A complete IT setup checklist for employees - how to pre-allocate hardware and software licenses before Day 1 to remove friction, save IT hours, and give new hires the rare experience of joining a company where everything actually works.
What’s in this guide
- Why Day 1 makes or breaks employee experience
- The pre-allocation principle
- The 3-phase IT onboarding timeline
- Hardware checklist - what to provision before Day 1
- Software & license checklist
- Role-based provisioning templates
- Remote & hybrid specifics
- Common pitfalls (and how to avoid them)
- Tools that make pre-allocation automatic
- FAQ
Why Day 1 makes or breaks employee experience
A new hire’s first day is the most informative day of their career at your company. They are paying full attention, they have nothing to compare it against yet, and every signal lands hard. A laptop that doesn’t arrive, a login that doesn’t work, a Slack invite that never came - these aren’t small annoyances on Day 1. They are evidence.
The numbers are stark. Only 12% of employees say their company does onboarding well. 20% of all new-hire turnover happens in the first 45 days. 4% of new hires quit after a disastrous first day. 17% of departures within the first 90 days cite “poor onboarding experience” as the reason. Companies with structured onboarding see 82% better retention and 70%+ higher productivity.
And yet most IT onboarding still runs reactively: HR tells IT on Friday afternoon that someone starts Monday, the laptop ships Monday morning, the accounts get created Tuesday, and the new hire spends their first three days asking Slack channels they haven’t been invited to whether their password manager works.
The fix is structural, not heroic. It’s called pre-allocation, and it’s the single highest-leverage change most IT teams can make to remote and hybrid onboarding.
The pre-allocation principle
Pre-allocation is the practice of assigning every piece of hardware, every software license, and every system permission to a new hire before their start date, instead of reacting to requests on Day 1.
The goal is simple. On Day 1, the new hire:
- Powers on a pre-configured laptop
- Signs in once with credentials they received the day before
- Sees every tool they need, already installed and authenticated
- Has a 60-minute welcome call with IT to confirm everything works
- Starts their actual job by lunch
That’s it. Anything more elaborate is a sign that work was pushed right when it should have been pushed left.
The shift in mental model: Day 1 isn’t when IT onboarding happens. It’s when IT onboarding gets verified. By the time the new hire opens the laptop, the work is already done.
Pre-allocation does four things at once. It reduces Day 1 IT support load to near-zero. It compresses time-to-productivity from days to hours. It signals to the new hire that the company is competent and respects their time. And it forces upstream clean-up - you cannot pre-allocate a license you don’t know you have, or assign a laptop you can’t find in your asset register.
The 3-phase IT onboarding timeline
A clean remote employee IT onboarding process runs in three phases. The bulk of the work - 80% of it - happens in Phase 1, before the new hire’s first day.
Phase 1 - Pre-boarding (T-7 to T-3 business days)
Triggered automatically the moment the signed offer arrives in HRIS. This is where the actual onboarding happens.
Within 24 hours of offer acceptance
- HR notifies IT via automated HRIS trigger (not a Slack DM)
- Role-based provisioning template selected (see templates below)
- Hardware allocated from inventory or ordered if out of stock
- Shipping address confirmed with the new hire (including phone number)
T-7 to T-5 days
- Laptop pre-imaged or enrolled for zero-touch deployment (Apple Business Manager, Windows Autopilot, Android zero-touch)
- Asset register entry created with serial number, asset tag, assignee, and ship date
- Laptop shipped with tracking - domestic to arrive 3+ business days early; international 7+ days early
- Welcome package included: setup instructions, IT contact card, return label for any future moves
T-3 days
- Identity created in identity provider (Entra ID, Okta, Google Workspace)
- Group memberships assigned via role template (no individual access requests)
- Software licenses provisioned: Microsoft 365 / Google Workspace, Slack/Teams, role-specific SaaS, password manager, VPN
- Email account created with auto-reply set for the first week
- MFA enrollment instructions pre-staged
- Slack/Teams channels: new hire pre-invited to team channel, general, and any role-specific spaces
- Calendar invites sent for Day 1 welcome call, first team meeting, and Week 1 check-in
T-1 day
- Confirm laptop has been delivered (tracking number)
- Send credentials securely (one-time link, password manager invite, or sealed envelope for in-office)
- Send Day 1 welcome email with: setup video, IT contact, schedule, what to do if anything fails
- Buddy / onboarding partner assigned and briefed
Phase 2 - Day 1 setup (60–90 minutes total)
Day 1 is a verification session, not a setup session. The new hire should be able to do most of this on their own, with IT as a backup.
