Wiping and locking corporate devices is a regular part of managing an enterprise fleet. As employees come and go or devices get lost or stolen, employers must be ready to wipe and lock devices in different contexts. While these may be standard compliance actions, they come with risks, including accidental deletions or getting a device into an irrecoverable state. In this post, we’ll discuss some things we can do to mitigate these risks and accelerate action within device wipe and lock workflows with a focus on macOS computers.
Locking and wiping are two examples of actions that can be irreversible without physical possession of the device. As organizations continue to become more distributed, it’s more and more likely that the device we’re interacting with is not nearby. While there are measures we can take to de-risk the deployment of most controls (e.g., Staged Rollouts, Communication + Expectation Setting), locking and wiping are discrete actions for which a remote administrator doesn’t have the same recourse.
With this in mind, we should be extra careful when taking irreversible actions and make sure the actor understands the consequences of what they’re about to do. Before submitting a lock or wipe command, we should take care to:
Confirm the action we’re about to take with the employee’s manager as well as others on our team to be sure nobody else will be executing the same action.
Validate that we’re taking action on the correct device — ensure that the device name and users of that device are what we would expect.
Ensure the device is connected to the network to guarantee the action will be executed immediately.
After taking action, broadcast an update to relevant teammates to confirm completion.
The most typical use case for wiping a device is when we’re off-boarding an employee. Apple introduced a control called Activation Lock on iOS 7 but more recently shipped it to macOS devices with the Apple silicon or T2 security chip. The release to macOS has been met with criticism from the device management community, where a significant number of otherwise fine MacBooks are now headed to landfills. We should make a point to disable the activation lock before departing employees are out of reach to ensure we can recover their computers after wiping them.
Locking or wiping a device may be done as part of a typical off-boarding process, but these actions could also be called for in a high-stress situation. If an employee just reported a device lost or stolen, time is of the essence, and we need to act fast. By documenting how we should respond to events like this in the context of our MDM tools, we can avoid potential mistakes when moving quickly.
One of the first questions we should answer to prepare for devices being lost is how much of a threat it is to our business if the encrypted hard drive is never wiped or recovered. This is important because when a device is locked, it’s disconnected from the network, so we won’t be able to execute a subsequent wipe command until it’s unlocked.
There are a number of different use cases for wiping or locking a device, and this post only scratches the surface of how we can best situate ourselves for success. We hope these practices resonate and can help improve some of your workflows. If you have questions or want to connect, please reach out!
