End User Device Guidance: Factory reset and reprovisioning



1. Introduction

This guidance is for public sector organisations to follow when deploying or redeploying mobile devices onto their networks. It describes the ways in which individual platforms can be restored from a misconfigured or potentially compromised state to a known-good state using their in-box functionality.

These methods are not data sanitisation methods; in general they will not result in the secure erasure of data. For policy and guidance on how to achieve secure erasure, eligible organisations should refer to HMG IA Standard No. 5 (IS5), available from the IA Policy Portfolio.

1.1 Structure and Scenarios

This document is split into sections for each platform, then each platform follows the same structure. For each platform, a summary of the reset methods available on that platform is given. Each reset method is then discussed in detail, explaining how to perform the method and what risks are associated with that method. Finally, recommendations are given for which reset method to use for four key scenarios.

The four scenarios discussed are:

Sanitising device believed to be compromised with malware

A user has reported their device behaving strangely, or has executed potentially malicious code on the device. The department wishes to remove any malware from the device so that it can be reused.

Preparing a device which has not previously been managed

A used device is to be provisioned onto the corporate network, but the history of the device is unclear. The department wishes to restore the device to an out-of-box state so that it can be provisioned as per existing guidance on deploying new devices.

Reissuing device to a different user in the same security environment

A device is to be transferred between different employees, and is to be proactively reset to factory settings so that the provisioning steps for that platform can be followed as if the device was new again.

Sanitising device for release to lower security domain or sale

The device is to be transferred out of a secure environment and the department wishes to perform a best-endeavours sanitisation of the device. Note that this scenario does not cover the secure erase of protectively marked data (OFFICIAL, RESTRICTED or above). IS5 should be followed in these circumstances.

2. Android 4.3

This guidance was developed from testing on Nexus 4 devices running Android 4.3.

2.1 Summary of factory reset for platform

Android devices have no official method to securely restore a device to factory settings

The official factory reset option will remove the current user’s applications and data. This is not considered a secure delete and malware could persist elsewhere.

The other method is a more advanced method that restores all partitions on the device to their factory states. This second option, although offering a more complete reset, varies per device and in some cases will void the manufacturer’s warranty.

2.2 Methods of factory resets for platform

According to Google’s documentation, a device can be restored to factory settings, from the settings menu, remotely with Google Device Manager or from the device’s recovery menu. In either case it is only the data partition that is altered; the user’s data can be recovered using simple forensics tools and malware could persist in other partitions

A more advanced method is to flash the device with stock firmware. This will ensure that all partitions only use the manufacturer’s default data. The steps for flashing firmware can vary depending on manufacturer, and in some cases can void the device’s warranty. Google make no guarantees that either method will securely wipe user data from a device

In all cases, the device’s settings will be returned to their initial, unconfigured state

Method 1 – Factory reset from Android Settings menu

The option available from Settings -> Back up and Reset -> Factory data reset allows a user to delete all data from the data partition. This reboots the device and wipes the user data partition and is sometimes called a factory reset. This name is something of a misnomer because the system partition is not restored to its factory state.

If the device has a pre-boot recovery menu, then the user may also use this to perform a factory reset. This performs the same underlying actions as the factory reset option from the settings menu – it will reset the data partition to its factory state, removing any client applications and data, whilst leaving the system partition intact.

Finally, if the user has Google Sync configured, or has the Google Apps Device Policy app installed, then this method can be called remotely using Google’s remote wipe.

What happens

The factory reset function is performed by the MasterClear activity which calls theMasterClearReceiver. The MasterClearReceiver usesRecoverySystem.rebootWipeUserData function to restart the device in recovery mode.

Files in the data partition are then marked as deleted and the stock application’s files are written over the top with the default settings

Device Security settings

With this method, the data partition is overwritten. The data partition holds all application data, including device settings. After performing a factory reset, the device returns to default settings. This will mean no advanced security features will be enabled including:

no device lock PIN/password/Pattern
no data encryption
no SD card encryption
Malware removal

This method will remove all apps installed by the previous user, including any malicious Java based apps.

If a malicious application was previously able to elevate its privileges to root, it would be able to place malicious root binaries on the system partition. If this has occurred, then this method would fail to remove the malware.

Rooted devices

If a device had been rooted, then it would have a suid root binary on the system partition to maintain root between handset resets. As this method does not touch the system partition, it would be likely that the device would remain rooted.

If the bootloader of a device was unlocked, it would remain so after this method was used.

Risks

This method does not delete data outside the /data partition folder so data may remain in that location

The external SD card is not wiped during the factory reset

The data removed can often be recovered using forensics tools

Method 2 – Reinstallation of stock firmware

The most comprehensive method for assuring all partitions contain only original files is to reinstall the stock firmware. The method to perform this action differs per manufacturer. For Nexus devices, a guide is available athttps://developers.google.com/android/nexus/images#instructions.

This method is the only option that will overwrite the system partition. Any device that has been rooted, or infected with malware running as root would likely have altered the system partition.

What happens

The exact process to flash a device with the official firmware will vary per device and may, in some cases void the warranty. For example the Samsung Galaxy S III can be flashed with official firmware using the Odin application without unlocking the bootloader, however the Nexus series requires the user to unlock the bootloader first.

Overwriting the partitions with the stock firmware means that the user can guarantee that any data including malware will be overwritten regardless of the partition it is on.

For security, it is strongly recommended that if the user needed to unlock the bootloader for this process, that the bootloader is re-locked on completion.

Device Security settings

As part of this method, the data partition is overwritten. The data partition holds all application data, including device settings. After performing a factory reset in this way, the device returns to default settings. This will mean no advanced security features will be enabled including:

No device lock PIN/password/Pattern
No data encryption
No SD card encryption
Malware removal

This method will remove all apps installed by the previous user, including all Java based malware.

If a malicious application was able to elevate its privileges to root, it would be able to place malicious root binaries on the system partition. If this has occurred, then this method would be effective in removing malware from the device.

Rooted devices

This method would overwrite the system partition, removing the suid root binary. If the bootloader of a device was unlocked, the only way to relock it is to install a signed firmware. If the device was left unlocked, then an attacker would in theory be able to load the device in recovery mode and bypass any lockscreen the user had placed on the device.

Risks

This method will vary per manufacturer and device in terms of method, difficulty, availability of resources and effect on warranty. It is strongly recommended that official guidance is sought from the manufacturer before attempting, as incorrect methodology could lead to permanent damage to a device.
All flashing relies on trusting at least one component of the device to correctly install the firmware. This means that sufficiently advanced malware on a device could manipulate the process and persist in spite of the factory reset.
No formal testing has been performed regarding this method, and Google make no guarantees that this method will work in all cases

2.3 Factory reset scenarios

For this device, the following actions are recommended for the scenarios detailed in the introduction to this document.

