A bulletproof employee offboarding IT checklist for getting every laptop, monitor, and security token back - including a sample laptop return policy for remote employees, a four-wave recovery timeline, and what to do when the gear doesn’t come back.
What’s in this guide
- Why offboarding is where hardware leaks
- Set the foundation at onboarding (not at exit)
- The 4-wave offboarding timeline
- Hardware-specific recovery playbooks
- Sample laptop return policy (copy & adapt)
- Special cases: international, involuntary, BYOD
- When the laptop doesn’t come back
- Tools that make recovery automatic
- FAQ
Why offboarding is where hardware leaks
Most company laptops aren’t stolen. They’re just… not returned. A Capterra survey found that 71% of HR professionals said departing employees didn’t return company-owned equipment. Studies of remote teams show recovery rates of 70–85% without a structured process - meaning roughly one in five to one in seven laptops simply vanishes during offboarding.
The cost compounds quickly:
- Hardware: $800–$2,000 per laptop, plus accessories, in straight replacement cost.
- IT labour: $196–$334 per device when offboarding is handled ad-hoc, mostly in chasing emails and coordinating shipping.
- Security: 41% of data breaches involve lost or stolen devices. An unreturned laptop with active credentials, cached email, or local files is a breach waiting to be disclosed.
- Audit risk: Asset registers drift. The next SOC 2, ISO 27001, or HIPAA review uncovers the gap and you’re explaining it under deadline pressure - the same gap a proper IT asset inventory audit is designed to close.
The good news: hardware recovery is one of the most solvable problems in IT operations. Companies with a structured employee offboarding IT checklist routinely hit 95–100% recovery rates. The fix isn’t expensive - it’s procedural.
Set the foundation at onboarding (not at exit)
Every successful offboarding starts on day one of the employee’s tenure. Trying to invent a recovery process during a termination is too late - emotions are high, timelines are tight, and you have no agreement to point to.
Build these four things into onboarding, before the employee ever touches a laptop:
- Signed equipment agreement. A short, plain-language document listing every piece of company hardware issued, its serial number, and the employee’s acknowledgement that it must be returned at the end of employment. Keep it in HR records.
- Laptop return policy. One page. Covers the return window, who pays for shipping (you), how the device must be packaged, and what happens if it’s not returned. (Sample below.)
- Asset register entry from day one. The asset isn’t “issued to Alex” - it’s “issued to Alex on 2026-01-15, MacBook Pro 14” M3, serial F2L4Y2QXG3, asset tag LAP-0142.” If you can’t pull this with one query, you’re not ready to offboard. Teams still on a spreadsheet for asset tracking feel this pain first at exit.
- Standard issue list. A documented list of what every role gets (laptop, charger, dock, monitor, mouse, keyboard, security key, etc.) so offboarding starts with a complete checklist rather than an inventory hunt.
The single highest-leverage habit: when you ship a laptop to a new hire, ship them everything they’ll need to ship it back. Pre-paid return label, packaging instructions, the lot. Tape it inside the lid of the laptop box. Two-thirds of late returns are caused by employees not having packaging materials on hand - fix that on day one.
The 4-wave offboarding timeline
Successful asset recovery runs in four waves, each with its own owner, deadline, and verification. Each wave is short. None of them is optional.
Wave 1 - Lock down access (T+0 to T+1 hour)
The moment the termination decision is made - and especially for involuntary terminations, before the employee is notified - access is revoked. This protects company data even if the device itself doesn’t come back for weeks.
- Identity provider disabled (Entra ID, Okta, Google Workspace) - single source of truth for SSO
- Force sign-out from all active sessions across SaaS tools
- Email forwarding configured to manager or generic mailbox (per legal/data policy)
- VPN access revoked
- Admin or production system access revoked first if applicable (highest blast radius)
- MDM remote lock triggered (or scheduled for end of last working day for voluntary departures)
- Security keys (YubiKey, Titan) revoked at the IdP level - the physical key still works in your hand, but is useless without an active account
- Door access cards / building keys deactivated
- Asset register updated: status “pending return” with timestamp and owner
Sequencing matters: for involuntary terminations, complete access revocation before the conversation happens. For voluntary departures, time it for end-of-day on the last working day so the employee can wrap up cleanly without being locked out mid-task.
