
How to Secure Employee Devices Before Someone Leaves
An employee departure, planned or not, creates a real window of data exposure. This guide walks you through exactly how to lock down devices, revoke access, and recover company assets before any damage is done.
TL;DR: When someone leaves your company, their device is a live data risk until you explicitly close every access point. This guide covers the full offboarding sequence, from account revocation to physical device recovery, so nothing falls through the cracks.
What You Need
Before you start, have these in place:
- Admin access to your identity provider (Microsoft 365, Google Workspace, or Active Directory)
- A mobile device management (MDM) tool, or at minimum a documented device inventory
- HR confirmation of the departure date and type (voluntary, involuntary, or extended leave)
- A checklist template you can hand off to whoever manages IT on short notice
- Physical access to retrieve hardware after the employee is notified
If you are running without an MDM solution or a formal device inventory, that is the first gap to fix. A managed IT arrangement typically includes both. Without them, the steps below become guesswork.
Step 1: Classify the Departure Before You Do Anything Else
Not every departure carries the same risk profile. A retirement with two weeks notice is different from a termination with cause or an employee who just gave notice and still has admin credentials.
Ask these questions:
- Does the employee have elevated privileges, admin rights, or access to sensitive systems?
- Do they have company data on a personal device in addition to a company-issued one?
- Was this departure expected, or are you reacting to something that already happened?
The answers determine the urgency and sequence of the steps below. For high-risk departures, revoke access first, recover the device second, and explain later. For planned transitions, you have a bit more room to coordinate.
Step 2: Revoke Account Access Immediately
This is the highest-priority action. Accounts stay live until someone explicitly turns them off, and a former employee with active credentials is an open door.
In Microsoft 365:
- Go to the Microsoft 365 admin center.
- Select the user and choose "Sign out of all sessions."
- Block sign-in on the account.
- Remove the user from all shared mailboxes, Teams channels, and SharePoint sites.
- Convert the mailbox to a shared mailbox if you need to retain access to their email.
If your organization uses Microsoft 365 across the board, most of this can be done in under ten minutes from the admin console. If you are on a hybrid Active Directory setup, you also need to disable the on-premises AD account separately. Cloud and on-prem do not always sync instantly.
Also revoke:
- VPN credentials
- Any third-party SaaS apps connected via SSO
- Password manager entries if the employee had access to shared vaults
- Physical key codes or badge access (coordinate with facilities)
Step 3: Remotely Lock or Wipe the Device If Needed
If the employee still has possession of the device and the departure is hostile or high-risk, use your MDM to issue a remote lock before they have a chance to copy or delete anything.
For lower-risk departures where you expect the device back shortly, a lock is usually enough. A full remote wipe is a last resort, and it should only happen after you have confirmed that any company data on the device has been backed up or already exists elsewhere.
This is why a backup and disaster recovery policy matters before someone ever resigns. If you are scrambling to preserve data at the moment of departure, you are already behind.
If no MDM is in place:
- For Windows devices, BitLocker encryption means the drive is unreadable without the recovery key. Make sure those keys are stored in your admin portal, not on the device itself.
- For Macs, FileVault serves the same purpose.
- iOS and Android both support remote wipe through Apple Business Manager and Android Enterprise respectively, but only if enrollment was set up in advance.
Tired of IT that breaks at the worst time? Talk to our business IT team
Step 4: Physically Recover the Device
Get the hardware back. This sounds obvious, but it is the step that gets delayed when HR and IT are not coordinating, and a delayed device recovery is how laptops end up in someone's car for three weeks.
- Schedule the return as part of the offboarding meeting, not as an afterthought.
- Have a receipt or return acknowledgment for the employee to sign.
- Inspect the device for physical damage before accepting it.
- Do not let the employee wipe the device themselves before return. That is your job.
Once the device is back in your hands, do not immediately reimage it. First, confirm that any data you need has been transferred. Check for locally stored files, browser profiles, and any work that was never synced to a shared drive.
If the device has physical damage or is acting strangely, a computer repair evaluation before redeployment is worth the time. Returning a damaged laptop to a new employee creates a support problem on day one.
