Anatomy of the Good BetterCloud Offboarding Workflow


Our customers regularly ask us what an ideal offboarding workflow should look like. With that in mind, we want to give you a step-by-step guide on how to build a complete offboarding workflow in BetterCloud.

Offboarding is more than just revoking access. There are many more steps than people usually realize: steps that are important for data security, compliance efforts, and business continuity.

When offboarding is done manually, it’s subject to human error (not to mention it’s extremely tedious). But building an automated workflow in BetterCloud ensures that every step is taken every time you offboard a user.

Of course, every company’s offboarding process will differ slightly, from the timing of certain steps to what your source of truth is. We’ve offboarded a million employees across 3,000 companies, and we’ve seen all kinds of variations. But generally speaking, these best practices will ensure that every user is fully offboarded, every time, without fail.

Start from your source of truth

Every workflow should start from your source of truth. Typically, this is your HR system. In other cases, this is your identity provider (IDaaS).

It’s important to work with your HR/People team to map out your process before designing your offboarding workflow. Eventually, an employee will be marked as “inactive” and this will flow down into your SaaS systems. In the best-case scenario, your HR system will feed directly into your identity provider (e.g., Okta, OneLogin, Active Directory) or your mail system (G Suite, Office 365).

If this isn’t possible, you may want to consider having the People/HR team open a ticket to notify you of a newly termed user (in JIRA, ServiceNow, etc.) or submit a form notifying you of this (e.g., Google Forms). These requests should include: whether the term is immediate or should be scheduled for a certain time, who their data should be transferred to, if mail will be forwarded, etc.

In more advanced cases, this form submission can automatically trigger an action in your IDaaS or your mail provider (e.g., G Suite). You may also want to consider creating a Slack channel for notifications during your offboarding process.

Decide what your triggering event is

You’ll need to decide which event will kick off your workflow. In some cases this will be a user being moved or disabled in another system. A few of the most common “WHEN” statements for a BetterCloud offboarding workflow are:



Office 365


G Suite


When your workflow is published, BetterCloud will begin listening for this specific event from the connector. After we process the event, your workflow will trigger.

The essential steps of an ideal offboarding workflow

Stage 0: The retrieval (for physical security)

In this stage, you’ll retrieve the user’s device (if applicable) and any other company-owned devices. This ensures that the departing employee doesn’t leave, intentionally or unintentionally, with a device that belongs to the company.

Recommended workflow actions in BetterCloud:

  • Zendesk: Create a ticket
  • Google and Office 365: Send an email

Stage 0.1 (optional): The unsuspension

If you’re using an identity provider like Okta or OneLogin, it’s likely that departing users have already been auto-suspended.

If so, some of the actions in your offboarding workflow may fail. We recommend adding an “unsuspend” step to the beginning of your workflow to prevent any subsequent actions from failing. If you include this step, be sure to re-suspend the user toward the end of your offboarding process.

Recommended workflow actions in BetterCloud:

Stage 1: The lockout

This stage is used to take additional measures to lock a user out of their account and clear any associated sessions. It’s an important first step to take because the departing employee can still interact with email or Slack once they’re gone if you fail to do this. It’s especially important if you’re dealing with a disgruntled employee. Locking them out prevents them from being able to take data with them or send damaging messages to employees.

Recommended workflow actions in BetterCloud:

  • Google: Reset password
  • Office 365: Reset password
  • Okta: Clear user session
  • Okta: Reset factors
  • Slack (Plus plan only): Disable user
  • Zendesk: Sign out user
  • Salesforce: Freeze user
  • Box: Update user profile (set to “Inactive”)

Stage 2: The directory cleanup

In this stage, you’ll make sure that the user is hidden in the directory, will not auto-complete in emails, and isn’t visible in any groups, calendars, etc.

This step is important for maintaining good organizational hygiene. Once it’s completed, the departed user will no longer be visible in your system, which prevents confusion and keeps things orderly.

Recommended workflow actions in BetterCloud:

  • Google: Hide user in directory
  • Google: Remove from all groups
  • Google: Remove all email aliases
  • Google: Remove from shared calendars
  • Google: Move to org unit
  • Office 365: Remove from all groups
  • Salesforce: Remove user from permission set

Stage 3: The security cleanup

In this stage, you’ll continue to clean up any security-related items for the account. This includes authentication, delegation, mail routing rules, etc.

These additional steps prevent the departing user from being able to log into their accounts. They also prevent mail from going to accounts that it should no longer be going to.

Recommended workflow actions in BetterCloud:

  • Google: Delete 2-step backup codes
  • Google: Delete app-specific passwords
  • Google: Revoke delegation access
  • Google: Revoke user’s apps
  • Google: Revoke super admin privileges
  • Google: Disable IMAP
  • Google: Disable POP
  • Google: Disable email forwarding
  • Dropbox: Revoke third-party apps from user just about

Stage 4: The devices

This stage is meant to clean any data off of the user’s personal device across all applications. Similar to stage 0, this step removes data from the departing user’s device, locks them out of their company laptop, removes the MDM solution, and sends a lock command (e.g., via Jamf).

Recommended workflow actions in BetterCloud:

  • Office 365: Remove devices from user
  • Google: Account wipe mobile device
  • Google: Remove device from user
  • Dropbox: Revoke devices from user account
  • Additional actions available in our new Integration Center

Stage 5: The data transfer

This stage is meant to transfer any data on the account to other users within the organization. Typically, this will be the user’s manager or an archive service account (e.g.,

This step is important because it preserves data for compliance reasons, and it ensures that other team members can continue working without any disruption. Additionally, this step keeps your environment clean and organized. You can delete recurring calendar events and free up those resources, and also remove the departing employee from user groups, reducing confusion and keeping your environment tidy.

Recommended workflow actions in BetterCloud:

  • Google: Transfer Drive files
  • Google: Transfer primary calendar events
  • Google: Transfer group ownership
  • Google: Transfer secondary calendars
  • Box: Move owned items
  • Dropbox: Remove team member and transfer files

Stage 6: The mail routing

In this stage you’ll decide what will happen to the user’s email once they’re offboarded. Who should their email be routed to? Is it okay if the mail bounces? Should there be an auto-reply in place? If you suspend an account, mail automatically bounces. If you decide to leave the account active, how do you make sure that the email is being directed to the right people?

If you do leave the Google license active, you can create an email delegation rule so that the emails will be accessible to the departing user’s manager. Alternatively, you can change the departing user’s primary email address and then create a (free) Google Group with their email address. This allows you to free up that license, while making sure that their mail is being properly routed.

Recommended workflow actions in BetterCloud:

  • Google (if active): Set auto-reply
  • Google (if active): Set email forward
  • Office 365: Set email forward
  • Office 365: Set auto-reply
  • Office 365: Change primary email address
  • Google: Add email alias

Stage 7: The backup (optional)

In “the backup,” take the necessary steps to back up the departing user’s data. BetterCloud doesn’t have the ability to do this for you; instead, we recommend a “Send Email” action that sends you a reminder to back up the data. This way you’ll be sure to download all Drive data and store it using Google Takeout, Spanning, Backupify, or whatever backup system you use.

Note: If you’re on BetterCloud’s Enterprise SKU, you can extend BetterCloud to connect Spanning or Backupify and create a workflow that will take care of this for you.

While backing up data isn’t vital to your offboarding process, it’s likely important for legal and/or compliance reasons.

Recommended workflow actions in BetterCloud:

  • Google: Send email to group
  • Office 365: Send email
  • Zendesk: Open ticket

Stage 8: The notification

Stage 8 rounds out the initial offboarding. Now that these steps are complete, we recommend setting up a few notifications before you go on to step 9. These notifications should go to the IT team as well as to the user’s manager (if applicable). They should inform the team that the initial offboarding steps have been completed and when they can expect the remaining steps to be completed.

Recommended workflow actions in BetterCloud:

  • Slack: Send message to channel
  • Slack: Send direct message
  • Google: Send email to group
  • Google: Send email to user
  • Slack (Advanced): Send message to private channel

Stage 9: The wait

Stages 0-8 were the initial steps of offboarding; steps 10-11 are the final steps that will finish up the offboarding process. Step 9 is the period in between.

After the initial offboarding, you’ll likely want to keep the account active for some time before completely deleting it and freeing up the license. In many cases, you may add a “Wait For Duration” step in BetterCloud for legal hold or data retention reasons. You can use as many wait periods as you’d like within a workflow. However, the total time period can’t exceed two years.

Recommended workflow actions in BetterCloud:

  • Wait for Duration (in hours or days)

Stage 10: The license management

In this step you’ll remove or add licenses, depending on what SaaS applications you use. This step ensures that you won’t be paying for unused licenses.

Recommended workflow actions in BetterCloud:

  • Office 365: Remove license
  • Google: Remove license (less common than assigning a Vault license)
  • Google: Assign license (e.g., Vault)

Stage 11: The deletion

The final offboarding step is to delete the accounts and free up licenses. This completes your process, and the departed user is now fully offboarded.

Recommended workflow actions in BetterCloud:

  • Google: Delete user
  • Office 365: Delete user
  • Box: Delete user
  • Zendesk: Delete user
  • Dropbox: Remove team member
  • Salesforce: Deactivate user

A few extra offboarding best practices in BetterCloud

Your workflow name & description

The name of your workflow should follow a certain naming convention that you will use in all other workflows. For example: [Type] [Connector] [Description]. Choosing a naming convention and sticking with it keeps things organized and cuts down on confusion.

Your description should include what the workflow is doing, who it was last updated by, and the date it was last updated. This description will be visible from the Workflow Manager in BetterCloud. When you have all these things in place, it’s easy to see at a glance what a workflow is accomplishing.

Email notification

Using the email notification feature is a must for offboarding workflows. This notification, sent once the workflow completes, includes information about (and the status of) every step taken during the workflow.

This feature is helpful not only for historical record keeping, but also for alerting you in the event that any steps fail along the way. If you don’t have this notification set up, you would need to manually read the results for each individual workflow that you run. Doing so is time consuming and runs the risk of overlooking an error that may have occurred.

Stop on error

Something else you may want to consider is adding “Stop on error” to your workflow. This way, if your workflow encounters an error, it will stop until you (or perhaps with the help of our best-in-class support team) fix whatever is causing the workflow to fail. This feature helps make sure that every step of your offboarding workflow is properly completed every time it runs.
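
The ordering rules in this guide (lockout first, unsuspend paired with a later re-suspend, a capped total wait, deletion only after data transfer, notification and stop-on-error enabled) can be checked mechanically before a workflow is published. The following is an added example, not BetterCloud code or its workflow format: the step dictionaries, action names and `lint_plan` function are hypothetical, and "two years" is taken as 730 days.

```python
# Added example. The step dictionaries and action names are hypothetical,
# not BetterCloud's workflow format. Both sample plans are constructed.
MAX_WAIT_HOURS = 2 * 365 * 24  # "two years" taken as 730 days (assumption)

def lint_plan(steps, email_notification, stop_on_error):
    """Return a list of findings; an empty list means no rule was violated."""
    findings = []
    stages = [s["stage"] for s in steps]
    actions = [s["action"] for s in steps]
    # An "unsuspend" at the start needs a re-suspend later in the plan.
    if "unsuspend" in actions:
        if "suspend" not in actions[actions.index("unsuspend") + 1:]:
            findings.append("unsuspend without a later re-suspend")
    # Lockout (stage 1) must exist and finish before any stage >= 2 step.
    lock = [i for i, st in enumerate(stages) if st == 1]
    later = [i for i, st in enumerate(stages) if st >= 2]
    if not lock:
        findings.append("no lockout step")
    elif later and max(lock) > min(later):
        findings.append("lockout runs after later-stage steps")
    # Wait steps add up; the total is capped.
    total = sum(s.get("hours", 0) for s in steps if s["action"] == "wait")
    if total > MAX_WAIT_HOURS:
        findings.append(f"total wait {total}h exceeds the two-year limit")
    # Deletion (stage 11) should only follow a data transfer (stage 5).
    for i, s in enumerate(steps):
        if s["stage"] == 11 and 5 not in stages[:i]:
            findings.append(f"{s['action']} before any data transfer")
    if not email_notification:
        findings.append("email notification disabled")
    if not stop_on_error:
        findings.append("stop on error disabled")
    return findings

GOOD_PLAN = [
    {"stage": 0.1, "action": "unsuspend"},
    {"stage": 1, "action": "reset_password"},
    {"stage": 5, "action": "transfer_drive_files"},
    {"stage": 8, "action": "suspend"},
    {"stage": 9, "action": "wait", "hours": 24 * 90},
    {"stage": 11, "action": "delete_user"},
]
BAD_PLAN = [  # deletes before transfer, locks out late, waits 800 days
    {"stage": 0.1, "action": "unsuspend"},
    {"stage": 11, "action": "delete_user"},
    {"stage": 1, "action": "reset_password"},
    {"stage": 9, "action": "wait", "hours": 24 * 800},
]
print(lint_plan(BAD_PLAN, email_notification=False, stop_on_error=True))
```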

New actions in our Integration Center

With the recent launch of our new Integration Center, we now offer 32 new BetterCloud-built integrations with apps like Zoom, PagerDuty, Jamf, Duo, and more. You can also develop and share your own custom integrations using the latest evolution of capabilities available via the Platform API.

Connecting these platforms enables IT to add custom steps to their offboarding workflows, such as transferring Zoom recordings to a manager or disabling a user in Duo. These steps make sure that all loose ends are tied up when a user leaves your organization.

To learn more about how BetterCloud can help you automatically offboard your users, request a demo.

Michael Stone

