‍

An employee resigns on Friday. By Monday morning, their accounts are still active, their laptop sits unwiped at home, and three SaaS licenses continue billing. This scenario plays out at thousands of companies every week, and it creates real security exposure. A staggering 91% of employees still have access to company files months after being offboarded. (Beyond Identity)

This article focuses exclusively on the IT side of offboarding: shutting down accounts, recovering devices, reclaiming licenses, and protecting data. It's not about farewell parties or exit interviews. With a structured process, you can complete the entire IT offboarding in about 30 minutes manually. With automation through platforms like offboarding software, you can cut that to under five minutes.

What Happens If You Get IT Offboarding Wrong?

Poor IT offboarding isn't just an inconvenience. It's a security, compliance, and financial liability that compounds with every departure.

Security risks from orphaned accounts. When former employees retain access to corporate systems, the attack surface grows. An Osterman Research study found that 89% of employees could still access sensitive corporate applications well after their departure. (CurrentWare) Orphaned accounts become easy targets for credential-stuffing attacks or insider misuse, especially if passwords were never rotated.

Compliance exposure. Under GDPR Article 5(1)(f), companies must ensure appropriate security of personal data, including protection against unauthorized access. Leaving ex-employee accounts active violates this principle. With NIS2 expanding cybersecurity obligations across the EU, organizations face growing regulatory pressure to demonstrate proper access lifecycle management.

License waste. Every unrecovered SaaS seat is money burned. If your company pays per-user fees for tools like Slack, Figma, or Notion, failing to deactivate accounts means you're paying for ghost users. Across a year of turnover, the cost adds up fast, particularly for growing SMEs managing dozens of tools.

For HR teams and founders who inadvertently manage IT, the exposure often goes unnoticed until an audit or incident forces the issue. Proactive compliance and security governance prevents these costly surprises.

The IT Offboarding Checklist: Accounts, Devices, Data, Licenses

A structured sequence matters more than speed alone. Here's a prioritized checklist you can execute in roughly 30 minutes for a single departing employee.

1. Revoke the identity provider or SSO access (minutes 0-5). Start here. Disabling the employee's account in your identity provider (Google Workspace, Microsoft Entra ID, Okta) cascades to every connected application. This single action locks the front door.
2. Secure email (minutes 5-12). Before deleting the mailbox, set up forwarding to a manager or successor. Transfer ownership of shared drives, calendars, and contacts. Archive critical correspondence if retention policies require it.
3. Deactivate SaaS accounts (minutes 12-20). Work through a list of standalone tools the employee used: CRM, project management, design tools, communication platforms. Deactivate each account and reassign any owned resources like shared boards or team channels.
4. Lock and recover devices (minutes 20-25). Issue a remote lock via your MDM solution. For on-site employees, collect the device physically. For remote workers, initiate a return shipment with a prepaid label. Queue a remote wipe once data transfer is confirmed.
5. Audit and reclaim licenses (minutes 25-28). Review license assignments. Downgrade or cancel any seats tied to the departing employee. Reharvest licenses for reassignment to new hires.
6. Document and log (minutes 28-30). Confirm every step in a completion log. Record timestamps for compliance purposes. This documentation protects you during audits and demonstrates GDPR-compliant access management.

This checklist works for a single departure. When you're offboarding multiple employees or handling frequent turnover, automated onboarding and offboarding becomes essential to maintain consistency.

Why the Revocation Order of Operations Matters

Not all offboarding steps are interchangeable. The sequence above reflects critical dependencies that, if broken, create security gaps or permanent data loss.

Consider what happens if you delete the email account before transferring data: recovery flows for connected services break, shared document ownership becomes orphaned, and the successor loses access to client communications. The damage is often irreversible.

Similarly, if you revoke SSO access before deactivating standalone SaaS accounts that don't use single sign-on, some tools may lock data behind a login you can no longer access. The employee's work in that tool is effectively gone. Only 44% of companies ensure all access rights are revoked within 24 hours. (TechClass)

The principle is simple: secure first, transfer second, delete last. Following this order ensures you close security gaps immediately while preserving business continuity for the team inheriting the departing employee's responsibilities.