Sanitising device believed to be compromised with malware

Malware within malicious APKs can be removed using Method 1

Malware with root exploits that have compromised the system partition can be removed using Method 2 Advanced malware cannot be removed as the wiping process must rely on code held on the boot sector of the device itself

Risks

Sufficiently advanced malware cannot be removed from a device
It is unlikely that a user will be able to determine how advanced the malware is, and which partitions are compromised. Therefore, in high security environments, a device with suspected malware should not be used even after a full factory reset.
Reissuing device to a different user in the same security environment

Method 1 is sufficient to transfer a device in which personal data is not presented to the new user, but the new user would be able to recover the data using forensic software

If the new user should in no way be able to recover personal data from the device, then method 2 should be used

Risks

Method 2 may void the warranty and relies on stock firmware images being made available by the manufacturer
Method 1 would allow application malware to persist on the device
Method 2 would allow advanced malware to persist on the device
Method 1 assumes that the new user will not use forensic tools to recover and restore the previous data, or would not benefit from doing so
Preparing a device which has not previously been managed

The device should be assumed to be carrying malware. The only guarantee for removing this is to use method 2 Method 1 will remove all Android application based malware, and all user data from the previous user

Following either method, the device will need to be configured with appropriate security settings

Risks

Method 2 may not remove malware that has infected the boot partition
Method 1 will not remove malware that has infected any partition other than the data partition
Method 2 may void warranty and relies on stock firmware images being made available by the manufacturer
Sanitising device for release to lower security domain or sale

As Android does not offer an official method to securely remove data from a device, it is recommended that an Android device is never released to lower security domain or sale

Risks

Google has made no guarantees that either method can securely wipe a device
Method 2 could wipe the user’s data partition so that it could not be recovered with forensics tools, but it is thought that this is device dependant and therefore should not be relied upon

3. Windows 8.1

This guidance was developed from testing on Surface Pro devices running Windows 8.1.

3.1 Summary of factory reset for platform

This guidance applies to Windows 8 (x86 and x64). Some of this guidance may apply to Windows RT, but the extent to which is does apply and implementations of the features have not been tested. This is important to note as some features are not available or possible to switch off on Windows RT.

There are a number of options for restoring system state in Windows. Each of these is outlined below:

Refresh is a new Windows feature that allows a user to refresh their system without losing all of their files and data. During this process, user data, files, personalisation settings and Windows store applications are retained while the operating system is re-installed. This data is then added back into the system and applications reinstalled, providing the user with a fresh operating system installation whilst retaining their data and settings.

Reset is like a full re-image. During this process the disk is formatted and the operating system is reinstalled. The user is offered the options of ‘quick’ or ‘thorough’ when wiping the drive, in which data is simply deleted, or thoroughly removed respectively. ‘Quick’ mode does not include Windows recovery partitions, hidden user partitions or other areas such as the boot sector of the drive. For this reason, a manual re-installation of the Windows operating system has been covered as an additional method for factory reset. While it performs the same actions as Windows “Reset” functionality, it provides certainty and adaptability.

System Image Recovery is a now-deprecated advanced recovery feature that allows the entire system to be reverted to a previous state. This method requires that a backup image was taken when the device was known to be clean. When the system is recovered, the entire system will be identical to when the image was taken. This includes user data, applications and settings.

Traditional manual re-install is not a built in Windows function, but rather a common method of reinstallation for desktop PC’s. During this process, the hard drive is manually wiped, and the system is built from scratch. This includes formatting, partitioning and OS installation.

System Restore allows an administrator to automatically take periodic backups so that if installing a driver or other piece of software breaks the OS, the user can revert to a last known good version. The default behaviour is not to restore to a completely default setting. However this functionality can be used to set a custom restore point with custom configuration. This can then be used as the recovery image when using ‘restore’.

On a drive enabled with BitLocker or ‘drive encryption’ full disk encryption, the computer’s TPM containing the relevant encryption keys could be cleared. This would make retrieving data from the drive impossible. However, this has not been included as a method, as ‘Reset’ performs a similar function on Windows installations on drives using BitLocker or ‘drive encryption’, whilst automating the deletion and re-installation process.

Within this section, the possibility of malware persistence when using the above ‘factory reset’ techniques is discussed. It should be noted that malware exists with the ability to infect the firmware of components, such as the BIOS of a motherboard. While the persistence of such malware is beyond the scope of this guidance, it is known to exist and its removal cannot be guaranteed with any of the methods discussed in this report.

3.2 Methods of factory resets for platform

Method 1 – Refresh (your PC without affecting your files)

PC Settings -> General -> Refresh your PC without affecting your files

This system refresh functionality is primarily aimed at fixing a Windows 8 installation that no longer functions properly, or has slowed down significantly since initial installation, without affecting the user’s data.

What happens

When performing a system refresh through the provided interface, user files and personalisation settings such as wallpapers and themes are left unchanged.

During the refresh, the PC first boots into the Windows Recovery Environment. From here, user files and applications to be retained are marked for exclusion from the refresh process. A new copy of Windows is then installed, after which the retained data is restored.

Some system settings are maintained, however some are intentionally reset back to the system default. The settings that are intentionally reset, are those deemed by Microsoft to be commonly misconfigured and therefore could potentially cause issues.

The following table shows some examples of which settings are kept and which are deleted.

Settings kept
Settings deleted
Wireless network connections
Mobile Broadband connections
BitLocker and BitLocker To Go settings
Drive Letter assignments
Personalisation settings such as lock screen background, and wallpaper
File Type associations
Display Settings
Windows Firewall Settings
Microsoft approved applications from the Windows store are retained. All third party applications however are removed. This includes applications installed from removable media and non-Microsoft locations on the internet. After the refresh, a list of removed applications is created on the desktop to inform the user.

Further details can be found athttp://blogs.msdn.com/b/b8/archive/2012/01/04/refresh-and-reset-your-pc.aspx

The program ‘recimg.exe’ allows users to create a custom image for use with ‘Refresh’. This takes an image of the current system state, allowing the user to retain their desktop applications, settings and configuration options through the refresh process. It should be noted that this does not affect user data. Further information can be found athttp://blogs.technet.com/b/mspfe/archive/2012/11/06/backing-up-your-pc-or-physical-to-virtual.aspx.

Device Security settings

Some security related settings are retained; however some settings are reset and will require reconfiguration.

Settings regarding wireless network connectivity are kept, as are all BitLocker settings.

Firewall settings are removed and will require reconfiguration.

Malware removal

Unless an image is used, this method will remove all third party applications, including any malicious applications that may have been previously installed by the user. These will be backed up into the Windows.old folder which can then be removed manually.

If a piece of malware were able to be distributed through the Microsoft app store could persist through the reinstallation of that application.

All user files are retained and malicious files on the disk will persist through this process.

Risks

This method does not alter or remove any user data, which could allow malicious files to persist.
Malicious files and malware could persist in various areas untouched by the refresh process.
This method only selectively removes configurations and settings. To ensure all settings are subsequently set to their expected values, the machine should have a full set of policies applied to it though Active Directory or other mechanism.
This process relies on the integrity of the recovery environment. Malware which had compromised the recovery partition could persist into the new environment.
Method 2 – Reset (Remove everything and reinstall Windows)

Settings -> Change PC Settings -> Update and Recovery -> Recovery -> Remove Everything and Reinstall Windows

What happens

The Reset method provides a simple ‘one click’ method of erasing user data and reinstalling the operating system from scratch. The user is provided with two options for the reformatting of the drive.

Quick mode

This mode removes data in the traditional sense of deletion. This means that all references to files are removed and the files are marked as deleted (and therefore may be overwritten in future). However the data for the actual file is not removed until it is overwritten. This makes it possible for forensic software to recover the previously deleted files.

