Designate trusted wipe contacts
Authorize specific SecurePhone identities—such as a spouse, security officer, or duress contact—to request a wipe without entering the administrator portal.
SP-REMOTE · SELF-HOSTED
SecurePhone supports peer-authorized wipe requests, administrator actions, server-side credential revocation, subscription lockout, and one-time reactivation. The erase scope stays explicit: Global Chat data on ordinary installs, or a whole-device reset when an enrolled Device Owner path is available.
Pixel 8 · field-07Last sync 2 minutes ago
AT RISKServer credentialsAccount + device tokens
RevokedDevice commandAvailable erase scope
QueuedReplacement activationFresh OMEMO bundle
ReadyA good loss workflow does not depend on a single administrator being online. It distinguishes local erase, whole-device reset, server revocation, and later recovery instead of calling every action ‘wipe.’
Authorize specific SecurePhone identities—such as a spouse, security officer, or duress contact—to request a wipe without entering the administrator portal.
IT can revoke an enrolled user and issue the appropriate erase command from management, with server access severed even while the endpoint is offline.
When service expires, server-side credentials rotate and the app enters lockout on its next successful sync instead of retaining indefinite access.
Issue a new single-use activation, invalidate the old endpoint, and establish fresh device credentials and an independent OMEMO bundle.
The sequence is designed for a device that may be offline, stolen, damaged, or already outside administrator control.
A trusted peer or administrator starts the action through their permitted surface.
Account and device credentials are invalidated so an offline endpoint cannot resume normal service later.
Ordinary installs clear Global Chat data; properly enrolled Device Owner phones can receive a whole-device reset command.
After identity checks, provision a new one-time activation and restore only the services the replacement device needs.
Server-side revocation can happen immediately. Local erase still requires the endpoint to receive or execute the command, and whole-device factory reset requires managed Device Owner authority.
See Panic WipeAn offline device cannot acknowledge or execute an erase command until it reconnects.
Global Chat data wipe and whole-device factory reset are separate actions.
The separate emergency control performs an immediate Device Owner reset from the phone itself.
Apps, policy, eSIM, and identity may need to be provisioned again on the replacement endpoint.
Define who can trigger an action, what gets revoked, which devices can factory-reset, and how a legitimate user returns afterward.
Configure yours