According to certain aspects of the present disclosure, a computer-implemented method is provided that includes detecting a malicious activity or a security event on a managed device. The method includes adding the managed device to a group. The method includes removing a user configuration profile from, and transmitting a security configuration profile to, the managed device. The method includes placing the managed device in a protect state to notify and forcibly log out the end user. The method includes notifying the end user that access is prohibited. The method includes clearing the managed device from being in the protect state after remediation of the malicious activity or the security event. The method includes removing, responsive to clearing the managed device from being in the protective state, the security configuration profile from, and transmitting the user configuration profile to, the managed device. Systems and machine-readable media are also provided.