Thorough mode

In order to remove data in a more secure way, this thorough mode writes data over every sector of the drive before formatting it for use. This makes it much more difficult to recover files from the drive.

With both modes, all user data and files are removed. Additionally, all installed applications are removed, including official Microsoft applications and any software installed from the Microsoft app store. Only default or stock applications are reinstalled.

When using the Reset function on a drive with BitLocker full disk encryption or ‘Device Encryption’ enabled, instead of deleting all files or writing data to all sectors of the drive, the process will simply delete the decryption key, making recovery of the encrypted data impossible. BitLocker can also provide protection against boot sector malware, by using the TPM to verify the integrity of boot files. (See references for additional information).

Device Security settings

The operating system is returned to a completely default state, all configurations and settings are cleared.

Any post-installation system hardening or security configuration will need to be re-applied.

Malware removal

The ‘thorough’ mode of operation will write data to all sectors of the drive. This includes all partitions, destroying all data on the disk, preventing any malware persisting the reset process.

The ‘quick’ mode may not wipe all sectors of the disk and could allow malware to persist the process. For example, if malware were to infect the boot sector of the drive, it may not be sanitised using ‘quick’ mode and therefore may persist. The Secure Boot feature on supported devices should mitigate this.

Risks

All PC settings are removed and changed back to default – any security settings would have to be re-applied. To ensure all settings are subsequently set to their expected values, the machine should have a full set policies applied to it though Active Directory or other mechanism.
Quick mode will not securely remove all data, allowing basic forensic tools to recover many of the files.
Quick mode may not encompass the entire drive, which could allow malware to reside in areas such as the boot sector.
This process relies on the integrity of the recovery environment. Malware which had compromised the recovery partition could persist into the new environment.
Method 3 – System Image recovery

This method is deprecated in Windows 8 and above, though may still be of some use to organisations that are doing device reprovisioning on a small scale.

Making a backup image:

Windows 8:

Settings -> Windows 7 File Recovery -> Create a system image

Windows 8.1:

Search -> File History -> System Image Backup

Restoring from the backup:

(Inside Windows recovery options) Troubleshoot -> Advanced Options -> System Image Recovery

What happens

Windows ‘System Image Recovery’ is a feature that allows users to restore their computer to a previously backed up state. In addition to Microsoft’s functionality, there are a number of other ways to achieve this. For example, third party software could be used, or exact copies could be taken as backups using the Linux tool ‘dd’. However Microsoft provide their own functionality within Windows 8.

An image is taken as described above when the operating system is in a known clean state. When the disk requires Image recovery, the process is started and the following things happen:

The disk is formatted and re-partitioned.
All user data, customisation and settings revert back to their state at the point the backup image was taken.
Any changes since the backup image was taken are lost.
It should be noted that Microsoft have announced that “Backup and Restore” functionality is now deprecated and they will no longer develop this feature set. This suggests that the functionality exists for legacy purposes, as they move people towards the new ‘Refresh’ and ‘Reset’ features (Methods 1 and 2 respectively). See the references below for additional information.

Device Security settings

All security settings assume the same configuration they had at the time of backup.

This allows a securely configured OS image to be taken when the machine is first set up, retaining all security settings when the OS is restored from that image.

Malware removal

All user data and installed applications revert to the state they were in when the backup image was taken.

If no malware was present when the backup image was taken, this process will remove all malware.

The recovery wizard provides the option for formatting and re-partitioning the drives in question. This would remove any malware residing in the boot sector of the drive.

Risks

If there is any malware present when the backup image is taken, this will persist the recovery process.

Any security settings, configuration options or programs installed after the image was taken will be lost during the recovery process.

Updates are lost during this process. Any security patches applied post-backup will be lost, resulting in the PC recovering into a vulnerable state. However, any critical security updates will soon be installed by the Microsoft Windows Update.

Microsoft has announced some of these features as deprecated, so they will no longer be developed. Compatibility with future versions of the Windows operating system may be limited.

Method 4 – Traditional manual re-install

To reinstall Windows manually, follow these steps:

Manually wipe hard drive using a tool such as ‘dd’
Format and partition drive (options available within Windows setup)
Re-install Windows from installation media
What happens

The traditional method of returning a computer to its original state involves manually removing all data from the drive, generating a new partition table, formatting those partitions and freshly installing the operating system from external installation media.

This is in many ways similar to the ‘Reset’ Method offered through the OS by Microsoft. The ‘Reset’ method essentially automates this process and presents it in a way that allows non-technical users to perform these tasks.

Doing this manually however does provide some benefit over the automated process. By manually wiping the drive, steps such as writing the drive with random data can be performed or omitted as necessary. This can save a large amount of time if the secure removal of data is not an issue. While this is offered by the ‘quick’ mode of the ‘Reset’ method, manually performing these tasks also provides certainty that all sectors of the drive have been overwritten.

Device Security settings

All operating system settings will return to the default state, and require configuration.

Malware removal

This method would ensure that all malware is removed. However, this is only true if care is taken to ensure that all sectors of the drive are wiped before formatting and installation.

Risks

All PC settings are removed and changed back to default.
Any security settings have to be re-applied.
Potential for certain configuration settings to be forgotten or missed.
All partitions must be wiped to ensure that no malware persists.
Method 5 – System Restore

The ‘System Restore’ functionality in Windows allows an administrator to restore the machine’s files and programs to a previous state. Windows automatically creates restore points on a regular basis and this functionality is primarily aimed at fixing OS issues and crashes caused by bad programs or driver installations. However, the system restore feature can also be used to create a restore point on demand. This would allow the user to create a restore point shortly after installing and configuring Windows, in a state that is known to be safe and clean.

To set a restore point on-demand:

Control panel -> System -> System Protection -> Create

To restore from previously set restore point:

Control panel -> System -> System Protection -> System Restore

-OR-

System Recovery Options -> Advanced options -> System Restore

What happens

System Restore will only change applications, programs (and other executable files such as scripts and batch files), system files and registry settings.
System restore does not affect personal files and documents.
It should be noted that while the majority of available documentation on this feature was written for Windows 7, this feature is still available in Windows 8.

Device Security settings

System restore will restore settings from a given restore point. Any security settings made after the restore point was created could potentially be lost. To ensure all settings are subsequently set to their expected values, the machine should have a full set of policies applied to it though Active Directory or other mechanism.

Any security settings and features associated with removed or altered programs have the potential to be changed also.

Malware removal

Any malware that had been installed as a program or application since the restore point was created will be removed.

User files and documents are not affected by this method, therefore it would be possible for malicious files to persist the process.

Additionally, the drive is not formatted during this process, allowing malware to persist in more advanced ways.

Risks

System restore does not affect user data. This could allow any malicious files to remain on the disk.
Settings and configurations made after the restore point was set will be lost.
The drive is not formatted during the System Restore process. If a piece of malware had infected the boot sector of the drive, it would remain present after the System Restore process.

3.3 Factory reset scenarios

For this device, the following actions are recommended for the scenarios detailed in the introduction.