Wave 2 - Trigger the return (T+24 to T+48 hours)
A pre-paid return kit goes out within 48 hours of the offboarding decision. The single biggest predictor of recovery rate is how easy you make the return - not how strict your policy is.
- Return kit shipped with prepaid label, padded box, foam inserts, and bubble wrap
- Written instructions: what to pack, in what order, with photos
- Clear return deadline (5–10 business days domestic, 15–20 international)
- Tracking number recorded in the asset register against each item
- Automated reminder scheduled at deadline minus 3 days
- Single point of contact named (one person, with email + phone) for questions
- Asset register status updated: “in-transit”
Convenience drives compliance more than policy does. A confused employee with no box ends up returning the laptop “when they have time.” A confused employee with no box never returns it. Make it stupidly easy.
Wave 3 - Receive & verify (T+5 to T+10 days)
Every returned item gets inspected, photographed, wiped, and reconciled against the asset register. Skip this step and you’ll discover the missing charger six months later when you redeploy the laptop and nobody can find one.
- Open package on receipt; photograph contents before unpacking
- Match every item against the asset register entry (laptop, charger, dock, monitor, peripherals, security key, etc.)
- Power on; verify it boots; check for visible damage
- Run secure data wipe (DFU restore for Mac, recovery + reset for Windows, or vendor erase utility for IT-managed devices)
- If MDM-managed: confirm device removed from MDM after wipe
- Update asset register: status “returned” with date, condition, and inspector’s name
- Stage device for redeployment, refurbishment, or end-of-life disposal
- Send written confirmation to HR that all items are accounted for (or list what’s missing)
Wave 4 - Escalate non-returns (T+14 days and beyond)
If the deadline passes without a return - escalate immediately. Every day you wait, the odds of recovery drop. The escalation should already exist as a documented process, not a one-off decision.
- Day 14: formal written recovery notice (email + registered post if non-responsive). Reference the equipment agreement and policy.
- Day 21: HR involvement; cite final-paycheck policy where legally applicable (varies by jurisdiction - verify before acting)
- Day 30: legal counsel review for high-value devices or repeat non-responders
- Day 30: file insurance claim if applicable
- Day 45: write off the asset in the register with reason “non-returned”
- Document every communication attempt with dates and content - this is your evidence file
- Open a security incident if the device held sensitive data, even after access revocation
Legal note: Withholding a final paycheck for unreturned equipment is illegal in some jurisdictions (e.g. California, much of the EU/UK without explicit written consent at hire). Don’t write a policy that violates local employment law. Check with HR and legal before you ever cite paycheck deduction as a remedy.
Hardware-specific recovery playbooks
Different hardware classes have different recovery profiles. The four-wave timeline above applies to all of them, but the details vary.
Laptops
The highest-risk item. Highest value, contains the most data, most likely to “get lost in the mail.”
- Revoke identity before initiating the return (Wave 1)
- Remote lock via MDM where possible
- Ship a return kit sized specifically for the laptop model
- Require photographic proof of packing before shipment (one phone snap)
- Inspect screen, ports, keyboard, and battery health on arrival
- Secure data wipe is mandatory before redeployment, no exceptions
- Retain Certificate of Erasure (or equivalent log) for compliance evidence
Monitors and large peripherals
Big, awkward, expensive to ship, easy to “forget.” The recovery rate on monitors is consistently lower than on laptops because employees hesitate to box up a 27” display.
- Decide in advance whether monitors are recovered or written off as a perk (some companies do the latter for tax/morale reasons - make it an explicit policy)
- If recovering: send the original packaging or a flat-pack replacement box
- Use a courier with a pickup service, not a drop-off model
- Bundle with other items in a single pickup to reduce friction
- Inspect for dead pixels, scratches, and panel damage on arrival
Phones and tablets
- Remove the device from MDM and remotely wipe before requesting physical return
- Confirm the cellular line is transferred or terminated
- Check for screen damage and battery health on arrival
- If using activation lock (Apple) or factory reset protection (Google), confirm the personal account is removed before wipe - otherwise the device becomes a brick
Security keys and hardware tokens (YubiKey, Titan, RSA)
- Revoke the key at the identity provider in Wave 1 - this is the security-critical step
- Physical return is preferred but secondary; the key is useless without the IdP registration
- Track serial numbers in the asset register; reissue to the next holder only after physical receipt
- For unreturned keys, document the revocation log as your evidence of mitigation
Docking stations, chargers, cables, accessories
- List every item explicitly in the return kit instructions (employees forget what they have)
- Set a value threshold - under it, don’t chase; over it, treat like a peripheral
- Inspect on arrival; don’t redeploy frayed cables or damaged docks
Sample laptop return policy (copy & adapt)
Use this as a starting point. Adapt for your jurisdiction, your shipping setup, and your existing employee handbook. Have legal review before you publish.
