
Offboarding Checklist: The Anatomy of the Perfect BetterCloud Offboarding Workflow

Michael Stone

October 10, 2019


Our customers frequently ask us what a perfect offboarding workflow should look like. With that in mind, we want to share the essential steps in an offboarding checklist, plus how to build a BetterCloud workflow that incorporates them all.

Offboarding is more than just revoking access. There are many more steps than people often realize—steps that are critical for data security, compliance efforts, and business continuity.

When offboarding is being done manually, it’s subject to human error (not to mention it’s extremely tedious). But building an automated workflow in BetterCloud guarantees that every step is taken every time you offboard a user.

Of course, every company’s information technology offboarding process will differ slightly, from the timing of certain steps to what your source of truth is. We’ve offboarded one million employees across 3,000 companies, and we’ve seen all kinds of variations. But generally speaking, these best practices will make sure that every user is fully offboarded, every time, without fail.

Start from your source of truth

Every workflow must start from your source of truth. In most cases, this is your HR system. In others, this is your identity provider (IDaaS).

It’s important to work with your HR/People team to map out your process before designing your offboarding workflow. Ultimately, an employee will be marked as “inactive” and this will flow down into your SaaS systems. In the best case scenario, your HR system will feed directly into your identity provider (e.g., Okta, OneLogin, Active Directory) or your cloud office system (G Suite, Office 365).

If this is not possible, you may want to consider having the People/HR team open a ticket (in JIRA, ServiceNow, etc.) or submit a form (e.g., Google Forms) to notify you of a newly terminated user. These requests should include: whether the termination is immediate or should be scheduled for a certain time, who the user’s data should be transferred to, whether mail will be forwarded, etc.

In more advanced cases, this form submission can automatically trigger an action in your IDaaS or your mail provider (e.g., G Suite). You may also want to consider creating a Slack channel for notifications during your offboarding process.

Decide what your triggering event is

You’ll need to decide which event will kick off your workflow. In some cases this will be a user being moved or disabled in another system. A few of the most common “WHEN” statements for a BetterCloud offboarding workflow are:

  • Okta
  • Office 365
  • Namely
  • G Suite

[Images: example WHEN triggers for each connector]

When your workflow is published, BetterCloud will begin listening for this specific event from the connector. When we process the event, your workflow will trigger.

The essential steps in your offboarding checklist

Step 0: The retrieval (for physical security)

First up on the offboarding checklist: retrieving the user’s machine (if applicable) and any other company-owned devices. This ensures that the departing employee does not leave, intentionally or unintentionally, with a device that belongs to the company.

Recommended workflow actions in BetterCloud:

  • Zendesk: Create a ticket
  • Google and Office 365: Send an email

Step 0.1 (optional): The unsuspension

If you’re using an identity provider like Okta or OneLogin, it’s likely that departing users have already been auto-suspended.

If this is the case, some of the actions in your offboarding workflow may fail. We recommend adding an “unsuspend” step to the beginning of your workflow to prevent any subsequent actions from failing. If you include this step, be sure to re-suspend the user toward the end of your offboarding process.

Recommended workflow actions in BetterCloud:

  • Unsuspend

Step 1: The lockout

Next, you’ll want to take additional measures to lock a user out of their account and clear any associated sessions. It’s an important first step because, if you fail to do this, the departing employee can still interact with email or Slack once they’re gone. It’s especially important if you’re dealing with a disgruntled employee. Locking them out prevents them from taking data with them or sending negative messages to employees.

Recommended workflow actions in BetterCloud:

  • Google: Reset password
  • Office 365: Reset password
  • Okta: Clear user session
  • Okta: Reset factors
  • Slack (Plus plan only): Disable user
  • Zendesk: Sign out user
  • Salesforce: Freeze user
  • Box: Update user profile (set to “Inactive”)

Step 2: The directory cleanup

In this step, you will make sure that the user is hidden in the directory, will not auto-complete in emails, and is not visible in any groups, calendars, etc.

This step is important for maintaining good organizational hygiene. Once it’s completed, the departed user will no longer be visible in your system, which prevents confusion and keeps things orderly.

Recommended workflow actions in BetterCloud:

  • Google: Hide user in directory
  • Google: Remove from all groups
  • Google: Remove all email aliases
  • Google: Remove from shared calendars
  • Google: Move to org unit
  • Office 365: Remove from all groups
  • Salesforce: Remove user from permission set

Step 3: The security cleanup

In this step, you will continue to clean up any security-related items for the account. This includes authentication, delegation, mail routing rules, etc.

These additional steps in your offboarding checklist prevent the departing user from being able to log into their accounts. They also prevent mail from going to accounts that it should no longer be going to. These steps are highly recommended to mitigate any offboarding security risks.

Recommended workflow actions in BetterCloud:

  • Google: Delete 2-step backup codes
  • Google: Delete app-specific passwords
  • Google: Revoke delegation access
  • Google: Revoke user’s apps
  • Google: Revoke super admin privileges
  • Google: Disable IMAP
  • Google: Disable POP
  • Google: Disable email forwarding
  • Dropbox: Revoke third-party apps from user virtually

Step 4: The devices

This step is meant to clean any data off of the user’s personal device across all applications. Similar to step 0, this step removes data from the departing user’s device, locks them out of their company laptop, removes the MDM solution, and sends a lock command (e.g., through Jamf).

Recommended workflow actions in BetterCloud:

  • Office 365: Remove devices from user
  • Google: Account wipe mobile device
  • Google: Remove device from user
  • Dropbox: Revoke devices from user account
  • Additional actions available in our new Integration Center

Step 5: The data transfer

This step is meant to transfer any data on the account to other users within the organization. In most cases, this will be the user’s manager or an archive service account (e.g., backup@bettercloud.com).

This step is critical because it preserves data for compliance reasons, and it ensures that other team members can continue working without any disruption. Additionally, this step keeps your environment clean and organized. You can delete recurring calendar events and free up those resources, and also remove the departing employee from user groups, reducing confusion and keeping your environment tidy.

Recommended workflow actions in BetterCloud:

  • Google: Transfer Drive files
  • Google: Transfer primary calendar events
  • Google: Transfer group ownership
  • Google: Transfer secondary calendars
  • Box: Move owned items
  • Dropbox: Remove team member and transfer files

Step 6: The mail routing

In this step you will decide what will happen to the user’s email once they are offboarded. Who should their email be routed to? Is it okay if the mail bounces? Should there be an auto-reply in place? If you suspend an account, mail automatically bounces. If you decide to leave the account active, how do you ensure that the email is being directed to the right people?

If you do leave the Google license active, you can create an email delegation rule so that the emails will be accessible to the departing user’s manager. Alternatively, you can change the departing user’s primary email address and then create a (free) Google Group with their email address. This allows you to free up that license, while making sure that their mail is being properly routed.

Recommended workflow actions in BetterCloud:

  • Google (if active): Set auto-reply
  • Google (if active): Set email forward
  • Office 365: Set email forward
  • Office 365: Set auto-reply
  • Office 365: Change primary email address
  • Google: Add email alias

Step 7: The backup (optional)

In “the backup,” take the necessary steps to back up the departing user’s data. BetterCloud does not have the ability to do this for you; instead, we recommend a “Send Email” action that sends you a reminder to back up the data. This way you’ll be sure to download all Drive data and store it using Google Takeout, Spanning, Backupify, or whatever backup system you use.

Note: If you’re on BetterCloud’s Enterprise SKU, you can extend BetterCloud to connect Spanning or Backupify and create a workflow that will take care of this for you.

While backing up data isn’t critical for your offboarding process, it’s likely important for legal and/or compliance reasons.

Recommended workflow actions in BetterCloud:

  • Google: Send email to group
  • Office 365: Send email
  • Zendesk: Open ticket

Step 8: The notification

Step 8 rounds out the initial offboarding. Now that these steps are complete, we recommend setting up multiple notifications before you go on to step 9. These notifications should go to the IT team as well as to the user’s manager (if applicable). They should inform the team that the initial offboarding steps have been completed and when they can expect the remaining steps to be completed.

Recommended workflow actions in BetterCloud:

  • Slack: Send message to channel
  • Slack: Send direct message
  • Google: Send email to group
  • Google: Send email to user
  • Slack (Advanced): Send message to private channel

Step 9: The wait

Steps 0-8 were the initial steps of offboarding; steps 10-11 are the final steps that finish the offboarding process. Step 9 is the period in between.

After the initial offboarding, you will likely want to keep the account active for some time before completely deleting it and freeing up the license. In many cases, you may add a “Wait For Duration” step in BetterCloud for legal hold or data retention reasons. You can use as many wait periods as you’d like within a workflow. However, the total time period cannot exceed two years.

Recommended workflow actions in BetterCloud:

  • Wait for Duration (in hours or days)

Step 10: The license management

In this step you will remove or add licenses, depending on what SaaS applications you use. This step ensures that you won’t be paying for unused licenses.

Recommended workflow actions in BetterCloud:

  • Office 365: Remove license
  • Google: Remove license (less common than assigning a Vault license)
  • Google: Assign license (e.g., Vault)

Step 11: The deletion

The final step on the offboarding checklist is to delete the accounts and free up licenses. This completes your process, and the departed user is now fully offboarded.

Recommended workflow actions in BetterCloud:

  • Google: Delete user
  • Office 365: Delete user
  • Box: Delete user
  • Zendesk: Delete user
  • Dropbox: Remove team member
  • Salesforce: Deactivate user

A few extra SaaS management offboarding best practices in BetterCloud

Your workflow title & description

The title of your workflow should follow a certain naming convention that you will use in all other workflows. For example: [Type] [Connector] [Description]. Choosing a naming convention and sticking with it keeps things organized and cuts down on confusion.

Your description should include what the workflow is doing, who it was last updated by, and the date it was last updated. This description will be visible from the Workflow Manager in BetterCloud. When you have all these things in place, it’s easy to see at a glance what a workflow is accomplishing.

Email notification

Using the email notification feature is a must for offboarding workflows. This notification, sent once the workflow completes, includes information about (and the status of) every step taken within the workflow.

This feature is helpful not only for historical record keeping, but also for alerting you in the event that any steps fail along the way. If you don’t have this notification set up, you would need to manually read the results for each individual workflow that you run. Doing so is time consuming and runs the risk of overlooking an error that may have occurred.

Stop on error

Something else you may want to consider is adding “Stop on error” to your workflow. This way, if your workflow encounters an error, it will stop until you (perhaps with the help of our best-in-class support team) fix whatever is causing the workflow to fail. This feature helps ensure that every step of your offboarding workflow is properly completed every time it runs.
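How the optional unsuspend step (Step 0.1) interacts with “Stop on error”, as an added example that is not BetterCloud code and does not use its API: a toy workflow runner applied to a constructed account record, reporting what is still exposed when a step fails. The step functions, account fields and the simulated mail API failure are all assumptions made for the illustration.

```python
# Toy model of an offboarding run (added example, not BetterCloud's API).
# Step names, account fields and the simulated failure are all constructed.

def unsuspend(a): a["suspended"] = False
def reset_password(a): a["password_valid"] = False
def clear_sessions(a): a["sessions"] = 0
def disable_forwarding(a):
    if a["mail_api_down"]:                      # constructed failure
        raise RuntimeError("mail API unavailable")
    a["forwarding"] = False
def transfer_files(a): a["owned_files"] = 0
def suspend(a): a["suspended"] = True

# Step 0.1 first, lockout and cleanup in the middle, re-suspend last.
WORKFLOW = [unsuspend, reset_password, clear_sessions,
            disable_forwarding, transfer_files, suspend]

def residual_exposure(a):
    """Describe what is still reachable in the account's current state."""
    checks = [
        (not a["suspended"], "account not suspended"),
        (a["password_valid"], "old password still valid"),
        (a["sessions"] > 0, "active sessions remain"),
        (a["forwarding"], "email forwarding still enabled"),
        (a["owned_files"] > 0, "files not yet transferred"),
    ]
    return [msg for hit, msg in checks if hit]

def run(workflow, account, stop_on_error=True):
    """Run steps in order on a copy; return (completed, failed, exposure)."""
    state, completed, failed = dict(account), [], []
    for step in workflow:
        try:
            step(state)
            completed.append(step.__name__)
        except RuntimeError as exc:
            failed.append((step.__name__, str(exc)))
            if stop_on_error:
                break
    return completed, failed, residual_exposure(state)

# Constructed account: already auto-suspended by the identity provider.
ACCOUNT = {"suspended": True, "password_valid": True, "sessions": 2,
           "forwarding": True, "owned_files": 14, "mail_api_down": True}

if __name__ == "__main__":
    for mode in (True, False):
        done, failed, exposure = run(WORKFLOW, ACCOUNT, stop_on_error=mode)
        print(f"stop_on_error={mode}: failed={failed} exposure={exposure}")
```

In the halted run the account ends up unsuspended even though it started out suspended, so a stop-on-error alert is worth pairing with a check of the account's current state rather than only the failed step.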

New actions in our Integration Center

With the recent release of our new Integration Center, we now offer 32 new BetterCloud-built integrations with apps like Zoom, PagerDuty, Jamf, Duo, and more. You can also develop and share your own custom integrations using the latest evolution of capabilities available through the Platform API.

Connecting these platforms enables IT to add custom steps to their offboarding workflows, such as transferring Zoom recordings to a manager or disabling a user in Duo. These steps ensure that all loose ends are tied up when a user leaves your organization.

To learn more about how BetterCloud can help you automatically offboard your users, request a demo.
