Should an employee lose a phone or work computer, sensitive workplace information must be wiped clean from the vulnerable device. Follow the steps below to log the employee out of sensitive workspaces and change their passwords so that no one can access workplace data. This workflow can also be used as is, or modified, as an offboarding workflow.
Create a workflow using a trigger such as Slack Slash Commands or Discord Slash Commands that will trigger upon a slash command such as /lostdevice or /missingdevice.
Optionally, alert the Slack, Discord, or Microsoft IT channel, the CISO, or the IT manager that the workflow has been initiated using the appropriate vendor's Send Message step.
Use a Get Employee step with the triggering employee email, according to whichever HR system your organization uses:
Hibob
BambooHR
Or use a custom HTTP step and the API of your organization's HR system.
Ask the employee what device was lost: a mobile phone or a computer.
Gather all JumpCloud user details to match them most efficiently to the appropriate email and device. The following group of steps can be turned into a nested workflow to enable maximum efficiency:
Variable > Set Variable
Name: Data
Data type: Number
Value number: 0
Operator > Loop
Type: Range
Start: 1
End: 100
JumpCloud > List Users
Offset: {{ $.set_variable.data}}
Operator > If
{{ $.list_users.api_object.results }} = Not Empty
False: Operator > Break loop
True: Continue
Operator > Collect
Input: {{ $.list_users.api_object.results }}
Math utils > Solve Equation
Input: {{ $.set_variable.data }}+100
Variable > Set Variable
Name: Data
Data type: Number
Value number: {{ $.solve_equation.result }}
Outside of the loop, place an Operator > Exit step
Workflow Output: {{$.collect_1.result}}
Parallel loop through {{ $.list_all_jumpcloud_users.output }}
Inside the loop, put two If operators.
In the first If, collect the {{ $.loop_value }} if {{ $.loop_value.displayname }} equals the {{ $.get_full_details_of_employee.api_object.displayName }}
In the second If, collect the {{ $.loop_value }} if {{ $.loop_value.displayname }} equals the {{ $.get_full_details_of_employee.api_object.work.manager }}
Optionally, use Slack, Teams, Discord, Zoom, or whatever chat message service you want to send messages to the employee's manager, the company CISO, and the IT manager to notify them of the lost device.
Using a Switch operator, create two scenarios: one for a lost mobile device and one for a lost company laptop. Add whichever other Switch branches apply to your company.
If a lost mobile device:
Optionally send messages through your communication channel to the CISO & head of IT.
Reply to the user who reported the lost device with a message such as:
*It is recommended that you take the following actions:*
-- Contact your cellular company to block your SIM.
-- Reset your passwords for your cloud services: email, PayPal, bank account, and any social network you use.
-- Cancel any credit card assigned to your mobile device's wallet.
If the mobile device is a company phone, or the employee was logged into company resources on their personal phone, follow step 10.
If a lost company laptop:
Use the JumpCloud step List systems associated with user to find all the employee's devices.
Optionally, send the list of devices to your CISO and IT manager.
For both lost items, add the following steps to log out users and change the passwords:
Google Workspace: Generate a bearer token, to create a token for use in the Google Suite steps.
Google Workspace: Get user details to get the details of the user who triggered the workflow.
Using an HTTP step, force the user to sign out of Google accounts with this POST request:
https://admin.googleapis.com/admin/directory/v1/users/{{$.get_user_details.api_object.id }}/signOut
Cryptographic Utils: Generate random password with a suggested length of 14.
Using an HTTP step, reset the JumpCloud user password with this PUT request:
https://console.jumpcloud.com/api/systemusers/{{$.employee.result.0._id }}
Use an If operator to check whether the password reset failed.
For failure, add a message step to the IT manager.
If the password reset works, send a message to the employee's alternative email with the new password information and instruct them to reset the password once logged in.
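The sign-out and password-reset sequence above, sketched outside the workflow builder as an added example (not part of the original workflow or any vendor's code). It assumes the JumpCloud request authenticates with an x-api-key header and carries the new value in a JSON "password" field, and that the password must contain all four character classes; the function names and the shape of the returned dictionary are hypothetical.

```python
import json
import secrets
import string
import urllib.error
import urllib.request

GOOGLE_SIGNOUT = "https://admin.googleapis.com/admin/directory/v1/users/{id}/signOut"
JUMPCLOUD_USER = "https://console.jumpcloud.com/api/systemusers/{id}"
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def generate_password(length=14):
    """CSPRNG password; 14 is the page's suggested length. Retries until
    every character class is present (assumed password policy)."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw)):
            return pw


def send(method, url, headers, body=None):
    """Default transport: returns the HTTP status code, 0 on network failure."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except OSError:
        return 0


def contain_account(google_id, jumpcloud_id, google_token, jumpcloud_key, transport=send):
    """Sign the user out of Google first, then rotate the JumpCloud password."""
    signout = transport("POST", GOOGLE_SIGNOUT.format(id=google_id),
                        {"Authorization": f"Bearer {google_token}"})
    password = generate_password()
    reset = transport("PUT", JUMPCLOUD_USER.format(id=jumpcloud_id),
                      {"x-api-key": jumpcloud_key, "Content-Type": "application/json"},
                      {"password": password})  # body field name is an assumption
    ok = 200 <= reset < 300
    return {
        "signed_out": 200 <= signout < 300,
        "password_reset": ok,
        "new_password": password if ok else None,
        "notify": "employee_alternative_email" if ok else "it_manager",
    }
```

The new password is returned only when the reset succeeded, so a failed reset can never cause an unapplied password to be mailed to the employee.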