Remote Wipe and Device Security for Company Mobiles

Remote Wipe: Why Timing Matters

Remote wipe only works on devices enrolled in MDM before they are lost. A company phone with access to email, Teams, and business files — without remote wipe capability — is a significant data breach risk. Microsoft Intune, included in Microsoft 365 Business Premium, provides remote wipe for both company-owned and BYOD devices, with selective wipe preserving personal content.

Remote wipe is the ability to erase data from a company mobile phone or tablet over the internet — without physically having the device. When a company mobile is lost, stolen, or an employee leaves, remote wipe ensures that company data, emails, contacts, and documents cannot be accessed by unauthorised individuals.

What Is Remote Wipe?

Remote wipe is a feature of Mobile Device Management (MDM) platforms — including Microsoft Intune — that allows IT administrators to send a command to a managed device that erases its contents. The device does not need to be in range of a Wi-Fi or mobile network at the time the command is sent: the MDM service holds the wipe command as pending, and the device executes it the next time it connects.

There are two types of remote wipe relevant to UK businesses:

Full Remote Wipe (Factory Reset)

A full remote wipe resets the device to its factory default state — removing all data, applications, settings, and accounts. After a full wipe, the device is as it was when it left the manufacturer. This is appropriate for company-owned devices that are lost, stolen, or being decommissioned.

Selective Remote Wipe

A selective wipe removes only company data — Microsoft 365 emails, Teams messages, SharePoint files, corporate apps — whilst leaving personal data (photos, personal messages, personal apps) untouched. This is appropriate for personal devices (BYOD) used for work, where a full factory reset would be invasive and disproportionate.

Selective wipe is the primary reason most UK businesses deploy Mobile Application Management (MAM) for staff personal devices — it provides the ability to protect company data without the risk of destroying an employee's personal content.

Why Remote Wipe Matters for UK Businesses

UK GDPR Compliance

Under UK GDPR, personal data must be processed securely using appropriate technical measures. A company mobile device containing customer contact details, email correspondence with personal data, or employee records holds personal data that falls under these requirements. If that device is lost or stolen and its contents are accessed by an unauthorised person, this constitutes a personal data breach that may need to be reported to the ICO within 72 hours.

Remote wipe is the technical control that can prevent a lost device from becoming a reportable breach. If a device is wiped before its data is accessed, the breach may not be reportable — or may be reportable but with significantly reduced severity, as the ICO considers the mitigating technical controls in place.

Protection Against Insider Threats

When an employee leaves — particularly in difficult circumstances — their company mobile may contain sensitive client data, financial information, or proprietary business intelligence. Remote wipe, triggered immediately upon their departure, ensures this data is removed from the device before they lose access.

Without remote wipe capability, businesses often have no way to recover data from a device retained by a former employee, nor any way to prevent continued access to data cached on the device.

Lost or Stolen Devices

AMVIA's experience with UK businesses shows that mobile phone loss is one of the most frequent device security incidents. A 2024 survey found that 23% of UK employees had lost a work mobile device at some point. In most cases, the device was never recovered.

Without remote wipe, a lost device containing work email remains a live risk indefinitely — the finder can access everything on it until the battery dies or the device is reset. With remote wipe and device encryption, a lost device is effectively inert: the encrypted data cannot be read without the device PIN, and IT can remotely erase the device when the loss is reported.

Device Security Controls That Work Alongside Remote Wipe

Remote wipe is most effective as part of a broader device security framework. AMVIA's business mobile security management includes:

Device Encryption

All modern smartphones encrypt their storage by default when a PIN or password is set. This encryption means that even if a device is found and not wiped in time, its data cannot be accessed without the correct PIN. iOS devices are encrypted by default. Android devices require encryption to be enabled — Intune compliance policies can enforce this.

PIN and Biometric Lock

Intune compliance policies enforce that all managed devices require a PIN, password, or biometric (Face ID, fingerprint) to unlock. Without this, device encryption is irrelevant: anyone who picks up the device can open it without entering a PIN.

Screen Lock Timeout

Intune compliance policies set the maximum screen inactivity period before the device locks automatically. For business mobiles, AMVIA typically configures a one to two minute timeout — ensuring the screen locks quickly if a device is set down and forgotten.

Jailbreak and Root Detection

Jailbroken (iOS) or rooted (Android) devices have their manufacturer security controls disabled, significantly reducing their security posture. Intune compliance policies detect jailbroken and rooted devices and mark them non-compliant — which, via Conditional Access, blocks them from accessing Microsoft 365 until the issue is resolved.

Minimum OS Version Enforcement

Outdated operating systems contain known, unpatched vulnerabilities. Intune compliance policies require devices to be running a minimum OS version, ensuring that staff are not accessing company data from phones with known security flaws.

How to Trigger a Remote Wipe

When a company mobile is reported lost, stolen, or a staff member leaves, AMVIA initiates the remote wipe process:

  1. AMVIA is notified (by the business owner, IT manager, or HR) that a wipe is required
  2. The device is located in the Intune management console
  3. The appropriate wipe command is sent — full wipe for company devices, selective wipe for personal devices
  4. The wipe command stays queued for the device and executes upon its next network connection (Wi-Fi or mobile data)
  5. AMVIA confirms completion and documents the wipe event for compliance records
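
The wipe-type choice and ordering above, as an added example (not AMVIA's tooling or code from this page): it plans the Microsoft Graph requests for a lost enrolled device without sending them, and builds the record kept for compliance. It assumes Intune's Retire action serves as the selective wipe for enrolled personal devices and that sign-in session revocation is the access block; the device records and IDs are constructed.

```python
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"

# Intune action per ownership type: factory reset for company devices,
# "retire" (removes company data only) for personal devices (assumption).
ACTION_BY_OWNER = {
    "company": ("wipe", {"keepEnrollmentData": False, "keepUserData": False}),
    "personal": ("retire", None),
}

def plan_lost_device_response(device, reported_at):
    """Return (requests, audit_record) for one lost managed device.

    `device` carries Graph managedDevice fields: id, userId, deviceName,
    managedDeviceOwnerType. Nothing is sent; the caller reviews and submits.
    """
    owner = device.get("managedDeviceOwnerType")
    if owner not in ACTION_BY_OWNER:
        # Never guess: a factory reset of a personal phone cannot be undone.
        raise ValueError(f"ownership {owner!r} needs manual review")
    action, body = ACTION_BY_OWNER[owner]
    requests = [
        # 1. Cut off access first; the wipe only runs at the next check-in.
        {"method": "POST", "body": None,
         "url": f"{GRAPH}/users/{device['userId']}/revokeSignInSessions"},
        # 2. Queue the wipe or retire action against the device.
        {"method": "POST", "body": body,
         "url": f"{GRAPH}/deviceManagement/managedDevices/{device['id']}/{action}"},
    ]
    audit = {
        "device": device["deviceName"],
        "action": action,
        "reported_at": reported_at.isoformat(),
        # 72-hour ICO window, counted here from the loss report (assumption).
        "ico_deadline": (reported_at + timedelta(hours=72)).isoformat(),
    }
    return requests, audit

# Constructed sample records (not real devices or users).
COMPANY_PHONE = {"id": "dev-001", "userId": "user-001",
                 "deviceName": "Sales-iPhone-07", "managedDeviceOwnerType": "company"}
BYOD_PHONE = {"id": "dev-002", "userId": "user-002",
              "deviceName": "Personal-Pixel", "managedDeviceOwnerType": "personal"}

if __name__ == "__main__":
    when = datetime(2025, 3, 3, 9, 30, tzinfo=timezone.utc)
    for dev in (COMPANY_PHONE, BYOD_PHONE):
        reqs, audit = plan_lost_device_response(dev, when)
        print(audit["device"], audit["action"], [r["url"] for r in reqs])
```

A device whose ownership is recorded as anything other than company or personal is rejected rather than wiped, so the full-versus-selective decision is made by a person.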

For urgent situations — a senior employee's device reported stolen containing sensitive data — AMVIA escalates the wipe request as a priority incident with immediate action.

AMVIA's Mobile Device Security Management Service

AMVIA's business mobile management service includes remote wipe as a standard capability, alongside the full Intune MDM/MAM deployment:

  • Intune enrolment for all company mobiles and tablets
  • Compliance policy configuration (encryption, PIN, OS version, jailbreak detection)
  • MAM configuration for BYOD personal devices
  • Remote wipe on demand — full or selective — with documented response
  • Regular compliance status reporting — AMVIA monitors which devices are compliant and alerts on compliance failures
  • Device retirement and decommissioning process management

Remote Wipe: Key Capabilities

What a properly implemented remote wipe solution provides.

Full Device Wipe

Erases all data and resets to factory settings — used for company-owned devices that are lost or stolen.

Selective Wipe

Removes only company data from the managed work profile — personal content untouched, for BYOD devices.

Device Location

Locate a managed device before initiating wipe — useful to confirm it is actually lost rather than misplaced.

Access Revocation

Immediately block device access to company email and apps whilst wipe is being initiated or confirmed.

Remote Wipe Readiness Checklist

What to confirm to ensure remote wipe works when you need it.

All devices enrolled in MDM before use

Remote wipe only works on enrolled devices — enrolment must happen before the device is issued.

Full vs selective wipe policy defined

Company-owned devices: full wipe. BYOD devices: selective wipe of work profile only.

Wipe procedure tested on a spare device

Process verified to work before it is needed in a real lost device scenario.

Staff know who to call if device is lost

Clear process for reporting a lost device — every minute of delay matters.

Access revocation configured in Entra ID

Block Microsoft 365 access immediately on report of loss, before wipe completes.

Incident process documented

Written steps for lost device response, including GDPR breach assessment timeline.

Set Up Remote Wipe Before You Need It

AMVIA can configure Microsoft Intune MDM across your company phones and BYOD devices, including tested remote wipe procedures and documented incident response steps.