
Employee Offboarding Checklist: 12 MDM Actions to Secure Mobile Devices

The 12-step MDM offboarding checklist for IT teams. Secure devices, revoke access, reclaim licenses. Covers BYOD, corporate-owned, and hybrid scenarios.

Julien Ott

When an employee leaves your company, the clock starts immediately: account access should be cut within the first hour, and the remaining device, license and inventory work should be finished within 48 hours. This checklist covers the 12 MDM actions every IT team should execute during employee offboarding, from device wipe to license reclamation, with the specific steps for iOS, Android, and BYOD scenarios. Missing one step can leave sensitive data exposed for weeks: according to the 2024 IBM Cost of a Data Breach Report, 40% of mobile data leaks come from former employees whose access was not revoked in time.

This guide assumes you have an MDM solution already in place. If not, start there.

Why does MDM offboarding matter?

Employee offboarding is a critical security window. Former employees often retain access to:

  • Corporate email on their personal device (BYOD)
  • Cached credentials for SaaS tools (Slack, Salesforce, internal apps)
  • VPN certificates and Wi-Fi profiles
  • Confidential files stored locally on mobile apps
  • Licensed applications (VPP, Managed Google Play) that remain assigned to them

The global average cost of a data breach reached USD 4.88M in 2024 (IBM Cost of a Data Breach Report), and a former employee's unrevoked mobile access is one of the cheapest ways to end up in that statistic. An MDM solution cuts the offboarding time from hours to minutes and leaves a full audit trail for compliance.

The 12-step MDM offboarding checklist

#  | Action                                                  | Timing      | Who
1  | Receive HR termination notice                           | Day -1 to 0 | HR → IT
2  | Identify all mobile devices linked to the employee      | Hour 0      | IT
3  | Disable corporate email and SSO account                 | Hour 0      | IT / IAM
4  | Revoke VPN certificates and Wi-Fi profiles              | Hour 1      | IT
5  | Push selective wipe (corporate data only) for BYOD      | Hour 1-2    | IT
6  | Push full factory reset for corporate-owned devices     | After return| IT
7  | Retrieve assigned licenses (VPP, Managed Google Play)   | Hour 2      | IT
8  | Reclaim Apple ID / Managed Google Account               | Day 1       | IT
9  | Remove user from MDM enrollment group                   | Day 1       | IT
10 | Document the actions in an audit log                    | Day 1       | IT
11 | Reassign or retire the device                           | Day 2-7     | IT / Asset mgr
12 | Confirm offboarding with HR and Finance                 | Day 7       | IT → HR

How to handle BYOD vs corporate-owned devices

The offboarding workflow depends on device ownership:

  • Corporate-owned (COBO or COPE): the employee must return the device. Perform a full factory reset via your MDM console, then re-enroll it for the next user. Zero-touch enrollment saves significant time on reassignment.
  • BYOD: you cannot wipe personal data. Use selective wipe (also called enterprise wipe) to remove only corporate email, work apps, certificates, and managed data. The employee keeps their personal photos, contacts, and apps.
  • CYOD (choose your own device): owned by the company but selected by the user, who often wants to keep it. Agree on a buy-back policy up front; once the employee has bought the device, treat it as BYOD (selective wipe only) and release it from your zero-touch program (Apple Business Manager or Android zero-touch) so it is not re-enrolled the next time it is set up.

Which MDM features are essential for offboarding?

Your MDM must support five core capabilities:

  • Selective wipe: remove corporate data without touching personal data on BYOD devices.
  • Remote lock and wipe: immediate action if the employee has left without returning the device.
  • Access revocation: integration with your IAM (Azure AD, now Microsoft Entra ID; Okta; Google Workspace) so that the account-disable event is propagated to the MDM automatically instead of being re-keyed by hand.
  • License management: Apple VPP and Managed Google Play integration to reclaim assigned licenses back into your pool.
  • Audit trail: full log of who performed which offboarding action, when, and on which device. Required for SOC 2 and ISO 27001 audits.

How long does MDM offboarding take?

With a well-configured MDM, the core actions (email disable, selective wipe, license reclaim) take under 10 minutes per employee. Without MDM, the same workflow takes 2 to 4 hours and often leaves residual access. For large fleets (500+ departures per year), automation via HR system webhooks brings the handling time close to zero.

What are the biggest offboarding mistakes?

  • Waiting for the device to be returned before revoking access: revoke email, VPN, and SSO immediately. The device can be wiped later, but access must be cut on day zero.
  • Full wipe on BYOD: destroying personal data without the consent recorded in your BYOD policy is a legal exposure in most jurisdictions and a PR disaster. Always use selective wipe on personal devices.
  • Forgetting license reclaim: leaving VPP or Managed Google Play licenses assigned to former employees inflates your bill.
  • No audit trail: during a compliance audit, the inability to prove that access was revoked on a specific date is a major finding.
  • Manual process: a spreadsheet-based offboarding procedure has a 30 to 50% error rate. Automation via MDM and HR system integration is mandatory above 100 employees.

How to automate MDM offboarding with your HRIS

The most resilient offboarding flow comes from a three-way integration:

  1. HRIS (Workday, BambooHR, Lucca) triggers a termination event on employee exit date.
  2. IAM (Azure AD, Okta) receives the event and disables the account; the MDM picks up the change through its directory connector or SCIM provisioning and removes the user's enrollment.
  3. MDM automatically executes the configured offboarding policy: selective wipe, license reclaim, audit log entry.

This pipeline removes human error and reduces the mean time to revocation to under 5 minutes. For organizations with < 100 employees, a manual checklist suffices if the responsible IT admin follows it rigorously.
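As an added example (not code from the original article, and not any MDM vendor's API), here is the decision logic behind steps 3 to 10 of the checklist and the "configured offboarding policy" in step 3 of the pipeline above, written in Python against in-memory stand-ins. The device IDs, app identifiers, action names, the `Device` and `Action` types and the sample inventory are all assumptions made for illustration. The plan it builds cuts account access before any device action, chooses selective wipe or factory reset from ownership and return status, refuses to factory-reset a personal device, and emits one audit record per action.

```python
"""Offboarding orchestrator: turns an HRIS termination event into an ordered,
audited list of MDM actions. Illustrative example only: every name below is an
assumption, and the MDM/IAM calls are represented by Action records, not by a
real vendor SDK."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
import json


class Ownership(Enum):
    CORPORATE = "corporate"   # COBO / COPE: company owns it, full reset allowed
    BYOD = "byod"             # personal device: selective (enterprise) wipe only
    CYOD = "cyod"             # company-owned; treated as BYOD once bought back


@dataclass
class Device:
    device_id: str
    platform: str                                  # "ios" or "android"
    ownership: Ownership
    returned: bool = False                         # physically back with IT?
    bought_back: bool = False                      # CYOD buy-back completed?
    licenses: list = field(default_factory=list)   # VPP / Managed Play app IDs


@dataclass
class Action:
    step: int        # checklist step number the action implements
    action: str
    target: str      # user ID or device ID
    detail: str = ""


def is_personal(device: Device) -> bool:
    """BYOD, or CYOD that the employee has already bought back."""
    return device.ownership is Ownership.BYOD or (
        device.ownership is Ownership.CYOD and device.bought_back)


def wipe_action(device: Device) -> Action:
    """Pick the wipe matching ownership (checklist steps 5 and 6). A factory
    reset is never issued to a device the company does not own."""
    if is_personal(device):
        return Action(5, "selective_wipe", device.device_id,
                      "remove work profile / managed apps, keep personal data")
    if device.returned:
        return Action(6, "factory_reset", device.device_id,
                      "full reset, then re-enroll via zero-touch")
    # Corporate device still in the field: lock now, reset once it is back.
    return Action(6, "remote_lock", device.device_id,
                  "factory reset deferred until the device is returned")


def build_offboarding_plan(user_id: str, devices: list) -> list:
    """Ordered plan. Access is cut first; enrollment removal is last because the
    wipe command has to reach the device through its enrollment."""
    plan = [Action(3, "disable_account", user_id, "email + SSO via IAM")]
    for d in devices:
        plan.append(Action(4, "revoke_network_profiles", d.device_id,
                           "VPN certificate and Wi-Fi profile"))
    for d in devices:
        plan.append(wipe_action(d))
    for d in devices:
        for lic in d.licenses:
            plan.append(Action(7, "reclaim_license", d.device_id, lic))
    plan.append(Action(9, "remove_from_enrollment_group", user_id))
    plan.sort(key=lambda a: a.step)   # stable sort keeps per-device order within a step
    return plan


def assert_no_full_wipe_on_personal(plan: list, devices: list) -> bool:
    """Guardrail run before execution: refuse any plan that would factory-reset
    a personal device (the BYOD mistake the article warns about)."""
    personal_ids = {d.device_id for d in devices if is_personal(d)}
    bad = [a.target for a in plan
           if a.action == "factory_reset" and a.target in personal_ids]
    if bad:
        raise ValueError(f"factory_reset requested on personal device(s): {bad}")
    return True


def audit_log(user_id: str, plan: list, actor: str) -> list:
    """Step 10: one JSON-serialisable record per action: who, what, which device, when."""
    ts = datetime.now(timezone.utc).isoformat()
    return [{"ts": ts, "actor": actor, "user": user_id, "step": a.step,
             "action": a.action, "target": a.target, "detail": a.detail}
            for a in plan]


# Constructed sample inventory for one departing user (not real data).
SAMPLE_DEVICES = [
    Device("ipad-0042", "ios", Ownership.CORPORATE, returned=True,
           licenses=["vpp:com.example.crm"]),
    Device("pixel-0817", "android", Ownership.BYOD,
           licenses=["play:com.example.mail"]),
    Device("iphone-0191", "ios", Ownership.CORPORATE, returned=False),
    Device("pixel-0330", "android", Ownership.CYOD, bought_back=True),
]

if __name__ == "__main__":
    plan = build_offboarding_plan("jdoe", SAMPLE_DEVICES)
    assert_no_full_wipe_on_personal(plan, SAMPLE_DEVICES)
    for record in audit_log("jdoe", plan, actor="it-admin@example.com"):
        print(json.dumps(record))
```

Two design choices are worth copying into a real pipeline: the plan is built and checked in full before anything is sent to the MDM, so a mis-tagged ownership field fails loudly instead of wiping a phone; and a corporate device that has not come back is locked rather than reset, which keeps the wipe option open without losing the evidence on the device.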

FAQ

Can I wipe a BYOD device completely when an employee leaves?
No, not without the explicit written consent recorded in a signed BYOD policy. Destroying an employee's personal data exposes you to privacy-law liability (GDPR in the EU, state privacy laws such as the CCPA in the US) and to claims for the lost data. Use selective wipe to remove corporate data only.

What happens to apps purchased via VPP when an employee leaves?
VPP licenses return to your pool when you revoke them from the user in the MDM; revoke them before deleting the user record, otherwise the assignment is orphaned and has to be cleaned up by hand. For corporate-owned devices, prefer device-based assignment, which needs no Apple ID and is reclaimed as part of the device reset. Your MDM should automate this reclaim as part of the offboarding workflow.

How quickly should I revoke access after termination?
Within one hour. The 2024 Verizon DBIR shows that 13% of breaches involve former employees, and most occur within 72 hours of termination.

Do I need to reset a returned corporate device before reassigning it?
Yes, always. Perform a factory reset via MDM, then re-enroll the device cleanly for the next user. Zero-touch enrollment turns this into a 15-minute task instead of a 2-hour one.

Julien Ott
April 16, 2026
