IT offboarding checklist: how to automate employee offboarding in 2026
Employee offboarding is one of the most overlooked processes in IT, until something goes wrong.
A former employee still able to log into Slack three weeks after leaving. A laptop never returned. A SaaS license forgotten and billed for months. These are not edge cases. For SMBs without a structured process, they are the norm.
This guide covers everything you need in a solid IT offboarding checklist, and how automation can transform a high-risk manual process into a reliable, repeatable workflow.
What is IT offboarding?
IT offboarding is the set of actions taken by IT teams when an employee leaves the company (whether through resignation, layoff, contract end, or internal transfer).
In practice, IT offboarding includes:
- Revoking all digital access (email, SaaS apps, internal tools, VPN)
- Recovering company equipment (laptops, smartphones, accessories)
- Wiping or reassigning devices
- Archiving or transferring data (files, emails, calendar, shared drives)
- Cancelling or reassigning licenses
- Generating audit logs for compliance purposes
When done manually, this process is slow, error-prone, and highly dependent on individual memory. When automated, it becomes secure, consistent, and scalable.
Why IT offboarding is a critical security moment
Offboarding is the single highest-risk moment in the employee lifecycle from a security standpoint.
According to multiple industry reports, a significant share of data breaches involve former employees: either through oversight (access not revoked in time) or intentional misuse.
For SMBs, the risks are amplified:
- Smaller IT teams mean less bandwidth for manual offboarding steps
- Fewer security layers mean that one open access point can expose critical data
- Rapid growth means departures happen frequently and often without much notice
A single forgotten admin account or an unreturned laptop can have serious consequences: from GDPR exposure to competitive data leakage.
The complete IT offboarding checklist (2026)
Before the last day
Before the employee leaves, align with HR on the exact departure date, then build a complete inventory of what the employee has: devices, accounts, access rights, and any privileged roles. Communicate the plan to the manager and relevant internal teams, and decide what data needs to be transferred or archived (files, email, calendar, ownership of ongoing projects). For remote employees, prepare the return process in advance (instructions, prepaid label, packaging). Finally, decide what will happen to inbound email (redirect, delegate access, or an out-of-office message).
On the last day
On the last working day, focus on immediate risk reduction. Remove access to core identity systems first (email and SSO), then disable VPN credentials. Next, deprovision the employee from business-critical SaaS tools (collaboration, CRM, ticketing, finance), revoke access to code repositories if relevant, and remove the user from shared drives or sensitive folders. Don’t forget non-obvious accounts that can create long-tail risk (social accounts, banking portals, analytics dashboards). Close the loop by collecting physical access items (badges, keys, access cards).
After the last day
After departure, confirm the device return and verify condition. Wipe and re-enroll the device, or trigger an MDM remote wipe if the device is not returned within your defined window. Reassign or decommission hardware, then clean up licenses by cancelling or reallocating unused seats. Finish with a final access audit to confirm there are no remaining active accounts, and archive the employee record with a compliance report for future audits.
The 4 most common IT offboarding mistakes
1) Relying on a manual email chain
The most common offboarding process in SMBs is a shared email or Slack message from HR: "Please remove [Name] from everything."
This creates dependency on individual responsiveness, no tracking, and no guarantee of completeness.
2) Forgetting SaaS apps that are not SSO-protected
If a tool is not connected to your SSO, disabling the SSO account will not revoke access. Apps like legacy project tools, external platforms, or departmental subscriptions are often invisible to IT; they remain open long after departure.
3) Losing track of devices in remote setups
For distributed teams, device recovery during offboarding is a persistent challenge. Without a structured return process (prepaid shipping, timeline, reminders), devices simply disappear.
4) No audit trail
Compliance teams and security auditors often ask: when was access revoked? Who confirmed it? Without a log, these questions are impossible to answer accurately.
How to automate employee IT offboarding
Automation turns offboarding from a checklist that depends on human diligence into a process that runs reliably, every time.
Step 1: Connect your HRIS to your IT systems
The trigger for offboarding should come from HR, not from IT discovering that someone left. When your HRIS (Lucca, Personio, BambooHR, Workday) is connected to your IT tools, a departure recorded in HR automatically initiates the offboarding workflow.
This eliminates the most common gap: the delay between HR being notified and IT taking action.
Step 2: Automate access revocation through SSO
A well-configured SSO (Single Sign-On) layer is the most powerful lever in offboarding. When you deactivate an account in Google Workspace or Okta, all connected applications lose access immediately.
However, this only works for apps that are actually connected to your SSO. A full offboarding automation requires identifying and closing gaps in non-SSO-protected tools.
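One way to find those gaps is to reconcile the HR leaver list against each application's own account export. The sketch below is an added example, not Primo's code or any vendor's API; the app names, export layout, and field names are assumptions, and all sample data is constructed.

```python
from datetime import date

# Constructed sample data (not from any real HRIS or SaaS export).
LEAVERS = {  # email -> last working day, as recorded by HR
    "ana@example.com": date(2026, 1, 16),
    "raj@example.com": date(2026, 2, 27),
}
# Hypothetical per-app exports: is the app behind SSO, and who has an account.
APP_EXPORTS = {
    "crm": {"sso": True, "accounts": [
        {"email": "ana@example.com", "active": False},
        {"email": "raj@example.com", "active": True}]},
    "legacy-pm": {"sso": False, "accounts": [
        {"email": "Ana@Example.com ", "active": True},
        {"email": "kim@example.com", "active": True}]},
    "analytics": {"sso": False, "accounts": [
        {"email": "raj@example.com", "active": True}]},
}

def residual_access(leavers, app_exports, today):
    """Return one finding per account still active after its owner's last day."""
    findings = []
    for app, export in app_exports.items():
        for acct in export["accounts"]:
            # Exports rarely agree on case or whitespace; normalise before matching.
            email = acct["email"].strip().lower()
            last_day = leavers.get(email)
            if last_day is None or not acct["active"] or today <= last_day:
                continue
            findings.append({
                "app": app,
                "email": email,
                "days_overdue": (today - last_day).days,
                # Outside SSO, disabling the identity account changes nothing:
                # the app's own login still works until someone removes it.
                "direct_login": not export["sso"],
            })
    # Non-SSO accounts first, then the longest-lived leftovers.
    findings.sort(key=lambda f: (not f["direct_login"], -f["days_overdue"], f["app"]))
    return findings

if __name__ == "__main__":
    for f in residual_access(LEAVERS, APP_EXPORTS, date(2026, 3, 2)):
        print(f)
```

Run on a schedule, the same reconciliation doubles as the final access audit: an empty result is the evidence that no active accounts remain.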
Step 3: Use MDM for device management
Your MDM (Mobile Device Management) platform allows you to:
- Remotely lock a device immediately upon departure
- Send an automated return request to the employee
- Wipe the device remotely if it is not returned within a defined period
- Reassign or re-enroll the device once it is received
For distributed teams, automating the return logistics (return label generation, reminders, tracking) is essential.
Step 4: Automate license management
Every open license costs money. An automated offboarding workflow should include:
- Automatic detection of licenses linked to the departing employee
- Cancellation or reallocation to another user
- A report of licenses recovered and cost savings generated
Step 5: Generate a compliance report automatically
At the end of each offboarding, your tool should automatically produce a report including:
- List of accesses revoked (with timestamps)
- Device status (returned / wiped / pending)
- Licenses cancelled or transferred
- Confirmation of data archiving
This report is critical for audits, GDPR compliance, and internal governance.
Primo: automating IT offboarding for SMBs
Primo is an IT lifecycle management platform built specifically for SMBs. Its offboarding module automates the entire process: from HRIS trigger to compliance report.
Key capabilities for offboarding:
- HRIS synchronization: departure recorded in HR automatically triggers the offboarding workflow in Primo
- Instant access revocation: SSO deactivation in under 5 minutes, plus coverage of non-SSO apps
- Device recovery workflow: automated return request, shipping label generation, remote wipe if needed
- License management: automatic detection and cancellation of licenses linked to the departing employee
- Audit trail: full report generated automatically at the end of each offboarding
For SMBs managing rapid growth or distributed teams, Primo removes the dependency on manual steps and ensures that every departure is handled securely and completely.
FAQ
How long should IT offboarding take?
With automation, the critical steps (access revocation, device lock) can be completed in under 10 minutes on the last day. Full offboarding including device return and license clean-up typically takes 1 to 5 business days.
What happens if an employee does not return their device?
With an MDM in place, you can remotely lock or wipe the device regardless of its location. Automated reminders and a clear return policy set before departure significantly reduce non-return rates.
Is IT offboarding required for compliance?
Yes, for most compliance frameworks (GDPR, SOC 2, ISO 27001), you need to demonstrate that access is revoked promptly and that a clear process exists. An automated audit trail is the easiest way to meet this requirement.
What is the difference between offboarding and deprovisioning?
Deprovisioning refers specifically to the technical removal of access rights and accounts. Offboarding is the broader process that includes deprovisioning, plus device recovery, data archiving, license management, and compliance documentation.