SECURITY

MDM in financial services: stopping data leaving the building

In a financial firm, the most valuable thing isn’t the hardware — it’s the data on it. Client records, positions, advice, correspondence. Every laptop and phone that touches that data is a way it can walk out of the building: lost on a train, left in a taxi, kept by a leaver, or quietly synced to a personal account.

Mobile device management (MDM) — Microsoft Intune in most Microsoft 365 estates — is how you keep control of the data without trying to chain down the devices. Here’s what matters, and why it’s not optional for a regulated firm.

Why financial services especially

Two reasons. First, the data is sensitive and often regulated — its loss can mean a reportable breach, an FCA conversation, and real harm to clients. Second, regulators expect you to be able to show control: who can access what, on which devices, and what happens when something goes wrong. “We trust our staff” is not a control.

What good device management actually does

  • Enrolment and inventory: every device that accesses company data is known, enrolled and accounted for. Unmanaged devices simply don’t get in.
  • Compliance policies: disk encryption (BitLocker on Windows, FileVault on macOS) enforced, screen locks, minimum OS versions, no jailbroken or rooted devices. A device that fails a check is marked non-compliant, and that status is what the next control acts on; on its own a compliance policy only reports.
  • Conditional Access: the linchpin. Access to email and data is granted only from a managed, compliant, MFA-authenticated device. A password alone, on an unknown laptop, gets nowhere, and a device that drops out of compliance loses access automatically.
  • App protection policies: on phones especially, work data is contained inside managed apps: no copy-paste into personal apps, no saving to personal cloud storage, no forwarding to a personal address. Personal and work data stay separate.
  • Remote wipe: when a device is lost or someone leaves, you remove the company data the same day. On personal (BYOD) devices that is a selective wipe of the managed apps and their data only; on company devices it is a full wipe.
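As an added example, not the article's own material or any real firm's configuration, the two controls that do the heavy lifting above (a compliance policy and the Conditional Access rule that enforces it) can be created through Microsoft Graph with the Microsoft Graph PowerShell SDK. The display names, the minimum OS build and the break-glass group ID are placeholders to replace; the policy is deliberately created in report-only state.

```powershell
# Added example, not the article's own configuration. Assumes the Microsoft Graph PowerShell SDK
# (Install-Module Microsoft.Graph.Authentication) and an Intune/Entra admin with the scopes below.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All', 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'
$graph = 'https://graph.microsoft.com/v1.0'
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # ASSUMPTION: your emergency-access admins group

# 1. Compliance policy: what "healthy" means for a Windows laptop.
$compliance = @{
    '@odata.type'            = '#microsoft.graph.windows10CompliancePolicy'
    displayName              = 'FS baseline - Windows'            # placeholder name
    bitLockerEnabled         = $true     # BitLocker on, as reported by Device Health Attestation
    secureBootEnabled        = $true
    codeIntegrityEnabled     = $true
    storageRequireEncryption = $true
    passwordRequired         = $true
    passwordRequiredType     = 'alphanumeric'
    passwordMinimumLength    = 12
    passwordMinutesOfInactivityBeforeLock = 10
    osMinimumVersion         = '10.0.19045'   # ASSUMPTION: the oldest build you still support
    # Without a scheduled action the policy only reports. gracePeriodHours = 0 marks the device
    # non-compliant immediately, which is the status Conditional Access keys on.
    scheduledActionsForRule  = @(@{
        ruleName = 'PasswordRequired'
        scheduledActionConfigurations = @(@{ actionType = 'block'; gracePeriodHours = 0; notificationTemplateId = '' })
    })
}
$policy = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies" `
    -Body ($compliance | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# Assign it to every device. Pair this with the tenant setting "Mark devices with no compliance
# policy assigned as: Not compliant", otherwise an unassigned device counts as healthy.
$assign = @{ assignments = @(@{ target = @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } }) }
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" `
    -Body ($assign | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# 2. Conditional Access: the rule that turns "non-compliant" into "no access".
$ca = @{
    displayName = 'Require compliant device and MFA for Microsoft 365'
    # Start in report-only and read the sign-in logs for a week before switching to 'enabled';
    # a mistake here locks out the whole firm, not one user.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('Office365') }
        clientAppTypes = @('all')    # legacy clients cannot present either control, so they are blocked too
    }
    grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'compliantDevice') }
}
$caPolicy = Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" `
    -Body ($ca | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# 3. Read it back and check the two things that matter before anyone flips it to enabled.
$check = Invoke-MgGraphRequest -Method GET -Uri "$graph/identity/conditionalAccess/policies/$($caPolicy.id)"
if ($check.conditions.users.excludeGroups -notcontains $breakGlassGroupId) { throw 'Break-glass group is not excluded' }
if ($check.grantControls.operator -ne 'AND') { throw 'Controls must be ANDed: MFA alone must not be enough' }
"Compliance policy $($policy.id) and Conditional Access policy $($caPolicy.id) ($($check.state)) created."
```

The order matters: create and assign the compliance policy first, let devices check in and report, then enable the Conditional Access rule. Enabling the rule while most of the estate is still "not evaluated" produces the same outcome for staff as losing the identity provider.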

The leaver problem

The highest-risk moment is the day someone leaves. Without device management, their laptop and phone may still hold a full copy of client data and live access for days. With it, offboarding is a checklist that runs the same day: the account is disabled, existing sign-in sessions are revoked (disabling alone leaves already-issued tokens working until they expire), and company data is removed from every enrolled device. It is part of the process, not a favour someone remembers to do.
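The leaver checklist above as an added example, not the article's own tooling: one function that disables the account, revokes sessions and then retires or wipes each enrolled device according to who owns it, all through Microsoft Graph with the Microsoft Graph PowerShell SDK. The UPN is a placeholder for whatever the offboarding ticket supplies.

```powershell
# Added example, not the article's own tooling. Assumes the Microsoft Graph PowerShell SDK and
# an admin with the scopes below. The UPN is a placeholder.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'DeviceManagementManagedDevices.Read.All',
                        'DeviceManagementManagedDevices.PrivilegedOperations.All'

function Invoke-LeaverOffboarding {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $graph = 'https://graph.microsoft.com/v1.0'
    $user  = Invoke-MgGraphRequest -Method GET -Uri "$graph/users/$UserPrincipalName"

    # 1. Disable the account so no new tokens can be issued.
    Invoke-MgGraphRequest -Method PATCH -Uri "$graph/users/$($user.id)" `
        -Body (@{ accountEnabled = $false } | ConvertTo-Json) -ContentType 'application/json'

    # 2. Revoke refresh tokens. Disabling alone leaves already-issued access tokens valid until
    #    they expire (up to an hour by default), so this is the step that ends live sessions.
    Invoke-MgGraphRequest -Method POST -Uri "$graph/users/$($user.id)/revokeSignInSessions" | Out-Null

    # 3. Remove company data from every enrolled device. retire = selective wipe (managed apps
    #    and their data only) for personal devices; wipe = full reset for company-owned ones.
    $devices = (Invoke-MgGraphRequest -Method GET `
        -Uri "$graph/deviceManagement/managedDevices?`$filter=userPrincipalName eq '$UserPrincipalName'").value
    $actions = foreach ($d in $devices) {
        $action = if ($d.managedDeviceOwnerType -eq 'company') { 'wipe' } else { 'retire' }
        Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/managedDevices/$($d.id)/$action" | Out-Null
        [pscustomobject]@{ Device = $d.deviceName; Owner = $d.managedDeviceOwnerType; Action = $action }
    }

    # 4. Return a record for the offboarding ticket: what was done, to which devices, and when.
    [pscustomobject]@{
        User       = $user.userPrincipalName
        DisabledAt = (Get-Date).ToUniversalTime()
        Devices    = @($actions)
    }
}

Invoke-LeaverOffboarding -UserPrincipalName 'leaver@example.com' | Format-List   # placeholder UPN
```

Two caveats a practitioner would add. A wipe or retire is a command queued for the device's next check-in, not something that happens the instant you run it; until then the data at rest is protected only by the disk encryption the compliance policy enforced, which is why the two controls belong together. And for a contentious departure, preserve what you need first (mailbox and OneDrive retention or a legal hold, an image of the laptop if it may be evidence), because a full wipe is not an investigation.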

BYOD without losing sleep

Most firms can’t issue every contractor and adviser a managed laptop. App protection policies (Intune’s mobile application management) let people use their own phones for work email without enrolling the whole device: work data stays walled off inside managed apps such as Outlook and can be wiped from those apps alone. You protect the data without owning the device or reaching into someone’s personal life.
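An app protection policy of the kind described here and in the list above, as an added example rather than the article's own configuration: an iOS policy that keeps work data inside managed apps, protects it with an app PIN and wipes it from apps that stay offline too long, created through Microsoft Graph with the Microsoft Graph PowerShell SDK. The group ID, display name and minimum iOS version are placeholders.

```powershell
# Added example, not the article's own configuration. Assumes the Microsoft Graph PowerShell SDK;
# the group ID is a placeholder for the advisers/contractors group the policy is assigned to.
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'
$graph   = 'https://graph.microsoft.com/v1.0'
$groupId = '00000000-0000-0000-0000-000000000000'   # ASSUMPTION: BYOD users group

# 1. The policy: what managed apps may do with work data on an unenrolled personal iPhone.
$mam = @{
    displayName = 'FS - iOS app protection (BYOD)'   # placeholder name
    # Containment: work data moves only between Intune-managed apps, never into personal ones.
    allowedInboundDataTransferSources       = 'managedApps'
    allowedOutboundDataTransferDestinations = 'managedApps'
    allowedOutboundClipboardSharingLevel    = 'managedAppsWithPasteIn'  # paste in from anywhere; copy out only to managed apps
    allowedDataStorageLocations             = @('oneDriveForBusiness', 'sharePoint')  # no "Save as" to iCloud or local files
    saveAsBlocked                           = $true
    dataBackupBlocked                       = $true   # no iCloud/iTunes backup of app data
    printBlocked                            = $true
    contactSyncBlocked                      = $true
    managedBrowserToOpenLinksRequired       = $true
    # Access: an app PIN independent of the device PIN, re-checked online, plus a dead-man switch
    # that wipes work data from an app that has been offline too long (the phone lost in a drawer).
    pinRequired                       = $true
    minimumPinLength                  = 6
    simplePinBlocked                  = $true
    maximumPinRetries                 = 5
    periodOnlineBeforeAccessCheck     = 'PT30M'
    periodOfflineBeforeAccessCheck    = 'PT12H'
    periodOfflineBeforeWipeIsEnforced = 'P30D'
    deviceComplianceRequired          = $true     # jailbroken devices are refused
    appDataEncryptionType             = 'whenDeviceLocked'
    minimumRequiredOsVersion          = '16.0'    # ASSUMPTION: the oldest iOS you accept
}
$policy = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections" `
    -Body ($mam | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# 2. Which apps the policy applies to, by iOS bundle ID: Outlook and OneDrive here.
$apps = @{ apps = @(
    @{ mobileAppIdentifier = @{ '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'; bundleId = 'com.microsoft.Office.Outlook' } }
    @{ mobileAppIdentifier = @{ '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'; bundleId = 'com.microsoft.skydrive' } }
) }
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$($policy.id)/targetApps" `
    -Body ($apps | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# 3. Assign it to the BYOD group.
$assign = @{ assignments = @(@{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $groupId } }) }
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$($policy.id)/assign" `
    -Body ($assign | ConvertTo-Json -Depth 10) -ContentType 'application/json'
"App protection policy $($policy.id) created, targeted at Outlook and OneDrive, and assigned."
```

Two things to check once it exists. The policy only governs the apps it targets; unless a Conditional Access rule also requires an approved client app or app protection policy for Exchange Online, staff can still add the mailbox to the built-in iOS Mail app and sidestep it entirely. And because these phones are not enrolled, the leaver-day selective wipe for them is issued against the app registration (Apps > App selective wipe in the Intune admin center), not against a managed device.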

The point

Device management isn’t about distrust or surveillance. It’s about making sure that when a device is lost — and eventually one will be — it’s an inconvenience, not a data-loss incident and a regulatory notification. For a financial firm, that difference is the whole game, and it’s one of the first things we put right on an estate.

Next step

Want technology you can stop thinking about?

A 30-minute call, no obligation. We’ll tell you plainly whether we can help.
