When running offboarding from BetterCloud's Workflow Templates, a set of grouped Actions is included in the workflow by default. They are as follows:
- Reset Password
- Revoke Access
- Manage Devices
- Transfer Ownership
- Manage Groups
- Manage Email
- Notify Stakeholders
- Suspend User
- Delete Account
By the end of this article, you will be able to understand what each of these entails, and how they help you secure your environment when offboarding an employee.
Resetting the account's password is the first part of BetterCloud's suggested offboarding. This takes place across all apps that require a password, and ensures the user from this point forward will have a difficult time logging back into their account. You may notice that not all of your applications integrated with BetterCloud are included in this step. This is because some applications do not require a password, relying exclusively on SSO. It's important to note that not all applications will display in each of the grouped Actions, so if you feel something is missing or steps need to be added, feel free to add those steps and/or Actions when you begin editing your offboarding workflow via the Workflow Builder.
While resetting a password is a great first step to locking an account, it is important to take additional steps when it comes to account disablement and stored information. For example, in Google, the account may have app-specific passwords associated with it, or with Zoom, the account may have a stored SSO token. The Revoke Access Actions go one step further, removing any additional codes or security credentials for the account.
If you are performing mobile device management (MDM), or allowing users to gain access to data via their mobile device, the Manage Devices group of Actions will ensure mobile devices are removed from your organization, and where possible, all data associated with your organization is cleared from these devices. It is important to note that not all of the Actions listed will need to be taken. For example, if you are not using Google for MDM, you may wish to remove the Block Mobile Device and Wipe Mobile Device Actions listed as part of the group.
When possible, the Transfer Ownership group of Actions ensures all files, folders, groups and calendars are moved from the user to their manager (by default). For applications like Box and Dropbox, you will need to specify a service account or a default account for transfers, so please add these Actions once your Workflow template is completed and the Workflow Builder loads.
The Manage Groups Actions ensure your departing employee is properly removed from all of their groups across each of your integrated SaaS apps. At this point, there is little security concern since the user has had their password reset and their access revoked, but it is still a best practice to perform housekeeping on these groups.
The Manage Email Actions ensure a user's email is properly handled upon their departure. This could include items like setting up email forwarding, delegating email access, and setting up an auto-reply.
To ensure communication is handled in an automated fashion, applications like Slack, Google and 365 are included in the Notify Stakeholders group. These Actions will either send emails to the account's listed manager, or send direct messages as needed.
Now that all offboarding actions have taken place to ensure no data is lost, the user can finally be suspended (or disabled/frozen, depending on the application's language). Please take note of what happens when a user is suspended in an application. In the case of Google, this will halt email forwarding and prevent delegated email access. It is important to recognize the repercussions of a suspension before deciding how you'd like to proceed with these Actions.
At the beginning of the Delete Account group of Actions, BetterCloud adds a Wait for Duration, which essentially puts a legal hold on a user's account. The default time for a hold is 3 days, so you may want to alter this as you see fit. Following the wait period, the user's account will be deleted entirely from all integrated applications (where applicable), and oftentimes cannot be recovered. If you wish to confirm the user's account should be deleted prior to a full deletion, consider adding a Wait for Approval step following the Wait for Duration. This allows a stakeholder to decide if the Workflow should continue running, and if the account should be permanently deleted.
Now that you have an idea of what goes into BetterCloud's offboarding template, and what we view as best practices, you may want to alter your Workflow. Perhaps you'd prefer not to use the template, but instead, to start from scratch. To review additional information about user offboarding, please view our next article.