There’s a moment every SME hits the first time a fully remote person joins or leaves. The old process assumed someone walked to a desk: handed over a laptop, watched the new starter log in, collected a fob on the way out. Take the desk away and the gaps show. The laptop arrives but the accounts aren’t ready. The leaver’s manager is sure IT “sorted it”, and three weeks later their mailbox is still syncing to a personal phone.

We run a lot of joiner-leaver activity for clients, and remote has raised the stakes on both ends. A slow onboarding wastes a new person’s first week, which is expensive and demoralising. A sloppy offboarding leaves a live account on a device you can’t physically retrieve, which is a security and cyber-insurance problem. The fix is the same in both directions: a written process that assumes nobody is in the building.

Onboarding: ready before day one

The goal is simple to state. On their first morning, the new starter opens a laptop that’s already theirs, signs in once, and finds everything they need. Getting there reliably needs a few things to be true.

The device is enrolled before it ships. Modern laptops can be drop-shipped straight from the supplier and configured over the internet the first time they’re switched on, through Windows Autopilot or Apple’s equivalent (the zero-touch enrolment services that let a device set itself up from the cloud). The machine arrives sealed, the new starter turns it on at home, and it builds itself into a managed, encrypted, policy-compliant device without anyone touching it first. No imaging on a bench, no courier round trips.

Access is provisioned from a role, not from memory. The single biggest cause of a slow first week is access granted ad hoc: someone tries to open a system, finds they can’t, raises a ticket, waits. The fix is to define what each role gets once, as a group, so a new “account manager” inherits the full set on day one. It also makes the leaver side honest, because removing them from the group removes everything at once.

MFA is set up in a guided way, not improvised. Multi-factor authentication (the second factor beyond a password) is non-negotiable, but a remote starter setting it up alone is a common stumbling block. A short written guide, or a fifteen-minute call, saves a frustrating morning and a lockout.

Someone says hello. Not strictly IT, but worth saying: a remote starter with a working laptop and no human contact has a worse first day than the kit deserves. We build a short “you’re set up, here’s who to call” touchpoint into the handover.

Offboarding: the same day, every system

Offboarding is where remote bites hardest, because the safety net of “they brought the laptop back” is gone. The standard we hold is that a leaver loses access on their last day, across every system they actually used, not just the obvious three.

The phrase “actually used” is doing the work. The obvious accounts (email, the main file store) get handled. The ones that get missed are the ones bought by a department without IT in the loop: the design tool, the project board, the finance portal, the external SaaS that authenticates with a company email but isn’t joined up to the central directory. Each of those is a live door after the person’s gone.

A workable leaver sequence, run on the day:

  1. Disable the identity centrally. One action in the directory should kill the sign-in to everything federated to it. This is why the central identity model from onboarding pays off.
  2. Force sign-out on devices. Revoke the active sessions so the laptop at their house can’t keep working on cached tokens for the rest of the afternoon.
  3. Handle the standalone accounts. The SaaS that isn’t joined up needs deactivating one by one. You can only do this if someone wrote down what those are, which is the argument for keeping an application register.
  4. Deal with the mailbox and files. Convert the mailbox so a manager can see anything important, reassign owned documents, and set whatever forwarding the business genuinely needs (and nothing it doesn’t).
  5. Retrieve or wipe the device. If the laptop’s coming back, courier it. If it isn’t coming back soon, a managed device can be remotely wiped, which is the whole reason enrolment at onboarding matters.
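To make the "actually used" check and the role-group argument from onboarding concrete, here is an added example (not the authors' tooling; the role groups, application register and login audit data are constructed). It splits a leaver's access into what the central directory disable covers, which standalone accounts a department must deactivate by hand, and which apps appeared in login data without ever being registered, the live doors the text warns about.

```python
# Added example: reconcile a leaver's access against a role model and an application register.
# All names and data below are constructed for illustration; nothing here is a real tenant.
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    name: str
    auth: str    # "sso" = federated to the central directory, "local" = standalone login
    owner: str   # department that bought it, i.e. who can deactivate a local account


# Role groups: the set of apps a role inherits on day one (onboarding side of the control).
ROLE_APPS = {
    "account-manager": {"mail", "files", "crm", "project-board"},
    "designer": {"mail", "files", "design-tool"},
}

# The application register the text argues for: every app, how it authenticates, who owns it.
REGISTER = {a.name: a for a in [
    App("mail", "sso", "IT"),
    App("files", "sso", "IT"),
    App("crm", "sso", "IT"),
    App("project-board", "local", "Ops"),
    App("design-tool", "local", "Marketing"),
]}


def leaver_plan(role: str, observed_logins: list[str]) -> dict:
    """Build the day-of-leaving plan for one person.

    observed_logins is whatever the SaaS/identity audit trail shows the person signed
    into; combined with the role's entitlements it approximates "actually used".
    """
    used = ROLE_APPS[role] | set(observed_logins)
    central = sorted(a for a in used if a in REGISTER and REGISTER[a].auth == "sso")
    manual = sorted((a, REGISTER[a].owner) for a in used
                    if a in REGISTER and REGISTER[a].auth == "local")
    unregistered = sorted(a for a in used if a not in REGISTER)
    return {
        "central_disable_covers": central,     # step 1 kills these in one action
        "manual_deactivate": manual,           # step 3: one by one, by owning department
        "unregistered_live_doors": unregistered,  # nobody wrote these down; fix the register
    }


if __name__ == "__main__":
    # Constructed audit data: the leaver also used a finance portal nobody registered.
    for key, items in leaver_plan("account-manager", ["crm", "finance-portal"]).items():
        print(f"{key}: {items}")
```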

Why the two ends are one process

Onboarding and offboarding are the same control viewed from opposite ends. If joiners get access from a defined role and every app is registered centrally, leavers are quick and complete by construction. If joiners get access by improvisation, leavers are a guessing game, and the guesses are what an auditor or an insurer finds.

For a remote and hybrid workforce, that joined-up version isn’t a nice-to-have. It’s the only version that works when you can’t lean on the building to catch your mistakes.

That’s our Managed Services practice. We set up zero-touch enrolment, role-based access, and a joiner-leaver runbook your managers can trigger without waiting on a desk visit.

The day you find out your offboarding has holes is usually the day you’d most like it hadn’t. Build the process for the remote case, and the in-office case takes care of itself.
Hiring or losing remote staff and not sure your process keeps up? Drop us a note at info@jmopartners.co.uk. One of us will read it.

JMO|Partners · Enterprise IT, sized for SMEs.