A device goes missing. Maybe a delivery driver left a tablet in a vehicle and it was taken. Maybe a retail kiosk was physically removed after hours. Maybe a warehouse scanner disappeared during a shift change. However it happens, the clock starts ticking the moment you realize a device is gone.
If that device is enrolled in a mobile device management platform, the response is fast, controlled, and auditable. If it isn’t, the response is panic.
This guide walks through exactly what to do when a managed device goes missing, why each step matters, and how MDM compresses what used to take days into a process that takes minutes.
Step 1: Confirm the Device Is Actually Missing
Before triggering any device security actions, verify that the device is genuinely lost or stolen rather than in an unexpected location or powered off.
In your MDM dashboard, pull up the device record. Check the last known location if GPS tracking is enabled. Check the last check-in time. Review any recent alerts, a sudden loss of connectivity, a geofence breach, or an unexpected location update are all meaningful signals.
Moki’s device monitoring gives you real-time visibility into device status, including connectivity, location, and last activity. In many cases, a “missing” device is actually offline at its expected location due to a network issue, a very different situation than a stolen device.
If location data shows the device somewhere it shouldn’t be, or if last check-in was at an unusual time combined with a location anomaly, treat it as missing and proceed.
Step 2: Enable Lost Mode Immediately
Lost mode is the first line of defense. When activated through MDM, lost mode locks the device so it cannot be used, displays a message on the screen (typically a contact number or return instructions), and continues reporting location if GPS is available.
Moki’s iOS MDM supports Apple’s native Lost Mode for supervised iOS devices, which provides robust lockdown and location reporting. For Android devices, Moki’s Android Enterprise and Android Agent platforms support equivalent lockdown capabilities.
Activating lost mode from the MDM dashboard takes seconds and does not require physical access to the device. The command queues and executes as soon as the device connects to a network, which is important because a device that’s been stolen will often reconnect when the person who has it attempts to use it.
Step 3: Document Everything for the Audit Trail
Lost or stolen devices create compliance and legal obligations depending on your industry. Healthcare organizations under HIPAA have specific breach notification requirements. Organizations handling payment card data under PCI DSS must document device security incidents. Even outside of regulated industries, a documented response demonstrates due diligence.
From the MDM platform, export the device’s activity log, last known location, last check-in timestamp, and the record of when lost mode was activated. This creates an auditable chain of custody that demonstrates your organization took prompt action to secure the device.
Record internally: who reported the device missing, when, what actions were taken and in what order, and what data the device had access to.
Step 4: Determine What Data Was at Risk
Not all missing devices represent the same level of data risk. A locked-down kiosk that only runs a single app and stores no user data is a different situation than a field service tablet with access to customer records.
Review what the device was enrolled to do. What apps did it have installed? What data did those apps access? Was the device encrypted? Was it locked with a PIN or biometric that would prevent casual access?
If the device was properly configured through MDM, encrypted, locked down to approved apps, and set to wipe after a defined number of failed unlock attempts, the actual data exposure risk is likely low even if the physical device is gone.
This is one of the clearest arguments for device lockdown policies during the configuration phase: by the time a device goes missing, your response is mostly administrative rather than a crisis.
Step 5: Issue a Remote Wipe if Recovery Is Unlikely
If the device doesn’t surface within a reasonable timeframe, or if the nature of the loss suggests it won’t be recovered, issue a remote wipe command from the MDM dashboard.
Remote wipe erases the device to factory settings, removing all data, credentials, app configurations, and enrolled profiles. For devices enrolled through MDM, this command can be issued regardless of physical location, it executes the next time the device connects to any network.
This step is irreversible, which is why it follows confirmation of the loss and documentation rather than being the first response. A device that was simply left in a break room and will be recovered in an hour doesn’t need to be wiped.
Moki supports remote wipe across iOS, Android, and BrightSign devices. The command is logged in the platform, giving you a timestamped record that the wipe was issued as part of your incident response.
Step 6: Revoke Credentials and Update Network Access
If the device had access to any network resources, Wi-Fi credentials, VPN access, app authentication tokens, revoke or rotate those through MDM and your identity management systems.
MDM platforms that integrate with directory services or identity providers allow you to push new network policies to the rest of your fleet, effectively invalidating the credentials a stolen device might carry without affecting your operational devices.
For apps that use individual login credentials, work with your IT or security team to invalidate the session tokens associated with the missing device.
Step 7: File a Report and Notify as Required
File a police report for any confirmed theft. This creates an official record and is required by many cyber insurance policies as a condition of any claim.
If the device handled personal data, customer information, employee records, health data, payment data, review your notification obligations under applicable regulations. HIPAA requires notification within specific timeframes. Various state data breach notification laws have their own requirements. Document that you completed this review regardless of whether notification is ultimately required.
How MDM Compresses Your Response Time
The difference between a managed and unmanaged device loss is measured in hours versus days, and in controlled versus chaotic responses.
With MDM, the sequence above can be completed in under 30 minutes from the moment you identify a device as missing. Without MDM, you’re making calls to carriers, trying to find device serial numbers, contacting app vendors to revoke access, and hoping the device hasn’t been accessed in the meantime.
Moki’s platform is built to give you the visibility and controls you need not just for day-to-day fleet management, but for exactly these moments when a fast, documented response is what protects your business.
If you’re managing devices in the field without MDM and want to close this gap, request a demo to see how Moki handles device security from deployment through end of life.