
Tracking and Recovering Lost Devices

When a corporate device goes missing, the clock starts ticking. Every minute between loss and response is a minute that sensitive data may be exposed. Effective device tracking and recovery capabilities allow organisations to locate lost devices, lock them remotely, and wipe data before an attacker can access it. These capabilities must be configured proactively — they cannot be deployed after a device is already lost.

Tracking and Management Capabilities

  • MDM-based location tracking. Mobile Device Management solutions provide real-time location data for enrolled devices. This enables the security team to determine whether a device is simply misplaced or has been stolen and is moving away from the owner’s location.
  • Remote lock. The ability to remotely lock a device with a custom message (“This device has been reported lost. Please contact…”) prevents immediate access and aids recovery.
  • Remote wipe. When recovery is unlikely, a remote wipe erases all data on the device. Selective wipe removes only corporate data, preserving personal content on BYOD devices.
  • Activation lock. Apple’s Activation Lock and Android’s Factory Reset Protection prevent a stolen device from being reset and reused, reducing the resale value and therefore the incentive for theft.
  • Asset inventory integration. Link device tracking to your asset management system so the security team can immediately identify the assigned user, data classification, and applications installed on a reported lost device.

Response Procedures

  • Immediate reporting. Employees must know how to report a lost device — a dedicated phone number, email address, or self-service portal available 24/7. Delay in reporting is the biggest risk factor.
  • Triage decision tree. Define clear criteria for when to attempt location and recovery versus when to proceed directly to remote wipe. Devices containing highly sensitive data should be wiped immediately.
  • Law enforcement coordination. For confirmed theft, file a police report and provide the device serial number and last known location to assist recovery.
  • Post-incident review. After every device loss incident, review what data was at risk, whether encryption was active, and whether the response met your target timelines.

Action Steps:

  1. Confirm that all corporate devices are enrolled in MDM with location tracking, remote lock, and remote wipe enabled.
  2. Publish a 24/7 reporting procedure for lost or stolen devices and test it with a simulated loss.
  3. Define a triage decision tree specifying when to locate, lock, or wipe based on device type and data sensitivity.
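As an added illustration (not part of this page), the triage decision tree from the Response Procedures and Action Step 3 encoded as a small Python policy function: it joins an assumed MDM/asset-inventory record with the rules the page states (highly sensitive data is wiped immediately; BYOD gets a selective wipe; a device moving away from its owner is treated as theft) plus an assumed recovery window, and returns both the action and the reason so the post-incident review can audit the decision. The field names, the `RECOVERY_WINDOW_HOURS` value and the sample record are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Tuple

class Action(Enum):
    LOCATE_AND_LOCK = "locate and lock, keep tracking"
    SELECTIVE_WIPE = "selective wipe (corporate data only)"
    FULL_WIPE = "full wipe"

@dataclass
class LostDeviceReport:
    """Constructed record joined from the MDM and the asset inventory (assumed fields)."""
    asset_tag: str
    data_classification: str   # "internal", "confidential" or "highly_sensitive"
    byod: bool                 # personal device; only corporate data is managed
    encryption_active: bool    # storage encryption confirmed active by the MDM
    moving_away: bool          # MDM location trail shows it leaving the owner's area
    hours_since_loss: float

# Assumed policy threshold; tune to the organisation's own risk appetite.
RECOVERY_WINDOW_HOURS = 24.0

def wipe_action(report: LostDeviceReport) -> Action:
    # BYOD devices get a selective wipe so personal content is preserved.
    return Action.SELECTIVE_WIPE if report.byod else Action.FULL_WIPE

def triage(report: LostDeviceReport) -> Tuple[Action, str]:
    """Return the action to take now and the reason to record for the post-incident review."""
    if report.data_classification == "highly_sensitive":
        return wipe_action(report), "highly sensitive data: wipe immediately"
    if report.data_classification == "confidential" and not report.encryption_active:
        return wipe_action(report), "confidential data without encryption at rest"
    if report.moving_away:
        return wipe_action(report), "location trail indicates theft, not misplacement"
    if report.hours_since_loss >= RECOVERY_WINDOW_HOURS:
        return wipe_action(report), "recovery window elapsed without recovery"
    return Action.LOCATE_AND_LOCK, "likely misplaced: lock with contact message and track"

def lock_message(report: LostDeviceReport, contact: str) -> str:
    """Text pushed with the remote lock so a finder can return the device."""
    return (f"This device ({report.asset_tag}) has been reported lost. "
            f"Please contact {contact}.")

if __name__ == "__main__":
    # Constructed sample: internal-only laptop, encrypted, stationary, reported 2h ago.
    sample = LostDeviceReport("LT-0042", "internal", False, True, False, 2.0)
    print(triage(sample))
    print(lock_message(sample, "security@example.com"))
```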

Quick Knowledge Check

  1. Why must device tracking capabilities be configured before a device is lost?
    Because MDM enrolment, location services, and remote wipe capabilities require pre-configuration on the device. They cannot be activated remotely after the device is already lost or stolen.
  2. When should a remote wipe be triggered immediately instead of attempting device recovery?
    When the device contains highly sensitive data (customer PII, financial records, credentials) and the risk of data exposure outweighs the cost of replacing the device.