| Mobile device management is the practice of centrally enrolling, securing, and controlling the phones, tablets, and laptops that access your business data, so company information stays protected whether the device is company-owned or personal. |
How many of your staff check work email on a personal phone right now?
For most New Zealand businesses the answer is almost everyone, and most of those phones have no protection on the company data they hold. A lost handset, a departing employee, or a single weak passcode can expose client records, emails, and files in one go.
This guide explains what mobile device management does, how it protects company data on both work and personal devices, and the practical steps to put it in place. It also covers the questions business owners ask most often, from cost and staff privacy to what happens when someone leaves. It is written for business owners and managers, not IT specialists.
What Is Mobile Device Management?
Mobile device management is a system that lets your business enrol, configure, secure, and monitor every device that touches company data from one central place. Instead of trusting each phone or tablet to be set up correctly, you set the rules once and apply them to every device automatically.
The goal is simple. Company data stays protected no matter which device it sits on, and IT can act on any device remotely, including wiping it if it is lost or stolen.
Mobile device management sits alongside broader device protection rather than replacing it. Where endpoint security focuses on defending company computers from malware and intrusion, mobile device management owns the control layer for phones, tablets, and the personal devices staff use for work.
What does mobile device management actually control?
The settings, apps, and data on each enrolled device. Common controls include requiring a passcode or biometric lock, enforcing encryption, restricting which apps can hold company data, pushing security updates, and separating work data from personal data.
- Enrol devices so IT has a register of what is accessing company data
- Enforce a screen lock, encryption, and a minimum operating system version
- Push approved apps and updates without touching the device physically
- Separate work data so it can be removed without wiping personal content
- Locate, lock, or remotely wipe a device that is lost or stolen

What Can Mobile Device Management Do?
Mobile device management can enrol devices, enforce security settings, control which apps hold company data, and lock or wipe a device remotely. In practice that comes down to four things an owner cares about: knowing which devices hold company data, setting one security standard across all of them, controlling the apps that touch that data, and being warned when a device drifts out of line.
Enrolment and device inventory
Enrolment is the foundation. Each phone, tablet, or laptop is registered so IT has a live list of every device accessing company data. You cannot secure what you cannot see, and without an accurate inventory you are guessing at your real exposure.
Policy and configuration control
Policies set the security baseline. Common settings require a passcode or biometric lock, enforce encryption so data is unreadable if the device is taken, and block access from devices running outdated software. Wi-Fi, email, and VPN settings can also be pushed automatically, so a device is configured correctly the moment it is enrolled.
App and data management
App management decides which applications can hold company data and what those apps are allowed to do. You can deploy approved business apps remotely, restrict copying company data into personal apps, and remove a single app’s data without affecting the rest of the device.
Compliance monitoring
Monitoring keeps the standard in place over time. The platform reports which devices meet your policies and flags any that fall out of compliance, such as a phone with encryption switched off or an overdue update. Non-compliant devices can be blocked from company data until they are fixed.
Which devices can be managed?
Mobile device management is not limited to phones. The same platform manages smartphones, tablets, and laptops across the common operating systems, including iOS and iPadOS, Android, Windows, and macOS. This matters because a typical employee now works across several devices, and company data flows between all of them.
When laptops and desktops are brought into the same system, the term often used is unified endpoint management. For a business owner the distinction matters less than the outcome: every device that holds company data, mobile or not, is enrolled, secured, and managed from one place, with no gaps where an unmanaged device can slip through.
Why Does Mobile Device Management Matter for Your Business?
It matters because your most sensitive data now walks out the door every evening in someone’s pocket. Picture a salesperson who loses a phone on a Friday night, with two years of client emails and contacts on it and no passcode. Without management, you cannot lock it, cannot wipe it, and may not even know what was on it.
Mobile device management closes that gap. It gives you proof of what is accessing company data, the ability to enforce a baseline of security, and a fast way to respond when something goes wrong.
What are the risks of unmanaged devices?
Unmanaged devices create blind spots. IT cannot see them, cannot secure them, and cannot remove company data from them. The most common risks are lost or stolen devices with no remote wipe, weak or absent passcodes, and former staff who keep company email on a personal phone after they leave.
