Take mobile security off silent + Dude, where’s my laptop? 💻

Welcome to The IT Factor newsletter, where lean IT teams are expected to secure a workforce that lives on their smartphones while executives assume mobile security "just works." In this edition, we're tackling the mobile device management crisis that's keeping IT admins up at night and explaining why your current approach might be providing more risk than protection.

You're watching all your employees use personal devices for work while a new kind of -ishing gets invented every week. Meanwhile, executives want the productivity benefits of BYOD without understanding that every device provides one more way in. Keep reading for the 5-step escape plan that will help you make sense of your mobile chaos, STAT.

TL;DR

📱 Don’t Let BYOD Stand for BYODisaster

📋 Asset Tracking > Asset Slacking

Is your IT stack IPO-ready? 

Johan Dowdy, Asana’s Global Head of IT (former Lyft & Twitter), shares 5 lessons on scaling with speed, security, and sanity. Register now!

📱 Take your mobile security off silent mode

Here's a stat to keep you up at night! (Sorry.) 97% of employees use personal devices to access work accounts. On top of traditional phishing threats — which are still alive and well — you’ve got a precipitous rise in mishing, smishing, and quishing attacks to contend with, too. Kinda gets you wishing you had a plan to handle all that, right? 

Because that "just this once" personal phone login your CEO did last week could open the door for hackers to access your entire corporate network. And that sales rep who insists on checking email while traveling? They're essentially carrying your company's crown jewels in their back pocket, while you’re back at HQ praying they don’t get pickpocketed. 

Truth is, most IT teams are flying blind when it comes to mobile device management. You're stuck playing defense while employees treat company data like it's their personal Instagram feed. Meanwhile, you're expected to secure devices you can't see, control apps you didn't approve, and protect data flowing through channels you never authorized.

Your 5-step escape plan from mobile chaos:

⚔️ 1. Define your battlefield

Stop trying to secure everything, everywhere. Pick your battles: Are you going full BYOD? Corporate devices only? Mixed fleet? The key is specificity. Define exactly which devices (iOS 15+, Android 12+), which user groups (executives, remote workers, contractors), and which data classifications you're protecting. Write it down, get leadership buy-in, and stop second-guessing yourself. Pro tip: Start small with a pilot group rather than going all-out on day one.

⚖️ 2. Get legal on speed dial

Before you start wiping devices, know what you can and can't touch. Work with legal to map out compliance requirements (HIPAA, GDPR, CCPA, etc.) and establish clear boundaries around employee privacy. This isn't just CYA. It's about building trust with your workforce. Define what constitutes "work data" versus personal data, establish consent procedures, and document your right to monitor and manage business applications. That might not sound like the time of your life, but trust us — it beats explaining a lawsuit to your CFO.

🫡 3. Assign the cleanup crew

Who's doing what when things go haywire? IT handles MDM selection, deployment, and day-to-day operations. Security sets configuration baselines and investigates incidents. Legal advice on compliance and privacy. HR manages the human element and coordinates with departing employees. Help desk troubleshoots user issues and coordinates device replacements. No more "not my job" finger-pointing when someone's phone gets compromised. Everybody knows their role.

📘 4. Build your playbook

Map out exactly what happens from day one to goodbye with step-by-step workflows. For onboarding: HR notifies IT of new hire → IT ships preconfigured device or sends enrollment instructions → user enrolls device → MDM automatically applies baseline policies → user receives credentials and training. For the dreaded offboarding: HR notifies IT of separation → IT remotely locks device → enterprise wipe removes only company data → user coordinates device return. Make it so foolproof that your intern could run it without breaking a sweat.

🎓 5. Train like nobody’s business

Well, not nobody’s business. Your business. Because your company’s reputation relies on getting this right. Don't just send an email about the new policy. Actually teach people why it matters and how to use it. Cover the "why" (those scary stats we mentioned), the "what" (device usage expectations), the "how" (enrollment process), and the "oh no" (violation consequences). Deliver it live, reinforce with written guides, and make completion mandatory for new hires. A 15-minute training session now beats a 15-hour incident response later.

