How to Offboard employees in Google G Suite
An employee left the company. How do you off-board them in G Suite? Here’s our recommended 10-step process for G Suite Administrators. This guide assumes: 1) You are a G Suite Account Administrator, and 2) Your company is managing users/groups directly through the G Suite Admin Console. If your company uses an LDAP/SSO service with G Suite, please contact us for a more tailored checklist for your enterprise. This guide is grouped into three main phases:
- Secure (steps 1–4)
- Delegate (steps 5 & 6)
- Delete (Steps 7–10)
Step #1: Reset G Suite Account Password
Log into the G Suite Admin Console and change the account password. Make a note of the new password. You can now log into the G suite account on behalf of the terminated employee.
Step #2: Wipe Any Mobile Devices
This step assumes that you’re pre-configured mobile device management in the G Suite Admin Console. For company issued devices, you can remote wipe the entire device. For personal devices, you can wipe company data from their personal device. They will no longer be able to open their G Suite Apps with their work account. Google Support Resource: https://support.google.com/a/answer/173390
Step #3: Change Recovery Phone & Email
By default, only admins can reset passwords, so this step will not apply to many organizations. However, it’s worth checking as a terminated employee could use their recovery phone/email to get access after the admin has reset the password. Remove the recovery/phone email. Google Support Resource: https://support.google.com/accounts/answer/183723
Step #4: Revoke Third-Party Apps
Resetting passwords will often break the connection with 3rd party apps, but make sure to manually review and disable any services tied to their Google account. Google Support Resource:
Step #5: Create Auto-Reply Message.
Login as the former employees, and use the “Vacation Responder” to create an auto-reply message. Direct all inquiries to the former employees’ manager.
Step #6: Delegate Account Access to a Manager
Delegate account access to a manager through the Gmail Settings Panel.
Step #7: Export All Email Data
As an administrator, log into the employee account and navigate to: google.com/takeout. Select “Email” and Google will generate a downloadable archive of email data. The mail will download in the .mbox format, within a zip file. You can then store this archive anywhere you like (maybe within your G Suite Admin Account in Google Drive?). If you need to access this archive at a later date, you can use email clients like Thunderbird and import all mail on a local machine and then perform a search. Alternatively, you can upload the mail back into a G Suite user account (both options work well)
Step #8: Suspend Access to the account.
Suspending the account will block new emails & calendar invites, and disable login access. The account has been deleted and historical email/files can be searched through the Google Vault Service. Many companies keep the user account suspended for 6 –12 months so they can easily search through old email records. The catch — a ‘suspended’ user still requires a G Suite license. If you want to re-purpose the license for a new hire, you must delete the G Suite account entirely. If you don’t foresee a need for employee email/files to be searchable via Google Vault, proceed to step #9 immediately.
Step #9: Transfer Remaining Data (Drive/Docs, etc)
From the Admin Console, Navigate to Apps → Google Drive. Under Drive Settings, you’ll see an option to transfer files. Transferring ownership will not affect the existing permissions on the files/folders.
Step #10: Delete User Account
Once the account is deleted, you can repurpose the license for a new hire.
Want to be more efficient with this process? You can use tools like GAM or BetterCloud to automate several of these steps, or at least reduce the number of pages/clicks in the admin console. Contact us for more information!