Self-serve setup (15-30 minutes, before the welcome call)
- Power on laptop; complete zero-touch enrollment
- Sign in with provided credentials
- Complete forced MFA enrollment (Authenticator app + backup security key where applicable)
- Set up password manager
- Test VPN connection
Welcome call with IT (30-45 minutes, video)
- Confirm everything self-serve worked
- Walk through Slack/Teams, email, calendar, ticketing system
- Review security basics: phishing reporting, password manager use, no passwords in chat
- Review acceptable use policy (a 5-minute conversation, not a 30-minute PDF)
- Demonstrate how to open an IT ticket and where the self-service portal lives
- Confirm hardware (laptop, peripherals, security key) is on file in the asset register, signed for by the employee
Hand-off (15 minutes)
- Introduce buddy / onboarding partner
- Confirm Week 1 check-in is on the calendar
- Provide the IT contact card / Slack channel for issues
- Welcome them properly - Day 1 isn’t only about logins
Phase 3 - Week 1 verification (Day 5–7)
The gaps you don’t catch in Week 1 become Week 4 tickets. Close the loop deliberately.
- 15-minute check-in: anything not working? Any access missing?
- Verify the new hire can reach every tool listed in their role template
- Confirm hardware is in the right condition (no shipping damage discovered late)
- Collect feedback on the onboarding experience (one question: “what was confusing?”)
- Close the IT onboarding ticket with HR; archive evidence
- Update the role template if anything was missing - this is how the process improves
The math on this timeline: 3-5 hours of total active IT time per new hire, spread across two weeks. Done well, you’ll spend less time onboarding 10 hires this quarter than most teams spend onboarding 3 the old way.
Hardware checklist - what to provision before Day 1
This is the baseline kit for a knowledge worker on a remote or hybrid team. Adjust for role (see role templates below).
Core kit (every new hire)
- Laptop, pre-imaged or zero-touch enrolled
- Power adapter and the right charging cable for the device
- Carrying sleeve or case
- External mouse
- External keyboard (mechanical or low-profile, employee choice within a list)
- Webcam (if not built-in or if quality is poor)
- Headset with mic, USB or Bluetooth
- Hardware security key (YubiKey, Titan) where MFA policy requires
Home-office kit (for full-remote roles)
- External monitor (24” or 27” - match the in-office standard)
- HDMI/DisplayPort/USB-C cable for the monitor
- Docking station or USB-C hub
- Monitor arm or laptop stand (ergonomics matter; cheap insurance against future RSI claims)
- Optional: ergonomic chair stipend or pre-approved purchase
Optional, role-dependent
- Company phone or eSIM line (sales, support, on-call engineering)
- Tablet (design, field roles)
- Drawing tablet or stylus (design)
- Additional monitor (engineering, finance, design)
- Privacy screen (roles handling regulated data)
The packaging matters more than you think. A clean, branded unboxing experience on Day 1 is one of the highest-ROI emotional moments of the entire employee lifecycle. Use real packaging materials, include a handwritten or printed welcome card, and treat the laptop box like the first impression it is.
Software & license checklist
Every license below should be assigned to the new hire before Day 1, not after they ask for it. Build them into role templates so it’s one click, not ten emails.
Foundations (every new hire)
- Identity provider account (Entra ID, Okta, Google Workspace) with MFA enforced
- Productivity suite (Microsoft 365 or Google Workspace) - email, calendar, docs
- Team chat (Slack, Teams, or equivalent) with pre-set channel memberships
- Password manager (1Password, Bitwarden, Dashlane) with shared vaults assigned by role
- VPN client and credentials (if applicable)
- Video conferencing (Zoom, Google Meet, Teams)
- Ticketing / helpdesk (Jira Service Management, Zendesk, Linear, etc.)
- HRIS account for time-off, payroll, benefits
- Knowledge base / wiki (Notion, Confluence, Slab)
Role-specific licenses (assigned via template)
- Engineering: source control (GitHub, GitLab), IDE licenses, observability tools, cloud console access
- Sales: CRM (Salesforce, HubSpot), email outreach, dialer, sales intelligence
- Marketing: CMS, analytics, design tools, social management
- Finance: ERP, accounting software, expense management
- Customer support: helpdesk, knowledge base, screen recording
- Design: design system tool (Figma, Sketch), asset library
License hygiene matters here. Pre-allocation is also when you discover you’ve been paying for 47 seats of a tool that only 23 people use. Run a license reconciliation once a quarter against your asset register - see our guide on the IT asset inventory checklist for the audit process.
Role-based provisioning templates
The fastest pre-allocation is the one you don’t have to think about. Build a template per role, then provisioning becomes “select role → apply” instead of “let me ask the manager what they need.” Below are starting points - adapt to your stack.
