Very often an organization falsely believes it can wipe a device with a remote wipe command when an employee is terminated. While remote wipe technology may be available for some/all mobile devices, it is unlikely you can use this feature during an employee departure. As you will learn from this guide, remote wipe is intended to be used for lost/stolen or compromised devices. We strongly recommend that, for cases where a data-wipe is required, your company maintain procedures and request that company applications and accounts are removed in the presence of a manager/owner during termination.
To understand this better, consider these key points:
- Most organizations allow other connection types that do not provide a wipe command. POP, SMTP, and IMAP are just some examples of e-mail technology that cannot be managed. An organization would need to have these capabilities disabled – or controlled via conditional access – in order to affect them in any way.
- Devices using certain synchronization technologies like ActiveSync can be wiped as a whole, or in part, by the system. This is designed for a lost/stolen device and has some likelihood of success. A whole-device wipe will destroy all data on the device and would be unethical (and possibly illegal) without written consent from the employee (see BYOD Sample Agreement in BENTO:GUIDES).
- ActiveSync is a legacy technology and is being actively replaced by native apps like the Gmail App or the Outlook App, which can be removed from a device – with all data – without affecting the remainder of the device. In 2021 it is highly anticipated that security changes within Microsoft 365 and Google Workspace will prevent users from self-enrolling using ActiveSync and such enrollments will only be possible via Mobile Device Management profiles.
- In order to remove an app with all of its data, the device must have been enrolled in a Mobile Device Management platform. It must also have the apps deployed via the MDM platform or successfully overtake existing apps during enrollment. This is a specific kind of capability that needs to be functional in advance.
- Mobile Device Management platforms need to be audited and verified routinely to make sure they are capable of executing critical commands during an incident. An audit should consist of policy verification, settings check, and a command execution.
- Certain devices have multiple tiers of management. For example, Apple devices can be enrolled in Mobile Device Management directly, but in order to enter a state known as Supervised they must be provisioned as company devices. Certain functionality is only available to Supervised devices.
Unless your organization has a comprehensive mobile device strategy, it is unlikely to be able to execute a termination-related wipe. A comprehensive strategy would generally consist of:
- Information Classification Policy, which outlines and instructs what systems can be accessible by personal devices.
- Controls and procedures for materially significant applications/systems that enable such a request.
- Application systems and mission-critical apps configured to allow connections only from trusted devices, with legacy protocols disabled.
- Mobile Device Management policy that includes management of company owned and personal devices.
- MDM procedures for deploying, managing, and removing materially significant apps and their data.
- Bring Your Own Device (Personal Device) policy with signed agreements from staff.
- Clear understanding of the procedures and process.
- Documented off-boarding procedures with verified steps for device sanitization.
- Practice drills or table-top exercises for doing this periodically.
Additionally, the organization would need a technology stack that includes:
- Advanced directory services such as those provided by Azure Premium (P2) or Google Workspace Business Plus (or Enterprise).
- Conditional Access Control along with some form of trusted access or Zero Trust Access
- Mobile Device Management platform with unique configuration profiles for mission-critical data systems
- Apps acquired via a volume purchase program and deployed using device-based licensing via a Mobile Device Management platform.
- Recent audit/verification trail that confirms that certificates are good and devices are enrolled and connected, and that records all recent tests of capabilities.
Unless you have the developed program described above, here are some simple things you can do during an employee departure.
- Be prepared for the employee to walk out during the termination.
- Consult with your security/IT specialist about what applications the employee has access to. The IT team should be able to determine whether the employee is using sync, get a list of devices, and inform you about risks. This information is available in audit/device logs for most major SaaS systems although a plan upgrade may be required.
- If you have a CASB system in place, ask your IT team to audit for data dumps.
- Understand the likely delays in this process including the amount of time it may take to execute a command or revoke access. Microsoft systems can take 60 minutes to complete a revocation.
- Schedule the departure at a reasonable hour and confirm that your IT support has staff scheduled to work with you during that time.
- Ask the employee to remove mail accounts from their mobile device in your presence. Have instructions ready for this on stand-by.
- Ask the employee to delete any organization-specific applications from their device.
- Request the employee sign a statement saying they have not saved data to personal storage systems.
- Revoke access as the last step and attempt a wipe only as a last resort.
- Understand that a wipe may not work.
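The device review in the checklist above can be reduced to a triage that applies this guide's key points to each connection. The following is an added example, not part of the original guide or any vendor tool; the inventory field names, option labels, and the 7-day check-in threshold are assumptions, and the sample inventory is constructed.

```python
from datetime import datetime, timedelta

LEGACY_PROTOCOLS = {"pop", "imap", "smtp"}   # no wipe command exists for these
MAX_CHECKIN_AGE = timedelta(days=7)          # assumed freshness threshold

def assess(conn, now):
    """Return the realistic data-removal option for one device connection."""
    channel = conn["channel"]
    if channel in LEGACY_PROTOCOLS:
        # Nothing to send a wipe to; mail already downloaded stays on the device.
        return "no_wipe_revoke_only"
    if channel == "activesync":
        # Whole-device wipe destroys personal data, so it hinges on signed consent.
        return "full_wipe_last_resort" if conn.get("byod_consent") else "manual_removal"
    if channel == "native_app":
        if not (conn.get("mdm_enrolled") and conn.get("app_mdm_deployed")):
            return "manual_removal"          # app was self-installed, MDM cannot pull it
        if now - conn["last_checkin"] > MAX_CHECKIN_AGE:
            return "selective_wipe_unverified"  # enrolled but not checking in
        return "selective_wipe_ready"
    return "unknown_channel"

def departure_plan(inventory, now):
    """Map each device to its option and flag whether in-person removal is needed."""
    plan = {c["device"]: assess(c, now) for c in inventory}
    needs_in_person = any(v in ("manual_removal", "no_wipe_revoke_only",
                                "selective_wipe_unverified") for v in plan.values())
    return plan, needs_in_person

# Constructed sample inventory for one departing user.
NOW = datetime(2021, 3, 1, 9, 0)
SAMPLE = [
    {"device": "iphone-work-apps", "channel": "native_app", "mdm_enrolled": True,
     "app_mdm_deployed": True, "last_checkin": NOW - timedelta(hours=4)},
    {"device": "android-tablet", "channel": "native_app", "mdm_enrolled": True,
     "app_mdm_deployed": True, "last_checkin": NOW - timedelta(days=30)},
    {"device": "ipad-personal", "channel": "native_app", "mdm_enrolled": False,
     "app_mdm_deployed": False, "last_checkin": None},
    {"device": "old-phone", "channel": "activesync", "byod_consent": False},
    {"device": "home-pc-mail-client", "channel": "imap"},
]

if __name__ == "__main__":
    plan, in_person = departure_plan(SAMPLE, NOW)
    for device, option in plan.items():
        print(f"{device:22} {option}")
    print("in-person removal needed:", in_person)
```

In the constructed sample only one of five connections is ready for a selective wipe, which is why the in-person removal steps come before revocation.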
Learn and Improve
We strongly advise you review BENTO:GUIDES content on Mobile Device Management to really understand this topic and inform your strategic decisions. If you are really unable to focus, there are a few standard things our team will suggest including:
- Upgrade/expand your Google or Microsoft account with premium services.
- Make use of a Cloud Application Security Broker.
- Consider a SAML based authentication system with better access revocation.
- Test your plans.