Properly Offboarding Employees
Employers and their employees part ways for all sorts of reasons. People may move on because of a contract’s completion, to take a new job, or because they’re retiring. Employees may also leave due to being laid off or fired. Whatever the reason, offboarding—the process of managing an employee’s departure from an organization—is essential.
Without a systematic offboarding protocol, organizations face significant risks related to data security, device mismanagement, operational disruptions, and compliance violations. In a particularly troubling example, a fired employee allegedly hacked Disney World’s menu creation system, changing prices, adding profanity, and—most problematically—adjusting allergen information in ways that could have caused someone allergic to peanuts to order food that contained them.
Obviously, offboarding has various administrative aspects. We’ll focus on those associated with technical infrastructure, but it’s also important to consider how you’ll communicate internally about the departure and any human resources and legal matters.
Our overarching advice regarding offboarding is to establish a formal protocol so everyone knows what’s involved. That’s particularly important for departures that happen with little notice. When building your offboarding plan, consider these three parts of the process: revoking access, retrieving devices, and preserving the organization’s data.
Revoke Digital Access
When offboarding an employee, the most important thing to consider is how you’ll revoke their digital access to organizational resources such as email, a shared password manager, and core service accounts. For those who are retiring or staying to train their replacement, access revocation can proceed gradually on a schedule. This approach provides sufficient time to transition ongoing projects and communications.
However, in most cases, it’s safest to revoke access immediately, especially when an employee has been terminated involuntarily due to layoffs, performance problems, or misconduct, or when dealing with employees in high-security roles, such as IT administrators, members of the legal team, or high-ranking executives. Even if their departure isn’t contentious, the risk of data leakage is too high.
MDM—mobile device management—is important because it enables administrators to revoke access to organization-managed email accounts, VPNs, Wi-Fi networks, and cloud services. If a device isn’t returned, an MDM platform can remotely lock, wipe, or reset it.
Using an identity provider like Google Workspace, Microsoft Entra ID, or Okta with single sign-on makes revoking access even more straightforward. These services tie access to an organization’s apps, resources, and devices to a single login, so deactivating a departing employee’s account in the identity provider cuts off access to every connected system. Two caveats apply. Deactivation blocks new sign-ins but does not always end sessions that are already signed in, so also revoke the account’s active sessions and tokens where the provider offers that. And anything that isn’t behind single sign-on, including shared credentials the employee knew, must be handled separately, which usually means changing those passwords.
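As an added example (not code from the original article), here is what immediate revocation looks like for one Microsoft Entra ID user with the Microsoft Graph PowerShell module. It assumes the module is installed and that you sign in as an administrator holding the User.ReadWrite.All permission; the user principal name is a placeholder. The point it demonstrates is the one above: disabling the account and revoking existing sessions are two separate steps.

```powershell
# Added example: immediate offboarding of one Entra ID user with the
# Microsoft Graph PowerShell module. Not code from the original article.
# Assumes the module is installed and that you sign in as an administrator
# who holds User.ReadWrite.All. The user principal name is a placeholder.

$Upn = 'departing.employee@example.com'

Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

# 1. Block new sign-ins. On its own this does not end sessions that are
#    already signed in; tokens that were already issued remain valid until
#    they expire.
Update-MgUser -UserId $Upn -AccountEnabled:$false

# 2. Invalidate the user's refresh tokens and browser sessions so that every
#    device and app has to re-authenticate, which now fails because the
#    account is disabled.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 3. Verify the result rather than assuming it.
$user = Get-MgUser -UserId $Upn -Property 'accountEnabled','displayName'
if ($user.AccountEnabled) {
    throw "Account for $($user.DisplayName) is still enabled; stop and investigate."
}
Write-Host "Sign-ins blocked and sessions revoked for $($user.DisplayName)."
```

Run it as the first step of an involuntary departure, then move on to the MDM actions (lock, retire, or wipe) and to rotating any shared passwords the person knew, since neither of those is covered by the identity provider alone.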
Retrieve Organization Devices
Another key aspect of your offboarding plan should revolve around retrieving organization-owned devices. Even if you can use MDM to revoke access, you need to get your devices back so they can be given to other employees or held in reserve as backups.
Having devices enrolled in Apple Business Manager lets you turn off Activation Lock on any supervised device, whether it was turned on with a Managed Apple Account or a personal Apple Account. Without Apple Business Manager, you may have to work with the employee to regain access to the device. If that’s not possible, Apple support may be able to unlock the device if you can provide proof of purchase and ownership.
To ensure you don’t end up in such an awkward situation, follow these best practices when using Apple Business Manager:
Make sure to purchase Apple devices through Apple Business Manager-compatible channels (Apple or an authorized reseller) so they are added to your organization automatically.
Use Automated Device Enrollment to ensure that devices are supervised and managed by MDM out of the box.
Rely on Managed Apple Accounts, ideally federated to your identity provider, rather than personal Apple Accounts.
Note that you may not need Apple Accounts on the devices at all.
Preserve Organization Data and Communications
Finally, think about what the departing employee was doing. You’ll want to transfer or archive everything they worked on, including their organizational email account. In most cases, someone else will have to take over their responsibilities and may need access to emails, files, contacts, and more.
Email requires additional thought. You’ll probably want to forward the departing employee’s email to whoever is taking over. If that’s not feasible, set up an auto-reply explaining that the employee is no longer available and providing alternative contacts. In that case, it’s also worth scanning the incoming email periodically to ensure essential communications aren’t being missed.
Next Steps
If you don’t have an offboarding procedure and policy, we recommend developing one soon so that you aren’t exposed to data loss, device mismanagement, or operational disruptions. It’s one of those tasks that’s easy to put off until it’s too late, at which point you have to scramble. We’re happy to discuss the tech-specific aspects when you’re ready.
Of course, if you’re not already using Apple Business Manager and an MDM solution, setting them up is even more pressing. Contact us to discuss what’s involved.