The Importance of Properly Offboarding Employees

Employers and their employees part ways for all sorts of reasons.

People may move on because of a contract’s completion, to take a new job, or because they’re retiring. Employees may also leave due to being laid off or fired. Whatever the reason, offboarding—the process of managing an employee’s departure from an organization—is essential.

Without a systematic offboarding protocol, organizations face significant risks related to data security, device mismanagement, operational disruptions, and compliance violations. In a particularly troubling example, a fired employee allegedly hacked Disney World’s menu creation system, changing prices, adding profanity, and—most problematically—adjusting allergen information in ways that could have caused someone allergic to peanuts to order food that contained them.

Obviously, offboarding has various administrative aspects. We’ll focus on those associated with technical infrastructure, but it’s also important to consider how you’ll communicate internally about the departure and any human resources and legal matters.

Our overarching advice regarding offboarding is to establish a formal protocol so everyone knows what’s involved. That’s particularly important for departures that happen with little notice. When building your offboarding plan, consider these three parts of the process: revoking access, retrieving devices, and preserving the organization’s data.

Revoke Digital Access

When offboarding an employee, the most important consideration is how you’ll revoke their digital access to organizational resources such as email, shared password managers, and core service accounts. For employees retiring or staying to train a replacement, access revocation can proceed gradually on a schedule, allowing time for a smooth transition of ongoing projects and communications.

However, in most cases, it’s safest to revoke access immediately, particularly when an employee has been terminated involuntarily due to layoffs, performance issues, or misconduct. This is especially critical for employees in high-security roles, such as IT administrators, legal team members, or high-ranking executives. Even when a departure is amicable, the risk of data leakage is too high to delay access removal.

Using a combination of an MDM (Mobile Device Management) platform and an identity provider streamlines this process. Solutions such as Microsoft Intune, Apple Business Manager, VMware Workspace ONE, and other MDM tools allow IT administrators to revoke access to organization-managed email accounts, VPNs, Wi-Fi networks, and cloud services while remotely locking, wiping, or resetting unreturned devices.

Integrating an identity provider like Google Workspace, Microsoft Entra ID, or Okta with a single sign-on (SSO) system makes access revocation even more seamless. Because authentication is tied to a central directory, deactivating a departing employee’s account instantly cuts off access to all connected systems, eliminating the need to manually disable individual accounts across multiple platforms like Google, Adobe, and Slack.

Additionally, the combination of MDM and identity management enables real-time monitoring for unusual activity during the offboarding process. Whether in an Apple, Windows, or hybrid environment, this approach helps organizations detect and respond to unauthorized data access attempts immediately after an employee receives notice.
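
The monitoring described above, as an added example (not code from the original article): a Python check that compares audit events against an offboarding roster and flags any activity after notice was given. The event schema, account names, and service names are constructed assumptions; a successful event after notice points to a service that is not behind SSO or a session that outlived the account deactivation.

```python
from datetime import datetime

# Constructed roster: departing account -> time notice was given (UTC).
ROSTER = {"j.doe@example.com": "2025-03-03T15:00:00+00:00"}

# Constructed audit events in an assumed schema (real logs need mapping).
EVENTS = [
    {"ts": "2025-03-03T14:50:00+00:00", "user": "j.doe@example.com",
     "service": "sso", "action": "login", "outcome": "success"},
    {"ts": "2025-03-03T15:05:00+00:00", "user": "j.doe@example.com",
     "service": "sso", "action": "login", "outcome": "failure"},
    {"ts": "2025-03-03T15:07:00+00:00", "user": "j.doe@example.com",
     "service": "legacy-crm", "action": "export", "outcome": "success"},
    {"ts": "2025-03-03T15:20:00+00:00", "user": "a.lee@example.com",
     "service": "sso", "action": "login", "outcome": "success"},
    {"ts": "2025-03-03T15:30:00+00:00", "user": "J.Doe@example.com",
     "service": "vpn", "action": "connect", "outcome": "failure"},
]


def post_notice_activity(roster, events):
    """Events by rostered accounts at or after notice; success = access never cut."""
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        notice = roster.get(ev["user"].lower())  # account names vary in case
        if notice is None:
            continue  # not a departing employee
        delay = datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(notice)
        if delay.total_seconds() < 0:
            continue  # activity before notice is out of scope here
        findings.append({
            "user": ev["user"].lower(),
            "service": ev["service"],
            "action": ev["action"],
            "minutes_after_notice": int(delay.total_seconds() // 60),
            "severity": "still-has-access" if ev["outcome"] == "success"
                        else "blocked-attempt",
        })
    return findings


def services_to_revoke(findings):
    """Services where a departing account still acted successfully."""
    return sorted({f["service"] for f in findings
                   if f["severity"] == "still-has-access"})


if __name__ == "__main__":
    print(post_notice_activity(ROSTER, EVENTS))
```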

Retrieve Organization Devices

Another key aspect of your offboarding plan should revolve around retrieving organization-owned devices. Even if you use MDM to revoke access, recovering hardware is necessary to redeploy it for other employees or hold it in reserve as a backup.

A strong device management system—whether for Windows, Apple, or mixed environments—ensures organizations maintain control over their assets. Solutions like Microsoft Intune, Apple Business Manager (ABM), and other enterprise MDM platforms allow IT teams to track, manage, and reassign devices efficiently. These platforms also provide essential security features, such as remote locking, wiping, and resetting, in case a device isn't returned.

To avoid complications when reclaiming devices, follow these best practices:

  • Maintain an up-to-date inventory of all organization-owned devices, including serial numbers and assigned users.
  • Enforce policies requiring employees to return company devices before their final day.
  • Use MDM solutions to remotely remove corporate access and data from both Windows and macOS devices.
  • Disable activation locks and unlink personal accounts from organization-owned devices before reassignment.
  • Have a clear chain of custody process to ensure devices are checked in, reset, and redeployed securely.

A well-structured retrieval process ensures that hardware remains an asset rather than a liability, minimizing risks and maximizing IT efficiency.

Preserve Organization Data and Communications

Finally, think about what the departing employee was doing. You’ll want to transfer or archive everything they worked on, including their organizational email account. In most cases, someone else will have to take over their responsibilities and may need access to emails, files, contacts, and more.

An identity provider can help by transferring ownership of cloud-based files and other data stored in Google Workspace or Microsoft 365. Without one, you’ll have to review all their online files and reassign ownership manually.

Email requires additional thought. You’ll probably want to forward the departing employee’s email to whoever is taking over. If that’s not feasible, set up an auto-reply explaining that the employee is no longer available and providing alternative contacts. In that case, it’s also worth scanning the incoming email periodically to ensure essential communications aren’t being missed.

Next Steps

If you don’t have a formal offboarding policy, we recommend developing one soon to ensure that you aren’t at risk of data security problems, device mismanagement, or operational disruptions. It’s one of those tasks that are easy to put off until it’s too late, at which point you have to scramble. You can find offboarding policy templates and other resources online, and we’re happy to discuss the tech-specific aspects when you’re ready.

Of course, if you’re not already using Apple Business Manager, Microsoft Intune, or another MDM solution, getting started with one right away is even more important. Contact us to discuss what’s involved.
