Best practices for securing and reallocating a professional smartphone or tablet when an employee leaves the company
The departure of an employee is a key moment in the life of a company. Contract, tool access, handover… everything is generally well-structured. However, one point is still too often overlooked: the management of professional mobile devices enrolled in an MDM solution.
Smartphones, tablets or rugged terminals entrusted to an employee and managed via Android MDM software such as TinyMDM can contain sensitive data, professional access or specific configurations. Without a clear process, the risk is twofold: leaving confidential data accessible, or unnecessarily complicating the device’s reallocation to another employee.
In this article, let’s look at the best practices to adopt with TinyMDM when an employee leaves the organization, depending on the device’s enrollment mode and the data it contains.

Device transfer: a deceptively good idea
When an employee leaves the company, the temptation might be to simply transfer the device to another user using the dedicated feature. In reality, device transfer is not designed to manage an employee’s departure.
For one thing, it is a complex process that depends on Google services and not on TinyMDM. It can take up to 24 hours to complete, which makes it unsuitable when devices need to be reassigned quickly.
For another, and most importantly, device transfer does not address the main issue of an employee departure: data management. This feature only adjusts applications to match the new policy, by deleting apps that are present in the device’s previous policy but not in the new one. It does not guarantee the deletion of confidential data present on the device.
For a professional device being reassigned to a new employee, transfer is therefore neither the safest nor the most appropriate method.
The 3 cases to distinguish for corporate-owned, fully managed devices
For corporate-owned, fully managed professional devices (Fully Managed or Kiosk Mode), the procedure essentially depends on the type of data present on the device.
Case 1: no sensitive content on the device
If the device contains no confidential data, management is relatively simple. In this case, it is advisable to rename the user associated with the device in order to reallocate it directly to a new employee.
The device remains operational and ready for use without heavy manipulation. This approach is suitable, for example, for terminals dedicated to a specific task, without local data storage.
Case 2: sensitive data only in applications
In some contexts, sensitive data is contained exclusively within applications but not in the device’s local storage. In this case, it is possible to delete the application data directly from the Devices tab of the TinyMDM console, via “Installed apps” in the menu. Once this data is deleted, the device can then be reallocated to a new employee by renaming the user associated with the device, as in Case 1.
Please note: locally stored files on the device (photos, downloaded documents, etc.) are not deleted by this action. If this type of data exists, this scenario is no longer sufficient.
Case 3: sensitive data in and outside of applications
As soon as the device contains sensitive data in applications AND locally stored data, the only reliable solution is to completely reset the device, then re-enroll it in TinyMDM by creating a new user.
This is the safest method to ensure:
- Total erasure of the former employee’s data
- A device restored to a standard and compliant state
- Risk-free reallocation to the next user
Devices used for work and personal life
Mobile devices enrolled in BYOD
In the case of BYOD (Bring Your Own Device), the device belongs to the employee, but a professional section is managed by the company.
Upon the employee’s departure, the best practice is to delete the work profile. This approach allows the employee to continue using their device normally, while guaranteeing the company that no professional or confidential data remains on the Android phone or tablet.
Mobile devices enrolled in WPCO
WPCO (Work Profile on Company-Owned device) mode concerns devices belonging to the company but authorizing personal use.
In this context, an employee’s departure systematically implies the presence of professional data and personal data related to the employee.
The only reliable option is therefore to:
- Reset the device
- Re-enroll the device in TinyMDM
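The cases above can be turned into an offboarding checklist generator. The following is an added example, not TinyMDM code and not part of the original article; it calls no TinyMDM API, and the field names, device names and inventory rows are constructed for illustration. It assumes that a device whose data has not been audited is handled as if sensitive data were present.

```python
# Added example: offboarding planner for the cases in this article.
# Field names and inventory rows are constructed; no TinyMDM API is called.
from dataclasses import dataclass
from typing import List, Optional

RENAME = "rename the user associated with the device"
CLEAR_APPS = "delete application data (Devices tab > Installed apps)"
RESET = "completely reset the device"

@dataclass
class Device:
    name: str
    mode: str                    # fully_managed | kiosk | byod | wpco
    app_data: Optional[bool]     # sensitive data inside apps? None = not audited
    local_files: Optional[bool]  # sensitive files in local storage? None = not audited

def plan(d: Device) -> List[str]:
    """Return the ordered offboarding steps for one device."""
    if d.mode == "byod":
        return ["delete the work profile"]
    if d.mode == "wpco":
        # Work and personal data always coexist here, so reset unconditionally.
        return [RESET, "re-enroll the device in TinyMDM"]
    if d.mode not in ("fully_managed", "kiosk"):
        raise ValueError(f"{d.name}: unknown enrollment mode {d.mode!r}")
    # Assumption: an unaudited (None) answer is treated as "sensitive data present".
    if d.local_files is not False:
        # Clearing app data leaves local files behind, so only a reset is enough.
        return [RESET, "re-enroll in TinyMDM by creating a new user"]
    if d.app_data is not False:
        return [CLEAR_APPS, RENAME]   # Case 2
    return [RENAME]                   # Case 1

# Constructed inventory of devices returned by departing employees.
INVENTORY = [
    Device("scanner-07", "kiosk", False, False),
    Device("sales-tab-12", "fully_managed", True, False),
    Device("field-phone-03", "fully_managed", True, True),
    Device("unaudited-22", "fully_managed", True, None),
    Device("personal-a51", "byod", True, True),
    Device("exec-phone-01", "wpco", True, True),
]

def plan_fleet(devices: List[Device]) -> dict:
    return {d.name: plan(d) for d in devices}

if __name__ == "__main__":
    for name, steps in plan_fleet(INVENTORY).items():
        print(f"{name}: " + " -> ".join(steps))
```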
Conclusion: anticipate departures to avoid risks
The management of mobile devices upon an employee’s departure should never be improvised. It is an integral part of the terminal lifecycle and the company’s security policy.
An Android Mobile Device Management tool like TinyMDM lets you match the right action to each context: user renaming, deletion of application data, deletion of the work profile or complete reset. By applying this process, companies secure their data, simplify device reallocation, and avoid costly errors.
