must be carried out before an Apple device is repurposed for further University use or before it leaves the University's possession for resale or disposal.






Process Overview

Purpose/Objective

Data Sanitization is the irreversible and permanent elimination of data from a storage device, rendering it unable to be recovered or reconstructed. The process is typically carried out before disposing of or repurposing a device to prevent unauthorized access or retrieval of sensitive data.

Modern Apple devices automatically provide cryptographic erasure operations that meet NIST 800-88 requirements for Data Sanitization. Older Apple devices can also meet these requirements using a combination of cryptographic erasure and/or data erasure (overwrite) methods. Steps to determine which scenario is appropriate for a specific device, as well as sanitization procedures for each scenario, are detailed in this document.

This process defines the procedures that must be completed for a device each time it changes users, is being reused for a new purpose within the University, or is leaving University ownership.

Scope

Hardware

This documented process applies to all Apple computers and devices. This includes all device hardware running Apple's macOS, iOS, iPadOS, tvOS, visionOS, and watchOS operating systems. There are no device models that are not covered by the documented instructions.

Procedures

The erasure procedures detailed here, including the generation of a "Certificate of Sanitization", apply to all Purdue campuses.

Services

Salvaging and public resale through Purdue West Lafayette Materials Management's disposal and university surplus offerings are specific to the Purdue West Lafayette campus. Regional campuses should utilize the services and offerings specific to their campuses.

Data

The procedures provided here ensure data is unrecoverable via either cryptographic erasure or multi-pass overwrite when crypto-erase is unavailable. These procedures align to the NIST SP 800-88 Rev. 1 specifications for media sanitization. As such, these methods are appropriate for use on computers and devices that were previously used for controlled research, HIPAA, and other controlled or regulated data purposes.

Exclusions

Devices used in Controlled Unclassified Information (CUI), Cybersecurity Maturity Model Certification (CMMC), or Classified environments are explicitly excluded from this standard disposal process. These devices must follow a separate custody and disposal stream with additional controls, including US persons requirements where applicable. While these devices are still subject to NIST 800-88 sanitization requirements, they must not enter the normal disposal workflows described in this document. Contact the appropriate security personnel for guidance on handling CUI, CMMC, or Classified device disposal.


Process Steps

Before You Begin

Before beginning, ensure that any data that the user requires has been either moved to their new computer or backed up. All the procedures detailed in further sections will result in complete and unrecoverable loss of all data on the device.

Additionally, you will need to determine which erasure scenario will be appropriate for the specific Apple device that is being sanitized. Currently, there are four possible erasure scenarios for Apple devices:

  • macOS Device with Apple Silicon or T2 Security
  • macOS Device with Intel (no T2 Security) and SSD or Fusion Storage
  • macOS Device with Intel (no T2 Security) and HDD Storage
  • iOS Device (also includes iPadOS, tvOS, visionOS, and watchOS)

Determine Device Type

If the device is an iPhone, iPod Touch, iPad, Apple TV, Vision Pro, or Apple Watch product, it will be running an operating system derived from iOS (includes iPadOS, tvOS, visionOS, and watchOS). Proceed to the "iOS" section under Procedures.

If the device is a Mac product, such as an iMac, MacBook, or Mac Mini, it will be running macOS. Proceed to the next test to determine the type of Mac you are working with.

Determine Apple Silicon

To determine if the Mac has Apple Silicon:

  1. Choose Apple menu > About This Mac.
  2. On Mac computers with Apple Silicon, About This Mac shows an item labeled "Chip", followed by the name of the chip, which will begin with "Apple". On Mac computers with an Intel processor, About This Mac shows an item labeled "Processor", followed by the name of an Intel processor, which will begin with "Intel".

If the computer has an Apple Silicon chip, proceed to the "macOS – Apple Silicon or T2 Security" section under Procedures.

If the computer has an Intel processor, proceed to the next test to determine if the Mac has T2 Security.

Determine T2 Security

To determine if the Mac has T2 Security:

  1. Press and hold the Option key while choosing Apple menu > System Information.
  2. In the sidebar, select either Controller or iBridge, depending on the version of macOS in use.
  3. If you see "Apple T2 chip" on the right, your Mac has the Apple T2 Security Chip.

If the computer has T2 Security, proceed to the "macOS – Apple Silicon or T2 Security" section under Procedures.

If not, proceed to the next test to determine the type of storage the Mac uses.

Determine Storage Type

To determine the storage type:

  1. Press and hold the Option key while choosing Apple menu > System Information.
  2. In the sidebar, select Storage.
  3. In the upper pane, choose Macintosh HD.
  4. In the lower pane, locate the Physical Drive section.
  5. On Mac computers with SSD storage, a single physical drive will be listed with a device name that begins with "APPLE SSD". On Mac computers with HDD storage, a single physical drive will be listed with a device name that begins with "APPLE HDD". On Mac computers with Fusion storage, two physical drives will be listed – one with a device name that begins with "APPLE SSD", and one with a device name that begins with "APPLE HDD".

If the computer has SSD or Fusion storage, proceed to the "macOS – Intel (no T2 Security) and SSD or Fusion Storage" section under Procedures.

If the computer has HDD storage, proceed to the "macOS – Intel (no T2 Security) and HDD Storage" section under Procedures.
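
The three tests above can also be run from Terminal. The script below is an added example, not part of the Purdue procedure: it applies the same order of checks to the output of `sysctl -n machdep.cpu.brand_string` and `system_profiler`, and prints the matching section title. It assumes the T2 chip is reported in `SPiBridgeDataType` output and drive names on `Device Name:` lines of `SPStorageDataType`; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: map a Mac to one of this page's erasure sections.
# Section titles exactly as they appear under "Procedures".
SCN_CRYPTO='macOS – Apple Silicon or T2 Security'
SCN_SSD='macOS – Intel (no T2 Security) and SSD or Fusion Storage'
SCN_HDD='macOS – Intel (no T2 Security) and HDD Storage'

# classify_mac CPU_BRAND IBRIDGE_TEXT STORAGE_TEXT
# Prints the section to follow. Returns 1 when the tests give no clear
# answer, so the technician falls back to the manual checks.
classify_mac() {
    cpu_brand=$1 ibridge=$2 storage=$3

    # Test 1 (Determine Apple Silicon): chip name begins with "Apple".
    case $cpu_brand in
        Apple*) printf '%s\n' "$SCN_CRYPTO"; return 0 ;;
        Intel*) ;;  # continue with the T2 test
        *) printf 'UNDETERMINED: unrecognized processor "%s"\n' "$cpu_brand"
           return 1 ;;
    esac

    # Test 2 (Determine T2 Security): controller report names an Apple T2.
    if printf '%s\n' "$ibridge" | grep -q 'Apple T2'; then
        printf '%s\n' "$SCN_CRYPTO"; return 0
    fi

    # Test 3 (Determine Storage Type): any "APPLE SSD" drive means SSD or
    # Fusion (Fusion also lists an "APPLE HDD"); only "APPLE HDD" means HDD.
    if printf '%s\n' "$storage" | grep -q 'Device Name: APPLE SSD'; then
        printf '%s\n' "$SCN_SSD"; return 0
    fi
    if printf '%s\n' "$storage" | grep -q 'Device Name: APPLE HDD'; then
        printf '%s\n' "$SCN_HDD"; return 0
    fi
    printf 'UNDETERMINED: no APPLE SSD or APPLE HDD device name found\n'
    return 1
}

# Gather the three inputs on the Mac being sanitized and classify it.
classify_this_mac() {
    classify_mac "$(sysctl -n machdep.cpu.brand_string)" \
                 "$(system_profiler SPiBridgeDataType 2>/dev/null)" \
                 "$(system_profiler SPStorageDataType 2>/dev/null)"
}

# Constructed sample reports (not captured from real devices).
SAMPLE_T2='Controller Information:
      Model Name: Apple T2 Security Chip'
SAMPLE_FUSION='Macintosh HD:
      Physical Drive:
          Device Name: APPLE SSD EXAMPLE128
          Device Name: APPLE HDD EXAMPLE1000'
SAMPLE_HDD='Macintosh HD:
      Physical Drive:
          Device Name: APPLE HDD EXAMPLE1000'

if [ "$(uname -s)" = "Darwin" ]; then
    classify_this_mac
else
    # Not on a Mac: show the result for the constructed Fusion sample.
    classify_mac 'Intel(R) Core(TM) i5' '' "$SAMPLE_FUSION"
fi
```

An `UNDETERMINED` result, for example on a Mac with a third-party replacement drive, means the storage type has to be confirmed by hand before choosing a procedure.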


Procedures

Using the information that you determined in the "Before You Begin" section above, locate and execute the appropriate erasure procedure below.

macOS – Apple Silicon or T2 Security

Primary Method

  1. From the Apple menu in the corner of your screen, choose System Settings.
  2. Click General in the sidebar.
  3. Click Transfer or Reset on the right.
  4. Click Erase All Content and Settings.
  5. An erase assistant then opens. Follow the onscreen instructions to erase the Mac.
    1. When asked to sign in with administrator credentials, enter the credentials for an administrator on the Mac.
    2. You might be asked to enter the user's Apple ID password to sign out of Find My. If the user is present, they can enter the needed password. If the user is not present, submit a TDX ticket to have PAE remove the activation lock.
    3. On the last prompt, you will be asked to click Erase All Content & Settings to confirm that you want to proceed with the erasure.

Alternate Method for Managed Macs

  1. Log in to Jamf Pro.
  2. Click Computers in the sidebar, and then Search Inventory.
  3. Search for and open the computer record for the Mac.
  4. In the Computer record screen, choose the Management tab.
  5. Under the Management Commands payload, click the button for the "Wipe Computer" command.
  6. Confirm that you want to send the Wipe command.
  7. After a few moments, confirm that the screen on the target device goes black and then restarts showing an Apple logo and a progress bar.

macOS – Intel (no T2 Security) and SSD or Fusion Storage

  1. From the Apple menu in the corner of your screen, choose System Settings.
  2. In System Settings, click Privacy & Security.
  3. Scroll down to the Security section and click FileVault.
  4. Click Turn On.
  5. Enter an administrator's username and password, then click Unlock.
  6. Select "Create a recovery key and do not use my iCloud account," then click Continue.
  7. Verify that FileVault is turned on and monitor until encryption is finished.

Note: This will likely take an extended amount of time, but it is extremely important to ensure that the encryption process has fully completed before proceeding on to the next steps.

  8. Once the disk encryption has fully completed, proceed with completing the steps listed above for "macOS – Apple Silicon or T2 Security".

macOS – Intel (no T2 Security) and HDD Storage

  1. Press and release the power button to turn on the Mac, then immediately press and hold these two keys on your keyboard: Command (⌘) and R. Keep holding the keys until you see an Apple logo or spinning globe.
  2. You might be asked to select a Wi-Fi network or attach a network cable. To select a Wi-Fi network, use the Wi-Fi menu.
  3. If you're asked to select a user you know the password for, select the user. Then click Next and enter the administrator password for that user.
  4. When you see a utilities window that includes Disk Utility, select Disk Utility, then click Continue.
  5. Select Macintosh HD in the sidebar of the Disk Utility window.
  6. Click the Erase button in the toolbar, then enter the requested details:
    • Name: Macintosh HD
    • Format: APFS
  7. Click the Security Options button.
  8. In the Security Options window, move the slider to Most Secure, then click "OK".
  9. Back on the Erase window, click the Erase button.

Note: This will take an extended amount of time, but it is extremely important to ensure that the erase process has fully completed before proceeding on to the next steps.

  10. Once the erase operation has fully completed, quit Disk Utility to return to the utilities window in Recovery.
  11. To reinstall the operating system, select Reinstall macOS in the utilities window, then click Continue and follow the onscreen instructions.

iOS

Primary Method

  1. Go to Settings > General > Transfer or Reset iPad.
  2. Tap Erase All Content and Settings.

Alternate Method for Managed Devices

  1. Log in to Jamf Pro.
  2. Click Devices in the sidebar and then Search Inventory.
  3. Search for and open the device record for this device.
  4. In the Device record screen, choose the Management tab.
  5. Under the Management Commands payload, click the button for the "Wipe Device" command.
  6. Confirm that you want to send the Wipe command.
  7. After a few moments, confirm that the screen on the target device goes black and then restarts showing an Apple logo and a progress bar.


Verification and Certificate of Sanitization

Required as the final step for all erasure procedures above

Two-Party Verification Requirement

To ensure compliance with risk management requirements and support audit readiness, devices leaving University ownership for public resale require separation of duties between the staff member who performs the initial erasure and the staff member who verifies the sanitization was successful. This two-party verification approach significantly reduces the risk of devices being released to the public without proper sanitization.

Verification Pathways

  1. Devices destined for reuse at Purdue: A Purdue IT staff member performs the sanitization and verifies that the sanitization was successful before the device may be redeployed. A second verifier is not required for devices remaining within University ownership.
  2. Devices destined for sale or disposal through MMDC: A Purdue IT staff member performs the initial sanitization and completes a Certificate of Sanitization. Materials Management and Distribution Center (MMDC) staff verify the sanitization was successful and complete a separate Certificate of Sanitization before the device is placed for sale or proceeds through the disposal process. For devices exiting the University, there will be two Certificates of Sanitization on file: one from Purdue IT documenting the initial sanitization, and one from MMDC documenting the verification.

Verification Procedure

  1. Following erasure, the verifying staff member must confirm that the sanitization was successful and that previous data is no longer present or accessible. Whenever possible, manually navigate to multiple areas of the device (such as browser history, files, photos, etc.) to verify that no personal information has been retained on the device.

Note: Booting into Recovery mode provides the most straightforward method for verifying disk erasure, as it offers access to both Disk Utility and Terminal. When verifying models equipped with a Fusion Drive or a hard disk drive (HDD), use Disk Utility to also confirm that all custom, user-created partitions have been successfully removed.

  2. Once the sanitization or verification results have been confirmed, the employee who performed the sanitization or verification must complete and submit a "Certificate of Sanitization" form. In two-party verification scenarios, both the staff member who performed the initial sanitization and the staff member who verified the sanitization must each complete and submit their own Certificate of Sanitization form.

Form submission link: https://purdue.link/computer-wipe

Note: A "Certificate of Sanitization" form must be completed for a device each time it changes users, is being reused for a new purpose within the University, or is leaving University ownership. For devices going to resale, use the "External Reuse" option under "Media Destination". For devices being destroyed, use the "Destruct (destroy)" option under "Method Type".


Roles and Responsibilities

These procedures are to be completed by either PUIT Staff, Materials Management Staff, or a combination of the two.

PUIT Staff

University Re-Use

Before any device is reassigned to a new primary user or repurposed for a different University function, PUIT Support Technicians must perform Data Sanitization procedures as defined here. Sanitization is to be conducted immediately upon the technician's return to the unit's workspace, with physical access to the device strictly limited to authorized IT personnel throughout the process. The technician performing the sanitization must verify that the sanitization was successful and complete the Certificate of Sanitization. Only after this certificate has been finalized and properly recorded may the device be reassigned or redeployed for active use in its new role.

Salvage or University Surplus

When computers and devices reach end-of-life status and are scheduled for decommissioning, PUIT Support Technicians are responsible for collecting the hardware, performing the initial Data Sanitization, completing a Certificate of Sanitization, and preparing it for transfer. All decommissioned equipment is temporarily stored in the designated PUIT Support work area until it is retrieved by Materials Management. While awaiting pickup, physical access to the stored hardware is strictly limited to authorized IT personnel to ensure security and compliance with data protection standards. Once picked up, the Materials Management Staff is responsible for verifying the Data Sanitization and completing the Certificate of Sanitization.


Materials Management Staff

Salvage or University Surplus

Materials Management follows an already defined and actively implemented process for managing salvage and surplus operations. This process includes providing required documentation, coordinating hardware pickup procedures, and managing the scheduling of equipment collection. All transfers must comply with these established protocols.

Materials Management personnel are responsible for verifying the Data Sanitization performed by PUIT on any computers or devices collected through the salvage or surplus programs. During this process, physical access to the equipment is strictly limited to authorized Materials Management staff to ensure data security and compliance. Upon successful verification of Data Sanitization, staff must complete and document a separate Certificate of Sanitization, distinct from the certificate completed by PUIT. Devices may only proceed through the salvage or surplus process once both certificates have been finalized and properly recorded.

To perform verification work, MMDC staff will be provided access to Jamf Pro and Apple School Manager. This access enables verification of device status and removal of salvaged machines from enrollment systems.


Training Requirements

All personnel performing sanitization or verification procedures must be authorized through completion of training on the procedures and tools (including Jamf Pro and Apple School Manager, where applicable). Training certification is valid until any of the following occur:

  • Change in sanitization procedures or tools
  • The individual has not performed the procedures in more than one year
  • Errors in performance are identified for the individual

Retraining must be completed before the individual may resume sanitization or verification duties.


Exceptions

Devices that are non-functioning or otherwise ineligible for the standard Data Sanitization for Apple Devices process must be excluded from these workflows. In such cases, the devices must be physically destroyed in accordance with University-approved hardware destruction procedures to ensure that all data is rendered completely irretrievable. These devices are not to be processed through standard data sanitization channels and must be routed directly to secure destruction. The Certificate of Sanitization should still be submitted utilizing the "Destruct" option for the Method Type.


Data Record & Retention

All Data Sanitization activities performed on University-owned devices must be documented using the official Certificate of Sanitization submission form. This certificate must be completed by the staff member responsible for verifying the sanitization procedures.

The Certificate of Sanitization includes, but is not limited to:

  • The device's serial number or other unique identifier
  • The name of the employee who performed the sanitization
  • The name of the employee who verified the sanitization
  • The date the sanitization was completed

Additional required data elements are recorded in accordance with the standards outlined in NIST Special Publication 800-88 Revision 1, ensuring comprehensive documentation and traceability of the sanitization process. The full standard is available at: https://doi.org/10.6028/NIST.SP.800-88r1

Certificate data is submitted via a TDX form, and the resulting record is stored in the TDX service management system. These records must be retained for a minimum of five (5) calendar years to support audit readiness and compliance requirements.

Each device's serial number serves as a persistent, unique identifier throughout its lifecycle at the University. This identifier is referenced across multiple University systems, including:

  • Procurement and Ordering (Ariba)
  • Service Management (TeamDynamix)
  • Asset Management (Sassafras)
  • Automated Device Enrollment (Apple School Manager)
  • Endpoint Management (Jamf Pro)
  • Vulnerability Management (Rapid7)
  • Endpoint Security (Defender)

This cross-system traceability ensures that all devices remain accounted for and verifiable during the sanitization process, minimizing the risk of loss or mismanagement.


Best Practices

  • When erasing any Apple device, it is always best to assist the previous owner in turning off Find My and signing out of their Apple ID on the device prior to executing the erasure. This helps to ensure a smooth, out-of-box experience for its next user.
  • When enabling FileVault or executing a disk erase, be sure to allow the operations to fully complete before moving on to any following steps. This is extremely important in ensuring that all data is rendered unrecoverable.
  • For devices with HDD or Fusion Drive storage, always verify that all custom, user-created partitions have been successfully removed during the verification step.


Authoritative Use Statement

This document constitutes the official and authoritative standard for data sanitization procedures applicable to Purdue University–owned Apple devices.

All procedures, controls, and requirements contained herein have been developed in coordination with and are fully endorsed by Purdue Systems Security Services (PSS), the University’s governing authority for information security.

No alternative processes, modifications, or deviations from the procedures defined in this document are permitted unless explicitly authorized in writing by Purdue Systems Security Services (PSS).

All University personnel, units, and affiliates responsible for the handling, reassignment, or disposal of Apple devices must adhere strictly to the standards and procedures defined herein.
