All good things must come to an end.  And that includes the use of a device in the workplace.

Often this is because the device has been damaged, but it can also be driven by the need for more capability, such as extra storage, or simply by the employee's wish to have the latest model.

Securing company data while a device is in use matters, but securing it when the device is retired matters even more. Unless the device is going back into the corporate pool to be reused, it must be retired in line with best practice so that no corporate data leaks, especially when the device is leaving with a former employee.

Returning a device to the corporate pool is usually the fastest and easiest way to retire it, but the following steps should still be undertaken:

  1. Enterprise wipe
  2. Return to base
  3. Verify device is clean
  4. Update asset register
  5. Add to corporate pool

In general it is more secure to wipe the device before it is returned, particularly if it travels by post, where it could end up in the wrong hands; the corporate data on it can be worth far more than a single lost or stolen device. When an employee is being terminated or has resigned, wipe the device immediately rather than waiting for it to come back.

 

Retiring a BYOD device

A device that leaves the business with its end user is the highest-risk retirement, so every step of the retirement process must be carried out and verified.

Provided corporate data has been containerized (Android supports dual use of a device, with a separate, secured container for work), this should be straightforward: retiring the device removes that container, and with it every trace of corporate data, in one go.

For BYOD devices that have had full access to corporate data, including the option of saving attachments to the device's own storage, an enterprise wipe will not suffice; a full wipe is required to guarantee that corporate data has been removed. This may not be well received by the end user, but the process should already have been explained clearly in the corporate BYOD policy.

The following process should be used for BYOD devices:

  1. Enterprise/full wipe
  2. Verify data has been removed
  3. Remove device record from MDM platform
  4. Update asset register

As the device is leaving the business, there’s no need to retain the device record on the MDM platform unless required for auditing purposes. Removing the device record ensures the platform does not become cluttered with obsolete records.

 

Retiring for destruction

Contracted disposal and recycling companies are supposed to handle devices safely, but there is no guarantee once a device has left the premises. Even if the device will be destroyed by secure means, it should first be decommissioned as thoroughly as a corporate PC or laptop would be, taking all of the following measures:

  1. Full wipe
  2. Removal of any removable media, and its destruction if it is not to be reused
  3. Sending off to secure destruction company
  4. Update asset register

Once this is complete, the device can leave the premises, and administrators can be confident that no corporate data remains on it.

 

Retiring the user account

Where the user will not continue working in the business, retiring the device is only half the work needed to keep the MDM platform well organized; the user account should also be decommissioned from the platform.

For users authenticated via Active Directory (AD), where the MDM platform synchronizes regularly with the AD server, removing a user is as simple as disabling the account in AD itself; after the next AD sync the user is removed from the MDM platform. Until that sync has run, the account still exists on the MDM side, so for urgent terminations remove the account manually as well rather than waiting for the scheduled sync.

For MDM platforms that support only a one-way import of users from AD, and for locally created users, the account must be removed manually to prevent future access.

 

Audit trail

However the device data or user account is removed from the MDM platform, the platform should record a complete audit trail of the actions taken. This audit trail should include the time stamp, which administrator ran each action, and the end result of the action. Note that the administrator cannot remove the audit trail.
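To show what "the administrator cannot remove the audit trail" has to mean in practice, here is an added illustration in Python of a hash-chained audit log for retirement actions. It is not Miradore's code and does not describe how Miradore Online stores its own audit trail; the record fields (timestamp, administrator, target, action, result) follow the requirements above, and the retirement sequence it logs is constructed sample data. Each record carries a SHA-256 hash over its fields and the previous record's hash, so deleting or editing an entry breaks the chain at that position and is detected on verification.

```python
"""Tamper-evident audit trail for device/user retirement actions.

Added example, not Miradore Online code. Each record is chained to the
one before it by hash, so removal or alteration of a record is
detectable rather than merely forbidden by policy.
"""
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List, Optional, Sequence

GENESIS = "0" * 64  # previous-hash value used by the first record


@dataclass(frozen=True)
class AuditRecord:
    timestamp: str   # when the action ran (ISO 8601, UTC)
    admin: str       # which administrator ran it
    target: str      # device identifier or user account acted on
    action: str      # e.g. enterprise_wipe, remove_device, disable_user
    result: str      # end result reported for the action
    prev_hash: str   # hash of the preceding record (GENESIS for the first)
    hash: str        # SHA-256 over this record's fields plus prev_hash


def _digest(timestamp: str, admin: str, target: str, action: str,
            result: str, prev_hash: str) -> str:
    # Canonical JSON so identical fields always hash identically.
    payload = json.dumps([timestamp, admin, target, action, result, prev_hash],
                         separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only list of records, each chained to the one before it."""

    def __init__(self) -> None:
        self._records: List[AuditRecord] = []

    def append(self, timestamp: str, admin: str, target: str,
               action: str, result: str) -> AuditRecord:
        prev = self._records[-1].hash if self._records else GENESIS
        rec = AuditRecord(timestamp, admin, target, action, result, prev,
                          _digest(timestamp, admin, target, action, result, prev))
        self._records.append(rec)
        return rec

    def records(self) -> List[AuditRecord]:
        return list(self._records)

    def head(self) -> str:
        """Hash of the newest record; keep a copy outside the log."""
        return self._records[-1].hash if self._records else GENESIS


def verify(records: Sequence[AuditRecord],
           expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first
    record that does not fit. A deleted or altered record breaks the
    link at its position; a truncated tail is only caught when the
    caller supplies the head hash it stored earlier."""
    prev = GENESIS
    for i, r in enumerate(records):
        if r.prev_hash != prev or r.hash != _digest(
                r.timestamp, r.admin, r.target, r.action, r.result, r.prev_hash):
            return i
        prev = r.hash
    if expected_head is not None and prev != expected_head:
        return len(records)
    return None


def build_sample_trail() -> AuditTrail:
    """Constructed BYOD retirement sequence (sample data, not real logs)."""
    t = AuditTrail()
    t.append("2024-03-01T09:00:00Z", "alice", "device-4711", "enterprise_wipe", "success")
    t.append("2024-03-01T09:05:00Z", "alice", "device-4711", "verify_wipe", "no corporate data found")
    t.append("2024-03-01T09:06:00Z", "alice", "device-4711", "remove_device", "success")
    t.append("2024-03-01T09:10:00Z", "bob", "jdoe", "disable_user", "success")
    return t


def delete_record(records: Sequence[AuditRecord], index: int) -> List[AuditRecord]:
    """Simulate an administrator deleting one entry."""
    return list(records[:index]) + list(records[index + 1:])


def edit_record(records: Sequence[AuditRecord], index: int, **changes) -> List[AuditRecord]:
    """Simulate an administrator rewriting fields of one entry."""
    out = list(records)
    out[index] = replace(out[index], **changes)
    return out


if __name__ == "__main__":
    trail = build_sample_trail()
    recs, head = trail.records(), trail.head()
    print("intact:", verify(recs, head))                         # None
    print("entry deleted:", verify(delete_record(recs, 1), head))  # 1
    print("entry edited:", verify(edit_record(recs, 2, admin="mallory"), head))  # 2
    print("tail truncated:", verify(recs[:3], head))             # 3
```

The chain alone does not catch an administrator who drops the newest entries, since the shortened log is still internally consistent; that is why `head()` exists. Storing the head hash somewhere the MDM administrator cannot write to, for example an external log collector, and passing it to `verify` makes truncation detectable as well.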

 

Whichever way you choose to retire your device, you can rest assured that Miradore Online's MDM gives you the tools to do so in just a few clicks and keep your company's data safe.

Title photo by Joy Benetton.
