How to Build a Secure Offboarding System in JSM

The onboarding paradox: Companies spend weeks perfecting how employees join. Then when they leave? Chaos.

Real story: That same 1,500-person insurance company I've mentioned in this series? Their offboarding was taking 2-3 weeks. Employees left with active access. Laptops disappeared. No audit trail. Compliance nightmares during audits.

We got it down to 2 days with complete accountability.

This is Part 3 of the employee lifecycle series. If you've read Part 1: Onboarding System and Part 2: Onboarding with Assets, this completes the picture. If you haven't, no problem - this article stands alone.

Today's focus: Building a secure, compliant offboarding system that tracks equipment returns, revokes access automatically, and creates a complete audit trail.

Why Offboarding Is Different (And Often Harder)

Most teams think: "Offboarding is just onboarding in reverse, right?"

Wrong.

Onboarding vs Offboarding: Critical Differences

Onboarding:

• Positive experience (welcoming)
• Additive process (grant access, provide equipment)
• Mistakes are annoying but fixable
• Timeline is flexible (can delay start if needed)

Offboarding:

• Can be sensitive (terminations, resignations)
• Subtractive process (revoke access, recover equipment)
• Mistakes are security risks and compliance violations
• Timeline is critical (can't leave access active)

What Makes Offboarding Risky

Security holes:

• Ex-employee with active VPN access
• Email forwarding still enabled
• Admin privileges not revoked
• API tokens still valid

Financial loss:

• Equipment not recovered (£1,500+ per laptop)
• Software licenses not reclaimed (£50-500/month per license)
• Continued payroll system access

Compliance violations:

• GDPR requires timely access revocation
• SOC 2 audits check offboarding procedures
• Industry regulations (finance, healthcare) mandate strict controls

Knowledge loss:

• No handoff documentation
• Projects abandoned mid-stream
• Tribal knowledge walks out the door

This is why offboarding needs its own dedicated system.

What We're Building

Here's the complete offboarding system:

Frontend:

• Clean offboarding request form
• Manager-initiated (not HR-initiated in this case)
• Minimal required information (speed matters)

Workflow:

• Approval process (optional but recommended)
• Access review stage
• Equipment return tracking
• Exit interview scheduling
• Final verification

Automation:

• Automatic access revocation (webhook to Azure/AD)
• Manager notifications (Teams/Slack)
• Equipment tracking
• Compliance documentation

Assets Integration (Premium):

• Track equipment assigned to employee
• Verify all items returned
• Update asset status automatically

Result: Two-day offboarding with zero access gaps and complete audit trail.

The Offboarding Workflow Structure

Here's the workflow that works:

1. Offboarding Request Created
   ↓
2. Pending Approval (optional)
   ↓
3. Approved
   ↓
4. Access Review
   ↓
5. Revoke Access (automation triggers here)
   ↓
6. Equipment Return
   ↓
7. Exit Interview
   ↓
8. Final Verification
   ↓
9. Complete

Key difference from onboarding: Notice there's no "Declined" status after approval. Why?

When offboarding is initiated, it's happening. Either the employee resigned, was terminated, or is retiring. You can't "decline" the offboarding. If approval is delayed, the ticket stays in "Pending Approval" until it's sorted out, or moves to "Resolved" if it was submitted in error.

Step 1: Create the Offboarding Form

Like onboarding, I use Forms (not traditional request types).

Why Forms for offboarding:

• Speed (form builds in minutes)
• Simplicity (no dynamic content needed here)
• Easy modifications (one-click field type changes)
• Professional appearance

Essential Form Fields

Section 1: Employee Information

• Employee Name (Short text, required)
• Employee ID (Short text, required)
• Department (Dropdown, required)
• Last Working Day (Date picker, required)
• Manager (User picker, required)

Section 2: Offboarding Type

• Reason for Leaving (Dropdown)
  • Resignation
  • Retirement
  • Termination
  • End of Contract
  • Internal Transfer

Section 3: Access & Systems

• Email Account (Checkbox - should be checked by default)
• VPN Access (Checkbox)
• Building Access (Checkbox)
• System Access to Revoke (Multi-line text)
  • "List all systems this employee has access to"

Section 4: Knowledge Transfer

• Direct Reports (Yes/No)
• Ongoing Projects (Multi-line text)
• Knowledge Transfer Required (Yes/No)
• Handoff Notes (Long text, optional)

Section 5: Exit Interview

• Exit Interview Requested (Yes/No)
• Preferred Date (Date picker, conditional on above)

The Hardware Question: Why It's NOT on the Form

You might notice: No hardware fields.

