New Employee Security Onboarding: The IT and Security Checklist That Actually Covers Everything

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
The first week of an employee's tenure determines their security baseline for their entire time at the organization. Access granted broadly for convenience at onboarding persists. Devices enrolled in MDM on day one operate with consistent security configuration throughout; devices enrolled a month later have an early period of inconsistent configuration. Security habits established through clear first-week training carry forward; the absence of training leaves employees to develop their own security intuition, which is frequently inadequate.
Onboarding is also one of the most auditable control areas for compliance frameworks — auditors specifically look for evidence that access was provisioned correctly, security training was completed, and policies were acknowledged for sampled employees. A clean onboarding process produces this evidence automatically.
Pre-day-one preparation
Security onboarding that begins when a new employee walks through the door is already behind. Device enrollment, account creation, and role-based access group assignment should all be completed before the start date so that the employee's first experience is receiving a fully configured, policy-compliant device and setting up MFA rather than waiting for IT to provision access. This section covers the two critical pre-start tasks: device preparation using Apple Business Manager zero-touch enrollment or Windows Autopilot, and IdP account creation with SCIM provisioning from the HRIS. Getting both right means the first-day security sequence starts from a known-good baseline rather than catching up on prerequisites.
Device preparation and MDM enrollment before start date
For in-office starts: prepare the device at least two business days before the start date. Enroll in MDM (Intune, Jamf), apply the security configuration profile (screen lock, disk encryption, patch policy, EDR agent), and verify enrollment status in the MDM console before the device is handed to the employee. For remote starts with shipped devices: use Apple Business Manager (ABM) or Windows Autopilot to configure zero-touch enrollment — the device enrolls automatically when the employee turns it on and connects to the internet, without requiring any IT setup step. The employee's first experience is entering their credentials on a device that is already fully configured and compliant.
Account provisioning and access group assignment
If your HRIS is connected to your IdP via SCIM provisioning: the account may be automatically created and assigned to the correct role-based group when the HR team adds the new hire to the system. Verify SCIM provisioning completed correctly: confirm the account exists in Okta/Entra ID, the correct groups are assigned, MFA enrollment is pending (not complete — the employee will complete it on day one), and the account is activated but not yet used. If SCIM is not configured: create the IdP account manually before day one, assign the role-based access groups, and set an initial temporary password that must be changed on first login. The access provisioning ticket should be created by the manager and completed by IT before the start date, not during the onboarding meeting.
Day-one onboarding sequence
The day-one security sequence works best when each step is a hard prerequisite for the next, eliminating the possibility that a step is skipped under time pressure. MFA enrollment must complete before application access is granted; security training must be assigned before the employee leaves orientation; and policy acknowledgment must be recorded in the HRIS before IT credentials are handed over. This section covers the MFA enrollment workflow in Okta and Microsoft Authenticator, and the training platform assignment process in KnowBe4 and Proofpoint Security Awareness, including how to produce the completion records that auditors require as evidence for your security awareness training control.
MFA enrollment before full application access
The first security action on day one: MFA enrollment in the IdP. Walk the employee through enrolling their authenticator (Okta Verify, Microsoft Authenticator, or hardware FIDO2 key) before they receive any application access. In Okta: the employee signs in with their temporary password, is immediately prompted to enroll an MFA factor, and cannot proceed to any application until MFA enrollment is complete. This design ensures MFA is never 'I'll do it later' — it is a prerequisite to access. For organizations requiring hardware FIDO2 keys for privileged users: hand the YubiKey to the employee at the same time as the laptop and walk through enrollment. Record MFA enrollment completion in the onboarding checklist.
Security training completion tracking
Assign security training in your training platform (KnowBe4, Proofpoint Security Awareness, or your compliance platform's built-in training) before day one so the employee has an assigned course when they first log in. Set a completion deadline of 5 business days from start date. Track completion: your compliance platform should automatically check training completion status and flag incomplete training as a finding. For auditors: produce a report showing each employee's assigned training, completion date, and score. The completion record is the evidence for your security awareness training control — 'we tell people about security' is not a satisfying answer; 'we have documented completion records for 98% of employees within 30 days of hire' is.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
The bottom line
New employee security onboarding is a compliance and security control, not an administrative formality. The device configuration, access provisioning, MFA enrollment, policy acknowledgment, and security training that happen in the first week create evidence for auditors, establish access patterns that persist throughout the employee's tenure, and set security expectations that influence behavior. Automate as much as possible: HRIS-to-IdP SCIM provisioning for account creation, MDM zero-touch enrollment for device configuration, and compliance platform integration for training completion tracking. What cannot be automated should be on a documented checklist with a completion record. Treat the offboarding process with equal rigor — lingering access after termination is one of the most common audit findings and one of the most straightforward to prevent with automation.
Frequently asked questions
What device security configuration must be completed before a new employee gets system access?
Minimum device security configuration before first access: (1) MDM enrollment (Intune, Jamf, or Kandji): the device must be enrolled before credentials are distributed so that all subsequent MDM policies (screen lock, disk encryption enforcement, patch management) are applied from the first login. (2) Disk encryption: FileVault on macOS, BitLocker on Windows, enabled and encryption key escrowed to the MDM platform. (3) EDR agent installed and reporting to your security platform (CrowdStrike, Microsoft Defender for Endpoint, SentinelOne). (4) OS fully patched: verify the device is running the current OS version before handing it to the employee. (5) Screen lock configured: automatic lock after 5 minutes of idle (enforce via MDM policy). (6) For remote hires receiving a shipped device: include setup instructions and block credential issuance until MDM enrollment is confirmed in the platform. These five configuration items are verifiable in your MDM console before the employee's first login.
