Selective wipe is the removal of corporate data and managed applications from a device without erasing the user’s personal content. It is useful in mixed-use mobile environments because it limits business loss while preserving the user device where appropriate.
Expanded Definition
Selective wipe is a targeted device-remediation action used in endpoint and mobile device management to remove organisational data, managed apps, access tokens, and related cached content while leaving personal photos, messages, and other private content intact. In security programmes, it is usually associated with bring-your-own-device, contractor, and mixed-use device models, where full device erasure would be disproportionate or operationally disruptive.
Its scope is narrower than a factory reset, but broader than simply disabling an account. A well-executed selective wipe should break the organisation’s data path on the device, including offline copies and synchronised business content, without assuming that every app or storage location is under enterprise control. That is why it depends on policy enforcement, application management, and identity lifecycle processes working together. The NIST Cybersecurity Framework 2.0 is relevant because selective wipe supports asset protection, access revocation, and incident response outcomes.
Definitions vary across vendors on whether a selective wipe also revokes device certificates, removes only managed accounts, or triggers app-level deletion through a mobile application management policy. The most common misapplication is treating selective wipe as a complete security reset, which occurs when organisations assume all corporate traces are removed even though unmanaged copies, shared storage, or third-party backups remain.
Examples and Use Cases
Implementing selective wipe rigorously often introduces administrative complexity, because organisations must coordinate identity, endpoint, and application controls to remove corporate data without damaging legitimate personal use.
- A consultant leaves a project and the security team removes only managed email, documents, and collaboration app data from a personally owned phone.
- An employee reports a lost tablet, and the organisation uses selective wipe on cloud-synced work profiles while preserving the family’s personal media library.
- A contractor’s access is terminated, and the device management platform clears cached SSO tokens and managed browser data tied to corporate services.
- A regulated business responds to a policy breach by removing business records from a shared mobile device while keeping non-corporate applications intact.
- A phishing investigation identifies a compromised account, and selective wipe is used alongside credential reset to remove stored session data and managed app content.
For mobile and endpoint teams, NIST guidance on mobile device security helps frame the operational boundaries for device control, data separation, and remote response. Selective wipe is most effective when corporate data is clearly partitioned from personal data and when managed apps are configured to honour remote data removal commands. In practice, that means testing whether offline files, email attachments, and app caches are actually reachable by the wipe process. It also means confirming whether the target device is under MDM, MAM, or a hybrid management model before assuming the action will succeed.
Why It Matters for Security Teams
Selective wipe matters because it lets security teams respond decisively to loss, offboarding, or compromise without creating unnecessary user disruption or legal exposure from over-collection of personal data. For identity and access teams, it is closely linked to credential revocation, session invalidation, and device trust decisions: removing data without ending access can leave synchronised services exposed, while overreaching can destroy evidence or violate privacy expectations.
It is also important for governance. If a policy promises data separation but the underlying app stack stores business content in unmanaged locations, the organisation may believe it has cleaned a device when residual risk still exists. That gap becomes more significant in mixed-use environments and in agentic AI workflows where mobile devices may hold authentication material for enterprise copilots or automation tools. Guidance from CIS Controls is useful here for aligning device management, asset handling, and account control discipline.
Organisations typically encounter the real limitations of selective wipe only after a lost-device incident, a disputed offboarding, or a data-removal request reveals that corporate content persisted outside the managed container, at which point selective wipe becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Selective wipe supports access revocation when a device or account must no longer trust enterprise data. |
| NIST SP 800-53 Rev 5 | MP-6 | Media sanitization aligns with removing organisational data from a device without erasing personal content. |
| NIST SP 800-63 | Credential lifecycle guidance is relevant because selective wipe often accompanies token and authenticator revocation. | |
| NIST Zero Trust (SP 800-207) | Zero trust depends on continuous trust withdrawal when a managed device can no longer be relied on. | |
| OWASP Non-Human Identity Top 10 | Managed app tokens and secrets on devices can be exposed if selective wipe does not reach NHI material. |
Pair selective wipe with authenticator revocation and session termination during offboarding or compromise response.
Related resources from NHI Mgmt Group
- Who is accountable when a valid admin identity is used to wipe devices at scale?
- Who is accountable when a compromised privileged account triggers remote wipe?
- Who is accountable when a management plane is used to wipe endpoints at scale?
- What failed when attackers used Intune to wipe enterprise endpoints?