Reissuing device to a different user in the same security environment

If an image has been previously taken, Method 3 (restore from a known safe image) would be the best option. This would allow the user to revert back to a safe build with relevant applications for the organisation installed, and all security settings in-tact.

If imaging is not a possibility or a clean image is unavailable, then reset (Method 2) is recommended.

If the secure removal of data is required, ‘thorough’ mode of Method 2, or Method 4 should be used.

Only method 3 will maintain all relevant configurations and settings which were set prior to the image being taken.

Risks

When using Method 3, if malware was present when the image was taken, malware would persist across to the new user’s machine

Making individual backups is less scalable – Microsoft deployment software can be used to manage this, however the methodology for this is different and requires an experienced systems administrator familiar with Windows and MS tools.

Quick mode of Method 2 will not attempt to securely wipe data, allowing it to be recovered using forensic tools and techniques.

Method 4 is the most customisable; however the manual nature of this method presents more opportunity for mistakes to be made.

Preparing a device which has not previously been managed

When preparing a device that has not been managed, the device should be treated as hostile regardless of its origin, as its current state is unknown.

It is recommended that the device be treated as if it were infected, and the advice given in the below scenario (Sanitising device believed to be compromised with malware) is followed first.

Once this procedure has been followed, a ‘base build’ image of the device should be taken once it has been configured securely for use.

This image will enable the device to be sanitised or re-purposed more efficiently in the future.

Risks

Method 4 provides the most certainty with regards to malware removal, but also takes more time and effort.

The manual nature of Method 4 presents the opportunity for mistakes to be made, or steps to be missed.

Method 2 must be used in ‘thorough’ mode, as ‘quick’ mode may not clear the boot sector of the drive.

Sanitising device believed to be compromised with malware

When removing malware it is recommended that each sector of the hard drive is completely overwritten to ensure no malicious files may persist. This is because some advanced malware has the ability to infect the boot sector.

Both Method 2 and Method 4 offer the above functionality.

Method 2 will only provide comprehensive protection when using the ‘thorough’ mode of operation, as this mode wipes all sectors of the drive.

Method 4 will provide additional certainty when removing malware, as steps can be performed and verified manually.

Risks

Method 4 provides the most certainty with regards to malware removal, but also takes more time and effort.
The manual nature of Method 4 presents the opportunity for mistakes to be made, or steps to be missed.
Method 2 must be used in ‘thorough’ mode, as ‘quick’ mode may not clear the boot sector of the drive.
Sanitising device for release to lower security domain or sale.

Microsoft recommend their ‘Reset’ functionality (Method 2 above) for use when sanitising a device for sale.

The ‘Reset’ function may be used for this purpose only if the ‘thorough’ formatting method is chosen, in which case each sector of the drive will be entirely written with data, making forensic file recovery difficult.

If the drive is using BitLocker encryption, Method 2 is also recommended, as encryption metadata will be deleted making data recovery impossible.

In the case that sensitive data resides on the hard drive of the machine, a Manual re-install (Method 4 above) is recommended. This allows the number of random data passes to be customised, providing additional protection against advanced data recovery techniques.

Method 2 requires significantly less time and effort to perform, as Microsoft have automated the majority of this process. However Method 4 provides additional security surrounding the secure removal of sensitive data.

Risks

If using method 2, care must be taken to ensure that the ‘thorough’ mode is chosen over the ‘quick’ mode. This is because the ‘quick’ mode does not securely remove data from the drive, making it easy to recover using forensic tools.

Even when using the ‘thorough’ mode of operation for method 2, it should be acknowledged that only one pass of data will be written to the drive. While this makes it much more difficult to recover any meaningful data from the drive, a process of 3 passes of random data to each sector of the drive is recommended for the secure removal of data.

4. iOS 7

This guidance was developed from testing on iPhone 5 devices running iOS 7.0.

4.1 Summary of factory reset for platform

The underlying procedure performed when restoring an iOS device is not fully publicly documented, so assurance cannot be provided that by restoring a device to factory settings using some of the procedures explained in this section may completely remove all malicious software.

Apple only explicitly states that a device will be restored to a known good state with the certainty that only unmodified Apple-signed code is present by recovering the device using DFU mode. For this reason, even though most reset methods correctly erase all user data and settings, there is no guarantee that these will safely delete every kind of root level exploit or malware.

Tests were performed in order to verify what the vendor documentation states regarding each of the available reset mechanisms, and to document the results of such mechanisms on a jailbroken device. The version of the iOS system used was 7.0.4, the latest at the moment of this research.

4.2 Methods of factory reset for platform

Many of the security-related features in iOS, including erase methods, are discussed in detail in the iOS Security Whitepaper.

Method 1 – The “Erase all Content and Settings” Feature

Erase all Content and Settings can be performed by tapping on Settings >General >Reset >Erase all Content and Settings. If the version in use is iOS 7 and the “Find My iPhone” setting is turned on, the user’s Apple ID and password will be required. If the Restrictions options are in use, the Restrictions PIN will also be required.

What Happens

Devices supporting hardware encryption will delete the key used to encrypt data. This applies to all devices that support iOS 7. Deleting this key makes the encrypted data no longer accessible, effectively deleting all user data and settings. After performing this reset method, the device requires to be set up. Apple recommends this method before selling or giving away an iOS device.

Device Security Settings

By performing this action all existing settings on the device will be removed, including any security settings previously configured.

Malware Removal

Any malware from apps executing at user-level will be deleted by this method.

Malware exploiting a root-level vulnerability to achieve persistence (like a Jailbreak would do) may persist by using this reset method.

Rooted Devices

The Apple Users community report that previous versions of iOS in a jailbroken device may hang the device and may not delete all content.

This procedure was performed on a jailbroken device running iOS 7, and the device hung during the procedure, requiring a forced shutdown. When the device was booted again, all personal data was still present and it remained jailbroken, therefore this procedure did not succeed in this scenario.

Risks

Malware exploiting a root-level vulnerability to achieve persistence may persist by using this reset method.
A root level exploit or malware may change system functionality, including that used to reset a device.
Method 2 – Restore iOS to Factory Settings Through iTunes

It is required to use the latest version of iTunes, as well as turning off the “Find my iPhone” feature in Settings > iCloud on the device (if active), in order to disable Activation Lock.

To restore the device through iTunes, the device should be connected to a computer running iTunes, which will display the device. In the device’s Summary pane, click Restore. This will display a confirmation window, which will require the user to confirm the action.

What Happens

The device is restored to factory settings, deleting all data and content from the device. This method also installs the latest version of iOS if not already in use.

After the device has been restored, it can be set as new or can recover previous content by restoring a backup.

The technical procedure to restore a device to factory settings by this method has not been disclosed, so it is not publicly known if every component of the system is completely restored to a trusted state or if malware may circumvent this procedure by any means.

Therefore, it cannot be guaranteed that any high privileged malware will not persist after performing this reset method.

Device Security Settings

By performing this method and setting the device as new, all existing settings on the device will be removed, including any security settings previously configured.

By performing this method and restoring a previous backup, security settings may also be recovered.

Malware Removal

Any malware from apps executing at user-level will be deleted by this method.

Rooted Devices

This method successfully deletes all content, including any exploits used to jailbreak the device.

