Bobby2234
Enthusiast

Theft/Misplaced Device Best Practices

Hi All - We have only iOS devices so this would be iOS specific. If a staff member loses a device or it is stolen, what are the best practices for handling the device? All of our devices have passcodes so they are automatically encrypted. Best practices typically say to enterprise wipe the phone, but what if I can put it in lost mode to display a message to the user AND gain the location of the device? The phone is locked and allows the user to call the number listed on the phone, but if it were enterprise wiped, that isn't possible. All of our devices are 100% DEP so the device is pretty useless to the thief unless they sell it to someone who is unsuspecting. To add, enterprise wiping the device pretty much opens up the device to the thief unless they factory wiped it. This seems like the worst way of handling it but seems to be the best practice for HIPAA and other controls.


Also, one thing that I noticed. We have disabled automatically enabling/disabling users in AirWatch when they are deactivated in AD... why? Because I remember years ago when a user would have a phone, then would be fired, and the phone would enterprise wipe. This prevented us from displaying the message mentioned above and also disabled us from capturing the location of the device. Did AirWatch fix this with Devices and Users - General - Enrollment - Grouping 'Default Action for Inactive Users' set to disabling enrollment on other devices? I am scared to turn this on.


Thanks!

2 Replies
AbrahamSanchez
Contributor

I am not sure how other large organizations deal with this issue, but we follow best practice. When a corporate-owned device is stolen, we send a wipe command to that device. It's up to the user to report the device stolen so we can take action. Because the device is DEP we are not concerned over finding out its location. The device basically becomes a brick. Nothing can be done with it. All PHI will be removed once the wipe command hits that device. If the SIM is removed and the device is turned off there is not much you can do with location. Not something we worry about.
chengtmskcc
Expert

Good insight there Abraham.

Bobby, all DEP devices should always, always, always receive a Device Wipe command. Never ever send an Enterprise Wipe command to any DEP device. This ensures the device receives the same DEP profile and is enrolled into AirWatch even if it's ever wiped manually or through iTunes or Apple Configurator. Combining this with a device profile to specify the lock screen message with your contact info should help with getting the device returned to you.