Selective wipe: The secret to getting users to report lost mobile devices

Of course smartphones and tablets will contain personal data, so security policies need to protect it, too


Every iOS and Android release seems to turn our smartphones further into personal devices. Apple's addition of the Apple Pay mobile payment system and the Health app for aggregating data about our fitness and well-being are the most recent examples of this trend. As our smartphones hold an increasing amount of personal information, user privacy and security become growing concerns, particularly for those of us who use the same device for work and personal tasks.

This presents a major challenge for IT. Regardless of whether the device is owned by a company or an employee, both personal and business content will end up on it. Thus, IT departments need to effectively manage such devices and their associated risks. But they also need to ensure that users know their privacy will be respected.

One of the biggest concerns that many users have in letting an IT team manage a dual-use business and personal device is what will happen if the device is lost. Many fear that a device reported as lost will immediately be wiped remotely. That's an important process if there's corporate -- or even personal -- data on it.

But having personal data on a device will make many users hesitate before reporting the loss, especially if the data isn't backed up. For example, IT policies may prohibit the use of iTunes or iCloud backup, or, as in the case of HealthKit, Apple doesn't allow some sensitive data to be stored in the cloud. That means the personal data can't be retrieved and restored once the device is wiped.

This isn't a new concern. I remember talking to CIOs and other IT leaders about this possibility a few years ago as the industry was coining the phrase BYOD. At that time, some were adopting a wait-to-wipe policy, giving users a few hours to try to recover the device before wiping it.

There is, of course, a better option today: wiping only the business content on the device. This isn't a new feature. In one form or another, selective or surgical device wipe has been available for some time.

The exact mechanics of selective wipe vary from one mobile device management (MDM) tool to another, but most tools support the functionality. In the majority of cases, you can revoke access to and delete corporate email that has been synced to a device, as well as data associated with managed apps on the device that were installed using a mobile app management (MAM) tool or through an enterprise app store.

If you're using a containerization or dual-persona mechanism that creates a secured on-device container where corporate data and apps are stored separately from personal content and apps, a selective wipe simply deletes the secured container and everything in it. The other advantage of secured containers is that they prevent -- or can be set to prevent -- the transfer of content into personal apps. Thus, you don't have to worry about copies of that corporate data also existing in users' personal email, cloud storage, or productivity apps, and you can be correspondingly more confident that a selective wipe has actually removed the corporate data.

If you use Microsoft's Exchange ActiveSync to manage devices, such as through your Exchange admin console or System Center, selective wipe is not an option -- it's all or nothing. However, you can do selective wiping by using Exchange 2013 and Outlook Web Access. It's not as capable as an MDM tool, but it's at least there.

Despite the widespread ability to do selective wipe, I've been surprised in recent conversations with IT managers at how seldom it's part of their mobility or BYOD policy.

Even when selective wipe is used, many employees don't know IT has that option, or they don't trust that IT will use it. (One user told me she simply didn't trust her organization's help desk staff to "push the right button" if she reported her phone lost.) Thus, employees avoid reporting lost devices even when it is safe to do so.

As with many mobility and consumerization issues, the use or option of selective wipe needs to be communicated clearly to employees, so they can be confident that reporting a lost device won't kill their personal data. Simply sending out a policy email or document won't do the trick -- employees skim such documents, if they read them at all, and miss such details.

Instead, IT needs to proactively engage employees and ensure that they know exactly what apps, data, email accounts, and other content may be wiped if their device is lost or stolen.

The best way I've seen this handled -- by only a few organizations -- is to actually let users peek behind the curtain. Each of these companies explained to its users the situations in which a data wipe might occur, why, and how -- and they didn't stop after explaining remote wipes. They also very clearly explained why a device should be managed, including the legal liability for data on it, what IT staff could see or monitor on a device, what they couldn't access, and when they might choose to use that functionality. One company even let users look at the console of its MDM platform.

It is also a good policy to inform users when a selective wipe has been done, so they're aware that their corporate data will no longer be available on the device should it be recovered.

Establishing mutual respect is vital to mobility success. Making selective wipes part of the mobility policy and communicating that to every employee is a key part of gaining that respect.