Risks

It cannot be completely guaranteed that malware exploiting a root-level vulnerability to achieve persistence will be removed by following this method.
Errors may occur if an older version of iTunes is used to perform this restore procedure.
Method 3 – Recovery Mode

To perform a recovery mode erase, the device needs to be turned off. If this is not possible, the “Sleep/Wake” and “Home” buttons need to be pressed simultaneously for a few seconds until it turns off. The device’s USB cable needs to be plugged into a computer, without connecting the device to it. The device’s “Home” button has to be pressed as it is connected to the USB cable. When the “Connect to iTunes” screen is displayed, the “Home” button needs to be released. After this procedure, the steps described in Method 2 need to be followed in order to complete the recovery process.

What Happens

This is automatically performed by a device when any stage of its boot process fails, but it can also be set up manually following the process described above. After setting the device in recovery mode, it finishes the recovery process by following the iTunes restore process described in Method 2. As in Method 2, it cannot be guaranteed that any high privileged malware will not persist after performing this reset method.

Device Security Settings

By performing this action all existing settings on the device will be removed, including any security settings previously configured.

Malware Removal

Any malware from apps executing at user-level will be deleted by this method.

Rooted Devices

This method successfully deletes all content, including any exploits used to jailbreak the device.

Risks

It cannot be completely guaranteed that malware exploiting a root-level vulnerability to achieve persistence will be removed by following this method.
Errors may occur if an older version of iTunes is used to perform this restore procedure.
Method 4 – DFU mode

To enter Device Firmware Upgrade (DFU) mode, connect the device to a computer and hold down both the “Home” and “Sleep/Wake” buttons. After 8 seconds, release the “Sleep/Wake” button while continuing to hold down the “Home” button. In DFU mode the screen will be black. Seeing the Apple logo or other signs indicating the device is on will mean that the process was not performed correctly.

What Happens

This procedure is similar to the Recovery Mode explained in Method 3. It allows setting a device in DFU mode if it is not possible to start it by other means, with the difference that it occurs automatically when not even the first stage of the boot process can be started. This method can also be set manually. After setting the device in DFU mode, it finishes the recovery process by following the iTunes restore process described in Method 2. Following this method, Apple provides certainty that only unmodified Apple-signed code will be present on the device.

Device Security Settings

By performing this action all existing settings on the device will be removed, including any security settings previously configured.

Malware Removal

Only unmodified Apple-signed code is present on the device, malware may not persist by using this reset method.

Rooted Devices

This method successfully deletes all content, including any exploits used to jailbreak the device.

Risks

Errors may occur if an older version of iTunes is used to perform this restore procedure.
Method 5 – Passcode Lock “Erase Data”

iOS provides a mechanism to reset the device data after a number of unsuccessfulpasscode input attempts.

Go to Settings > General > Passcode Lock > set Erase Data.

What Happens

As stated by Apple, the iOS interface enforces escalating time delays after the entry of an invalid passcode, dramatically reducing the effectiveness of brute-force attacks via the Lock screen. Users can choose to have the device automatically wiped after 10 failed passcode attempts. This setting is available as an administrative policy and can also be set to a lower threshold through MDM (Mobile Device Management) and Exchange ActiveSync.

The iPhone 5s allows setting up Touch ID – a technology that allows using a fingerprint as a passcode. If Touch ID doesn’t recognise the user’s fingerprint after five attempts, the user must enter their device password instead.

Device Security Settings

All security settings on the device are deleted by this method.

Malware Removal

Any malware executing at user-level will be deleted by this method.

Malware exploiting a root-level vulnerability to achieve persistence may persist by using this reset method.

Rooted Devices

This method was used to reset a jailbroken device running iOS 7. Similarly to the “Erase all content and data” method, it started the reset process, however hung while shutting down the device, requiring to force a shutdown. When turning on the device again, there was one attempt to enter a passcode. Entering a wrong passcode started the reset process, hanging again the device while shutting down. Entering a valid passcode allowed to unlock the screen; all personal data was still on the device and it remained jailbroken, therefore this procedure did not succeed in this scenario.

Risks

Malware exploiting a root-level vulnerability to achieve persistence may persist by using this reset method.

A root level exploit or malware may change system functionality, including that used to reset a device.

Method 6 – Remote Wipe

There are three methods to remotely wipe an iOS device: resetting from a Mobile Device Management (MDM) server, Microsoft ActiveSync, or using an iCloud account. Any of these methods will send a remote wipe command to the device.

An MDM server allows the management of iOS devices enrolled to an enterprise environment. Such server can be built in-house by an organisation or purchased to another third party.

Microsoft ActiveSync allows resetting a device through Microsoft Exchange Server. With Microsoft Exchange Server 2003, users can initiate Remote Wipe using the Exchange ActiveSync Mobile Administration Web Tool. With Microsoft Exchange Server 2007 and 2010, it can also be performed with the Exchange Management Console and Outlook Web Access.

Remote Wipe through iCloud is an option available for non-corporate users to reset their devices in case these get lost or stolen. In order to reset the device with this method, it is required to link the device with an iCloud account, and enable the “Find My iPad” feature. The device can be reset by going to icloud.com, and logging in with the Apple ID linked to the device. Clicking on the “Find My iPhone” icon and then “All Devices” lists all the devices linked to that Apple ID with the “Find My [device]” option set. Clicking “Erase [device]” deletes all data and settings. This also allows entering a phone number and a message that are displayed on the screen after the device is erased.

After resetting through iCloud, the device’s lock screen displays the phone number and message entered when erasing the device, and requires activation with the same Apple ID used to erase the device. This activation cannot be bypassed by restoring the device with any of the mechanisms defined in this report.

What Happens

The effects of this method are similar to the “Erase all contents and settings” procedure. It deletes all user data and settings by deleting the key used to encrypt such data. It is then required to either set up the device as new, or restore from a backup.

Device Security Settings

By performing this action all existing settings on the device will be removed, including any security settings previously configured.

Malware Removal

Any malware executing at user-level will be deleted by this method.

Malware exploiting a root-level vulnerability to achieve persistence may persist by using this reset method.

Rooted Devices

A jailbroken device was reset by this method, however it turned to an unstable state. The device performed the procedure, however it hung while rebooting, requiring the device to be forcibly shut down. When turning on the device again, the device started the reset procedure again, hanging and requiring again a forced shut down. This could only be solved by either resetting the device through Recovery Mode or DFU mode.

Risks

Malware exploiting a root-level vulnerability to achieve persistence may persist by using this reset method.
A root level exploit or malware may change system functionality, including that used to reset a device.
A root level exploit or malware may remove configuration profiles enforced by enterprise policies and prevent the reset.

4.3 Factory reset scenarios

For this device, the following actions are recommended for the scenarios detailed in the introduction.

Reissuing Device to a Different User in the Same Security Environment

None of the reset methods allow settings to be kept. The only way to restore settings are from a backup, downloading a configuration profile, or manually re-entering them.

Method 1 can be used and does not require the device to be connected to a computer.

Method 2 can also be used but requires connecting the device to a computer with iTunes installed.

In both cases, the new user will have to activate the device through the network, either using a wireless connection or connecting to a computer and using iTunes.

The device can either be set up as new, or previous settings can be restored by restoring a backup, in which case the passcode is not restored.

