Efficient Google Workspace Offboarding: Securely Transitioning Departing Users

When an employee leaves a company, properly offboarding their Google Workspace account is crucial for security and accessibility. With the right offboarding process, admins can ensure that departed users no longer have access to sensitive company data while keeping business operations running smoothly.

If you're curious about how to safely offboard a Google account to keep your organization secure, we've got you covered. Let's review a step-by-step process for offboarding in Workspace.

Device Wipes

If the departing employee had access to company-owned Chromebooks, smartphones, or tablets, these devices should be wiped to avoid data leaks. The Google Admin Console allows remote wipe commands for devices managed through your Workspace domain.

For Android devices, factory resetting with a remote wipe ensures they are unenrolled from management and wiped. The Windows, MacOS and iOS platforms also enable remote corporate wipe of company profiles and data.

Transfer Drive File Ownership

Google Drive often contains important company documentation that the departing employee may have created or had access to. To ensure data protection and prevent information loss, ownership and management of Drive files need to be transferred to other employees before the account is disabled.

The Drive Transfer tool allows admins to bulk change ownership of files. Ownership can be transferred to a single user or to a shared drive where multiple users have access.

For larger transfers, the Drive API is better suited than the Admin Console. The Transfer tool also maintains original upload timestamps and metadata to further prevent data loss.

Set Up Email Forwarding

To keep business operations running smoothly, set up an auto-reply and create email forwarding rules from the departing user's Gmail account. Auto-replies notify anyone emailing them about the employee leaving. Forwarding rules route their emails to someone who can handle them or a group mailbox.

For example, rules could forward emails to the new hire replacing them or their manager. Make sure to apply filters broadly to avoid missing emails. The Google Admin SDK Directory API allows automating forwarding rule creation.

Remove Calendar Access

Review what Google Calendars the employee had access to and remove them as guests. This prevents them from seeing event details and calendar contents. If calendars contain proprietary details like meeting notes or strategy plans, it's especially important they no longer have visibility.

The Calendar Settings sharing tab lists all calendars the employee was granted access to. Remove their permissions and double-check that any calendar resources they created are transferred to relevant employees.

Take Off Distribution Lists

Next, go through and remove the departing user from any Google Groups or email distribution lists they were part of. This cleans up group membership and prevents them from continuing to receive emails.

The Groups settings list group members and allow admins to selectively remove users. If they managed any groups, transfer ownership using the Groups API to another admin before deleting them from the groups.

Revoke Admin Console Access

If the departing employee had Admin Console access, make sure to demote them to a Standard user and revoke admin privileges. Users with the Super Admin role have the highest level of control, so it's critical they are demoted before deletion.

In the Admin Console user list, edit the user's info and change the Role to Standard end user. For Super Admins, you may need another Super Admin to edit their role. Removing admin rights ensures they cannot access or modify company data and settings.

Follow a Security Checklist

Maintaining a consistent offboarding process is key to avoiding potential oversight. Create a Google Workspace offboarding checklist detailing each step, and store it in a shared drive accessible by admins and HR.

The checklist should include:

• Disabling account
• Remote wiping of devices
• Transferring Drive files
• Setting forwarding rules
• Removing calendar access
• Taking off distribution lists
• Revoking admin roles
• Confirming Multi-Factor Authentication is enabled on all admin accounts

Following the checklist from start to finish for each departing employee hardens security and ensures nothing gets missed.

Automate Where Possible

Certain steps of Google Workspace offboarding can be automated to make the process more efficient. Scripts and services for Workspace can programmatically handle removal from groups, file transfers, wiping devices, forwarding emails, and more based on an employee's status.

Automation reduces manual processes for IT teams and decreases potential human error.

Verify Completion

Once the offboarding process is complete, have another admin double-check the employee's Google Workspace account and permissions to validate everything has been handled. Log in to their account and confirm access is denied, files are transferred, forwarding is set up, and admin roles revoked.

Also, check for any remaining calendar access or lingering group memberships. This verification as a final step helps document due diligence in case any issues arise in the future. Thoroughly confirming offboarding completion provides peace of mind.

Best Practices for Data Security After Offboarding

As you work through the offboarding steps, it's important to go back and check your work to ensure you've done a thorough job. Here are the best practices for offboarding to ensure your organization's security:

1. Wipe Mobile Devices: You can remotely remove data from a user's device through the Admin Console. Remote wipe the entire device or only erase your organization's data.
2. Revoke Password Recovery Access: Remove the user's recovery email and phone number so they cannot use the password recovery feature to access their old account.
3. Change the User's Password: By changing the user's password, you can reduce the risk of unauthorized access to their old account.
4. Revoke all Auth 2.0 Application Tokens: Changing a user's password also revokes Auth 2.0 tokens issued for accessing certain products. Ensure you review authorized access and revoke any other authorized applications.
5. Reset the User's Sign-in Cookies: This further reduces the risk of unauthorized access.
6. Revoke Security Keys and App Password Access: Revoke any security keys or application-specific passwords granted access to the user's account.
7. Delete the Account: Finally, move any of the user's data you wish to save to another account and delete their original account entirely.

Look to Promevo for End-to-End Workspace Support

If you want to get more out of your Google Workspace subscription, Promevo is here to help. As a certified Google partner, we provide end-to-end support with all things Google, from setting up Workspace to deploying ChromeOS devices.

We recognize that some organizations require more robust features than are available in the Google Admin Console to manage their Workspace environments. That's why we created gPanel®, our exclusive management and reporting software designed to help you streamline communication and automate admin work.

When you choose gPanel® for your organization, you can:

• Streamline user management with easy control of Docs, Groups, Gmail settings, and more
• Modify Gmail signatures for anyone in your organization
• Sync contacts from one user to another and vice versa
• View and manage the devices users have access to
• Search text in any Drive document owned by any user in the domain
• Generate comprehensive reports for documents, emails, groups, and more
• Customize user and admin roles and specify the actions they can take

gPanel®️ is more than just a standard, one-size-fits-all Google Workplace service — it’s a constantly evolving solution improved by feedback and suggestions from real clients. gPanel®️ is the perfect compliment to Admin Console, helping you harness the robust capabilities of Google to reinvent the way you do business and accelerate the growth of your company.

We are proud to be a 100% Google-focused partner helping you succeed wherever you are in your Google journey. Contact us today to get started.

FAQs: Google Workspace Offboarding

How long should you keep a former employee's Google Workspace account before deleting it?

Accounts should be kept active for at least 90 days after offboarding to redirect emails and retain access to old files. Delete the account only after confirming all data is appropriately handled.

Can you transfer ownership of Google Drive files to users outside your organization?

No, Drive file transfers are limited to users within the same Google Workspace domain for security reasons. For external file sharing, contents must be downloaded and sent manually.

What's the difference between suspending and deleting a Google Workspace account?

Suspending an account denies access while retaining data for recovery. Deleting permanently erases the account and data after a short holding period. Suspend first, then delete once offboarding is complete.