Laptop & Equipment Return Policy
1. Scope. This policy applies to all company-issued hardware, including laptops, monitors, docking stations, phones, security keys, and accessories listed on the employee’s equipment agreement.
2. Return window. Equipment must be returned within 10 business days of the employee’s last working day for domestic employees, and 20 business days for international employees. Earlier returns are encouraged.
3. Return method. The company will provide a pre-paid shipping label, packaging materials, and step-by-step instructions at company expense. Employees should not pay any shipping cost. Alternative methods (in-person drop-off, courier pickup) are available on request.
4. Condition. Equipment must be returned in working condition, reasonable wear and tear excepted. Employees should not attempt to wipe, reformat, or modify the device - IT will handle data erasure on receipt.
5. Verification. On receipt, equipment will be inspected against the employee’s equipment agreement. The employee will receive written confirmation within 5 business days that all items have been accounted for, or notification of any discrepancy.
6. Non-return. Failure to return equipment within the return window may result in [list permissible consequences in your jurisdiction - e.g. invoicing for replacement cost, legal action, reporting to credit agencies where applicable]. The company will exhaust reasonable recovery efforts before escalating.
7. Data and access. Company access (email, SaaS, VPN) will be revoked on or before the last working day regardless of equipment return status. Employees should expect their company accounts to be inaccessible from the device after this point.
8. Lost or damaged in transit. If equipment is lost or damaged in shipping despite proper packaging, the company will treat it as a shipping incident and pursue carrier insurance. The employee is not personally liable when company-provided packaging and labels are used.
Save this policy. Drop it into your employee handbook, your offer letter pack, and your offboarding ticket template. The same policy referenced in three places at three different times has dramatically better compliance than a one-shot exit email.
Special cases: international, involuntary, BYOD
International employees
International returns add customs complexity, longer shipping windows, and import duties. Plan for it.
- Extend the return window to 15–20 business days
- Use a freight forwarder or specialised international return service for high-value items
- Pre-fill customs forms with accurate declared value and “returned goods” designation
- Confirm import licensing - some countries restrict re-importing IT equipment
- For employees in regions where shipping is unreliable, evaluate local refurbishment partners and don’t ship back at all
Involuntary terminations
The highest-risk recovery scenario. Plan it like a security incident, because that’s what it is.
- Wave 1 happens before the termination conversation, not during it
- Have IT on standby during the conversation to confirm access revocation in real time
- Send the return kit the same day; don’t wait for the dust to settle
- Use registered shipping with signature confirmation
- If the employee had admin access, widen the security review window (audit logs, configuration changes, exfiltration attempts)
- Brief HR and legal in advance on the recovery escalation path
BYOD and personal devices
If you allow personal devices, your “recovery” is access removal, not device retrieval.
- Wipe company data via MAM (mobile application management), not full device wipe
- Revoke conditional access at the identity provider
- Document what data classes resided on the device per your BYOD agreement
- For exiting employees, require written confirmation that company data has been removed
Voluntary resignation with a long notice period
The trickiest case - the employee still needs the device to do their job, but the trust signal has shifted. The right approach is no change to access until the last week, then a tighter monitoring posture, then a clean Wave 1 on the final day. Don’t pre-emptively lock people out during their notice period - it’s bad management and bad signal to the rest of the team.
When the laptop doesn't come back
Even with a perfect process, you’ll occasionally have non-returns. Handle them as a closed loop, not an open question.
Within 30 days of deadline
- Multiple documented contact attempts (email + phone + registered mail)
- Formal recovery notice with reference to the equipment agreement
- HR review of any contractual remedies available in the jurisdiction
- Insurance claim filed if covered
After 45 days
- Write off the asset in the register with reason “non-returned” and date
- Retain all documentation for at least 7 years (typical compliance retention)
- Open a security incident record if the device held sensitive data
- Add the case to your offboarding retrospective - what would have prevented this?
