Device Onboarding & Offboarding Checklist

Provision and deprovision endpoints securely through your UEM/MDM — from zero-touch enrollment and app assignment on day one to a clean wipe, retrieval, and license reclaim when a device or user leaves.

  • Onboarding (Provisioning)
  • Offboarding (Deprovisioning)
  • Lifecycle Hygiene

What it is

A Device Onboarding and Offboarding Checklist is the operational playbook for moving an endpoint securely through its full lifecycle, from the moment it ships to a user to the day it is wiped, retrieved, and its license reclaimed. This checklist runs through your UEM or MDM and covers both ends of the journey: zero-touch enrollment and app assignment on day one, and a clean wipe, recovery-key capture, access revocation, and inventory update when a device or user leaves. It exists to make sure neither side of the lifecycle is improvised, because both onboarding and offboarding are where mistakes turn into security gaps and wasted spend.

The checklist treats the asset register as the spine of the process. Inventory and the CMDB are updated at every state change so records never drift from reality, stale and never-checked-in devices are reviewed and retired regularly, and the license count is reconciled against active devices so you stop paying for endpoints that were decommissioned months ago. Encryption keys and certificates are handled consistently on both onboarding and offboarding, so a device is never left either unprotected at provisioning or unrecoverable at retirement. For high-risk leavers, offboarding is expedited with a documented same-day wipe and access revocation rather than left to the normal queue.

The blunt insight this checklist is built around is that offboarding is where data and money leak. The right order is to revoke access first, capture recovery keys before wiping, and reclaim the license, because a device that is marked retired in the asset list but is still in billing, or still trusted by conditional access, is a gap that compounds across the fleet. Onboarding gets the attention because it is visible and exciting; offboarding is where the quiet, expensive failures live.

What it's used for

Organizations use a device lifecycle checklist to make provisioning and deprovisioning repeatable, secure, and accountable instead of dependent on whoever happens to handle a given device. It supports a clear set of jobs:

  • Standing up new devices via zero-touch enrollment so they self-configure into the MDM on first boot, with the correct apps, profiles, and security baseline assigned before the user ever touches them.
  • Driving every device state change (onboard, reassign, retire) back into the inventory and CMDB so the asset record always matches the physical and managed reality of the fleet.
  • Reviewing stale, lost, and never-checked-in devices on a regular cadence and retiring them, so the register does not silently fill with ghosts that distort compliance and license numbers.
  • Handling encryption keys and certificates consistently across the lifecycle, escrowing on onboarding and capturing recovery keys before any wipe on offboarding so nothing is stranded.
  • Reconciling license counts against active devices so you stop paying for seats tied to retired endpoints, turning offboarding into a recurring cost recovery, not just a security task.
  • Expediting offboarding for high-risk leavers with a documented same-day wipe and access revocation, so a departing employee with elevated access never keeps a live, trusted device.
  • Establishing the correct offboarding order (revoke access first, capture keys, then wipe, then reclaim the license) so a retired device is never still trusted by conditional access or still in billing.
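As an added example (not part of the checklist or the Spotsaas page), the two controls the list above describes can be expressed as code run against the asset register: a reconciliation pass that flags stale, retired-but-licensed and retired-but-trusted devices, and an offboarding routine that enforces the revoke, capture-key, wipe, reclaim order and refuses to wipe when no recovery key was escrowed. The `Device` record, the field names and the 90-day stale threshold are assumptions for the example.

```python
"""Constructed asset-register model for reconciliation and ordered offboarding."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Device:
    asset_id: str
    status: str                   # "active" or "retired" (assumed states)
    last_checkin: date            # last UEM/MDM check-in
    licensed: bool                # seat still counted in the management bill
    ca_trusted: bool              # still trusted by conditional access
    recovery_key_escrowed: bool   # key captured at onboarding
    log: list = field(default_factory=list)


STALE_AFTER = timedelta(days=90)  # assumed review cadence threshold


def reconcile(devices, today):
    """Return the findings the checklist says to review: ghosts in the
    register, seats still billed for retired hardware, and retired devices
    that conditional access still trusts."""
    findings = []
    for d in devices:
        if d.status == "active" and today - d.last_checkin > STALE_AFTER:
            findings.append((d.asset_id, "stale: review and retire"))
        if d.status == "retired" and d.licensed:
            findings.append((d.asset_id, "retired but still licensed"))
        if d.status == "retired" and d.ca_trusted:
            findings.append((d.asset_id, "retired but still CA-trusted"))
    return findings


def offboard(d):
    """Revoke -> capture recovery key -> wipe -> reclaim -> update inventory.
    Access is revoked before anything else; the wipe is refused (and the
    device stays 'active' in the register) if no key was ever escrowed."""
    d.ca_trusted = False
    d.log.append("access revoked")
    if not d.recovery_key_escrowed:
        raise RuntimeError(f"{d.asset_id}: no escrowed recovery key; do not wipe")
    d.log.append("recovery key captured")
    d.log.append("wiped")
    d.licensed = False
    d.log.append("license reclaimed")
    d.status = "retired"
    d.log.append("inventory updated: retired")
    return d.log
```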

Who uses it

Device lifecycle management spans IT, security, HR, and finance because a device's journey touches provisioning, data protection, employee transitions, and spend. The checklist gives each function its handoff:

  • IT Operations / Endpoint Admins: They run the enrollment and wipe actions, keep the inventory and CMDB current at every state change, and physically retrieve and retire hardware.
  • Security teams: They define the offboarding order, ensure access is revoked before the wipe and recovery keys are captured first, and expedite high-risk leaver offboarding.
  • HR / People Operations: They trigger offboarding the moment a departure is known, so IT and security can revoke access and wipe devices the same day rather than days later.
  • IT Asset Management / Finance: They reconcile license counts against active devices and reclaim seats on retirement so the organization stops paying for decommissioned endpoints.
  • Help Desk: They are often the first to provision a new device or receive a returned one, and the checklist gives them a consistent, auditable handoff at both ends.
  • Compliance / Audit teams: They use the lifecycle records to prove that departed users lost access and that data-bearing devices were wiped, a common audit and breach-prevention requirement.

Context & good to know

Device lifecycle gaps are one of the most common and least glamorous sources of risk in any organization. A laptop handed back by a departing employee but never wiped, a phone marked retired in the asset list while it still holds an active certificate, a software license that keeps billing for a machine that was recycled: each of these is small in isolation and quietly expensive at scale. The lifecycle checklist exists because these failures rarely come from negligence; they come from the absence of a defined, repeatable process that says exactly what happens, and in what order, every single time a device or user moves.

Onboarding has been transformed by zero-touch enrollment, which lets devices ship sealed straight to users and self-configure into the MDM on first boot with no IT imaging. That is genuinely a leap forward, but it has had the side effect of making the offboarding side look neglected by comparison. The checklist deliberately rebalances attention toward the end of the lifecycle, where the consequences are higher: an under-configured device on day one is a productivity annoyance, while a poorly offboarded device is a live security exposure and a recurring cost. Getting the order right (revoke, capture keys, wipe, reclaim) is what closes that exposure.

Within the endpoint stack, this checklist is the connective tissue between enrollment, identity, encryption, and asset management. It assumes a zero-touch enrollment setup, a hardening baseline applied at provisioning, escrowed encryption keys, and an asset inventory that stays in sync. UEM platforms like Intune, Jamf, Kandji, and ManageEngine provide the enrollment and wipe mechanisms; the checklist provides the discipline that keeps the inventory honest and the licenses reconciled. Treated as a recurring operational habit rather than a one-off, it prevents the slow drift between what your records say you have and what you actually own and control.


Built on verified data, not vendor spin

Every Spotsaas resource draws on the Spotsaas Score — a blend of verified review ratings, review volume, and feature depth across 13 endpoint management software tools. Refreshed regularly; data as of June 2026.

FAQ

Questions, answered

What is device onboarding and offboarding?

Device onboarding is the secure provisioning of an endpoint, enrolling it into your MDM, assigning apps and security baselines, and recording it in inventory, so it is ready and compliant before a user touches it. Offboarding is the reverse: revoking access, capturing recovery keys, wiping the device, retrieving the hardware, and reclaiming the license when a device or user leaves. Together they cover the full secure lifecycle of every managed device.

What is the correct order for offboarding a device?

Revoke access first, capture recovery keys before wiping, then wipe the device, then reclaim the license. The order matters: revoking access first prevents a departing user from doing damage during the process, capturing keys before the wipe avoids stranding the data, and reclaiming the license recovers the cost. A device retired in the asset list but still trusted by conditional access or still in billing is exactly the gap this order of operations prevents.

Why is offboarding more risky than onboarding?

Because offboarding is where data and money leak. An under-configured new device is mostly a productivity annoyance, but a device that is offboarded poorly (not wiped, still trusted, still licensed) is an active security exposure and a recurring cost at the same time. Onboarding gets attention because it is visible; offboarding failures are quiet and compound across the fleet, which is why the checklist emphasizes the back end.

What is zero-touch enrollment in the lifecycle?

Zero-touch enrollment lets a new device ship sealed directly to the user and self-configure into your MDM on first boot, pulling down its apps, profiles, and security baseline with no IT imaging. In the lifecycle checklist it is the onboarding mechanism that ensures every device starts fully managed and compliant, removing the manual imaging step that used to be a bottleneck and a source of inconsistency.

How do I handle a high-risk employee departure?

Expedite it. For high-risk leavers, the checklist calls for a documented same-day wipe and access revocation rather than waiting in the normal offboarding queue. The priority is to revoke corporate access immediately so the departing person cannot reach data, then wipe the managed device, so an employee with elevated privileges never retains a live, trusted endpoint after their departure is known.

Why reconcile license counts against active devices?

Because software and management licenses keep billing whether or not the device is still in use. If a retired device is never reconciled, you continue paying for a seat tied to hardware that was recycled months ago. Making license reconciliation part of offboarding turns retirement into a recurring cost recovery and keeps your license count an accurate reflection of the active fleet.

What is a stale device and how should I treat it?

A stale device is one that has not checked in to management for an extended period, which usually means it was lost, retired without deprovisioning, or had its agent break. The checklist calls for reviewing stale and never-checked-in devices on a regular cadence and retiring them, because each one is both a potential security gap and a distortion in your compliance and license numbers until it is resolved.

How do encryption keys factor into offboarding?

Recovery keys must be captured before any wipe. If a device is wiped without first confirming its escrowed recovery key, you can lose access to data that may still be needed and lose the ability to recover the device. The checklist handles encryption keys and certificates consistently across onboarding and offboarding so nothing is stranded, escrowing on the way in and capturing before destruction on the way out.

Why keep the inventory and CMDB updated at every state change?

Because records that drift from reality undermine every downstream decision: compliance reporting, license reconciliation, and incident response all depend on knowing exactly which devices exist and what state they are in. Updating inventory at every onboard, reassign, and retire keeps the register trustworthy. Without it, ghosts accumulate, compliance percentages become meaningless, and you cannot answer the basic question of what you actually own.

Which tools support device lifecycle management?

UEM and MDM platforms such as Microsoft Intune, Jamf, Kandji, and ManageEngine provide the enrollment, configuration, and remote-wipe mechanisms the lifecycle depends on, and they integrate with identity providers for access revocation. The checklist sits on top of whichever platform you run, supplying the process discipline, especially the offboarding order and inventory reconciliation, that the tools themselves do not enforce automatically.
