Every new phone, tablet, or laptop ships with default settings that prioritize convenience over security. Bluetooth is broadcasting. Wi-Fi auto-connects to any network it recognizes. Your lock screen timeout is too long. App permissions are wide open. None of this is malicious — it’s just how manufacturers ship devices to reduce friction during setup. But it means your first 10 minutes with a new device should be spent locking it down.

Minute 1-2: Set a strong passcode and enable biometrics. Skip the 4-digit PIN. Use a 6-digit minimum or, better, an alphanumeric password. Then enable Face ID or fingerprint authentication on top of it. The passcode is your fallback — biometrics are your daily driver. On Android, avoid pattern unlock — it’s the easiest to shoulder-surf.

Minute 3-4: Enable device encryption. On iOS, encryption is automatic when you set a passcode — there’s nothing extra to do. On Android, go to Settings → Security → Encryption and verify it says ‘Encrypted.’ On Windows laptops, enable BitLocker (Pro/Enterprise) or device encryption (Home). On Mac, turn on FileVault in System Settings → Privacy & Security.

Minute 5-6: Configure auto-lock and auto-updates. Set your screen to lock after 30 seconds to 1 minute of inactivity — not 5 minutes. Then go to Software Update settings and turn on automatic updates for both the OS and apps. Unpatched devices are the number one entry point for endpoint attacks.

Minute 7-8: Audit app permissions. Go to Settings → Privacy (iOS) or Settings → Apps → Permissions (Android). Review which apps have access to your camera, microphone, location, contacts, and photos. Revoke anything that doesn’t need it. Your flashlight app does not need access to your contacts. Your weather app does not need your microphone.

Minute 9-10: Set up remote wipe and disable unnecessary radios. Enable Find My iPhone or Find My Device (see our Remote Wipe guide). Turn off Bluetooth when you’re not using it — Bluetooth relay attacks are real. Disable Wi-Fi auto-join for open networks. On Android, turn off NFC if you don’t use contactless payments.

This 10-minute routine should happen on every device you buy, every device your employees receive, and every device you hand your kids. It’s not comprehensive endpoint security — it’s the baseline. Everything else (MDM enrollment, policy enforcement, compliance monitoring) builds on top of these fundamentals.