How do I provision access for a new employee using least privilege?
Least-privilege provisioning requires a role-based access model before it can be applied consistently. Before the first new hire joins in a role: define what applications and permissions that role requires for normal job functions. Document this in a role-access matrix (role name, applications required, permission level in each application). When provisioning: add the employee to the role-based group in your IdP (Okta group, Entra ID group, Google Workspace OU) that grants exactly the applications defined for that role. Do not grant any access beyond the role definition without manager approval and an access request ticket. Common mistake: provisioning with 'full admin' on internal tools 'for now' to avoid the delay of scoping appropriate access — this access almost never gets reduced. The provisioning delay for proper scoping is worth it at onboarding because scoping access after the fact is harder.
What security training should new employees complete in the first week?
First-week security training priorities: (1) Phishing recognition (30-45 minutes): how to identify phishing emails, what to do when they receive a suspicious email (report button or IT alias), and the company's simulated phishing program. (2) Password and MFA setup (15 minutes, hands-on): set up the company's MFA application, understand the company's password requirements, confirm they have enrolled in MFA for their email and IdP account. (3) Acceptable use policy walkthrough (15 minutes): what is and is not permitted with company devices and data — cloud storage, personal device use for company data, screen sharing during video calls. (4) Incident reporting procedure (10 minutes): how to report a security incident (phishing click, lost device, suspicious activity) — the IT/security team's contact, the reporting channel, and the 'no blame' reporting culture. Completion of all four items should be tracked in your HRIS or compliance platform and required before the employee is confirmed as fully onboarded.
How do I collect policy acknowledgments from new employees and track compliance?
Policy acknowledgment collection: (1) Build acknowledgment into the HR onboarding workflow: in BambooHR, Workday, or Rippling, add a required task on day 1 before IT credentials are issued — 'Review and acknowledge Information Security Policy, Acceptable Use Policy, and Data Classification Policy.' This creates an automatically tracked acknowledgment with a timestamp. (2) For organizations without HR workflow integration: use a Google Form or DocuSign e-signature with the policy text or a link to the policy, storing the completion record. (3) Annual recertification: use the same mechanism annually, triggered automatically by a rule in your HRIS (all employees who have been employed for more than 1 year must recertify by [date]). (4) Evidence for auditors: your compliance platform (Drata, Vanta) or HRIS can produce a report showing: employee name, policy acknowledged, date of acknowledgment, version of policy acknowledged. This report is the primary artifact for auditors reviewing your access control and training control areas.
How does the new employee security onboarding process differ for contractors and temporary workers?
Contractors and temporary workers require modified onboarding: (1) Access scope: contractors typically receive access limited to the specific project they are engaged for, not the full role-based access given to employees. Create a contractor access group that includes only the applications and repositories relevant to the engagement. (2) Access duration: configure access expiry that matches the contract end date — most IdPs support automatic account expiry dates (Okta temporary accounts, Entra ID account expiration). Set the expiry on the account itself, not as a calendar reminder. (3) Device handling: if the contractor uses their own device (BYOD), apply MDM-managed app policies rather than full device enrollment — Intune and Jamf support app-level management on unmanaged devices that keeps corporate data in managed apps without controlling the personal device. (4) Policy acknowledgment: contractors should acknowledge the same policies as employees — their access to your systems creates the same security obligation. (5) NDA and data handling: your legal team should confirm the contractor agreement includes appropriate data handling and confidentiality provisions before any system access is granted.
What is the offboarding security checklist that mirrors the onboarding checklist?
Offboarding must be as structured as onboarding or access lingers indefinitely. On the day of termination notification: (1) Disable the IdP account immediately (Okta, Entra ID, Google Workspace) — this revokes access to all applications federated through the IdP in a single action. (2) Revoke all sessions: force sign-out of all active sessions in the IdP (Okta: Security > Session and Authentication Policies > Revoke all sessions for user; Entra ID: Revoke refresh tokens via Graph API or admin portal). (3) Disable MFA devices: if the employee had hardware MFA tokens, mark them as lost or revoked. (4) Remove from all distribution groups, Slack workspaces, and shared communication channels. (5) Retrieve or wipe the company device: MDM remote wipe command for unreturned devices. (6) Revoke any API tokens, SSH keys, or service credentials associated with the employee (this requires searching your secrets management system and source control for credentials associated with their account). (7) Transfer ownership of files and data in Google Drive, SharePoint, or GitHub before account deletion. Document completion of each step in the offboarding ticket.
What tools do I need to automate security onboarding and reduce manual steps?
Automation opportunities by tool category: (1) MDM (Intune, Jamf, Kandji): automated enrollment via DEP/Apple Business Manager for macOS, Windows Autopilot for Windows — devices bootstrap their security configuration automatically without IT touching each machine. (2) Identity platform (Okta, Entra ID, Google Workspace): SCIM provisioning from your HRIS automatically creates the IdP account and assigns groups when a new employee is added to the HR system, eliminating manual account creation. (3) HR system (BambooHR, Workday, Rippling): workflow triggers for new hire onboarding tasks including policy acknowledgment, training completion, and IT ticket generation for hardware. (4) Compliance platform (Drata, Vanta, Thoropass): tracks onboarding task completion, policy acknowledgment, security training completion, and device enrollment as continuous evidence for SOC 2. The most impactful single integration: HRIS to IdP SCIM provisioning that creates accounts and assigns roles automatically when a new employee is added to the HRIS on their start date.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
