5 simple steps to automate offboarding
Employee offboarding can drain valuable time from businesses with lean information technology (IT) teams. For small teams with limited bandwidth, efficiency is paramount. Manual offboarding processes, however, can require IT staff to execute a series of repetitive (yet critical) steps in coordination with other departments. Sounds like a job for IT automation, right?
At Sendbird, we initially relied on manual offboarding and quickly outgrew this as we scaled. With a support team of 3 to assist a workforce of 250 employees and contractors in the US, Korea, and elsewhere, automated offboarding proved to be a huge time saver for Sendbird. IT automation has helped us to streamline workflows, reduce errors and risk, and ensure compliance; it’s likely that IT automation can help you, too.
This blog will walk you through Sendbird’s journey of achieving zero-touch employee offboarding with IT automation.
The problem without offboarding automation: Many steps, many departments
In our original process, multiple teams would collaborate around many steps to offboard a single person. Sometimes, even after the back-and-forth, the process wasn’t effective.
To start, HR would terminate the employee records in the human resources information system (HRIS). Meanwhile, IT would disable the employee’s laptop in our master data management (MDM) system, disable their Okta account, and distribute a document detailing their accounts outside of Okta to all software admins.
Next, IT or the office manager would have to purchase a box to reclaim the employee’s laptop from either Amazon or FedEx or UPS in urgent cases. The IT department was also responsible for following up with all internal parties to ensure the employee accounts were properly closed.
Sendbird’s largest office is in Korea, so time zone differences often complicate offboarding. For example, a software admin might be asleep during offboarding for American employees, and vice versa if offboarding was in Seoul.
While this manual process was initially manageable with our small team, it became increasingly cumbersome and painful as Sendbird grew. Sometimes, we would discover accounts that remained active long after individuals had departed, raising serious security concerns.
Streamlined offboarding with IT automation
Our goal was to build a fully automated system for employee offboarding. The automated process would be triggered whenever an employee was deactivated in our HRIS, completing the rest and offboarding the employee without unnecessary legwork and uncertainty.
We settled on using Okta Workflows for automated offboarding, as it was already available to us without purchasing another SaaS product. We came across a helpful post by Pete Viri at Faire, from which we drew inspiration for our new offboarding process. With Okta Workflows, we aimed to streamline offboarding, reduce errors, and save valuable time, which ultimately proved successful.
IT automation in action: 5 simple steps for automated offboarding
The chart below outlines the steps in our new automated offboarding process — from employee deactivation in BambooHR (our source of truth) to physical logistics via our laptop return solution, Retriever.
Step 0: The trigger
Our offboarding process triggers when a user deactivation is initiated within our HRIS system, which is integrated with Okta.
Step 1: Revoke Okta access
The first automated step is deactivating the user in Okta, clearing their existing sessions and removing devices registered to their account. This revokes the user’s access to all enterprise applications.
Step 2: Delegate access
A key step in offboarding automation is delegating access to the previous user’s manager, which helps ensure a more seamless transition of responsibilities. This involves transferring files and calendars while temporarily granting the manager access to the employee’s Gmail inbox.
We automate these tasks to minimize downtime and prevent data loss, using Google Cloud Platform (GCP) for domain-wide delegation. Once an employee is offboarded, Okta Workflows triggers a process that uses GCP APIs to transfer the Gmail inbox to the delegated manager without needing verification emails. Temporary access is given to the manager for 60 days, then automatically revoked.
Step 3: Lock the laptop
Next, the onboarding automation calls Jamf APIs to lock the user’s laptop with a randomly generated passcode. We opted for at first locking the employee’s laptop instead of erasing the laptop in case we decide later that we need the device’s contents.
Step 4: Coordinate physical logistics
Automating offboarding has saved us many hours formerly spent on last-minute trips to the post office and other physical logistics processes related to laptop and device returns.
In this step, our automation considers the employee’s country. If they’re located in the US, we call the Retriever API to handle the process of labeling and shipping a box to the employee so they can return their laptop. Retriever passes the employee’s address via the API to the shipping company, who then takes care of the rest.
Though Retriever is currently only available in the US and Canada, our offices in Korea typically have former employees return their machines in person.
Step 5: Staying compliant
IT automation for offboarding is a great help with compliance. It generates detailed Jira tickets at every step of the offboarding process. These Jira tickets reflect the real-time progress of the onboarding process, documenting successful and failed tasks. They also contain laptop tracking and other information that might be needed in the offboarding process.
Jira plays a critical role for our compliance team, which uses it extensively to streamline operations, improve efficiency, and manage compliance requirements with the confidence that process records and key information are always at hand in case of an audit.
Final step: closing the loop
Once Retriever sends the employee a shipping box for their laptop, our JIRA service ticket receives real-time updates with tracking information. Since Retriever ships items via multiple carriers, we use a universal package tracking service to handle any chosen carrier.
Once IT receives the laptop, we lock it, erase it as needed, and add it back to our asset inventory.
Embracing ChatOps for automated offboarding
While Jira helps us track the documentation and compliance for automated offboarding, we also use Slack to maintain visibility and handle urgent security issues.
Slack for process visibility
When a new onboarding process is triggered, Okta Workflows starts a Slack conversation in a private channel to document the progress of each step in the onboarding process. These Slack chat updates mirror the updates in the Jira ticket but allow our IT team to monitor and document each step in the process in real-time for added security and compliance. The end result looks like this:
We lean toward being as detailed as possible, including the individual who initiated the process and the time the process began. A detailed report, including any failures, is then sent to Slack. While the process runs automatically when a user is deactivated, we also wanted a process to force it to run via Slack.
Custom Slack triggers for urgent security cases
Recently, due to immediate security concerns, we had to urgently offboard an employee. We created a Slack app that can call the Okta Workflow via an /offboard email@sendbird.com command, allowing us to initiate the offboarding process even while away from our computer.
Using the /offboard Slack command, the IT team was able to deactivate the employee’s account within minutes, despite being away from their computers. A real-time response like this would have been impossible with our previous process.
When /offboard is typed in Slack, Okta Workflows verifies that the user is authorized to run this command, and a notification that the command was run is sent to a private IT channel. The workflow then checks a list of authorized users we created in Okta Workflows. Once the user initiating the offboarding is verified as on the list, the automation proceeds with deactivating the specified employee’s Okta account, which then triggers the rest of the IT automation offboarding process.
Next steps for offboarding automation
Automating our employee offboarding at Sendbird has increased efficiency, reduced errors, and significantly improved compliance and security. Our IT team can call up the device return section in our automation process to ensure an employee’s device is returned quickly and seamlessly. Automation also comes in handy when employees need to return machines for non-offboarding reasons, such as laptop refreshes or machine malfunctions.
In a future iteration, the Sendbird team will build in device returns via Slack commands to further streamline our automated employee offboarding process. As we continue to grow and refine our processes, we invite you to consider how IT automation can help you transform your workflows and be more efficient.