In an enterprise environment, the device will have to be re-enrolled with the MDM service. Methods 3 and 4 are intended for restoring a device that cannot be booted, however these methods can also be used.

Methods 5 and 6 are intended for scenarios where a device is lost or stolen, however these methods can also be used.

Risks

Methods 1, 5 and 6 may not correctly reset the device if it is jailbroken.
If the device is affected by a root-level exploit or malware without knowledge of the user, this may persist by using methods 1, 5 and 6.
Although they successfully recover a jailbroken device, there is no complete guarantee that methods 2 and 3 will delete all kind of root exploits or malware on the device.
Preparing a Device Which has not Previously Been Managed

Method 1 can be used and does not require the device to be connected to a computer.

Method 2 can also be used but requires the device to be connected to a computer with iTunes installed. In both cases, the new user will have to activate the device through the network, either using a wireless connection or connecting to a computer and using iTunes.

The device can either be set up as new, or previous settings can be restored by restoring a backup, in which case the passcode is not restored.

In an enterprise environment, the device will have to be enrolled with the MDM service.

Methods 3 and 4 are intended for restoring a device that cannot be booted, however these methods can also be used.

Methods 5 and 6 are intended for scenarios where a device is lost or stolen, however these methods can also be used.

Risks

Methods 1, 5 and 6 may not correctly reset the device if it is jailbroken.
If the device is affected by a root-level exploit or malware without knowledge of the user, this may persist by using methods 1, 5 and 6.
Although methods 2 and 3 successfully recover a jailbroken device, it cannot be completely guaranteed that malware exploiting a root-level vulnerability to achieve persistence will be removed by following these methods.
Sanitising a Device Believed to be Compromised with Malware

If malware is believed to reside in an application installed from an Apple-approved source:

Method 1 can be used and does not require the device to be connected to a computer.
Method 2 can also be used but requires the device to be connected to a computer with iTunes installed.
Methods 3 and 4 are intended for restoring a device that cannot be booted, however these methods can also be used.
Methods 5 and 6 are intended for scenarios where a device is lost or stolen, however these methods can also be used.
If malware is believed to reside in an application installed from a jailbreak source:

Use Method 2.
Methods 3 and 4 are intended for restoring a device that cannot be booted, however these methods can also be used.
Methods 5 and 6 are intended for scenarios where a device is lost or stolen, however these methods can also be used.
If malware is believed to execute at root level:

Use Method 4.
Methods 2 and 3 may successfully remove a root level exploit or malware, however this cannot be guaranteed.
Risks

If the device is affected by a root-level exploit or malware without knowledge of the user, this may persist by using methods 1, 5 and 6.
Although methods 2 and 3 successfully recover a jailbroken device, it cannot be completely guaranteed that malware exploiting a root-level vulnerability to achieve persistence will be removed by following these methods.
Sanitising a Device for Release to Lower Security Domain or Sale

Method 1 can be used and does not require the device to be connected to a computer.

Method 2 can also be used but requires the device to be connected to a computer with iTunes installed.

Methods 3 and 4 are aimed at restore a device that cannot be booted, however these methods can also be used.

Methods 5 and 6 are intended for scenarios where a device is lost or stolen, however these methods can also be used.

Risks

Methods 1, 5 and 6 may not correctly reset the device if it is jailbroken.
If the device is affected by a root-level exploit or malware without knowledge of the user, this may persist by using methods 1, 5 and 6.
Although methods 2 and 3 successfully recover a jailbroken device, it cannot be completely guaranteed that malware exploiting a root-level vulnerability to achieve persistence will be removed by following these methods.

5. BlackBerry 10 OS

This guidance was developed from testing on BlackBerry Z10 devices running BlackBerry 10.2.1.

5.1 Summary of factory reset for platform

BlackBerry offers a variety of options for performing a factory reset, each one with its advantages and limitations. The factory reset functionality offered can be applied either locally or remotely. The latter is really important in cases that the device is lost or stolen and the owner does not want a potential attacker to access personal sensitive data stored on the phone. In the following sections, the available methods for factory reset are presented along with possible scenarios and best practices.

Methods of factory resets for platform

In this section, the methods of performing device factory reset of BlackBerry devices will be presented along with the specifications, limitations and risks according to the information provided by the vendor documentation.

Method 1 – Security Wipe from the handheld device

One of the methods provided by the BlackBerry 10 OS is to secure wipe the information on the device locally from the handheld device.

To perform a security wipe follow the following steps on the mobile device:

Settings > Security and Privacy > Security Wipe

The user is required to enter keyword blackberry in order to confirm that the action is deliberate and not accidental.

Finally, tap on Delete Data option.

After the device has been successfully wiped out, the initial configuration wizard appears the next time the device boots up.

Further information can be found athttp://docs.blackberry.com/en/smartphone_users/deliverables/50635/als1342454190100.jsp.

What happens

Following the aforementioned process, the device is restored to the factory state and no data from the user or third party applications remains on the storage. In addition, any IT policies that have been specified on the device are reset to the default values.

Device Security settings

Any settings that have been set to enhance device’s security have been reset to default – possibly less secure – values.

Malware removal

The official BlackBerry documentation does not state specifically the device locations that the data is erased. However, the process can be regarded as a full wipe of the potential data that the user stores, whether they are malicious attachments downloaded from mail or third-party applications installed on the device.

Risks

If the user accidentally or deliberately removes the battery or he impedes in any way the normal reset process, the device enters an undefined state where further interaction should take place in order to boot properly (e.g. reload the BlackBerry OS).
Method 2 – Remotely wipe using BlackBerry Protect

The BlackBerry platform offers the ability to remotely reset the device if the BlackBerry Protect functionality is enabled. BlackBerry Protect is an application that provides a set of operations through a designated web interface. Although the application is not enabled by default, the user is able to enable it by following the steps below:

Enable BlackBerry Protect application on the handheld device via Settings > BlackBerry Protect > Turn switch to On (Note: As soon as the BlackBerry Protect is enabled the user can lock the functionality using their BlackBerry ID, in order to prevent a potential attacker disabling it.)

Perform Security Wipe via BlackBerry Protect web interface

Access BlackBerry Protect website at http://protect.blackberry.com.
Enter BlackBerry ID and respective password.
Select the device to security wipe remotely.
Click on Wipe Device.
Enter password again to verify the action and click on Security Wipe.

What happens

After the remote wipe has been applied, the device restores to the factory state and no data including third party applications remain on the device’s storage. In addition, any IT policies that have been specified on the device are reset to the default values.

Device Security settings

The Device Security settings of the device are not maintained and they should be reapplied.

Malware removal

The available documentation does not state specifically the locations where from data has been erased. However, the process can be regarded as a full wipe of the potential data that the user stores, whether they are malicious attachments downloaded from mail or third-party applications installed on the device.

Limitations

The device should be connected on the Internet in order to be accessible remotely. This can be achieved either if the device is connected through Wi-Fi or mobile data network.

In case the device is not accessible at the time the command is sent, the action is queued and it is performed the next time the device connects to the Internet.

