The Tough Conversation: How to Furlough Users (and Re-Onboard Them Later)
April 24, 2020
6 minute read
Update 5/27/20: We just released new Workflow Templates to help teams get started building new automations faster: Furlough Employee, Re-Hire Furloughed Employee, and Offboard Furloughed Employee. These templates can be found under Workflows > Templates on the left side bar in BetterCloud. Learn more here.
As U.S. unemployment claims soar to 22 million, there’s been an unprecedented spike in layoffs and furloughs across nearly every industry.
Offboarding is a tough conversation to have right now. We know. No one wants to talk about it. But it’s IT’s responsibility to do it completely and securely for every user across every SaaS application, with an audit trail to prove it.
And while we’re probably all tired of hearing the phrase, “in these trying times,” the reality is that IT teams were stretched thin even before this pandemic. Now, many are simply overwhelmed.
In this post, we’ll focus specifically on how BetterCloud can create a streamlined offboarding workflow for furloughed employees. You’ll learn how to temporarily “pause” accounts, and then easily re-onboard people, once employees return to work in the (hopefully not too distant) future.
Unique offboarding process for furloughed workers
To furlough workers, you need to conduct a unique variation of your usual offboarding process.
With furloughs, the assumption is that employees will eventually return to their role, and therefore will need their accounts, permissions, and data intact. Ideally, you can shift users into a furloughed status without eliminating their user accounts and data entirely, so that when things turn around and employees return to work, re-onboarding will be quick and simple.
Below, we’ll outline the essential steps to take, as well as how furloughs differ from a traditional offboarding process for IT.
Multiple furlough workflows for people returning at different times
With BetterCloud, you can create multiple workflows to accommodate different furlough scenarios, such as those returning at different times.
The focus here is to lock down SaaS access while keeping the SaaS accounts intact, and delegating access to a manager where possible:
Start from your source of truth
You’ll want to start from your source of truth. However, if that’s not an option, you’ll want to get as close to this as possible through BetterCloud, such as through an IdP (like OneLogin) or SaaS apps like Google or 365.
Step 0: Lock device remotely
In this new WFH world, you’ll want to first lock the device remotely, if possible.
Since furloughed employees will return at some point, your organization may want them to keep their devices until then. If this is the case, remotely wiping the machine is recommended (hopefully your MDM solution supports it!). Alternatively, you can walk the users through the process and take them on their word.
Examples:
- Lock device with Jamf
- Delete mobile device from MDM in Google
- Remove devices from user in Office 365
- Wipe accounts where possible (if necessary, wipe device)
Step 1: Lock out accounts
This step is used to take additional measures to lock a user out of their account and clear any associated sessions.
Examples:
- Freeze user in Salesforce
- Deactivate user in Zoom
- Disable user in Duo
- Disable user in Slack
Step 2: Clean up directory
In this step, you will make sure that the user is hidden in the directory, will not auto-complete in emails, and is not visible in any groups, calendars, etc.
Directory cleanup is important for maintaining good organizational hygiene. Alternatively, rather than making the user no longer be visible in your system, you may want to consider adding “(furloughed)” next to their name to keep things orderly.
Step 3: Clean up security
In this step, you will continue to clean up any potential security threats for the account. This includes authentication, delegation, mail routing rules, etc.
These additional steps prevent the furloughed user from being able to log into their accounts. They also prevent mail from going to accounts that it should no longer be going to.
Examples:
- Revoke third-party apps in Dropbox
- Delete 2-step verification backup codes in Google
- Disable IMAP/POP settings in Google
Step 4: Transfer data (optional) or assign delegation access
When terminating a user, you normally want to transfer any data on the account to other users. But since you expect the furloughed users to return, you may want to skip this step entirely or assign delegation access, rather than transferring. You could also simply make a change manually, if the need arises, to assign delegation access temporarily. Whichever path you choose, it’s important to preserve data for compliance reasons as well as avoiding disruption to productivity.
Examples:
- Transfer all Drive files in Google
- Delegate user’s email in Google
- Add file/folder collaborator in Google
- Transfer primary calendar events in Google
- Copy user’s OneDrive files in Office 365
Step 5: Route mail
In this step, you will decide what will happen to the user’s email, such as routing it to another user or putting an auto-reply in place. In the case of furloughs, you may want to reroute email to other users, so their communications will still be handled while they’re on temporary leave.
- Set user’s auto-reply in Google
- Set forwarding settings in Google
- Create email forwarding rule in Office 365
Step 6: Notify IT
As part of your offboarding workflow, we recommend setting up multiple notifications to the IT team as well as to the user’s manager to inform them that the initial offboarding steps have been completed. However, in the case of furloughs, it may make more sense to inform managers once all furlough offboarding is complete, rather than sending out notifications for each individual employee—in which case, there’s no need to build it into the workflow.
- Send email to user in Google
- Wait for approval in BetterCloud
- Send email to user in Office 365
Step 7: Wait
After offboarding a user, you will likely want to keep the account active for some time before completely deleting it and freeing up the license. In this case, the “Wait For Duration” step in BetterCloud will represent the expected duration of furlough.
Step 8: Manage licenses
In this step you will remove or add licenses, depending on what SaaS applications you use. This step ensures that you won’t be paying for unused licenses.
Reduce license costs by assigning G Suite Archived User (AU) licenses
A newer license type you should consider is the Archived User (AU) license. Archiving is a good way to keep accounts active so that you can grant access again in the future.
AU licenses are beneficial because you don’t have to recreate licenses when users return. They’ll also provide some cost savings, as compared to other G Suite license types.
If you’re on G Suite, you can assign departed users an AU license once you archive a departing user. Google support states, “To archive a user, you must have an AU license available. The license type corresponds to your G Suite edition.” AU licenses securely maintain users’ data, because Google retains all of the user’s G Suite data where it’s available in Google Vault until you decide to permanently delete the user. Assigning an AU license also prevents the departed user from accessing G Suite services and it ensures that you’re not paying for an unused G Suite license.
All you have to do in BetterCloud is add the “Archive User” action to your offboarding workflow in order to assign the departing user an AU license.
Automate onboarding for returning employees
After waiting for a designated time period, such as 30 or 90 days, you can create actions in BetterCloud to send an automated email to the users’ managers to confirm their re-onboarding.
For example, you can also create a distinct workflow for “Returning Employees”:
The process is easy to build. Simply add the “Wait for Approval” action to occur after the designated “waiting” period for the duration of the furlough. Next, assign a person to approve the action and send that individual an email prompting them to approve or decline. You can assign someone in HR, or, to avoid creating a bottleneck, assign each user’s manager to approve.
Any users whose accounts have been archived can be put into a group to re-onboard in order to automatically get their full license and data back.
We know conversations around offboarding and furloughs aren’t easy. But BetterCloud is here to help IT manage users and secure data—through both the good and bad, during tough times and brighter days ahead.
For more information on furloughs and offboarding, check out our webinar recording, “The Hard Conversation: Workflow Templates for Offboarding & Furloughs.” Join us for a deep dive on workflow automation in BetterCloud, including a look at our new release featuring Workflow Templates.