Here's why this is deliberate:

Problem: Managers often don't know what equipment employees have.

• "Does Sarah have a MacBook or Dell?"
• "Did we give him a second monitor?"
• "I think he has a phone but I'm not sure which model"

Solution: Let IT/Admin populate hardware from the backend using Assets.

The workflow:

1. Manager submits offboarding request (minimal info)
2. IT agent opens ticket
3. Agent views linked assets (if using Premium)
4. Agent sees exactly what equipment is assigned
5. Agent updates asset status to "Pending Return"
6. Equipment recovery process begins

This is faster and more accurate than asking managers to guess.

Creating the Form

1. Go to Forms in your JSM project
2. Click Create Form
3. Name it: "Employee Offboarding Request"
4. Add the sections and fields above
5. Keep it minimal - you can always add fields later
6. Click Save

Step 2: Create the Dedicated Request Type

Critical: Offboarding needs its own request type. Don't combine it with onboarding or general IT requests.

Why separate:

• Different workflow (revoke vs grant)
• Different SLAs (stricter timelines)
• Different security requirements
• Different automation rules

To create:

1. Go to Project Settings > Request Types
2. Click Create Request Type
3. Name: "Employee Offboarding"
4. Description: "Submit this request when an employee is leaving the organization"
5. Choose icon (exit/logout icon)
6. Link your offboarding form
7. Click Save

Step 3: Build the Offboarding Workflow

This is where security and compliance happen.

Create Custom Workflow

1. Project Settings > Workflows
2. Click Add Workflow
3. Name: "Employee Offboarding Workflow"
4. Create from scratch
5. Click Create

Add Statuses

Status 1: Offboarding Requested

• Category: To Do
• Starting status

Status 2: Pending Approval

• Category: To Do
• Includes approval functionality

Status 3: Approved

• Category: In Progress

Status 4: Access Review

• Category: In Progress
• IT reviews all access points

Status 5: Revoke Access

• Category: In Progress
• THIS IS WHERE AUTOMATION TRIGGERS
• Critical security step

Status 6: Equipment Return

• Category: In Progress
• Track physical asset recovery

Status 7: Exit Interview

• Category: In Progress
• Optional but valuable

Status 8: Final Verification

• Category: In Progress
• All checklist items complete

Status 9: Complete

• Category: Done
• Employee fully offboarded

The Approval Process (Important Design Decision)

Should you include approval? Depends on your organization.

Use approval if:

• Terminations require HR/Legal sign-off
• Manager-initiated offboarding needs validation
• Budget/financial approval needed

Our implementation: Single approver (manager or HR lead).

Key design choice: No "Declined" transition.

Why? When offboarding is initiated:

• Employee already resigned, OR
• Termination already decided, OR
• Contract ending

You can't "decline" someone leaving.

If approval is stuck, ticket stays "Pending Approval" until resolved. If submitted in error, manually resolve with notes.

Transitions

• Offboarding Requested → Pending Approval
• Pending Approval → Approved (when approved)
• Pending Approval → Back to Pending Approval (if more info needed)
• Approved → Access Review
• Access Review → Revoke Access
• Revoke Access → Equipment Return
• Equipment Return → Exit Interview
• Exit Interview → Final Verification
• Final Verification → Complete

Also add: Any status → Resolved (for error cases)

Step 4: Configure Critical Automations

Offboarding automation is about security and compliance, not just convenience.

Automation 1: Auto-Assign Based on Department

What it does: Routes offboarding tickets to the right team immediately.

Rule setup:

1. Trigger: Issue Created
2. Condition: Request Type = "Employee Offboarding"
3. Condition: Department = "Engineering"
4. Action: Assign to "IT Security Team"
5. Name: "Auto-assign offboarding - Engineering"

Repeat for each department.

Automation 2: Manager Notification via Teams/Slack

What it does: Notifies employee's manager when offboarding starts.

Why not email? Reducing email fatigue. Webhook notifications to Teams/Slack work better.