Don’t leave non-returned devices in “maybe they’ll send it eventually” limbo. An asset register full of unresolved statuses is worse than one with clear write-offs - it pollutes every future audit and hides real problems.
Tools that make recovery automatic
Offboarding is one of the highest-ROI processes to automate. Each automated step removes a place where a busy IT manager forgets, a returning employee gets confused, or an asset slips through the cracks.
The stack that drives 95%+ recovery rates:
- Asset tracking platform - a single source of truth for what was issued, when, to whom, with what serial. The asset register status moves through “assigned → pending return → in-transit → returned → wiped → redeployed” with timestamps and an audit trail. AMPthilly is built for exactly this workflow.
- HRIS - the system of record for who’s leaving and when. Offboarding triggers should originate here, not in someone’s inbox.
- Identity provider - Entra ID, Okta, or Google Workspace as the central kill switch for access.
- MDM / device management - Intune, Jamf, Kandji, or Mosyle for the remote lock and wipe.
- Return logistics service - pre-paid kits, tracking, and pickup coordination, especially for international or high-volume teams.
You don’t need all five on day one. But you do need a single asset register that connects them, so “where is Alex’s laptop?” has one answer, not five.
Stop chasing returns in spreadsheets. If your offboarding process still lives in email threads and shared files, read why Excel fails for asset tracking - then see how AMP gives you a clean asset register, check-in/check-out tracking, and a full audit trail of every status change so offboarding produces a verifiable record instead of a guessing game.
FAQ
What should be in an employee offboarding IT checklist?
Access revocation across all systems, MDM lock and wipe, a complete inventory of issued hardware by serial number, a return kit shipped within 48 hours with prepaid label and packaging, receipt and inspection of every item against the inventory, secure data wipe, asset register status update, and written confirmation to HR. Each step needs a named owner and a deadline.
What is a good laptop return policy for remote employees?
A strong policy is communicated at onboarding (not exit), provides 5–10 business days domestic / 15–20 international, ships prepaid packaging at company expense, requires tracking, sets clear condition expectations, and outlines legally-compliant consequences for non-return. The shorter the policy is, the more likely it gets followed.
What recovery rate should we expect for company laptops?
Without a structured process: 70–85%. With a documented policy, prepaid return kits, automated reminders, and asset register tracking: 95–100% is realistic. The biggest factor is making the return easier for the employee than not returning it - convenience beats policy.
Can you withhold a final paycheck for an unreturned laptop?
It depends entirely on jurisdiction. Illegal in some US states (California is the most cited), restricted in most of the EU and UK without explicit written consent at hire, and broadly permitted in others. Verify with HR and legal counsel before you write a policy that cites this remedy - and put any deduction agreement in the onboarding paperwork, not the exit email.
What happens to data on an unreturned laptop?
By the time the device is “unreturned,” company access should already be revoked at the identity provider (so the device can’t reach company systems), and an MDM-managed device should be remotely locked and ideally wiped. For non-MDM or out-of-contact devices, document what data classes resided on the device and open a security incident. Treat it as a potential breach until proven otherwise.
How do we handle offboarding for international employees?
Extend the return window to 15–20 business days, use freight forwarders or specialised return services for high-value items, pre-fill customs forms with “returned goods” designation, and for unreliable shipping regions, consider local refurbishment partners instead of shipping back at all.
When should access be revoked - before or after the conversation?
For involuntary terminations: before. For voluntary departures: end of the last working day, scheduled in advance. Don’t pre-emptively lock out resigning employees during their notice period - it’s bad management and worse signal to the rest of the team.
The takeaway
100% recovery isn’t about being strict. It’s about being prepared. Every successful offboarding was set up months earlier, at the moment the employee was issued the laptop - with a signed equipment agreement, a clear return policy, a complete asset register entry, and a return kit shipped alongside the device.
By the time someone resigns, the recovery process should be the boring execution of a documented plan. Four waves, owned and timed. A return kit that makes it stupidly easy to comply. An asset register that knows exactly what was issued and to whom. An escalation path that closes the loop on the rare non-return.
That’s how recovery rates go from “we get most of them back” to “we recover 100% and have the paperwork to prove it.”
