NetNXT Logo

JumpCloud One-Click User Offboarding and Device Security Enforcement

December 19, 2025
4 min read
ByNetNXT

Overview

When an employee leaves, manual offboarding is risky. Forgetting to revoke a single access point (like a Slack session or a VPN key) can leave the organization vulnerable.

By using JumpCloud as your primary Identity Provider (IdP), you can perform a "One-Click Offboard." This guide explains how to suspend a user effectively and ensures that the suspension propagates to downstream applications (M365, Slack, Zoom) via Identity Management (SCIM) and SSO.

Step 1: The "Kill Switch" (Suspend in JumpCloud)

This is the primary action that triggers the deprovisioning flow.

  1. Log in to the JumpCloud Admin Portal.

  2. Navigate to User Management > Users.

  3. Select the user(s) to be offboarded.

  4. Click the "Suspend" button (not Delete).

    • Why Suspend? Suspending preserves the user's logs and data for audit purposes. "Delete" is destructive and irretrievable.

Immediate Effects:

  • Device Access: The user is immediately logged out of the JumpCloud User Portal. They can no longer unlock their managed Mac or Windows device (if online).

  • RADIUS/VPN: Wi-Fi and VPN authentication keys are immediately revoked.

  • LDAP: Any LDAP-bound services fail immediately.

Step 2: Revocation in SaaS Apps (Google, Slack, Zoom)

The effect on external apps depends on whether you have configured Identity Management (SCIM) or just SSO.

Scenario A: You have SCIM Configured (The Automated Path)

If Identity Management is active for these apps, JumpCloud sends an API signal immediately upon suspension.

  • Microsoft 365: The user is set to "Block Sign-in" in Azure AD/Entra ID. Their refresh tokens are revoked.

  • Slack: The user account is deactivated in Slack. They are booted from all channels.

  • Zoom: The user is set to "Inactive." They cannot host meetings.

Scenario B: You only have SSO Configured (The "Session" Risk)

If you only use SSO (SAML 2.0) without SCIM:

  • New Logins: Blocked immediately. The user cannot start a new session.

  • Existing Sessions: The user might remain logged in until their specific session token expires (which can be hours or days).

    • Action Required: You must manually log into M365/Slack admin panels and hit "Sign out of all sessions" to force immediate termination.

Step 3: Device Security (The Remote Wipe)

After access is cut, you must secure the physical asset.

  1. Go to Device Management > Devices.

  2. Click on the user's laptop (Mac or Windows).

  3. Option A: Lock Device (Soft Block)

    • Use the "Lock Device" command. This forces the user to the login screen. Since their account is suspended (Step 1), they cannot log back in.

  4. Option B: Erase Device (Hard Wipe)

    • If the device is not being returned immediately, click Erase Device.

    • Warning: This factory resets the machine. Ensure no local legal-hold data is needed before doing this.

Step 4: Transferring Data (Google/M365)

Before deleting the account permanently (usually after 30-90 days), ensure data is retained.

  • Google Workspace: Use the Google Admin "Transfer Data" tool to move Drive/Calendar data to a manager.

  • M365: Convert the mailbox to a "Shared Mailbox" (free) and give the manager delegation rights.

Troubleshooting Common Issues

  • User Still Logged into Email on Phone:

    • Mobile devices often use "App Passwords" or cached tokens. If SCIM is not set up, you must initiate a "Revoke Sessions" command in the Google/Microsoft Admin panel explicitly.

  • Mac FileVault Lockout:

    • If you suspend the user, they can't log in. If you need to access their files later, you must use the FileVault Recovery Key stored in the JumpCloud Device Details page.

FAQ

1) How does JumpCloud one-click offboarding work?

JumpCloud Suspend acts as the kill switch. It blocks new logins, revokes VPN RADIUS tokens, breaks LDAP LDAP-bound services, and triggers SCIM API signals to deactivate users in SaaS apps like M365, Slack, and Zoom.

2) Should I Suspend or Delete a user in JumpCloud during offboarding?

Suspend, not Delete. Suspend preserves logs and audit trails, prevents device Wi-Fi VPN authentication, and avoids destructive data loss. Delete is permanent and irrecoverable.

3) Can suspended users remain logged into apps if SCIM is not enabled?

Yes. SSO blocks new sessions instantly, but existing tokens may persist until expiry. You must force sign-out from M365 Google admin panels manually if SCIM is not configured.

4) Can JumpCloud remotely wipe or lock an offboarded user’s device?

Yes. Lock Device forces the login screen where suspended accounts fail. Erase Device performs a factory reset wipe. Both require the device to be Active and online for execution.

Was this article helpful?