Rule setup (Teams):

1. Trigger: Status Changed to "Approved"
2. Action: Send Web Request
3. Webhook URL: [Your Teams incoming webhook]
4. Body (JSON):

{
  "@type": "MessageCard",
  "summary": "Employee Offboarding Started",
  "sections": [{
    "activityTitle": "Offboarding Process Initiated",
    "facts": [{
      "name": "Employee:",
      "value": "{{issue.customfield_employeename}}"
    },{
      "name": "Last Day:",
      "value": "{{issue.customfield_lastworkingday}}"
    },{
      "name": "Ticket:",
      "value": "{{issue.key}}"
    }],
    "markdown": true
  }]
}

1. Name: "Notify manager - offboarding started"

For Slack: Use Slack's webhook format instead.

Automation 3: Access Revocation Webhook (The Critical One)

This is the security automation. When status moves to "Revoke Access," trigger account deactivation.

What it does:

• Triggers Python script (or Azure Function, AWS Lambda, etc.)
• Script connects to Azure AD / Active Directory
• Disables user account
• Revokes VPN access
• Removes from security groups
• Logs action for audit trail

Rule setup:

1. Trigger: Status Changed to "Revoke Access"
2. Action: Send Web Request
3. Webhook URL: [Your Python script endpoint or Azure Function]
4. Method: POST
5. Body (JSON):

{
  "employee_email": "{{issue.customfield_employeeemail}}",
  "employee_id": "{{issue.customfield_employeeid}}",
  "action": "revoke_access",
  "ticket_key": "{{issue.key}}"
}

1. Name: "Trigger access revocation"

Important: I'm releasing a complete Python script tutorial next week showing exactly how to build this webhook receiver and Azure AD integration. Subscribe so you don't miss it.

For now, understand: The webhook sends employee info to your script. Your script handles the actual access revocation in whatever systems you use (AD, Okta, Azure, AWS, etc.).

Automation 4: Equipment Return Checklist

What it does: Adds a comment with equipment return checklist when status moves to "Equipment Return."

Rule setup:

1. Trigger: Status Changed to "Equipment Return"
2. Action: Add Comment
3. Comment:

Equipment Return Checklist:

☐ Laptop returned and inspected
☐ Monitors/peripherals returned
☐ Mobile phone returned
☐ Access badge collected
☐ Keys returned
☐ Company credit card returned
☐ Any other company property returned

Assets updated: [link to Assets]

Tag IT Manager when all items verified.

1. Name: "Add equipment return checklist"

Automation 5: Final Verification Checklist

What it does: Ensures nothing is forgotten before marking complete.

Rule setup:

1. Trigger: Status Changed to "Final Verification"
2. Action: Add Comment
3. Comment:

Final Offboarding Verification:

☐ All system access revoked
☐ Email account disabled
☐ Email forwarding set up (if applicable)
☐ All equipment returned
☐ Exit interview completed
☐ Final paycheck processed
☐ Benefits termination confirmed
☐ NDA/Non-compete acknowledged
☐ Documentation archived

Verify ALL items before marking Complete.

1. Name: "Add final verification checklist"

Step 5: Assets Integration (Premium)

If you have JSM Premium, Assets makes equipment tracking effortless.

How It Works

During Onboarding:

• Employee assigned: MacBook Pro SN789, iPhone 13, Dell Monitor
• Assets linked to employee in system
• Status: "In Use"

During Offboarding:

1. Offboarding ticket created
2. Agent opens ticket
3. Assets appear on right side of ticket (automatically linked because they're assigned to that employee)
4. Agent sees complete list of equipment to recover
5. As items are returned, agent updates asset status:
   • "In Use" → "Pending Return" → "Returned" → "In Stock"

Viewing Assigned Assets

When you open an offboarding ticket, the right sidebar shows:

Assets Assigned to [Employee]:

• MacBook Pro 14" - SN789
• iPhone 13 - SN456
• Dell Monitor 27" - SN123

Click any asset to see full details, history, condition notes.

Adding Assets Manually (If Needed)

If manager didn't specify hardware and you don't have automatic linking:

1. Open the offboarding ticket
2. On the right side, click Link Asset
3. Search for the employee's name or asset serial number
4. Select the assets
5. Click Link

Assets are now tracked in the offboarding ticket.