💡 The reality check:

Bottom line: The math is simple: invest in MDM policies now, or pay exponentially more in breach response, regulatory fines, and reputation recovery later. The good news is, you don't need a massive budget or team to get this right. You just need to start treating mobile security like the strategic imperative it is.

Ready to move to a cross-OS MDM solution that will scale with your team? Download our MDM migration guide to see how you can get to a cleaner, faster way to manage every device in your environment — Mac or Windows — from one unified system.

📋 Stop asset slacking, start asset tracking

JR Lam learned the hard way that more exciting initiatives get all the attention while good ol’ asset management lurks in the background, just waiting to haunt you later. After scaling IT at Snapchat, Twitter, and Salesforce, he's seen this pattern repeat: teams focus on keeping the lights on while ignoring the foundation that matters later.

"This was a mistake that I personally had made," says Lam, who spent nine years building Snap’s IT infrastructure from pre-IPO startup to global scale. "Especially if you're scaling really quickly, the focus tends to be onboarding new tools, hiring as fast as possible.”

Everyone knows IT manages computers, but most teams think about functionality, not lifecycle. "We were purchasing computers, tagging computers, doing the basics. But nobody was going back and looking at the details of, 'Hey, did these get logged correctly? What can we do with this actual data?'"

Why it matters: Asset management isn't just about knowing where your laptops are. "There's a cost component. There are definitely controls you have to worry about. There's definitely a security aspect. And things like legal hold — if somebody's on litigation hold, those assets have to be retained, sometimes indefinitely."

Your action item: Start treating asset management like infrastructure, not paperwork. Lam's advice: "I had to take full ownership of this and really understand where everything's going. It's something that I didn't pay attention to at the beginning. I definitely do now."

That spreadsheet you keep meaning to update isn't just busywork. It's the difference between being prepared and scrambling to recreate years of purchasing history when auditors come asking questions.

Stay tuned for more advice from today’s IT and security pros every week. And if you have a question you’d like us to answer, submit it here.

Must-do this week

☑️ Advice: 5 actions to build an AI-ready data culture (CIO)

☑️ Learn: How USB-C stole the heart of the hardware industry (IT Brew)

☑️ Opinion: Vibe coding? Meet vibe security (TechCrunch)

☑️ $$$: Oracle, OpenAI Sign Massive $300 Billion Cloud Computing Deal (Wall Street Journal)

☑️ Read: Watch Out for Salty2FA: New Phishing Kit Targeting US and EU Enterprises (The Hacker News)

🙌🏾 Group therapy

"My boss refused to switch his password for MFA, and it's driving me friggin’ mental. We rolled out conditional access requiring phishing-resistant authentication for everyone, with one notable exception. Guess who that was? 

So I got creative with alphanumeric character settings and configured his old password as a PIN. Problem solved, right? Wrong. He actually called me on a Sunday, complaining about trouble getting access. Like we hadn’t gone over this as a matter of company policy.

It all worked out in the end once I talked with him on Monday. But seriously, why does the C-suite seem to think security policies are suggestions? Meanwhile, our cyber insurance probably won't cover us if we get breached because we don't have MFA for everyone. It's like I’m a fire safety inspector whose boss insists on storing gasoline next to the space heater." 🔐 ~ Anonymous IT hero

Do you have an IT horror story? Share here to be featured in a future issue.

If you’ve ever dealt with software sprawl, you may be familiar with the experience above. And while we’re sorry for your forehead, we’d also like to hear about your hardships! 

Take our software sprawl survey, right here.

🎁 Want free swag?

We’re building a community of IT heroes on our channels in MacAdmins and Spiceworks.

Jump in, say hi, and drop the phrase “The IT Factor sent me” in a comment or post. We’ll send you a free IT Hero T-shirt, no strings attached.

Tell a friend