Under the Privacy Act 2020, your business is responsible for keeping personal information secure. A breach caused by an unsecured phone is still your breach to report and explain.
How does mobile device management support compliance?
Mobile device management gives you evidence. You can show which devices accessed data, that they were encrypted and passcode-locked, and that access was removed when a person left. That record supports your obligations under the Privacy Act and is increasingly expected by cyber insurers. It also reinforces your wider identity and access management approach, since a managed device is far harder to use for unauthorised access.
How Does Mobile Device Management Handle Personal Devices?
It separates work data from personal data on the same device. This is how mobile device management makes bring your own device, or BYOD, safe. Staff keep their own phone, and the business controls only the work side.
On a modern phone this is done with a work profile or a managed container. Company email, files, and approved apps live inside a protected space that IT controls. Personal photos, messages, and apps sit outside it and are never touched.
What is BYOD and is it safe?
BYOD means staff use their own personal phones or tablets for work. It is safe when those devices are enrolled in mobile device management with work and personal data kept separate. Without that separation, BYOD is one of the biggest sources of hidden risk in a business, because company data ends up on devices IT cannot see or control.
Can the business see an employee’s personal data?
No. With a work profile in place, the business can manage and wipe only the work container. It cannot read personal messages, browse personal photos, or track personal app use. Spelling this boundary out to staff is usually what gets BYOD accepted, because the most common objection is the fear of being watched.

What Happens When a Managed Device Is Lost or Stolen?
With mobile device management in place, a lost device is a managed event, not a crisis. The moment a device is reported missing, IT follows a clear response chain to protect the company data on it before anyone else can reach it.
Locate, lock, wipe: the response chain
- Locate: where supported, IT checks the device location to judge whether it is misplaced or gone
- Lock: the device is locked remotely so no one can open it, often with an on-screen contact message
- Wipe: if recovery is unlikely, the work data, or the whole device, is erased remotely
Because the work data is separated, a remote wipe on a personal phone can remove the company container while leaving the owner’s photos and messages intact. The employee calls to report the loss, IT acts within minutes, and a panicked Friday night becomes a non-event.
How Do You Set Up Mobile Device Management?
You start by deciding which devices and data need to be managed, then choose a platform, enrol the devices, and apply a simple set of policies. It does not need to be complex to be effective.
Which platform should a business use?
Most New Zealand SMEs already have access to a capable platform. Microsoft Intune is included with Microsoft 365 Business Premium and the Microsoft 365 Enterprise plans, so businesses on Microsoft 365 can often manage devices without buying anything new. Other platforms such as VMware Workspace ONE and Jamf serve specific needs, but for most SMEs an existing Microsoft 365 licence is the natural starting point.
Set up in five steps
- Decide scope. List the devices and data that must be managed, including personal phones used for work.
- Choose the platform. For most businesses this is the Microsoft 365 licence you already hold.
- Set policies. Require a passcode, enforce encryption, and define how work and personal data are separated.
- Enrol devices. Roll out enrolment to staff, ideally as part of how new starters are set up.
- Monitor and review. Check compliance, remove access for leavers, and adjust policies as needs change.
Mobile device management works best when it is part of how your business already operates, not a bolt-on. It fits naturally into a remote work IT setup, where staff connect from home, on the road, and on their own devices, and it should be applied the moment a new device is issued rather than months later.
How Do You Remove Company Data From a Leaver’s Device?
You remove it remotely, in minutes, through mobile device management. When a staff member leaves, you revoke their access and use mobile device management to wipe the work data from any enrolled device, including a personal phone, without needing the device in hand.
This is one of the most common gaps in a business without device management. A person resigns, hands back their laptop, and still has live company email syncing to a personal phone that nobody thinks about. Months later that data is still there, on a device you do not control.
With management in place, removing a leaver becomes a checklist step rather than a risk. The work container is wiped, access is cut, and personal content on the device is left untouched. Tying this into the same employee IT onboarding and offboarding process you use for new starters means device access is removed every time someone leaves, not just when someone remembers.
Is Mobile Device Management Worth the Cost for a Small Business?