Software Engineer
Hardware: 16” laptop (developer-spec RAM/storage), external monitor, mechanical keyboard, mouse, dock, security key.
Accounts & access: IdP + MFA, source control (GitHub/GitLab), CI/CD, cloud provider console (read-only by default), observability tools, IDE license, package registry credentials, on-call paging tool.
Permissions: Engineering team channel, repo access for assigned squad, read-only production access, write access to dev/staging.
Account Executive (Sales)
Hardware: 14” laptop, headset (high-quality mic), webcam, company phone or eSIM, dock, monitor.
Accounts & access: CRM, sales engagement platform, dialer, calendar scheduler, e-signature, sales intelligence (LinkedIn Sales Nav, ZoomInfo), commission tool.
Permissions: Sales team channel, territory-based CRM access, read access to product roadmap.
Customer Support
Hardware: Laptop, dual monitors, high-quality headset, webcam, ergonomic accessories.
Accounts & access: Helpdesk/ticketing, internal knowledge base, screen recording, customer database (with access scoped to support tier).
Permissions: Support team channel, escalation paths to engineering, customer chat tool.
Designer
Hardware: 16” laptop (graphics-spec), large external monitor, drawing tablet or stylus, color-calibrated display where relevant.
Accounts & access: Design system tool (Figma), asset library, prototyping tool, design review platform, brand guidelines.
Permissions: Design team channel, product team channels for assigned squads, edit access to design files.
Operations / People Ops
Hardware: Standard kit; if HR, include privacy screen for sensitive data handling.
Accounts & access: HRIS admin level, payroll, benefits admin, expense management, ATS, internal wiki edit rights.
Permissions: People ops channel, leadership channel access where applicable, scoped access to employee records.
Once these templates exist, onboarding a new sales hire becomes: HRIS sends the trigger, the template fires, hardware is allocated, accounts are created, group memberships are applied, the shipment leaves. Total IT time: 20-30 minutes of verification.
Remote & hybrid specifics
The base process works for everyone, but remote and hybrid hires need a few extra considerations.
Zero-touch deployment is non-negotiable
For remote hires, the laptop must arrive at their door and “just work.” That means using Apple Business Manager + your MDM (Jamf, Kandji, Mosyle), Windows Autopilot, or Android zero-touch enrollment so the device pre-configures itself on first power-on. The alternative - shipping an un-imaged laptop and walking the new hire through setup over Zoom - is a Day 1 disaster waiting to happen.
Ship to arrive 3 business days early
“3+ days early” is the rule, not “by start date.” Shipping delays happen. Customs delays happen. A laptop that arrives on Day 1 is a laptop that didn’t arrive at all from the employee’s perspective. Add a buffer.
Time zone handling
- Schedule the Day 1 welcome call in the new hire’s local working hours, not yours
- Have a backup IT contact in the new hire’s time zone if you span continents
- Pre-record a “what to do if something fails” video so the new hire isn’t stuck waiting 8 hours for an answer
International hires
- Extend the pre-boarding timeline to 10-14 business days for hardware to clear customs
- Use a local IT supplier or international IT-as-a-service partner for high-friction regions
- Pre-fill customs forms with accurate declared value
- Confirm power adapter compatibility (yes, this still trips people up)
- Consider local data residency requirements before assigning cloud regions
Hybrid (some office days, some home days)
- Issue both home and office peripheral sets, or budget a stipend for the second location
- Pre-book a desk for in-office days in Week 1
- Brief the new hire on hot-desking, office WiFi, and visitor access
- Confirm office security access (badge, building system) is ready Day 1
Onboarding pairs with offboarding
The asset register entry you create at onboarding is the same record you’ll close out at offboarding. If you do this right, the new-hire’s exit two years later is a five-minute reconciliation, not a panic. See our offboarding recovery playbook for the matching process.
Common pitfalls (and how to avoid them)
- HR notifying IT too late. The most common failure mode. Fix it with an automated HRIS trigger that creates an IT onboarding ticket the moment a signed offer is recorded - not the day before the start date.
- One-off access requests instead of role templates. Every “can you also add me to X?” ticket in Week 1 is a sign that the template is incomplete. Update the template each time, so the next hire in that role doesn’t ask.
- Shipping the laptop to arrive on Day 1. See above - 3+ days early is the rule. Late laptops are also the #1 cause of new hires logging in from a personal device, which is a security problem.
- No buddy assigned. IT can’t fix loneliness. Pair every new hire with a named onboarding partner from the team for the first 30 days - it’s the single highest-impact non-IT intervention.
- Skipping the Week 1 check-in. Without it, you discover gaps four weeks later via a frustrated manager. The 15-minute check-in is one of the cheapest IT investments you can make.
