
Verizon shipped a store demo phone with active MDM and then remotely wiped it

arstechnica.com · @systems_wire · 4 hours ago · Technology Policy · 1 comment

Tom Collery's Samsung Galaxy Z Flip7 was a store demo unit with active remote management; Verizon wiped its data two weeks later.


A Samsung Galaxy Z Flip7 shipped as a Verizon replacement had an active Mobile Device Management (MDM) profile that let the carrier remotely wipe everything on it—and that's exactly what happened to Tom Collery two weeks after he started using it.

Collery called Verizon in February about dropped calls. Verizon sent him a “refurbished” replacement. What arrived was a store demo unit, a device designed to sit on a sales floor, locked down with the same MDM software used to manage company-owned fleets. Someone forgot to factory-reset it properly.

How a 'Refurbished' Phone Still Had Full Remote Admin Access

MDM profiles give an organization complete control: remote wipe, app management, configuration enforcement. On a demo unit that profile stays active unless deliberately removed. Verizon’s refurbishment pipeline apparently skipped that step.

Collery used the phone for a couple of weeks. Then one day, all his data vanished—photos, contacts, app data, everything. The MDM server sent a wipe command, and the phone obeyed. From the carrier’s perspective, it was just retiring a demo asset; from Collery’s, it was a total data loss event with zero warning.

What Happens When a Demo Unit Goes Out the Door

This isn't a subtle software bug. It’s a failure in physical device lifecycle management. Verizon's process for certifying a phone as “refurbished” should include verifying that no enterprise management profiles remain. That didn’t happen. The result is a customer who trusted a carrier-supplied device and got burned.

MDM itself isn’t the villain—it’s a legitimate tool for IT departments. The problem is that consumers have no way to detect a hidden enrollment profile on a phone that looks brand new in the box. By the time you notice, your data is already in someone else’s command queue.

The Consequence Carriers Shouldn’t Ignore

Verizon now has a PR problem and a process problem. Collery’s story is a textbook case of why refurbishment checklists must include MDM enrollment verification as a hard gate. If a demo unit can slip through, so can any other corporate-managed device that wasn’t properly decommissioned.

Expect this to revive scrutiny of how carriers handle device returns, trade-ins, and warranty replacements. The next time you order a “like new” phone from your carrier, you might want to check for a management profile before you move your data over.
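
One way a refurbishment bench could enforce that hard gate on Android, as an added example that is not from the original article or from Verizon's process. It assumes a recent Android build where `adb shell dpm list-owners` prints `no owners` on an unmanaged device and one `admin=<component>` line per owner otherwise; the package name in the sample is hypothetical, and only device-owner and profile-owner enrollment is covered.

```shell
#!/bin/sh
# Added example: fail-closed refurbishment gate on Android management enrollment.
# Assumption: `adb shell dpm list-owners` prints "no owners" when unmanaged and
# "User N: admin=<component>,<OwnerType>" for each device or profile owner.

# classify_owners TEXT -> prints CLEAN, MANAGED:<components>, or UNKNOWN
classify_owners() {
    text=$(printf '%s\n' "$1" | tr -d '\r')   # adb output can carry CRs
    admins=$(printf '%s\n' "$text" |
        sed -n 's/.*admin=\([^,[:space:]]*\).*/\1/p' | sort -u | paste -sd' ' -)
    if [ -n "$admins" ]; then
        echo "MANAGED:$admins"
    elif printf '%s\n' "$text" | grep -qix '[[:space:]]*no owners[[:space:]]*'; then
        echo "CLEAN"
    else
        # Empty output, an error message, or an unsupported command:
        # the device has not been proven unmanaged, so it must not pass.
        echo "UNKNOWN"
    fi
}

# gate TEXT -> prints the verdict; exit status 0 only for a provably clean device
gate() {
    verdict=$(classify_owners "$1")
    echo "$verdict"
    [ "$verdict" = "CLEAN" ]
}

# Constructed sample outputs (not captured from a real device)
SAMPLE_MANAGED='1 owner:
User  0: admin=com.example.retaildemo/.AdminReceiver,DeviceOwner'
SAMPLE_CLEAN='no owners'
SAMPLE_ERROR='Unknown command: list-owners'

# Live use on the bench, with one device attached over USB debugging:
#   gate "$(adb shell dpm list-owners 2>&1)" || echo "HOLD: do not ship"
```

The gate treats anything other than an explicit `no owners` answer as a failure, so a device that cannot be queried is held rather than shipped.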


Source: Verizon sent man a refurbished phone with MDM, then deleted his data remotely
Domain: arstechnica.com