Updating Asset Status

As equipment is returned:

1. Click on the linked asset
2. Change Status from "In Use" to "Returned"
3. Add notes: "Laptop returned 2026-01-15. Condition: Good. Wiped and ready for reuse."
4. Click Save

This creates an audit trail showing exactly when equipment was returned and its condition.

The Full Lifecycle

Onboarding Ticket #123
└─ Asset: MacBook Pro SN789 assigned to John Smith
   Status: In Use
   
↓ (2 years later)

Offboarding Ticket #456
└─ Asset: MacBook Pro SN789 returned from John Smith
   Status: Returned → In Stock
   
↓ (1 week later)

Onboarding Ticket #789
└─ Asset: MacBook Pro SN789 assigned to Jane Doe
   Status: In Use

Complete equipment lifecycle tracked automatically.

Step 6: Configure Queues

Separate queues keep offboarding visible and prioritized.

Queue 1: All Active Offboarding

JQL:

"Request Type" = "Employee Offboarding" AND status != Complete

Queue 2: Pending Access Revocation

JQL:

"Request Type" = "Employee Offboarding" AND status = "Revoke Access"

This is your critical security queue. Check it multiple times daily.

Queue 3: Pending Equipment Return

JQL:

"Request Type" = "Employee Offboarding" AND status = "Equipment Return"

Queue 4: Departing This Week

JQL:

"Request Type" = "Employee Offboarding" AND "Last Working Day" <= 7d AND status != Complete

High-priority queue. These need immediate attention.

Queue 5: Overdue Offboarding

JQL:

"Request Type" = "Employee Offboarding" AND "Last Working Day" < now() AND status != Complete

Red flag queue. Someone left but offboarding isn't complete. Security risk.

Step 7: Set SLAs

Offboarding SLAs are stricter than onboarding because of security implications.

SLA 1: Time to Access Revocation

Goal: 24 hours (1 business day)
Start: When status = "Approved"
Stop: When status = "Equipment Return"
Why: Access should be revoked before or on last working day

SLA 2: Time to Equipment Return

Goal: 5 business days
Start: When status = "Equipment Return"
Stop: When status = "Final Verification"
Why: Equipment should be recovered quickly

SLA 3: Complete Offboarding

Goal: 10 business days
Start: When issue created
Stop: When status = "Complete"
Why: Full process should close within 2 weeks

To create these:

1. Project Settings > SLAs
2. Click Create SLA
3. Configure as above
4. Click Save

Testing the Complete System

Before going live:

Test Checklist

1. Submit test offboarding request

• Does form work correctly?
• Does ticket create successfully?
• Is it assigned to right team?

2. Move through workflow

• Can you transition between statuses?
• Do SLAs start/stop correctly?
• Does approval work (if enabled)?

3. Verify automations

• Do Teams/Slack notifications send?
• Do checklists add correctly?
• Does webhook trigger? (Test endpoint separately first)

4. Test Assets (if Premium)

• Do linked assets appear?
• Can you update asset status?
• Does audit trail show changes?

5. Check queues

• Does ticket appear in correct queues?
• Do JQL filters work?

Fix any issues before production deployment.

The Security Webhook: How It Works

This deserves its own section because it's critical.

The Architecture

JSM Automation
    ↓ (webhook)
Azure Function / Python Script
    ↓ (API calls)
Azure AD / Active Directory
    → Disable account
    → Revoke VPN
    → Remove security groups
    → Log action
    ↓
Response back to JSM
    → Add comment confirming revocation

What the Webhook Does

1. JSM triggers when status = "Revoke Access"
2. Webhook sends employee email, ID, ticket key
3. Python script receives webhook
4. Script authenticates to Azure AD (or your directory)
5. Script disables user account
6. Script removes from security groups
7. Script revokes VPN certificates
8. Script logs action with timestamp
9. Script responds back to JSM
10. JSM adds comment: "Access revoked at 2026-01-15 14:23 UTC"

Why This Matters

Without automation: Someone manually logs into AD, disables account, updates security groups, documents it. Takes 15-30 minutes. Easy to forget steps.

With automation: Happens in seconds. Complete. Documented. Auditable.

Security benefit: No gap between "employee left" and "access revoked."

Compliance benefit: Timestamp proof for auditors.

Next week's tutorial: I'm releasing the complete Python script, Azure setup, and JSM integration guide. This will be production-ready code you can deploy.