- Forgetting offboarding hooks at onboarding. Capture the signed equipment agreement and asset register entry on Day 1. You’ll thank yourself two years later.
- Sending credentials over insecure channels. Don’t email passwords. Use a one-time secret link, a password manager invitation, or a sealed handover. Forced MFA on first login closes the loop.
Tools that make pre-allocation automatic
The stack that makes 90% of this run without manual intervention:
- HRIS - the trigger. New offer signed → IT onboarding fires automatically (BambooHR, Rippling, HiBob, Workday, etc.).
- Identity provider - the access layer. Group-based provisioning means assigning a role template handles 80% of account creation (Entra ID, Okta, Google Workspace).
- MDM / device management - zero-touch deployment so laptops self-configure on first boot (Microsoft Intune, Jamf, Kandji, Mosyle, Workspace ONE).
- Asset tracking platform - the system that knows which laptop went to which person, when, with what serial. Without this, your onboarding template has nowhere to land. AMPthilly is built for exactly this - a single source of truth for the hardware side of onboarding, with check-in/check-out tracking and a full audit trail.
- Provisioning / IGA tool - for higher-scale teams, an identity governance tool to enforce role-based access (Lumos, Zluri, BetterCloud, SailPoint).
You don’t need all five from day one. But you do need a clean asset register that knows what hardware is allocated to whom - without it, “pre-allocation” is just hope.
Pre-allocation only works if your asset register actually works.
AMPthilly gives you a clean, mobile-friendly asset register that connects hardware to employees, captures check-in/check-out, and produces audit-ready records - so onboarding starts with a known inventory instead of a Slack search.
FAQ
What should be in an IT setup checklist for new employees?
Hardware provisioning (laptop, peripherals, security key), software license assignment (productivity suite, chat, password manager, VPN, role-specific tools), account creation across SSO and SaaS, MDM enrollment, security configuration (MFA, password manager), role-based access permissions, a Day 1 welcome session, and a Week 1 verification check-in. Everything except the welcome session and verification should be done before the new hire’s first day.
How early should IT onboarding start for a remote employee?
IT should be notified within 24 hours of offer acceptance via an automated HRIS trigger. Hardware ships 5-7 business days before the start date for domestic, 10-14 for international. Accounts and licenses are provisioned in the final 3 days. The laptop should arrive in the employee’s hands at least 3 business days before Day 1.
What is pre-allocation in IT onboarding?
Pre-allocation is the practice of assigning every piece of hardware, every software license, and every system permission to a new hire before their start date. The goal is Day 1 verification, not Day 1 setup - the new hire signs in once and everything works.
How do you provision hardware for new hires remotely?
Use zero-touch deployment: Apple Business Manager + your MDM, Windows Autopilot, or Android zero-touch enrollment. The laptop self-configures on first power-on, enrolling in your MDM and installing baseline apps and policies automatically. Ship to arrive 3+ business days early with a printed welcome card, setup instructions, and the IT contact.
How long should IT onboarding take?
If pre-allocation is done well, Day 1 IT onboarding is a 60-90 minute session, not a full day. Total active IT time across pre-boarding, Day 1, and Week 1 verification is 3-5 hours per hire. Most of that is in pre-boarding, before the new hire even logs in.
What’s the difference between IT onboarding and HR onboarding?
IT onboarding is the technology setup track - devices, accounts, access, security configuration. HR onboarding is the broader 30/60/90-day experience - culture, role expectations, team relationships, training. They run in parallel, but IT onboarding is concentrated in pre-boarding and Day 1, while HR onboarding spans the full first quarter.
How do you measure whether IT onboarding is working?
Three metrics: (1) Day 1 ticket count per hire - should approach zero. (2) Time-to-productivity - how long until the new hire is contributing at expected output. (3) New-hire onboarding NPS - a single survey question in Week 2: “how prepared did you feel on Day 1?” If pre-allocation is working, all three improve simultaneously.
The takeaway
The best IT onboarding doesn’t feel like IT onboarding. The new hire opens a box. The laptop turns on. They sign in once. Slack works. Email works. The VPN works. By the time the welcome call ends, they’re already in their first standup.
None of that is magic. It’s pre-allocation - pushing every setup task to the left of Day 1, building role-based templates that turn manual decisions into automatic ones, and keeping a clean asset register so the right laptop reaches the right person on the right day.
Companies that do this well don’t just save IT hours. They retain new hires at dramatically higher rates, reach productivity faster, and signal - on the most informative day of an employee’s career - that they’re competent and they care.
The investment is procedural, not financial. Most teams can ship a streamlined IT onboarding process in a quarter. The hardest part is admitting the current one isn’t working.
