Why is it necessary to be able to erase corporate data if a mobile device is lost or stolen?

In order to continue enjoying our site, we ask that you confirm your identity as a human. Thank you very much for your cooperation.

“Remote wipe” is a term you’ll hear a lot when it comes to managing smartphones and tablets, especially regarding security, loss and theft. If a device is lost or stolen, someone can send a command to completely remove stored data, which can protect the company’s valuable assets and reduce the risk of breach or compromise.

Since a data breach costs an enterprise $3.9 million on average, aggressively wiping a lost phone is pretty good business sense. With this in mind, it's worth taking a few minutes to understand remote wipe and its implications for your employees' smartphones.

A remote wipe policy is used by IT managers to help manage the risks presented by easily lost or stolen mobile devices. As an end user, understanding what remote wipe is capable of is beneficial if you find your technology compromised.

1. Remote wipe requires power and a network connection

Since “wipe” is a command that’s sent to a device, it has to be turned on, connected to the network and able to receive the protocol. If a device is lost at an airport, it may be easy to wipe. On the other hand, if someone wants to keep the device from being wiped, it’s easy to power it off, shield it or pop out the SIM card.

This means that when a device goes missing, it’s important to let your IT department know about it as soon as possible, as the window for wiping can be very brief. When a device is stolen, it can be a matter of seconds before data is compromised.

2. Remote wipe is not monolithic

Today’s mobile devices and management systems have a wide variety of options for remote erasure. In certain cases, it can be used to send the device back to factory reset status. In others, it can be subtler. For example, some setups have “enterprise wipe,” which only deletes the applications and data installed by the company, leaving personal data untouched. Phones that have a container setup, such as an Android Enterprise work profile, may only have the work profile wiped, since your organization is more concerned with those assets.

In a Bring Your Own Device (BYOD) setting, enterprise wipe can be used when someone leaves the company without properly deregistering their own smartphone. In that case, they may still be storing personal data, so just deleting the enterprise data makes more sense.

Another variation of erasure is often called “KeepAlive.” With KeepAlive, the device must check in with the company’s MDM/EMM tools over the network every so often. If the device goes missing for too long, then it will automatically take action, such as a complete device reset. The idea behind KeepAlive is that if your phone is stolen and then disconnected from the network, data will still remain protected.

KeepAlive isn’t universally used and can have some false positives if the MDM/EMM system is disconnected for too long. However, it’s another tool for your IT manager, and if they’re using it, you should be aware of it.

3. Employees should be forewarned

Remote wiping is generally included with all MDM/EMM tools, so no matter which one your company is using, there is probably some level of erasure capability on employee smartphones. For corporate-owned devices, employees may naturally expect that they can be wiped at any time.

However, in the case of BYOD policies, IT admins may still have the ability to remotely wipe devices if employees are required to install an EMM/MDM agent or antimalware tools on their phone or tablet. Organizations should spell this out clearly in their BYOD policy, which employees sign before gaining access to corporate systems on their personal devices.

For organizations that do not have an MDM/EMM solution in place, remote wiping may be handled on a per-app basis, which can mean blocking access to an app and removing associated data when a user’s device is believed to be compromised. When users enroll in those services, a screen often pops up telling them that this is part of the terms and conditions.

Employees may not like the idea that IT has the ability to remotely wipe data from their personal device, but generally, there is no other way to both provide full access to your company’s systems and maintain data security. From the business’ point of view, it’s an important measure to protect valuable informational assets.

Remotely locate, lock, and wipe Samsung devices with Knox Manage, included with Knox Suite along with Knox Platform for Enterprise, Knox Mobile Enrollment, and Knox E-FOTA.

• Article
• 06/02/2022
• 3 minutes to read

You can use built-in Basic Mobility and Security for Microsoft 365 to remove only organizational information, or to perform a factory reset to delete all information from a mobile device and restore it to factory settings.

Before you begin

Mobile devices can store sensitive organizational information and provide access to your organization's Microsoft 365 resources. To help protect your organization's information, you can do Factory reset or Remove company data:

• Factory reset: Deletes all data on a user's mobile device, including installed applications, photos, and personal information. When the wipe is complete, the device is restored to its factory settings.

• Remove company data: Removes only organization data and leaves installed applications, photos, and personal information on a user's mobile device.

• When a device is wiped (Factory Reset or Remove Company Data), the device is removed from the list of managed devices.

• Automatically reset a device: You can set up a Basic Mobility and Security policy that automatically factory resets a device after the user unsuccessfully tries to enter the device password a specific number of times. To do this, follow the steps in Create device security policies in basic mobility and security.

• If you want to know the user experience when you wipe their device, see What's the user and device impact?.

Wipe a mobile device

1. Sign in to the Microsoft 365 admin center, and go to the Mobile Device Management page.

2. Select Manage devices.

3. Select the device you want to wipe.

4. Select Manage.

5. Select the type of remote wipe you want to do.

   • To do a full wipe and restore the device to its factory settings, select Factory reset.
   • To do a selective wipe and delete only Microsoft 365 organization information, select Remove company data.
   • To remove the device from your organization, select Remove device.

6. Select Yes to confirm.

How do I know it worked?

You no longer see the mobile device in the list of managed devices.

Why would you want to wipe a device?

Wipe a device for these reasons:

• Mobile devices like smartphones and tablets are becoming more full-featured all the time. This means it’s easier for your users to store sensitive corporate information such as personal identification or confidential communications and access it on the go. If one of these mobile devices is lost or stolen, wiping the device can help prevent your organization’s information from ending up in the wrong hands.
• When a user leaves the organization with a personal device that is enrolled in Basic Mobility and Security, you can help prevent organizational information from going with that user by performing a factory reset.
• If your organization provides mobile devices to users, you might need to reassign devices from time to time. Doing a Factory Reset on a device before assigning it to a new user helps ensures that any sensitive information from the previous owner is deleted.

What's the user and device impact?

The wipe is sent immediately to the mobile device and the device is marked as not compliant in Azure active directory. While all data is removed when a device is reset to factory defaults, the following table describes what content is removed for each device type when a device when you remove company data.

Note

Company Portal app is available at the App Store for iOS and the Play Store for Android devices.