You’ve suspended the user. You’ve changed their password. You’ve transferred their Drive files to a manager. Job done, right?

Wrong.

If your offboarding checklist ends at the Google Admin Console password reset, you haven’t closed the door. You’ve just locked the front gate while leaving the side window wide open.

In the modern workplace, access doesn’t just live in a password; it lives in local caches, synced folders, and “zombie” tokens that persist long after an employee has left the building. For IT admins, the challenge isn’t just stopping the user from logging in again; it’s about scrubbing the data they’ve already taken with them.

Here is why your offboarding process needs to go deeper than a password reset, and why you need to wipe mobile company devices properly.

The device in their pocket: A data liability

We often think of Google Workspace as purely cloud-based. But to make work seamless, our phones and tablets aggressively cache data for offline access. Email attachments, Drive files, and corporate contact lists often sit locally on a device.

When an employee leaves, that data doesn’t magically vanish just because their account is suspended.

Many data protection regulations, such as GDPR and HIPAA, require you to demonstrate that you have taken all reasonable steps to secure sensitive data. Leaving a local cache of patient records or client contracts on an ex-employee’s personal phone is a compliance nightmare waiting to happen.

You need to sever the connection completely:

  • On Android: You must remove the entire Work Profile. This deletes the corporate Google Workspace account, all work-related apps, and every byte of associated corporate data, without touching their personal photos or apps.
  • On iPhone: You need to trigger a wipe that removes the corporate account and any apps installed via your Mobile Device Management (MDM) profile.

Chromebooks aren’t innocent either

There is a common misconception that Chrome OS devices are purely “terminals” with no local footprint. However, Chromebooks store local copies of synced files, downloaded documents, and browsing history associated with the user’s corporate profile.

If you don’t remotely wipe the device, the next person to open that laptop – or the ex-employee, if they haven’t returned it yet – could technically access cached sensitive information. You need to trigger a remote command that destroys the leaver’s local data entirely.

The silent killer: Zombie access (OAuth and ASPs)

Perhaps the scariest gap in manual offboarding is “zombie access”: connections that survive a password change.

  1. OAuth Tokens: Think about how many apps use “Sign In with Google.” When a user connects a third-party app, Google issues an OAuth token. If you only change the main password, the third-party application often holds onto a “Refresh Token.”

This token can be used by the app’s server to silently generate new Access Tokens 24/7. This effectively keeps the data connection alive indefinitely. An ex-employee could continue to read and write data to your corporate Drive or sync emails through that third-party app, bypassing your main Google login barrier entirely. You must revoke these tokens explicitly.

  2. Application Specific Passwords (ASPs): Older applications that don’t support modern OAuth use ASPs. These bypass 2FA and the main Google password. If a user has an email client set up on a personal phone using an ASP, and you don’t revoke it, that phone can keep pulling data even after you’ve locked the main account.
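
The following added example, which is not from the original article or CloudM's product, turns the responses of the Google Admin SDK Directory API's `tokens.list` and `asps.list` calls into the `DELETE` requests that revoke each grant, with mail and Drive grants ordered first. The sample responses, client IDs and the `revocation_plan` helper are constructed for illustration; the requests are built but not sent.

```python
from urllib.parse import quote

BASE = "https://admin.googleapis.com/admin/directory/v1/users"
# Scope prefixes that expose mail or Drive content (the data the article worries about).
DATA_SCOPES = ("https://mail.google.com/",
               "https://www.googleapis.com/auth/gmail",
               "https://www.googleapis.com/auth/drive")

def revocation_plan(user_key, tokens_response, asps_response):
    """Map tokens.list / asps.list responses to the calls that remove each grant."""
    user = quote(user_key, safe="")
    plan = []
    for tok in tokens_response.get("items", []):
        # A token is data-bearing if any granted scope reaches mail or Drive.
        risky = any(s.startswith(DATA_SCOPES) for s in tok.get("scopes", []))
        client = quote(tok["clientId"], safe="")
        plan.append({
            "kind": "oauth_token",
            "label": tok.get("displayText", tok["clientId"]),
            "data_access": risky,
            "request": ("DELETE", f"{BASE}/{user}/tokens/{client}"),
        })
    for asp in asps_response.get("items", []):
        plan.append({
            "kind": "asp",
            "label": asp.get("name", str(asp["codeId"])),
            "data_access": True,  # per the article, an ASP keeps pulling data after lockout
            "request": ("DELETE", f"{BASE}/{user}/asps/{asp['codeId']}"),
        })
    # Stable sort: data-bearing grants are revoked first.
    plan.sort(key=lambda step: not step["data_access"])
    return plan

# Constructed sample responses (not real data).
SAMPLE_TOKENS = {"items": [
    {"clientId": "1111.apps.example", "displayText": "Notes App",
     "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"]},
    {"clientId": "2222.apps.example", "displayText": "Mail Sync Tool",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"]},
]}
SAMPLE_ASPS = {"items": [{"codeId": 7, "name": "Personal phone mail client"}]}

if __name__ == "__main__":
    for step in revocation_plan("leaver@example.com", SAMPLE_TOKENS, SAMPLE_ASPS):
        print(step["kind"], step["label"], *step["request"])
```

Listing again after the deletes and confirming both lists come back empty gives you evidence for the leaver's offboarding record.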

Close the gaps automatically

Trying to remember all these steps manually for every leaver is a recipe for burnout and mistakes. A manual process is slow, resource-intensive, and prone to human error. All it takes is one forgotten OAuth token or one unwiped tablet to create a security breach.

CloudM Automate solves this by letting you build a rigorous, secure offboarding workflow that executes over 30 steps automatically. You can set it to wipe mobile devices, revoke all tokens, remove ASPs, and transfer data the moment a user is marked as a leaver.

It ensures you don’t just lock the gate; you clear the building.

Ready to secure your offboarding process with CloudM?

Book a call with our Automate specialists today
