This is a complete checklist for IT teams setting up a new employee's device. It covers everything from unboxing to handing over a ready-to-use machine. Fork it, adapt it to your org, and use it every time.

The checklist is written to be platform-agnostic. Where steps differ between macOS and Windows, both are noted. Skip sections that don't apply to your environment.

Hardware setup

• [ ] Unbox device and inspect for physical damage (screen, ports, hinges, chassis)
• [ ] Power on and complete initial OS setup (language, region, keyboard layout)
• [ ] Connect to Wi-Fi or ethernet
• [ ] Verify all ports work (USB, USB-C, HDMI, headphone jack) – plug something into each one
• [ ] Check the display for dead pixels or discoloration
• [ ] Test the keyboard, trackpad, speakers, and webcam
• [ ] Record the serial number and asset tag in your inventory system
• [ ] Assign the device to the employee in your asset management tool

For quick hardware checks, TheTest.com has browser-based tests for keyboard, camera, microphone, speakers, and display.

OS updates

• [ ] Run all available OS updates before doing anything else
  • macOS: System Settings > General > Software Update
  • Windows: Settings > Windows Update > Check for updates
• [ ] Restart after updates and check for additional updates (some require multiple passes)
• [ ] Verify the device is on the latest stable OS version

See Updating Your OS for troubleshooting stuck updates.

Account setup

• [ ] Create or assign the employee's company email account (Microsoft 365 or Google Workspace)
• [ ] Sign in to the device with the employee's work account
  • macOS: Add the work Apple Account in System Settings > Apple Account if applicable, or skip if using directory services
  • Windows: Sign in with the Entra ID (Azure AD) work account during setup, or join the domain
• [ ] Verify email access by sending a test message
• [ ] Confirm calendar and contacts sync is working

Security essentials

This is the most important section. Don't skip anything here.

• [ ] Enable full-disk encryption
  • macOS: FileVault – usually enforced by MDM, verify in System Settings > Privacy & Security > FileVault
  • Windows: BitLocker – verify in Settings > Privacy & security > Device encryption or search "BitLocker" in the Start menu
  • See BitLocker and FileVault for details and recovery key management
• [ ] Set up two-factor authentication on the employee's work account
  • Enroll an authenticator app (Microsoft Authenticator, Google Authenticator, or your org's standard)
  • Register a hardware key if your org uses them (YubiKey, etc.)
  • See Two-Factor Authentication for setup guides
• [ ] Install and configure the company password manager
  • Add the employee to your team vault or shared folders
  • See Password Managers for options and setup
• [ ] Set screen lock timeout (5 minutes or less is standard)
• [ ] Ensure the firewall is enabled
  • macOS: System Settings > Network > Firewall
  • Windows: Enabled by default via Windows Security. Verify in Settings > Privacy & security > Windows Security > Firewall & network protection
• [ ] Verify automatic OS updates are enabled

MDM enrollment

Skip this section if your organization doesn't use mobile device management.

• [ ] Enroll the device in your MDM platform (Jamf, Intune, Kandji, JumpCloud, etc.)
  • macOS + Jamf: If using Apple Business Manager, enrollment happens automatically during setup. Otherwise, navigate to the enrollment URL provided by IT
  • Windows + Intune: Sign in with the work account during setup, or go to Settings > Accounts > Access work or school > Connect and sign in
• [ ] Wait for all MDM profiles and policies to apply (this can take several minutes)
• [ ] Verify the device shows as compliant in your MDM console
• [ ] Confirm configuration profiles are installed (Wi-Fi, VPN, certificates, restrictions)

Essential apps

Install your organization's standard software. The exact list varies, but most orgs need these categories covered:

• [ ] Web browser: Chrome, Edge, Firefox, or your org's standard. Set as default if applicable. See Default Apps
• [ ] Office suite: Microsoft 365 apps (Word, Excel, PowerPoint, Outlook) or Google Workspace (typically web-based)
• [ ] Communication tools: Install whichever your org uses:
  • Microsoft Teams
  • Slack
  • Zoom
  • See Teams and Zoom Basics for setup
• [ ] VPN client: If the employee works remotely or needs access to internal resources, install and configure the VPN client (GlobalProtect, Cisco Secure Client, etc.). See VPN Basics
• [ ] Endpoint protection: Install your antivirus/EDR solution (CrowdStrike, SentinelOne, Defender for Endpoint, etc.)
• [ ] Password manager app: Install the desktop app or browser extension for your org's password manager
• [ ] Any role-specific software: IDEs for engineers, CRM for sales, design tools for creative, etc.

Email and calendar setup

• [ ] Configure email in the desktop client if applicable
  • Outlook: See Outlook Setup
  • Gmail: See Gmail Tips
  • Apple Mail: Add the work account in System Settings > Internet Accounts
• [ ] Set up the employee's email signature with company branding. See Email Signatures
• [ ] Verify calendar invites send and receive correctly
• [ ] Add shared calendars (team calendars, room calendars, company events)

Printer setup

• [ ] Add network printers the employee will need
  • macOS: System Settings > Printers & Scanners > Add Printer
  • Windows: Settings > Bluetooth & devices > Printers & scanners > Add device
• [ ] Print a test page to confirm it works
• [ ] See Connecting Printers for troubleshooting

Backup configuration

• [ ] Enable or configure backup
  • macOS: Set up Time Machine if your org provides backup drives or NAS, or confirm cloud backup via MDM
  • Windows: Enable Windows Backup or configure your org's backup solution
  • Confirm cloud storage sync is working (OneDrive, Google Drive, etc.)
• [ ] See Backup Your Computer for options

Security training pointers

Don't just hand over the device – make sure the employee knows the basics.

• [ ] Share your org's security policy document
• [ ] Point them to phishing awareness resources. See Avoiding Phishing
• [ ] Cover social engineering risks. See Social Engineering
• [ ] Explain your org's incident reporting process (who to contact, what to do if they click something suspicious)
• [ ] Remind them to lock their screen when stepping away (Cmd + Q on Mac does not lock – it's Ctrl + Cmd + Q. On Windows it's Win + L)

User orientation

The employee has a working device. Now make sure they know how to use it and where to get help.

• [ ] Walk through how to connect to Wi-Fi and VPN
• [ ] Show them how to access internal tools (intranet, ticketing system, knowledge base)
• [ ] Share relevant KB articles for self-service troubleshooting:
  • Keyboard Shortcuts for essential shortcuts
  • Screenshots and Screen Recording for capturing their screen
  • Writing Good IT Tickets so they know how to ask for help
• [ ] Provide IT support contact info (helpdesk email, chat channel, phone number)
• [ ] Schedule a check-in for the first week to catch any issues early

short

• [ ] Inspect hardware, power on, connect to network
• [ ] Run all OS updates and restart
• [ ] Sign in with work account, verify email and calendar
• [ ] Enable disk encryption, set up 2FA, install password manager
• [ ] Enroll in MDM (if applicable), wait for policies to apply
• [ ] Install browser, office suite, communication tools, VPN, endpoint protection
• [ ] Configure email, signature, and calendar
• [ ] Add printers, configure backup
• [ ] Cover security training (phishing, social engineering, screen locking)
• [ ] Walk through tools, share KB links, provide IT support contact info