The leaver who kept the company data on a personal phone: the offboarding step that wasn't a ticket

The operations director signs off the leaver checklist and reads it as done: mailbox disabled, SSO revoked, licences reclaimed, laptop collected at the desk. The assumption hiding in that list is that "the device" means the company laptop. The sales rep who left ran her whole job off her own iPhone, and that phone walked out the door still holding three years of cached mail.

Account revocation and device de-enrollment are two different jobs. The leaver flow closed the first and never opened the second, because nobody wrote a ticket for hardware the company doesn't own.

BYOD, MDM, and the selective wipe the leaver ticket should trigger

On a managed personal device the corporate footprint lives inside a work profile or container that your MDM controls separately from the user's photos and personal apps. The right offboarding action is a selective wipe: removing the corporate data, the managed apps, and the management profile while leaving everything personal untouched. The full device wipe is for company-owned kit. On a leaver's own phone you want the targeted one, and you want it fired the moment access is revoked, not weeks later when someone remembers.

The failure is almost never the tooling. Intune, Jamf, and the rest all expose a selective wipe action. The failure is that de-enrollment isn't an item on the checklist, so the clock starts and nobody runs it.

Cached data after account revocation: what's still on the device

Revoking the account stops new sign-ins. It does not reach back and scrub what already synced to the handset. A native mail client holds offline copies of messages and attachments. The file app keeps the documents marked for offline access. A password manager retains its vault until the next online check-in. Disabling the identity at the IdP does nothing to that local cache, and on a phone with biometric unlock the old data is one Face ID away from being opened on a personal device you have no claim to.

If the only thing offboarding does is flip accounts off, the data sitting on the leaver's phone is now orphaned: still company information, no longer under any company control. That gap is exactly what the selective wipe is supposed to close, and it stays open until something triggers it.

GDPR exposure when a leaver retains personal data on personal kit

Under GDPR you remain the controller of personal data in that cached mailbox even though it sits on hardware you don't own. You can't demonstrate a lawful retention period or deletion for records you've lost sight of, and a leaver's phone is the definition of lost sight. The trap tightens from the other side: you generally cannot lawfully wipe a personal device unless the BYOD policy the employee signed already granted that consent in writing. No prior consent, no clean remote action, and the data stays where it is.

So the director ends up explaining two failures at once: company personal data retained past its purpose on uncontrolled kit, and no agreed mechanism to remove it. Both trace back to the same missing checklist line. Industry breach reporting consistently puts a meaningful share of insider data exposure on former employees whose access or data lingered after departure, and "we revoked the login" is not a defence when the bytes never left the building.

Adding device de-enrollment as a hard gate on the leaver checklist

Treat de-enrollment as a blocking step the leaver ticket cannot close without. Concretely:

That last point is the whole fix. A leaver flow that closes on accounts while devices hang unconfirmed is a flow that lies to the director who signs it. In OpsDesk you wire device de-enrollment into the same leaver workflow as the account steps, scoped per workspace, with the selective-wipe confirmation logged as an artefact so the checklist can't close on an open device. See how the lifecycle gates hold the ticket until the hardware is genuinely clear.