Rose
Google Team

 

Modern workplaces are full of digital footprints. From day one, employees leave a digital trail, from corporate email accounts to VPN access and social media updates.

 

So, to ensure a secure exit, it's vital to have an offboarding process in place. Companies must carefully decouple an employee's digital footprint to mitigate risks like data breaches and unauthorized access.

 

To help you with this, we've created a checklist of things to consider when offboarding an employee. While the exact process will vary from organization to organization, read on for some handy tips.

 

IT Admins: Checklist for a Secure Exit

 

Once the employee offboarding process has been initiated, you’ll need to consider the level of remote access the employee should retain. It may be a good idea to reduce this in stages, affording the employee enough time to back up personal and corporate data appropriately. Or, depending on the level of sensitivity, more immediate restrictions may be appropriate.

 

  1. Identify the user’s device(s):

Use your MDM solution to locate the employee’s device.

 

  2. Limit access:

If your company leverages SSO, you can immediately revoke a user's access to all apps by revoking their SSO tokens. Otherwise, you will need to consider the following:

  • Email:
    • Disable the user's email account.
    • Redirect incoming emails to an appropriate recipient or archive them.
  • Company Apps:
    • Remove the user's access to company-specific apps, or third party apps that were previously authorized.
    • Revoke app licenses, if applicable.
  • Cloud Storage:
    • Revoke the user's access to cloud storage services (e.g., Google Drive, Dropbox).
    • Remove the user from shared folders and documents.
  • Collaboration Tools:
    • Remove the user from collaboration tools (e.g. Google Workspace, Microsoft Teams).
    • Revoke access to shared documents and projects.
  • VPN and Remote Access:
    • Disable the user's VPN and remote access privileges.
    • Revoke any VPN certificates or keys.
  • Data Retention and Archiving:

    • Determine the appropriate retention period for the employee's data and implement necessary archiving procedures.
    • Ensure compliance with data privacy regulations.
  • Deactivate User Account: 
    • Deactivate the user's account to prevent future access, while allowing other employees to still access any documents associated with the deactivated account. 
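The items above span several systems, and the usual failure is that one of them is missed. The script below is an added example (not Google's code and not part of this post) that audits exports from each system for a single leaver and reports what is still open, treating anything that is still a live way back in (an enabled account, an unrevoked token or certificate, a device not yet wiped) as high severity and stale artefacts such as shared-folder membership as medium. The export format and every record in it are constructed for the example.

```python
"""Residual-access audit for a leaver, run over exports from each system in the
checklist above. This is an added illustration, not Google's code; the export
format and every record below are constructed for the example."""
from copy import deepcopy
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    system: str
    detail: str
    severity: str  # "high": a live path back in; "medium": stale artefact to clean up


# Constructed snapshot of what each system still reports for the departed user.
SNAPSHOT = {
    "email": {"account_enabled": False, "forwarding_to": "manager@example.com", "archived": False},
    "sso": {"active_sessions": 0, "oauth_tokens": ["slack", "zoom"]},
    "apps": {"entitlements": ["crm"], "licenses": []},
    "cloud": {"drive_access": False, "shared_folders": ["finance-q3"]},
    "collab": {"workspaces": [], "shared_docs": []},
    "vpn": {"enabled": False, "certs": [{"serial": "2a", "revoked": True}]},
    "mdm": {"devices": [
        {"id": "dev-1", "ownership": "company", "state": "wiped"},
        {"id": "dev-2", "ownership": "byod", "state": "work_profile_present"},
    ]},
}


def audit(snapshot: dict) -> list[Finding]:
    """Return every checklist item the exports show as still open."""
    out: list[Finding] = []
    email = snapshot["email"]
    if email["account_enabled"]:
        out.append(Finding("email", "mailbox still enabled", "high"))
    if not email.get("forwarding_to") and not email.get("archived"):
        out.append(Finding("email", "incoming mail neither redirected nor archived", "medium"))

    sso = snapshot["sso"]
    if sso["active_sessions"]:
        out.append(Finding("sso", f"{sso['active_sessions']} SSO session(s) still valid", "high"))
    for app in sso["oauth_tokens"]:
        out.append(Finding("sso", f"OAuth grant for {app} not revoked", "high"))

    apps = snapshot["apps"]
    for app in apps["entitlements"]:
        out.append(Finding("apps", f"still entitled to {app}", "high"))
    for lic in apps["licenses"]:
        out.append(Finding("apps", f"license {lic} not reclaimed", "medium"))

    cloud = snapshot["cloud"]
    if cloud["drive_access"]:
        out.append(Finding("cloud", "cloud storage access still enabled", "high"))
    for folder in cloud["shared_folders"]:
        out.append(Finding("cloud", f"still a member of shared folder {folder}", "medium"))

    collab = snapshot["collab"]
    for item in collab["workspaces"] + collab["shared_docs"]:
        out.append(Finding("collab", f"still present in {item}", "medium"))

    vpn = snapshot["vpn"]
    if vpn["enabled"]:
        out.append(Finding("vpn", "VPN account still enabled", "high"))
    for cert in vpn["certs"]:
        if not cert["revoked"]:
            out.append(Finding("vpn", f"client certificate {cert['serial']} not revoked", "high"))

    # Company devices must be factory reset; BYOD devices only lose the work profile.
    expected = {"company": "wiped", "byod": "work_profile_removed"}
    for dev in snapshot["mdm"]["devices"]:
        want = expected[dev["ownership"]]
        if dev["state"] != want:
            out.append(Finding("mdm", f"{dev['id']} ({dev['ownership']}) is {dev['state']}, expected {want}", "high"))
    return out


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def offboarding_complete(snapshot: dict) -> bool:
    """True only when no live access path remains (medium findings can be cleaned up later)."""
    return not any(f.severity == "high" for f in audit(snapshot))


# A fully processed leaver, for contrast: same shape, everything closed out.
CLEAN = deepcopy(SNAPSHOT)
CLEAN["sso"]["oauth_tokens"] = []
CLEAN["apps"]["entitlements"] = []
CLEAN["cloud"]["shared_folders"] = []
CLEAN["mdm"]["devices"][1]["state"] = "work_profile_removed"

if __name__ == "__main__":
    for f in audit(SNAPSHOT):
        print(f"[{f.severity}] {f.system}: {f.detail}")
    print("complete:", offboarding_complete(SNAPSHOT), offboarding_complete(CLEAN))
```

Running it on the constructed snapshot reports the two unrevoked OAuth grants, the CRM entitlement and the BYOD phone whose work profile is still present as high-severity gaps, and the leftover shared-folder membership as medium; the leaver counts as processed only once the high-severity list is empty. Feeding it real exports means writing one small adapter per system into this snapshot shape.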

 

  3. Configure Factory Reset Protection policies:

To ensure a seamless offboarding process for company-owned Android devices, it's crucial to properly configure Factory Reset Protection (FRP). If you've already configured your FRP policies, you can skip to step 4. Otherwise, let's dive into the details. 

 

Factory Reset Protection (FRP) is a security feature designed to protect Android devices from unauthorized access after a factory reset. It requires authentication with the Google account last used on the device. While this is a valuable security measure, it can complicate device management, especially during employee offboarding.

To ensure a smooth offboarding process, consider these two approaches:

  • Enable Enterprise Factory Reset Protection (EFRP):
    • Designed for Enterprise, EFRP allows you to specify which Google Accounts can activate a device that has been factory reset and locked by FRP.
    • These approved users can unlock company-owned devices that have been factory reset, without the need for the previous user’s Google account details.
    • This approach provides a balance between security and manageability.
  • Disable FRP:
    • Disabling FRP allows you to factory reset devices without requiring the previous user's Google account credentials.
    • This can simplify the offboarding process, but it also reduces the device's security.
    • Use with caution, particularly for devices that are at risk of loss or theft.

 

Important Note: Resetting a device through the Settings app typically doesn't trigger FRP, except in specific scenarios involving company-owned devices with Work Profiles and EFRP enabled. Therefore, it's crucial to disable FRP or enable EFRP before initiating a factory reset to prevent potential lockouts.
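One way to make the note above enforceable rather than something each admin has to remember: gate the remote-wipe step on the device's FRP configuration. The script below is an added example (not Google's code, not any MDM vendor's API) that classifies a policy as EFRP, FRP disabled, or unconfigured, and only schedules a factory reset for a company-owned device in the first two cases; BYOD devices get work-profile removal, where FRP does not come into play. The policy shape (`frp_mode`, `efrp_admin_emails`), the policy names and the device records are constructed for the example and are not an API schema.

```python
"""Pre-wipe guard for the FRP caveat above: a factory reset of a company-owned
Android device is only scheduled when its policy either names EFRP admin
accounts or disables FRP, so the reset cannot lock the device to the leaver's
Google account. Added illustration, not Google's or any MDM's code; the policy
shape (frp_mode, efrp_admin_emails) and the device records are constructed and
are not an API schema."""
import re

_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def efrp_policy(admin_emails: list[str]) -> dict:
    """Enterprise FRP: only the listed accounts may activate a reset device."""
    if not admin_emails:
        raise ValueError("EFRP needs at least one admin account, or every reset device locks")
    bad = [e for e in admin_emails if not _EMAIL.match(e)]
    if bad:
        raise ValueError(f"not valid email addresses: {bad}")
    return {"frp_mode": "efrp", "efrp_admin_emails": list(admin_emails)}


def frp_disabled_policy() -> dict:
    """FRP off: resets need no account, at the cost of protection if the device is lost."""
    return {"frp_mode": "disabled", "efrp_admin_emails": []}


def frp_mode(policy: dict) -> str:
    """Classify a policy; anything else leaves stock FRP tied to the last user's account."""
    mode = policy.get("frp_mode")
    if mode == "efrp" and policy.get("efrp_admin_emails"):
        return "efrp"
    if mode == "disabled":
        return "disabled"
    return "lockout_risk"


def plan_offboarding_wipe(device: dict, policy: dict) -> dict:
    """Decide the wipe action for one device; never returns a blind factory reset."""
    if device["ownership"] == "byod":
        # Work profile removal leaves personal data alone; FRP is not involved.
        return {"device": device["id"], "action": "remove_work_profile"}
    mode = frp_mode(policy)
    if mode == "lockout_risk":
        return {"device": device["id"], "action": "blocked",
                "reason": "enable EFRP or disable FRP before factory reset"}
    return {"device": device["id"], "action": "factory_reset", "frp": mode}


def plan_fleet(devices: list[dict], policies: dict[str, dict]) -> list[dict]:
    """Apply the guard to every device, looking up each device's policy by name."""
    return [plan_offboarding_wipe(d, policies.get(d["policy"], {})) for d in devices]


# Constructed fleet: three company devices under different policies, one BYOD phone.
POLICIES = {
    "sales": efrp_policy(["it-admin@example.com"]),
    "kiosk": frp_disabled_policy(),
    "legacy": {},  # never configured: stock FRP bound to the last account
}
DEVICES = [
    {"id": "dev-1", "ownership": "company", "policy": "sales"},
    {"id": "dev-2", "ownership": "company", "policy": "kiosk"},
    {"id": "dev-3", "ownership": "company", "policy": "legacy"},
    {"id": "dev-4", "ownership": "byod", "policy": "sales"},
]

if __name__ == "__main__":
    for plan in plan_fleet(DEVICES, POLICIES):
        print(plan)
```

The device under the never-configured "legacy" policy is the one that would have been locked to the leaver's account after a reset; the guard blocks it with the remediation in the message instead of issuing the wipe, and an EFRP policy with an empty admin list is deliberately treated the same way.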

 

  4. Remote wipe:

  • After allowing the user a brief period to back up personal data on company-owned devices, or to transfer ownership of work files, remotely wipe the device. Depending on the device’s enrolment method, either:
    • Factory Reset: For company-owned devices, initiate a factory reset to erase all work apps and data from the device without physical access.
    • Remove Work Profile: For BYOD devices, use your MDM solution to remove the user's Work Profile from the device. This eliminates company apps, data, and settings from the device. Note that personal data is unaffected by the removal of the Work Profile, so it does not require backup.

 

  5. Revoke device access:

  • Deactivate the device from your MDM solution.
  • This will prevent the device from receiving updates, policies, and security patches.

 

  6. Asset retrieval:

  • Create a comprehensive inventory of all physical assets assigned to the employee (e.g., laptops, phones, keys, badges).
  • Ensure all physical assets are returned or disposed of securely.

 

  7. Update device inventory:

  • Update your device inventory to reflect the device's status (e.g. retired, reassigned).

 

Employees: Your Role in a Secure Exit

 

  1. Data Backup:

  • Use a personal cloud storage service or external storage to back up any personal data that you want to keep before the device is wiped or reset.
  • Following your company's guidelines for data backup, ensure that all company data is backed up to the appropriate location or cloud storage.

 

  2. App Removal:

  • Uninstall any company-owned or work-related apps that you no longer need.
  • This may include email, calendar, and productivity apps.
  • Clear the data and cache for these apps to remove any sensitive information.

 

  3. Network Access:

  • Disconnect from any company VPN connections.
  • Remove any VPN profiles or certificates.
  • Forget any saved company Wi-Fi networks.

 

  4. Personal Cloud Storage:

  • Download and save any personal files from company-provided cloud storage.
  • Revoke access to personal accounts linked to company devices.

 

  5. Assets:

  • Depending on company policy, return all corporate devices and accessories to the IT department or designated location.
  • Ensure that the device is in good condition and free of any damage.

 

  6. Social Media Accounts:

  • Review and remove any company-related content from personal social media accounts.
  • Update privacy settings to limit public visibility.

 

Best Practices

 

From the off, it’s good to keep handover in mind. After all, the more structure in place when setting up, the easier handover will be. With this in mind we've put together some tips and best practices to consider when starting out, or even implementing further along. 

 

Setting Up Devices and Profiles:

  • Separate Profiles:
    • Create separate profiles for work and personal data to improve security and privacy.
    • Use work profiles to enforce company policies and manage company-owned apps.
  • Corporate email accounts:
    • The improved Android sign-up process makes it easier for IT admins to sign up for and access Google services using their corporate email addresses. This eliminates the need for personal Gmail accounts, leading to cleaner handovers when an employee leaves. Plus, certain setup tasks can be managed centrally through the Google Admin console, again making it much easier to keep track of, document and hand over tasks.
  • Centralized Management:
    • Avoid the hassle of being locked out of corporate Google accounts when the time comes for the admin who set up the account to embrace a new opportunity. Maintaining a centralized approach avoids having a sole owner of any Google account, making it easier to manage and maintain control of and access to business Google accounts in the event of a handover. IT admins can also easily track, document, and hand over administrative tasks in this way.

  • Default Settings:
    • Configure default settings for devices and profiles to streamline the onboarding process and ensure consistency.
    • Consider using templates or scripts to automate device setup.
  • App Management:
    • Use Google Managed Play to create a customized and secure app store for different business needs and user roles and have more control over which apps employees can install and use.
  • Policy Enforcement:
    • Implement policies to enforce security measures such as password complexity, screen lock timeout, and data encryption.
    • Use conditional access policies to restrict access to company resources based on device compliance.

 

Employee Training:

 

Remember, documented procedures and workflows are vital for mitigating risks associated with employee turnover. Proactive documentation ensures business continuity and minimizes disruptions during employee transitions.

  • Provide employees with clear guidelines and training on their responsibilities during the offboarding process.
  • Educate employees on data security best practices and the importance of returning company assets.

 

Regular Reviews:

  • Review and update your offboarding procedures regularly to ensure they remain effective and aligned with evolving security threats.
  • Conduct periodic security audits to identify and address any potential gaps.

 

A well-executed offboarding process is crucial for safeguarding your organization's sensitive data and maintaining security. By following the checklist provided, you can effectively mitigate risks, minimize disruptions, and ensure a seamless transition for both the departing employee and your organization.

 

Like and share this post to help others secure their organization's digital footprint!

 

Let us know your thoughts and experiences in the comments below. Do you have any additional tips for a smooth offboarding process?