For most small businesses, yes, and here is the part owners are surprised by: you may already be paying for mobile device management without using it. Microsoft Intune is bundled into the Microsoft 365 plans many SMEs already hold, so the main investment is the time to switch it on and set it up properly, not a large new spend.
The value is easiest to see against a single bad day. One lost phone with unprotected client data can mean a privacy breach, the cost and embarrassment of notifying affected clients, and trust that takes years to rebuild. Weighed against that, managing your devices is cheap insurance.
Will it slow my team down?
Set up well, mobile device management should be invisible to most staff. A passcode and an automatic work profile are the main things people notice, and both are now normal on any modern phone. The aim is protection that runs in the background, not controls that make everyday work harder.
What does a good setup look like?
A good mobile device management setup covers every device that touches company data, separates work from personal cleanly, enforces a sensible security baseline, and ties enrolment and removal into how staff join and leave. It is reviewed regularly so it keeps pace as your business and its devices change.
Take Control of Every Device With Exodesk
Exodesk helps Christchurch, Dunedin, and South Island businesses set up mobile device management that protects company data without getting in your team’s way. Our cyber security specialists can secure the phones, tablets, and laptops you already have, often using the Microsoft 365 licences you are paying for.
Contact us today to discuss how we can help your business or connect with us on LinkedIn to stay updated with more insights.
Frequently Asked Questions
What is mobile device management?
Mobile device management, or MDM, is software that lets a business control every work phone, tablet, and laptop from one place. It enforces security settings, keeps work data separate from personal data, and lets IT lock or erase a device remotely if it goes missing. The same controls apply whether a device is owned by the business or by the employee.
Why does my business need mobile device management?
Your business needs it because phones and tablets now hold the same sensitive data as your computers but leave the building every day. Without management, a lost device or a departing employee can expose client records and emails with no way to remove them. Mobile device management gives you visibility, enforced security, and a fast way to respond when a device goes missing.
What is the difference between MDM and endpoint security?
Mobile device management controls the configuration, access, and data on devices, especially phones, tablets, and personal devices used for work. Endpoint security focuses on defending devices from malware, intrusion, and attacks. They work together: management sets and enforces the rules, while endpoint protection defends against active threats.
Can mobile device management work with personal phones (BYOD)?
Yes. Mobile device management makes BYOD safe by creating a separate work profile or container on the personal device. Company email, files, and apps sit inside that protected space, while personal photos, messages, and apps stay outside it. The business controls only the work side and never sees personal content.
Can my employer see my personal data on a managed phone?
No, not when a work profile is used. The business can manage and wipe only the work container, not your personal messages, photos, or app activity. This separation is why most staff accept bring your own device, and a good provider will make the boundary clear during setup.
What happens if a managed device is lost or stolen?
IT follows a response chain of locate, lock, and wipe. The device can be located where supported, locked remotely so no one can open it, and wiped to remove company data. Because work data is separated on personal phones, a wipe can remove only the company container and leave personal content untouched.
What is remote wipe?
Remote wipe is the ability to erase data on a device from a distance, without physical access to it. On a managed personal phone it can remove just the work container, and on a company device it can erase everything. It is the control that protects company data when a device is lost, stolen, or held by a former employee.
Do I need extra software to manage devices?
Often not. Microsoft Intune is included with Microsoft 365 Business Premium and the Microsoft 365 Enterprise plans, so many businesses can manage devices using a licence they already hold. Other platforms exist for specific needs, but for most New Zealand SMEs an existing Microsoft 365 subscription is the natural starting point.
How does mobile device management help with the Privacy Act?
Mobile device management helps you meet your obligation to keep personal information secure and to respond to incidents. You can show that devices were encrypted and passcode-locked, that access was removed when staff left, and that a lost device could be wiped. That evidence supports compliance under the Privacy Act 2020 and is increasingly expected by cyber insurers.
How long does it take to set up mobile device management?
For a typical small business it can be set up in a matter of days once the platform and policies are agreed. The main work is deciding scope, setting sensible policies, and enrolling devices. Rolling enrolment into how new staff are set up keeps it simple and ensures no device is left unmanaged over time.