Common Offboarding Mistakes

Mistake #1: Combining with Onboarding Workflow

Problem: "Onboarding" and "Offboarding" in same request type with conditional workflows.

Why it fails: Too complex. Confusing. Error-prone.

Solution: Separate request types, separate workflows, separate everything.

Mistake #2: No Dedicated Queues

Problem: Offboarding tickets mixed with "printer broken" requests.

Why it fails: Offboarding has strict timelines. Gets lost in noise.

Solution: Dedicated queues with SLA monitoring.

Mistake #3: Manual Access Revocation

Problem: Relying on agents to remember to disable accounts.

Why it fails: Human error. Delays. Forgotten steps.

Solution: Automated webhook to directory service.

Mistake #4: Ignoring Equipment Tracking

Problem: "We'll figure out what equipment they had."

Why it fails: Laptops disappear. Monitors go missing. Thousands lost.

Solution: Assets integration or manual tracking checklist.

Mistake #5: No Final Verification

Problem: Marking complete without checking everything.

Why it fails: Gaps in offboarding. Access still active. Equipment not returned.

Solution: Final verification checklist that must be completed.

Real Results: The 1,500-Employee Company

Let me give you the full story of that insurance company:

Before the System

Offboarding process:

• Manager emails HR
• HR emails IT
• IT manually disables accounts (when they remember)
• Equipment return tracked in spreadsheet
• Process took 2-3 weeks
• Frequent gaps (access still active, equipment not recovered)

Problems discovered during audit:

• 47 ex-employees with active VPN access
• £45,000 in missing equipment over 2 years
• No audit trail for compliance
• Multiple security incidents traced to ex-employee accounts

After Implementation

Offboarding process:

• Manager submits JSM request (2 minutes)
• Auto-assigned to IT Security
• Webhook revokes access within 24 hours
• Equipment tracked via Assets
• Process complete in 2 days average
• Complete audit trail for every step

Results:

• Zero active access for ex-employees
• 100% equipment recovery rate
• Full compliance documentation
• £45K/year savings from recovered equipment
• Passed security audit with zero findings

ROI: System paid for itself in 3 months from equipment recovery alone.

The Complete Employee Lifecycle

With all three parts of this series, you now have:

Part 1: Onboarding System

• New employee requests
• Equipment provisioning
• Access granting
• Onboarding workflows

Part 2: Onboarding with Assets

• Hardware tracking
• Automatic assignment
• Inventory management

Part 3: Offboarding System (Today)

• Exit workflows
• Access revocation
• Equipment recovery
• Audit compliance

Together: Complete employee lifecycle from hire to exit, all tracked, all automated, all compliant.

Next Steps

This Week:

1. Create offboarding form
2. Set up dedicated request type and workflow
3. Configure basic automations (assignment, notifications)
4. Test with dummy data

Next Week:

1. Implement Assets integration (if Premium)
2. Set up webhook for access revocation (my tutorial drops next week)
3. Create dedicated queues
4. Train team on process

Go Live:

1. Pilot with one department
2. Refine based on feedback
3. Roll out organization-wide

Coming Next Week: Python Webhook Script

I'm releasing a complete tutorial on the access revocation webhook:

What I'll cover:

• Complete Python script (production-ready)
• Azure AD integration
• Webhook receiver setup
• JSM automation configuration
• Error handling and logging
• Security best practices
• Deployment guide

This will be copy-paste ready. You'll have working access revocation automation in under an hour.

The Bottom Line

Offboarding isn't optional. It's a security requirement, compliance mandate, and financial necessity.

The system I showed you today:

• Reduces offboarding from weeks to days
• Eliminates access gaps (security)
• Tracks equipment recovery (financial)
• Creates audit trails (compliance)
• Requires no Premium license (though Assets helps)

The 1,500-person company saved £45K/year just from better equipment tracking. The security improvements? Priceless.

If you want this system running in your environment this week—complete workflows, automations, webhook integration, production-ready—book a consultation.

I build complete onboarding + offboarding systems in 3-5 days. You get both processes, fully integrated, fully automated, ready to deploy.

Tomorrow: Python webhook script for automated access revocation. Subscribe so you don't miss it.

Questions about your specific offboarding scenario? Drop them in the comments. I read and respond to every one.

Complete the trilogy:

• Part 1: Complete Onboarding System
• Part 2: Onboarding with Assets
• Part 3: Secure Offboarding (you are here)