How to Automate the IT Offboarding Process

Manual checklists work, but they don't scale. When you're growing quickly and handling departures every month, relying on a spreadsheet introduces human error. Half of all organizations take three days or longer to revoke system access after a worker leaves, and only 35% automate this process. (Security Magazine)

Automation transforms offboarding from a multi-hour scramble into a controlled, repeatable workflow. Here's how it works with deeploi:

• The offboarding process triggers automatically via HR system integration (for example, Personio, BambooHR, HiBob, Factorial, etc.). When HR marks an employee as departing, IT offboarding begins without a separate request.
• The IT manager configures options in the dashboard: archive email, set up forwarding, transfer data to a successor, or delete. Each choice is explicit and logged.
• deeploi executes the workflow: workspace license downgrade, email forwarding, data transfer, SaaS deactivation, and device remote lock, all within minutes.
• License reharvesting happens automatically, recovering costs immediately and making seats available for the next hire.

Instead of 30 minutes of manual work, deeploi reduces the IT input to two to five minutes. The rest happens in the background, consistently and without gaps. For IT teams handling dozens of departures per quarter, this reclaims significant operational capacity.

Edge Cases: Remote Employees, Personal Devices, and Shared Accounts

Standard offboarding assumes the employee is on-site with a company laptop. Reality is messier. Here are the edge cases that trip up most organizations.

Remote workers. Device return logistics require planning. Send a prepaid shipping label before the last day. If the device isn't returned within the agreed window, a remote wipe through your MDM serves as a fallback to protect company data. Solutions like zero-touch deployment simplify this because devices provisioned remotely can be wiped remotely too.

Personal devices (BYOD). Removing company data from a personal phone or laptop requires a targeted approach. Mobile application management (MAM) policies let you wipe corporate apps and data without touching personal files. Robust cybersecurity policies should define BYOD offboarding procedures before the situation arises.

Shared accounts. Some teams share credentials for social media accounts, analytics dashboards, or legacy tools. When someone who managed these leaves, transfer ownership explicitly and rotate all credentials immediately. Never assume shared passwords will remain secure after a departure.

Contractors and freelancers. External collaborators often have narrower access but less structured offboarding. Their access typically ends on a project basis rather than an employment timeline. Build contractor offboarding into your project closure process, not your HR workflow.

FAQ

What should you do if an employee needs to leave immediately?

Trigger an immediate lockout protocol. Revoke SSO and identity provider access first, then remote-lock all devices. Handle data transfer and license recovery afterward. Speed is critical to prevent unauthorized access or data exfiltration during contentious departures.

How long should you keep a former employee's email and data?

Most companies retain email and files for 30 to 90 days after departure. Legal or regulatory requirements in your industry may extend this. Set up automatic forwarding to a manager during the retention period and archive data before deletion.

Which accounts should you revoke first during offboarding?

Revoke the identity provider or SSO account first. This cascades to most connected applications and closes the broadest access in a single action. Then address standalone SaaS tools individually.

What's the difference between IT offboarding and HR offboarding?

HR offboarding covers exit interviews, final payroll, benefits termination, and knowledge transfer. IT offboarding focuses on revoking system access, recovering devices, reclaiming licenses, and securing data. Both should run in parallel, ideally triggered from the same system. Aligning HR and IT workflows prevents gaps.

How do you offboard someone who used personal devices for work?

Use mobile application management to selectively wipe corporate data and apps from personal devices. Revoke access to company email, cloud storage, and collaboration tools. Ensure your BYOD policy specifies these procedures upfront so employees know what to expect.

Can IT offboarding be fully automated?

Yes. Platforms like deeploi automate the entire workflow, from account deactivation and email forwarding to device locking and license recovery. Automation ensures consistency and eliminates the risk of forgotten steps, which is especially valuable for companies with frequent employee turnover.

The same systems you provision during employee onboarding are the ones you revoke during offboarding. Building both processes on the same platform ensures nothing slips through the cracks.