Getting onboarding and offboarding right is security, compliance, and employee experience all rolled into one process. Here is what it looks like for a Mac-based business.
Onboarding: Before Day One
- Order the Mac through a channel that supports Apple Business Manager enrollment
- Assign the device to your MDM server in ABM
- Create user accounts: email, productivity suite (Microsoft 365 or Google Workspace), Slack, and business apps
- Set up a managed Apple ID if using federated authentication
- Configure MDM user assignment so the right apps and settings deploy to their device
- Prepare a welcome document with login instructions, support contact info, and key policies
Onboarding: Day One
- Ship Mac directly to employee (or hand it to them on-site)
- Employee opens the box and connects to Wi-Fi; zero-touch deployment handles the rest
- Verify FileVault is enabled and the recovery key is escrowed in MDM
- Confirm endpoint security software is installed and reporting
- Walk through email, messaging, VPN, and key tools
- Set up MFA on all accounts (preferably hardware keys or authenticator apps, not SMS)
- Brief security training: phishing awareness, password policy, acceptable use
During Employment
- Keep MDM enrollment current. Do not let employees unenroll devices.
- Monitor compliance: OS updates, FileVault status, security software running
- Review access periodically. Remove access to systems people no longer need.
- Document role changes that affect system access
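As an added example (not code from the original post), the following script turns the Day One verification checks (FileVault, recovery key, enrollment, endpoint agent) and the During Employment compliance monitoring into a repeatable check. It assumes Apple's real `fdesetup`, `profiles` and `launchctl` tools, and `com.example.endpointagent` is a placeholder for your vendor's launchd label.

```shell
#!/bin/sh
# Added example (not code from the original post): compliance checks for a
# managed Mac covering the Day One verification and the ongoing monitoring above.
# Uses Apple's real `fdesetup`, `profiles` and `launchctl` tools; each parser
# takes command output as a string so it can be exercised with sample output.

# "fdesetup status" prints "FileVault is On." or "FileVault is Off."
filevault_on() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *) return 1 ;;
    esac
}
# "fdesetup haspersonalrecoverykey" prints true/false. A key must exist before
# MDM can escrow it; escrow itself is confirmed in the MDM console, not here.
has_recovery_key() {
    [ "$1" = "true" ]
}
# "profiles status -type enrollment" prints lines such as
#   Enrolled via DEP: Yes
#   MDM enrollment: Yes (User Approved)
# A DEP (Automated Device Enrollment) profile cannot be removed by the user,
# which is what keeps the "do not let employees unenroll" rule enforceable.
dep_enrolled() { printf '%s\n' "$1" | grep -q '^Enrolled via DEP: Yes'; }
mdm_enrolled() { printf '%s\n' "$1" | grep -q '^MDM enrollment: Yes'; }
# Endpoint agent: its launchd label (placeholder) must appear in "launchctl list".
agent_running() { printf '%s\n' "$1" | grep -q -F -- "$2"; }

# Evaluate every check against captured output; prints one line per check
# and returns the number of failures (0 means compliant).
compliance_report() {
    fails=0
    if filevault_on "$1"; then echo "PASS FileVault on"; else echo "FAIL FileVault off"; fails=$((fails+1)); fi
    if has_recovery_key "$2"; then echo "PASS recovery key present"; else echo "FAIL no recovery key"; fails=$((fails+1)); fi
    if dep_enrolled "$3"; then echo "PASS enrolled via ABM/DEP"; else echo "FAIL not enrolled via ABM/DEP"; fails=$((fails+1)); fi
    if mdm_enrolled "$3"; then echo "PASS MDM enrolled"; else echo "FAIL not MDM enrolled"; fails=$((fails+1)); fi
    if agent_running "$4" "$5"; then echo "PASS endpoint agent loaded"; else echo "FAIL endpoint agent missing"; fails=$((fails+1)); fi
    return "$fails"
}

# Live collection only on macOS (assumed to be run as root for fdesetup queries).
AGENT_LABEL="${AGENT_LABEL:-com.example.endpointagent}"   # placeholder label
if [ "$(uname)" = "Darwin" ]; then
    compliance_report "$(fdesetup status)" "$(fdesetup haspersonalrecoverykey)" \
        "$(profiles status -type enrollment)" "$(launchctl list)" "$AGENT_LABEL"
fi
```

Run it from your MDM as a script policy and alert on a non-zero exit code; the per-check lines give the reason without a manual visit.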
Offboarding: Same Day as Departure
Offboarding is time-sensitive. A former employee with active access is a security risk.
- Disable the user's email account and set up forwarding to their manager
- Revoke access to all SaaS applications (productivity suite, Slack, project management, CRM)
- Disable VPN and remote access credentials
- Revoke SSO/identity provider account (this cascades to connected apps)
- Transfer ownership of shared files, drives, and documents
- Remove from shared calendars, distribution lists, and group chats
- Retrieve the Mac (or initiate remote wipe via MDM if the device is not returned)
- Rotate any shared credentials the employee had access to
- Review and remove from any shared/team password manager vaults
The Device
Once the Mac is returned: wipe it via MDM, verify it is released from the departing user's assignment, and reassign it in ABM for the next employee. Apple Silicon Macs can be wiped and redeployed through MDM without physical access, which makes this process straightforward even for remote teams.
Automating the Process
Manual checklists work for small teams, but they rely on someone remembering every step. For growing organizations, integrate onboarding and offboarding with your identity provider. When HR creates or disables an account, the identity provider triggers provisioning or deprovisioning across connected apps. Combined with MDM, this turns a multi-hour manual process into a few clicks.
Do Not Skip This
Sloppy offboarding is one of the most common security gaps in small businesses. Former employees with active access account for a real percentage of data breaches. Having a documented, repeatable process, ideally enforced through your IT systems, is both a security control and a compliance requirement. If your current process is "we'll figure it out when someone leaves," let us help you build something better.