Offboarding Device Checklist

A ready-made checklist for IT teams handling a departing employee's device, accounts, and licenses

This is a complete checklist for IT teams handling a departing employee. It covers backing up their data, deactivating accounts, recovering hardware, and reclaiming licenses. Fork it, adapt it to your org, and run it every time someone leaves.

Timing matters. Start the pre-departure tasks before the employee's last day and coordinate with HR on the exit timeline. For involuntary departures, you may need to execute the entire checklist in a single session.

This is the companion to the Onboarding Device Checklist. That one gets a device ready for day one. This one cleans up after the last day.

Before the last day

Handle these while the employee still has access and can help with transfers.

  • [ ] Back up the employee's device – see Backup Your Computer for methods
  • [ ] Export or archive their email and calendar data if your org requires retention
  • [ ] Transfer ownership of shared files and documents (Google Drive, OneDrive, SharePoint, Dropbox)
    • Reassign ownership to their manager or a team member
    • Don't just share – transfer ownership so nothing disappears when the account is deactivated
  • [ ] Document any unique credentials the employee managed (service accounts, API keys, vendor logins)
    • These should be in the company password manager, but ask explicitly – people stash passwords in notes, bookmarks, and browser autofill
  • [ ] Identify any personal files the employee needs to retrieve from the work device
  • [ ] Confirm the last day and time with HR so you can coordinate account deactivation

Account deactivation

Do this on or immediately after the employee's last day. Don't delete accounts right away – you may need access to their email and files during the transition period.

  • [ ] Disable or suspend the employee's primary work account (Microsoft 365, Google Workspace, or your directory service)
    • Microsoft 365: Set the account to blocked sign-in in the admin center, or use Entra ID to disable the account
    • Google Workspace: Suspend the user in the admin console (suspended users retain data but can't sign in)
  • [ ] Revoke all active SSO sessions so they're immediately signed out of connected apps
  • [ ] Remove the employee from security groups, distribution lists, and shared mailboxes
  • [ ] Set up email forwarding or an auto-reply on their mailbox ("X is no longer with the company, please contact Y")
    • Keep the mailbox active for 30-90 days depending on your retention policy
  • [ ] Revoke 2FA tokens and remove their devices from the authenticator app enrollment
  • [ ] Disable or revoke access to third-party SaaS apps (Slack, Zoom, Salesforce, Jira, etc.)
    • Check your SSO dashboard for all apps they had access to
  • [ ] Remove the employee from any shared password manager vaults

Device recovery

  • [ ] Collect the company laptop or desktop
  • [ ] Collect external monitors, docking stations, and display adapters
  • [ ] Collect peripherals: keyboard, mouse, headset, webcam
  • [ ] Collect chargers, cables, and power adapters
  • [ ] Collect any security keys or hardware tokens (YubiKey, RSA token)
  • [ ] Collect any company-issued mobile devices or SIM cards
  • [ ] Update your asset management system to reflect the return

For remote employees, arrange a shipping label and prepaid box. Track the shipment and follow up if it doesn't arrive within the expected window.

Device cleanup

  • [ ] Remove the device from your MDM platform (Jamf, Intune, Kandji, JumpCloud, etc.)
  • [ ] Remove any configuration profiles (Wi-Fi, VPN, certificates, restrictions)
  • [ ] Factory reset or reimage the device
    • macOS: Erase the Mac from System Settings > General > Transfer or Reset > Erase All Content and Settings, or boot to Recovery (hold power button on Apple Silicon, Cmd + R on Intel) and erase from Disk Utility
    • Windows: Settings > System > Recovery > Reset this PC > Remove everything
  • [ ] Remove the device from Apple Business Manager, Windows Autopilot, or any zero-touch enrollment programs if the device is being retired
  • [ ] Remove the device from your asset management or inventory system (or mark it as available for reassignment)
  • [ ] Revoke any device-specific certificates

License recovery

  • [ ] Reclaim the Microsoft 365 license (remove from the user in the admin center)
  • [ ] Reclaim Adobe Creative Cloud, Figma, or other design tool licenses
  • [ ] Remove the employee from any shared software subscriptions
  • [ ] Deauthorize the device from any per-device licensed software (e.g., Adobe, JetBrains, AutoCAD)
  • [ ] Review your license dashboard to catch anything assigned to the departing user

Unused licenses sitting on deactivated accounts still cost money. Reclaim them promptly so they can be reassigned.

Security

  • [ ] Change any shared passwords the employee had access to (team accounts, vendor portals, social media credentials, service accounts)
  • [ ] Revoke VPN access and remove their VPN profile
  • [ ] Review and revoke any admin privileges they held (domain admin, cloud admin, database access, server access)
  • [ ] Check for any personal devices the employee enrolled in BYOD or MDM – remove company profiles from those
  • [ ] Review recent access logs for any unusual activity during the notice period
  • [ ] If the departure is involuntary or contentious, consider an immediate security review of file access, email forwarding rules, and data exports

Final verification

  • [ ] Confirm the employee can no longer sign in to any company systems (test their credentials against SSO)
  • [ ] Verify email forwarding or auto-reply is working
  • [ ] Confirm the recovered device is wiped and ready for reassignment or storage
  • [ ] Confirm all licenses have been reclaimed in your admin dashboards
  • [ ] File the offboarding record (date completed, assets returned, accounts deactivated) for compliance
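An added example (not part of the original checklist) of how the final verification, together with the forwarding-rule review from the Security section, can be scripted: it reads a constructed inventory of entitlements and returns whatever is still open for the departed user. The CSV columns, the `CLEARED` state names, and the `example.com` domain are assumptions; map your own admin-console exports onto them.

```python
import csv
import io

COMPANY_DOMAINS = {"example.com"}  # assumption: your organization's mail domains

# Constructed sample: one row per entitlement, merged from admin-console exports.
# Column names are hypothetical; map your own exports onto them.
SAMPLE_EXPORT = """system,user,item,state
directory,jdoe@example.com,sign-in,blocked
sso,jdoe@example.com,session,active
groups,jdoe@example.com,finance-team,member
licenses,jdoe@example.com,Microsoft 365,assigned
vpn,jdoe@example.com,profile,removed
mail,jdoe@example.com,forward:manager@example.com,enabled
mail,jdoe@example.com,forward:jdoe.personal@example.net,enabled
licenses,asmith@example.com,Microsoft 365,assigned
"""

# States that mean the offboarding step for that row is already done.
CLEARED = {"blocked", "suspended", "revoked", "removed", "reclaimed", "disabled"}


def audit_departed_user(export_text, user, approved_forward=None):
    """Return (system, item, reason) findings still open for a departed user."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["user"].strip().lower() != user.lower():
            continue
        system, item, state = row["system"], row["item"], row["state"].lower()
        if state in CLEARED:
            continue
        if system == "mail" and item.startswith("forward:"):
            target = item.split(":", 1)[1].lower()
            domain = target.rsplit("@", 1)[-1]
            if domain not in COMPANY_DOMAINS:
                findings.append((system, target, "forwards outside the company"))
            elif target != (approved_forward or "").lower():
                findings.append((system, target, "forward not to the agreed contact"))
            continue  # the approved internal forward is expected, not a finding
        findings.append((system, item, f"still {state}"))
    return findings


if __name__ == "__main__":
    for finding in audit_departed_user(SAMPLE_EXPORT, "jdoe@example.com",
                                       approved_forward="manager@example.com"):
        print(finding)
```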

Short version

  • [ ] Back up user data, transfer file ownership, document unique credentials
  • [ ] Disable/suspend accounts (don't delete yet), revoke SSO sessions, set up email forwarding
  • [ ] Remove from groups, shared vaults, and SaaS apps
  • [ ] Collect device, monitors, peripherals, chargers, security keys
  • [ ] Remove from MDM, factory reset device, remove from asset management
  • [ ] Reclaim software licenses (Office 365, Adobe, etc.)
  • [ ] Change shared passwords, revoke VPN and admin access
  • [ ] Verify: no sign-in possible, email forwarding works, device wiped, licenses reclaimed

Frequently Asked Questions

Should I delete the employee's account immediately?

No. Suspend or disable it first and keep it active for 30-90 days. You'll likely need access to their email for client handoffs, their files for project continuity, and their calendar for meeting context. After your retention period, convert the mailbox to a shared mailbox (Microsoft 365) or transfer data to another user (Google Workspace), then delete.

What if the employee won't return equipment?

Start with a polite reminder and a prepaid shipping label. If equipment isn't returned within your policy window (typically 14-30 days), escalate through HR. Some organizations deduct the cost from the final paycheck where legally permitted, but that varies by jurisdiction. Document everything.

How is involuntary offboarding different?

Speed. For involuntary departures (terminations, layoffs), coordinate with HR to deactivate accounts at the exact moment the employee is notified. Don't wait until end of day. Have the checklist pre-staged and execute account deactivation, session revocation, and VPN termination within minutes. Device recovery and cleanup follow as soon as possible.

Do I need to wipe personal devices used for work (BYOD)?

You can't wipe a personal device without the employee's consent in most cases. What you can do is remove the company MDM profile, which removes the work container, managed apps, and company data. The employee keeps their personal data. Make sure your BYOD policy covers this scenario clearly before it comes up.

How long should I keep the departed employee's data?

Follow your organization's data retention policy. Common practice is 90 days for email and files, longer if there are legal holds or compliance requirements (HIPAA, SOX, GDPR). After the retention period, export and archive anything required, then delete the account. When in doubt, check with legal.