Step 5: Audit What They Had Access To
This step gets skipped because it is tedious, but it is how you find the risks you did not know existed.
Pull an access log for the departing employee and look for:
- Any files accessed or downloaded in the 30 days before departure
- Large email exports or forwarding rules set up in their mailbox
- Third-party apps authorized under their account
- Any new user accounts they may have created
- External shares created from company drives
If you see unusual activity in that window, treat it as a potential cybersecurity incident and document it. Most departures are clean. Some are not, and you want to know the difference.
Step 6: Reimage and Redeploy or Store Securely
Once you have confirmed the data situation and completed the audit, wipe and reimage the device according to your standard configuration. A clean image removes any software the employee installed, any stored credentials in browsers or apps, and any configuration changes they made.
For storage, if the device will sit for more than a few weeks before redeployment, document it in your inventory with its condition, specs, and any applicable warranty dates. Devices that disappear into a closet without documentation are how you end up with mystery hardware and no idea what is on it.
If you need help building out a redeployment workflow or your IT team is stretched thin, this is exactly the kind of process that managed IT services can own so you are not reinventing it every time someone quits.
Common Mistakes
1. Waiting until after the employee has left to revoke access. The offboarding process should trigger account revocation on the last day, not the following Monday when someone gets around to it.
2. Only revoking the primary account and forgetting shared credentials. If the employee knew a shared admin password or had access to a team password vault, rotate those credentials immediately. The primary account lock means nothing if they can still log in through a shared credential.
3. Assuming cloud sync means the data is safe. Cloud sync works both ways. An employee can delete files from a shared drive and that deletion propagates to everyone. Versioning and backup retention policies are what protect you here.
4. Skipping the audit on friendly departures. A voluntary departure with two weeks notice feels low-risk. Most of the time it is. But the audit takes an hour and it is the only way to confirm that nothing walked out the door.
5. Not having any of this documented. If the person who normally handles IT is on vacation when someone resigns, who runs this process? A written offboarding checklist that lives somewhere accessible is not optional. It is infrastructure.
Bottom Line
Employee offboarding is a security event, whether it feels like one or not. The risk window is the gap between when someone decides to leave and when you have locked everything down. The steps above close that window in a predictable, repeatable order.
If you are a South Florida business running without a formal offboarding process, an MDM solution, or documented access policies, now is the time to fix that, not after something goes wrong. Take a look at what a business IT or managed IT arrangement can do for your organization, or reach out to us directly to talk through what your current gaps look like.
Tired of IT that breaks at the worst time?
We run managed IT, backups, and security for South Florida businesses so you can stop thinking about it.
Frequently asked questions
When should I revoke an employee's access, before or after they leave?
For most departures, access should be revoked on the final day, coordinated with HR so it happens at the moment of the offboarding meeting. For terminations with cause or high-risk situations, revoke access before or during the meeting, not after. Waiting until the next business day is when things go wrong.
What if the employee has company data on their personal phone?
This is why mobile device management (MDM) enrollment matters at the start of employment, not the end. If a personal device was enrolled in your MDM, you can remotely wipe only the work partition without touching personal data. If it was never enrolled, your options are limited and mostly involve asking nicely, which is not a security posture.
Do I need to wipe the device even if the employee was trustworthy?
Yes. A full reimage before redeployment is standard practice regardless of how the departure went. Stored browser credentials, locally cached files, and leftover app configurations are all risks for the next person who uses that machine, and a clean image takes those off the table entirely.
What counts as a security incident during offboarding?
Unusual file downloads or large email exports in the weeks before departure, forwarding rules pointed at personal accounts, or third-party app authorizations that should not exist are all worth documenting and investigating. Most will have innocent explanations, but you need to confirm that rather than assume it.
How do I handle offboarding if we have no IT staff?
Start with a written checklist that someone in management can follow, covering account revocation, device return, and credential rotation. Longer term, a managed IT provider can own the entire process and make sure it runs correctly every time, without depending on institutional memory that walks out the door with the employee.