Risks

If the user accidentally or deliberately removes the battery or impedes in any way the normal reset process, the device enters an undefined state where further interaction should take place in order to boot properly (e.g. reload operating system).
Method 3 – Security wipe using BlackBerry Enterprise Service (BES) 10

In enterprise environments, it is common to manage the devices provided to employees using a centralised solution offered by BlackBerry Enterprise Service (BES). The version that is compatible with version 10 of BlackBerry operating system is BES 10. Using this functionality the IT administrator of a company is able to factory reset the devices either remotely or when the devices become available in the corporate network. There is a number of possible operations that can be performed on the device. The majority of the actions performed are accessible through the BES 10 User Administration Tool that provides a command window where the respective command can be given as input.

BES 10 User Administration Tool

The command window is available in the following path: Start > All Programs > BlackBerry Resource Kit for BlackBerry Enterprise Service 10 > BlackBerry Enterprise Service 10 User Administration Tool

The available actions that are applicable on the handheld device that communicates with the BES are:

Removal of user account and data deletion from user’s device.

This operation removes a user account from the BlackBerry Device Service (BDS) and all the data stored on their device are deleted resetting the device to the initial factory state.

Command: besuseradminclient (credentials) -delete –u (user_name) -wipe –all_device_data

Delete all data from a device

Following this operation, all the data on the device will be erased and the device will return to the factory state. This operation can also be applied on multiple devices that belong to the same user by providing the (pin) argument in the command below.

Command: besuseradminclient (credentials) -kill_handheld –u (user_name) -pin (pin)

BlackBerry 10 OS implements enhanced functionality for the operation of a device as an enterprise solution. One of the features is the “BlackBerry Balance”. Taking advantage of this functionality the user can have both personal and corporate profile on the same device without any risk of overlap. However, there are cases that the security of the business workspace might become compromised. BES 10 offers functionality to mitigate any incident by wiping out the work related data and leaving intact the personal data.

Remove a user account and delete the work data from the user’s devices.

The user can be removed from the centralised server and subsequently all the data that belong to the work profile are erased.

Command: besuseradminclient (credentials) -delete –u (user_name) -wipe -organization_data_only

Delete the work data from the device.

This is another option to wipe out only the working data from the user’s BlackBerry device without touching personal data. Business data that will be deleted are encryption keys, IT policies and any applications that have been installed on the device using the centralised service.

Command: besuseradminclient (credentials) -kill_handheld –u (user_name) -organization_data_only

What happens

The data that are deleted from the device depends on the command that have been executed in each case as explained above.

Device Security settings

The Device Security settings are reset to default settings and they need to be pushed again to the device from the administration through the BES.

Malware removal

The documentation does not state specifically the device’s locations where from data has been erased.

In the case all the data are deleted, the process can be regarded as a full wipe of the potential data that the user stores, whether they are malicious attachments downloaded from mail or third-party applications installed on the device.

If the wipe performed applies only on the business profile of the device, no assurance can be provided that malware will not persist on the personal profile’s workspace of the device.

Limitations

The device should be connected on the Internet through Wi-Fi or mobile data network. Otherwise, the device should be connected on the corporate network either by using corporate Wi-Fi network or through a microUSB cable.

Risks

No assurance can be provided that the malware will be removed if the data deletion is performed only on the business profile of the device in case “BlackBerry Balance” functionality is in use.

Method 4 – Remotely wipe using BlackBerry Enterprise (BES) 10 Self-Service

BES 10 Self-Service functionality allows the user of a BlackBerry device to selectively delete data from the device in case a device is no longer used for corporate purposes or it got stolen. The functionality is provided through a web interface where the user is able to perform various actions on the device. The administrator of the corporate network who is in charge of the BES 10 management should provide users with the appropriate URL and the respective credentials in order to login to the service and access their devices. The following steps describe the separate procedures of deleting only the data belonging to the working profile or all the device data.

Delete only work data

Select the device from the web interface.
Click on Delete only work data > Delete only work data to apply the command.
Delete all device data

Select the device from the web interface.
Click on Delete all device data > Delete all device data to perform the action.
What happens

Depending on the type of reset that is performed different amount of data are erased from the device.

Delete only work data

Only the data on the working profile of the device are deleted. These include the work email messages and other work related data.

Delete all device data

A full wipe is performed reverting the device to its factory state. Note: In both cases, the device will no longer be manageable from the BlackBerry Device Service (BDS) of the BES.

Device Security settings

The Device Security settings of the device are not maintained and they should be reapplied.

Malware removal

The documentation provides only a high-level description of the erased data. In the case that only the work-related data is deleted, malware can persist in locations of the device that are not affected by the operation performed. Regarding the second case, the process can be considered as a full wipe of the potential data that it have been stored, whether they are malicious attachments downloaded from mail or third-party applications installed on the device.

Limitations

The device should be connected on the Internet in order to be accessible remotely. This can be achieved either if the device is connected through Wi-Fi or mobile data network.

Risks

If the user accidentally or deliberately removes the battery or impedes in any way the normal reset process, the device enters an undefined state where further interaction should take place in order to boot properly (e.g. reload operating system).

Method 5 – Automatic wipe device according to applied IT Policy

BlackBerry offers enhanced functionality to the devices assigned to BES 10 by enforcing IT Policy rules. Through this functionality the device can be wiped out automatically when certain conditions are met. The IT Policy rules available to administer the devices are presented below:

Maximum Password Attempts

This rule belongs to the Password group of Policy Rules and it is activated when the number of incorrect password entries exceed a number that have been specified on the policy rule. When this rule is triggered, all the data that belong to the work profile are deleted.

Allowed values: 3 to 10 Default value: 10

Note: If the “BlackBerry Balance” technology is used:

Password Required for Work Space rule should be set to Yes.
If Apply Work Space Password to Full Device rule is set to Yes, then all data belonging to personal and work profiles are deleted.
Wipe the Device Without Network Connectivity for “BlackBerry Balance” enabled devices

This rule belongs to the Security group of Policy Rules and specifies the amount of time that can elapse without the device be connected on the organisational network before it deletes the data of the work profile. This rule should be set when the activation type of the user used to activate the device on the BlackBerry Device Service (BDS) is “Work and Personal-Corporate” or “Work and Personal-Regulated”.

This rule can be used in the case the device cannot receive updates or commands from the BES 10.

Wipe the Device Without Network Connectivity for “Work space only” devices

This rule belongs to the Security group of Policy Rules and specifies the amount of time that can elapse without the device be connected on the organisational network before it deletes all device’s data. This rule should be set when the activation type of the user used to activate the device on the BlackBerry Device Service (BDS) is “Work space only”.

This rule can be used in the case the device cannot receive updates or commands from the BES 10.

The value of the rule states the number of hours that can elapse before the rule is triggered. Allowed values: 2 to 8670 Default value: null (indicates that rule is not in use)

What happens

The data that are deleted depend on the policy rule that has been set. Wherever it is mentioned that all the data are deleted, these include documents, settings, third-party applications, along with any existing IT Policy that have been applied on the device.

On the other hand, in the case only work profile data are deleted, applications, contacts and mails that are associated only with the work profile are erased.

Device Security settings

The Device Security settings do not persist on the device and they should be set again.

Malware removal

The official BlackBerry documentation does not state specifically the device locations that the data is erased. However, the process can be regarded as a full wipe of the potential data that the user stores, whether they are malicious attachments downloaded from mail or third-party applications installed on the device.

