Enterprise Mobile Device Decommissioning Policies
Enterprise asset security sometimes requires the decommissioning of mobile devices. The suggested decommissioning policies apply only to enterprise-issued mobile devices. You may be called upon to decommission mobile devices for one of these two reasons:
Accidental loss or theft of the device
Willful violation of mobile device policies
In either of the preceding cases, the steps that need to be taken are similar. Therefore, the policies that you define for decommissioning mobile devices should also be consistent.
You can use the following guidelines to educate end users about decommissioning policies in the enterprise:
You are expected to inform the IT department immediately upon loss or theft of your mobile device.
Your device will be located and locked out, and all data will be erased as soon as possible.
Any data loss as a result of the wipeout of the mobile device is your responsibility. IT does periodic backups; however, you are expected to follow the backup policies as well, especially if your device contains personal content, such as photos, music, and videos, for which the IT department bears no responsibility. Having a backup would allow you to quickly restore the configuration on a replacement phone.
If the decommissioning is a result of policy violations, a replacement phone will not be provided to you. Furthermore, if you owned the device and violated policy, access to the enterprise network and its resources will be prohibited for up to a year. [Change this based on your leniency threshold.]
BlackBerry in particular has had the remote-wipe feature for years, and some of the newer mobile devices have this capability. iPhone owners can remote-wipe their device through the subscription-based MobileMe services. Additionally, Apple now provides the Find My iPhone app free of charge. It can run on any iOS 4.2 device (or newer), including iPhone 4, iPad, and the fourth-generation iPod touch.
In the event of a loss or theft (or maybe just for the heck of it), individual users now have the power to remotely locate and wipe out their devices. While these capabilities certainly sound handy, it does not take away your responsibility toward protecting the enterprise assets.