The Perfect Employee Onboarding Process

The Perfect Employee Onboarding Process: Getting New Hires Productive From Day One

Picture this.

It is Monday morning. Your new software engineer starts today. She is talented, expensive to hire and genuinely excited about the role. Her manager has been talking her up for weeks. She is remote, based in Porto, joining a London team, so everything depends on the laptop arriving on time.

It does not.

Nobody tracked the shipment. The courier’s system had flagged it as held at a customs facility on Friday afternoon, caught in post-Brexit cross-border delays between the UK and Portugal, but no one noticed. The laptop sat in a warehouse all weekend while the new hire waited at home in Porto, refreshing her email for joining instructions that assumed a device she did not have.

She sends a message to HR on Monday morning. An apologetic reply comes back two hours later. Apparently this happens sometimes. Someone will sort it out.

The laptop arrives Tuesday.

By now she has spent a full working day doing nothing. She has already messaged two friends who work in tech to tell them about her first day. The story is not flattering.

When the laptop arrives, nothing is ready

When the laptop finally arrives, the IT setup begins. Except nothing is ready. The device has not been enrolled in the company MDM. There is no single sign-on configured. Nobody provisioned her Okta account before she started. Without Okta, none of the automated provisioning ran. No Google Workspace account was created, no app assignments were pushed, no group memberships were configured.

Slack is connected to Okta SSO. Without her Okta account being active and her Slack app assignment configured, she cannot log in. The manager tries to invite her directly but the company has enforced SSO-only login, so the invitation fails silently. Nobody knows why.

By Wednesday lunchtime, her third day, she has email and Slack. GitHub access comes Thursday. She still cannot access the project management tool her team uses because it requires an Okta group assignment that nobody has set up yet.

She does not quit that week. But something has shifted. The excitement she felt when she signed the offer letter has been replaced by a quiet, nagging doubt. Is this what working here is actually like?

70% of employees decide whether a job is the right fit within the first month. 29% know within the first week. That means you have roughly 44 days, and arguably just a few hours, to show a new hire that joining your company was the right decision.

The story above is not unusual. It is, in most businesses, completely normal. And every single part of it was avoidable.

The real cost of a broken onboarding process

Onboarding failure is not just uncomfortable. It is expensive.

A failed hire in the first year costs approximately £12,000 when you factor in recruiting, onboarding, training, lost productivity and re-hiring costs. For specialist or technical roles, this can exceed £40,000.

One in three new hires leave within 90 days. Only 12% of employees say their company does onboarding well.

And yet the fix is not complicated. It does not require a new HR platform, a rebrand of your company culture or an onboarding retreat in the Cotswolds. Most of the problem comes down to a single failure point: the device and access setup that should happen before day one but almost always does not.

This post is about fixing that, and what the perfect employee onboarding process actually looks like when IT, HR and management are all working from the same plan.

Why IT is the make-or-break moment

Ask any new hire what went wrong in their first week and the answer is almost always the same. IT delays are a prevalent issue. New hires are left without laptops, software access, email accounts and security credentials, sometimes for days or even weeks, leading to frustration and a negative first impression.

This is not a people problem. It is a process problem. Specifically, it is a provisioning problem.

In most businesses, a new hire’s device and access setup is triggered manually. Someone in IT or HR sends an email, someone else orders the laptop, someone else creates the Okta account, someone else raises a ticket to configure Google Workspace and assign the right groups. Every step requires a human to remember to do something, which makes every step a dependency, and every dependency a potential point of failure.

The result is what almost everyone experiences: a new hire sitting at a desk, watching IT scramble, while their first impressions of the company form in real time.

More than half of employees, 52%, reported that administrative tasks dominated their onboarding experience. Instead of learning the job and connecting with colleagues, they spent their first days buried in paperwork and waiting for systems access.

The businesses that get onboarding right have removed the manual steps entirely. Here is how they do it.

The perfect employee onboarding process: hour by hour

This is not a hypothetical. This is what onboarding looks like when it is done well.

Before day one

The new hire’s details are entered into HR. That single action triggers everything else automatically.

An identity is provisioned in Okta. Group memberships are assigned based on role. Every app the employee needs, Slack, GitHub, your project management platform, your expense tool, is pushed to their Okta dashboard automatically. Google Workspace is provisioned with the right organisational unit, the right shared drives and the right group memberships. Her email account is live, her calendar is set up and her access is ready before she has opened a browser.

Their device is already configured and ready to ship directly to them. For Mac devices, this happens through Apple Business Manager and an MDM platform like Jamf Pro/FleetDM or Iru. The device ships directly from Apple or an authorised reseller to the employee’s address in Porto, or wherever in the world they are based. It arrives enrolled, supervised, encrypted and compliant with your security policies. For Windows devices, the equivalent is Microsoft Autopilot, with devices enrolled in Azure Active Directory and configured automatically via Intune on first boot.

The employee opens the box. They power on the device. They log in with their Google Workspace credentials through Okta single sign-on. Everything is there. Every app, every permission, every policy applied silently in the background before they even started.

This is zero touch deployment. And it works for both Mac and Windows.

8:55am on day one

The new hire logs on from Porto. The device is ready. Her Okta dashboard shows every application she needs, accessible with a single login, and Google Workspace is fully configured with her name, her team’s shared drives and her calendar already populated with her first week’s meetings.

She receives a welcome message from her manager on Slack. It was pre-scheduled to arrive at exactly this moment.

This is what the first hour should feel like. Human connection, not a ticket queue.

9:30am

She opens Google Workspace for the first time. The shared drives are there. The team’s project documentation is accessible. Her calendar is populated with her first week’s meetings, already accepted on her behalf. She has context before anyone has briefed her on anything.

She opens Slack. Her Okta account has pushed her app assignments automatically overnight. She is already in the right channels. A few teammates have dropped a welcome message. She replies.

It has been thirty minutes and she already feels like she works here.

10:00am

The new hire joins her first team standup. She has access to everything she needs, can contribute from minute one, looks competent and feels confident. More importantly, she feels like she made the right decision.

That feeling is worth more than any welcome pack or culture deck.

The identity layer: Okta and Google Workspace working together

The invisible infrastructure behind a smooth onboarding process is the identity layer. This is where most businesses have a gap, and where the most powerful fixes live.

Modern businesses run on cloud services. The average business uses dozens of SaaS applications. Without a centralised identity layer, each of those applications has its own login, its own credentials, its own access control. A new hire needs to be manually added to each one. An employee who leaves needs to be manually removed from each one. Both processes fail regularly.

Okta is the most widely adopted identity platform for businesses running a mix of cloud applications across Mac and Windows. It provides single sign-on across every application, centralised MFA enforcement, and automated provisioning and deprovisioning based on HR system triggers. A new hire starts and Okta provisions their access. An employee leaves and Okta revokes it. There are no manual steps, no orphaned accounts and no ex-employees still able to log into your systems three months after they left.

The integration between Okta and Google Workspace is particularly powerful. Okta acts as the identity provider. Google Workspace acts as the productivity layer. When a new hire is created in Okta, their Google account is provisioned automatically, their group memberships are assigned, their shared drives are accessible and their Google Meet and Google Calendar are live. When they leave, deprovisioning in Okta triggers deprovisioning in Google Workspace simultaneously.
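The orphaned-account risk described above can be checked by reconciling three lists: who HR says is employed, which identities are active in the identity provider, and who holds an account in each application. The following is an added example, not code from this post or from any vendor; the records, field names and status strings are constructed sample data standing in for real exports.

```python
# Added example: reconcile HR, identity-provider and application user lists.
# All records are constructed; field names and status values are assumptions.
from datetime import date

# HR roster: email -> last working day (None = still employed).
HR_ROSTER = {
    "ana@example.com": None,
    "ben@example.com": date(2024, 3, 29),
    "cat@example.com": None,
}

# Identity-provider export. cat has no identity here at all.
IDP_ACCOUNTS = [
    {"login": "Ana@Example.com", "status": "ACTIVE"},
    {"login": "ben@example.com", "status": "ACTIVE"},  # leaver, never revoked
]

# Per-application user exports.
APP_ACCOUNTS = {
    "chat": ["ana@example.com", "ben@example.com"],
    "source-control": ["ana@example.com", "cat@example.com", "dev-temp@example.com"],
}


def norm(email):
    """Exports disagree on case and whitespace; compare on a normal form."""
    return email.strip().lower()


def find_orphans(hr, idp, apps, today):
    """Return sorted (kind, system, email) findings as of `today`."""
    employed = {norm(e) for e, left in hr.items() if left is None or left > today}
    active_idp = {norm(a["login"]) for a in idp if a["status"] == "ACTIVE"}
    findings = [("idp-active-not-employed", "idp", e) for e in active_idp - employed]
    for app, users in apps.items():
        for email in {norm(u) for u in users}:
            if email not in employed:
                # Leaver or unknown person still holding an app account.
                findings.append(("app-account-not-employed", app, email))
            elif email not in active_idp:
                # Employee whose app account was created outside the IdP.
                findings.append(("app-account-without-idp", app, email))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_orphans(HR_ROSTER, IDP_ACCOUNTS, APP_ACCOUNTS, date(2024, 6, 28)):
        print(finding)
```

An `app-account-without-idp` finding is the same failure as the manual Slack invitation in the opening story: access granted outside the identity layer, which automated deprovisioning will never reach.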

For businesses running both Mac and Windows, Okta handles the identity layer across both platforms consistently. A MacBook user and a Windows laptop user authenticate through the same Okta dashboard, access the same Google Workspace environment and use the same MFA policy. The device type is irrelevant to the experience.

Mac and Windows: the same experience for everyone

One of the most common objections to automating the onboarding process is that running Mac and Windows makes it too complicated.

It does not. Modern identity platforms like Okta manage users across both platforms from a single console. The device type is irrelevant to the identity layer.

On the Mac side, Apple Business Manager handles device enrolment and zero touch deployment through your MDM platform. A Mac purchased through Apple or an authorised reseller can be shipped directly to a new hire in Porto, or anywhere in the world, and on first boot it automatically contacts Apple’s servers, receives its MDM assignment, and applies your organisation’s security profiles, apps and policies. The employee does not need IT to touch the device at any point.

On the Windows side, Microsoft Autopilot does the equivalent. Devices are pre-registered in Azure Active Directory and configured automatically on first login with Okta credentials. Combined with Intune for ongoing policy enforcement, a Windows device can be provisioned with the same zero touch approach as a Mac.

Both platforms, one process. The new hire in Porto gets exactly the same experience as a new hire starting in the London office.

The compliance dimension – why onboarding is a security event

Every new employee is a potential security gap. Not because of anything they have done, but because of what has not been set up correctly.

An account without MFA. A device without full disk encryption. An app installed outside your approved software catalogue. A personal iPhone connecting to corporate email without an MDM profile. Any of these represents a failure in your Cyber Essentials posture, and each of them is most likely to occur in the first week of employment, when setup is rushed and checks are missed.

The businesses that treat onboarding as a security event, not just an HR event, are the ones that maintain a consistent compliance posture as they grow.

When onboarding is automated through Apple MDM, Okta and Apple Business Manager, the security configuration is not something IT does later. It is applied at the point of enrolment. FileVault encryption enabled. Screen lock enforced. Software update policies active. MFA required through Okta. All of it part of the zero touch deployment workflow, not an afterthought.

For businesses working toward Cyber Essentials/ISO certification or maintaining it between annual assessments, this matters enormously. Every new hire who joins with a properly configured device and a correctly provisioned Okta identity is one fewer gap in your next assessment.
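Treating onboarding as a security event means the gaps listed above are checked before the start date rather than discovered in an assessment. The following is an added example, not code from this post or from any MDM or identity product: it evaluates constructed new-hire records, with hypothetical field names, against the controls this section names and fails closed when a field is missing.

```python
# Added example: constructed records and hypothetical field names, not the
# schema of any MDM or identity product.
APPROVED_APPS = {"Slack", "Google Chrome", "Zoom"}

# Controls applied at enrolment: record field -> finding text when missing.
DEVICE_CONTROLS = {
    "mdm_enrolled": "not enrolled in MDM",
    "disk_encrypted": "full disk encryption off",
    "screen_lock": "screen lock not enforced",
    "auto_update": "software update policy inactive",
}

HIRES = [  # constructed sample data
    {"name": "hire-a", "mfa_enrolled": True, "devices": [
        {"name": "macbook-01", "personal": False, "mdm_enrolled": True,
         "disk_encrypted": True, "screen_lock": True, "auto_update": True,
         "apps": ["Slack", "Google Chrome"]}]},
    {"name": "hire-b", "devices": [  # no MFA field at all: treated as a gap
        {"name": "laptop-02", "personal": False, "mdm_enrolled": True,
         "disk_encrypted": False, "screen_lock": True, "auto_update": True,
         "apps": ["Slack", "UnlistedApp"]},
        {"name": "iphone-02", "personal": True, "corporate_mail": True,
         "mdm_enrolled": False}]},
]


def posture_gaps(hire):
    """Return the list of gaps for one hire; missing fields fail closed."""
    gaps = []
    if not hire.get("mfa_enrolled", False):
        gaps.append("account without MFA")
    for dev in hire.get("devices", []):
        name = dev["name"]
        if dev.get("personal", False):
            # Personal devices are only in scope if they touch corporate mail.
            if dev.get("corporate_mail") and not dev.get("mdm_enrolled"):
                gaps.append(f"{name}: corporate mail without MDM profile")
            continue
        for field, text in DEVICE_CONTROLS.items():
            if not dev.get(field, False):
                gaps.append(f"{name}: {text}")
        for app in sorted(set(dev.get("apps", [])) - APPROVED_APPS):
            gaps.append(f"{name}: unapproved app {app}")
    return gaps


def start_gate(hires):
    """Map each hire to its gap list; an empty list means ready to start."""
    return {h["name"]: posture_gaps(h) for h in hires}


if __name__ == "__main__":
    for name, gaps in start_gate(HIRES).items():
        print(name, "READY" if not gaps else f"BLOCKED: {gaps}")
```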

Remote onboarding – the same process, wherever they are

Remote new hires are nearly 50% more likely to say culture was demonstrated poorly or not at all during onboarding, and almost twice as likely to say the onboarding software or tools they used were not helpful.

The technical side of remote onboarding is actually the easiest part to solve. Zero touch deployment means the device ships to the employee’s address anywhere in the world, pre-configured and ready. Okta means their access is live before they log on for the first time. Google Workspace means their productivity tools work identically in Porto as they would in the London office.

The customs delay that opened this post is not an IT problem, strictly speaking. But it is a process problem that IT can solve. When devices are ordered through Apple Business Manager and assigned to the employee’s MDM server before they ship, the device is ready the moment it clears customs. There is no separate setup step. There is no waiting for IT. The employee powers it on, logs in through Okta and they are working.

What makes remote onboarding feel disconnected is not the technology. It is the absence of the human moments that happen naturally in an office. The fix for that is not an IT problem. But the IT setup is the foundation everything else sits on. If a remote new hire in Porto spends their first three days waiting for a laptop and then waiting for access, the human connection problem becomes impossible to solve. If they open their laptop on day one and everything works, you have the full first day to focus on the people side, which is where onboarding wins or loses.

The employee onboarding checklist – what good looks like

A well-structured employee onboarding process covers three phases.

Pre-boarding – before they start

  • Okta identity created and group memberships assigned
  • Google Workspace provisioned with correct organisational unit, shared drives and groups
  • Device ordered through Apple or an authorised reseller and added to Apple Business Manager, assigned to MDM before shipping
  • MFA policy applied to Okta account on creation
  • Welcome email sent with first day logistics and Okta login instructions
  • Manager briefed and first week meetings scheduled in Google Calendar
  • IT onboarding checklist confirmed complete before start date

Day one

  • Device arrives ready, no IT setup required
  • Okta single sign-on works on first login
  • Google Workspace fully accessible including shared drives and Gmail
  • MFA enrolled in first two minutes
  • New hire introduced to team on Slack and Google Meet
  • First one-to-one with manager
  • Role expectations set clearly

First 30 to 90 days

  • MDM policies actively managed and monitored
  • Okta access reviewed and adjusted as role evolves
  • Any departing team members fully offboarded with Okta and Google Workspace access revoked simultaneously
  • Compliance posture maintained as headcount grows
  • Ongoing end-user support available via Slack

The cost of getting this wrong

Companies that invest in strong onboarding report a 70% boost in new hire productivity. Effective onboarding can reduce time to full productivity by 50% or more. New hires with structured onboarding reach competence in four to six months instead of eight to twelve.

Conversely, a poor onboarding process compounds at scale. New hires who lose confidence in their first week are harder to re-engage. Orphaned Okta accounts from failed offboarding are a security risk. Manually provisioned devices not correctly enrolled in MDM are gaps in your Cyber Essentials posture.

The businesses that automate the onboarding process through MDM, Okta, Google Workspace and zero touch deployment do not just have happier new hires. They have cleaner security, lower IT overhead and a compliance posture that holds as they grow.

Automating the onboarding process can produce up to a 65% increase in new hire productivity, a 50% improvement in employee satisfaction scores and a 77% decrease in turnover within the first three months.

That is not a marginal gain. That is a structural advantage.

How nDuo makes this happen

The story that opened this post does not have to be your story.

We work with UK businesses running Mac, Windows and mixed fleets to design and implement onboarding processes that work from the moment the offer letter is signed. That means Apple MDM implementation through Jamf Pro or Iru, Apple Business Manager enrolment for zero touch Mac deployment, Okta integration for identity and access management, Google Workspace configuration for productivity and collaboration, Cyber Essentials compliance built into device policy from day one, and managed IT support for your team once they are up and running.

New hires who open a laptop in Porto and everything works are not just happier. They are more productive, more likely to stay and more likely to tell others that your business is a great place to work.

That is the return on getting onboarding right.

Book a free consultation to talk through your onboarding setup and find out what it would take to get every new hire productive from minute one.