Method 6 – Factory Reset Device using BlackBerry Link

Windows and Mac OS users can restore a BlackBerry device running version 10 of the BlackBerry operating system using the BlackBerry Link desktop application. The process that should be followed for each operating system is presented below:

On Windows (using BlackBerry Link for Windows 1.2.2):

On the desktop computer, the BlackBerry Link application should be executed.
Then, the connected device that will be restored in default state should be selected from the side of the screen.
Click on Back Up & Restore.
Finally, click on Factory Reset to initiate the procedure.
On Mac OS (using BlackBerry Link for Mac OS 1.2):

On the desktop computer, the BlackBerry Link application should be executed.
Then, the connected device that will be restored in default state should be selected from the side of the screen.
For the top menu of the window application, click on BlackBerry Link menu and then select Preferences option.
Finally, click on Reload to perform the factory reset.
What happens

According to documentation this process erases the device data, documents, settings, third-party applications, along with any existing IT Policy that have been applied on the device.

Device Security settings

The Device Security settings do not persist on the device and they should be re-configured.

Malware removal

The official BlackBerry documentation does not state specifically the device locations that the data is erased. However, the process can be regarded as a full wipe of the data that the user stores on the device, whether they are malicious attachments downloaded from mail or third-party applications installed on the device.

Limitations

The device should be physically accessible and connected on the desktop system using micro USB cable. Moreover, the process of restoring the device to default settings cannot be terminated once started. However, in case it is interrupted by a device reset, the restore resumes after the device restarts.

Method 7 – Clean Reload BlackBerry 10 OS using BlackBerry Link

BlackBerry provides the ability to reload the operating system on a BlackBerry 10 OS device in case the device faces inconsistency issues (e.g. interrupted security wipe). Moreover, the process described below erases the device data in the same manner a factory reset does. Hence, it is useful regarding the situation that the handheld device is infected with malware. The procedure that should be performed on each operating system is the following:

On Windows (using BlackBerry Link for Windows 1.2.2):

Open BlackBerry Link application.
Power off the handheld device and connect it on the computer using microUSB cable.
Select the device to reload the OS from the Devices section.
On the top-right of the BlackBerry Link window, click on Preferences.
On the left side of the window, select Reload Device Software and click on Reload.
On Mac OS (using BlackBerry Link for Mac OS 1.2):

Open BlackBerry Link application.
Power off the handheld device and connect it on the computer using microUSB cable.
From the left side of the BlackBerry Link window, select the device.
Finally, click on the Reload button.
Note: In the case the device has not been detected by BlackBerry Link automatically, click the BlackBerry Link menu on the top menu bar and subsequently select Reload under the Preferences menu option.

What happens

According to documentation this process erases the device data, documents, settings, third-party applications, along with any existing IT Policy that have been applied on the device.

Device Security settings

The Device Security settings do not persist on the device and they should be re-configured.

Malware removal

The official BlackBerry documentation does not state specifically the device locations where from the data is erased. However, the process can be regarded as a full wipe of the data that the user stores on the device, whether they are malicious attachments downloaded from mail or third-party applications installed on the device.

Limitations

The device should be physically accessible and connected on the desktop system using microUSB cable.

Internet connectivity is required in order to install the latest version of BlackBerry operating system.

It is also advisable to have the latest version of BlackBerry Link for each platform described installed.

5.2 Factory reset scenarios

The BlackBerry platform can offer an approach for each of the scenarios described in the introduction, as explained below.

Reissuing device to a different user in the same security environment

BES 10 provides a centralised solution for managing devices in security environments that maintain a significant number of users. Managing the device through BES 10, the device can be modified and personalised according to the needs of each environment. In this specific scenario, a device can be restored in the factory state by deleting all the data that are installed on the device (both user and work profiles). Subsequently, through the BES the existing IT policies can be pushed on the device before the device is issued to a different user.

By applying method 3 a security wipe can be performed and all the data will be deleted from the device.

Using method 1 the device can be wiped out securely, but subsequently it should be set up with a corporate account in order to load the enforced IT Policy rules.
Method 2 is not applicable if the user’s credentials required to log into the BlackBerry Protect service are not available.
Method 5 is mainly applicable as a mitigation mechanism in case of device theft or if it got lost.
Methods 6 and 7 can perform a secure wipe effectively, but they require a direct connection through MicroUSB cable to a computer, along with the appropriate software installed i.e. BlackBerry Link.
Risks

Care should be taken when using method 3, in order to delete all the data on the device in case multiple profiles have been enabled through the “BlackBerry Balance” functionality.
Preparing a device which has not previously been managed

Method 1 offers the ability to erase all device’s data from the handheld device.

Method 2 requires the device to have been set up using a user’s BlackBerry ID. In the context of this scenario, it is recommended to wipe out the device using another way before providing user related data on the device.

Method 3 and 4 requires to have set up the device with a corporate account. As mentioned in the previous point it is recommended to wipe the device before inserting user related data.

Method 5 is mainly applicable as a mitigation mechanism in case of device theft or if it got lost.

Method 6 and 7 can also be used in this scenario, as they perform a full factory reset of the device. However, a direct connection through MicroUSB cable to a computer, along with the appropriate software installed i.e. BlackBerry Link.

Risks

Associating the device with a corporate account as in methods 3 and 4 or with a BlackBerry ID as in method 2 might allow malware to intercept personal information or user credentials, before the device is wiped out.
Sanitising device believed to be compromised with malware

In the case a device is believe to be compromised with malware there are options to erase data from it whether the device is physically accessible or not.

A complete full device wipe can be performed on the handheld device using the methods 1, 6 and 7. However, methods 6 and 7 require a direct connection through MicroUSB cable to a computer, along with the appropriate software installed i.e. BlackBerry Link.

If the device cannot be accessed physically, it is advisable to perform a remote wipe using the method 2. However, the limitation of these methods is that the device should be connected on the Internet.

In case BES is used, then methods 3 and 4 might be applicable. These methods offer the advantage that the device can be wiped out remotely if it is connected on the internet. Nevertheless, care should be taken to execute the appropriate command of deleting all the data from the device.

Method 5 is mainly applicable as a mitigation mechanism in case of device theft or if it got lost.

Risks

Malware may be able to persist in locations that the methods described are not wiping out. However, the documentation does not provide any further insight on the specific locations that are wiped out.
Sanitising device for release to lower security domain or sale

Method 1 is the most convenient way of erasing the device data and restoring it to its factory state as it can be performed directly from the handheld device.

Methods 6 and 7 require access to a computer (running Windows or Mac OS) and a physical connection with the device through microUSB cable to perform a security wipe.

In case a centralised solution like BES 10 is in place, the method 3 offers the option of factory resetting the device by deleting all the data from it.

Method 2 can also be used in case the device is accessible remotely and credentials for the BlackBerry Protect service are known.

In order to use method 4, the device should be activated with a corporate account that belongs to the BES.

Method 5 is mainly applicable as a mitigation mechanism in case of device theft or if it got lost.

Risks

Care should be taken when using method 3, in order to delete all the data on the device in case multiple profiles have been enabled through the “BlackBerry Balance” functionality.

Read more here:: NCSC Guidance