Staff Processes

• New Hire - Onboarding
• Change in Staff Member Role
• Exit Staff - Entire Process
• Account Creation Automation - Flow Pseudo Code
• Receiving New Hire Info From Hiring Manager

New Hire - Onboarding

These steps of adding new hires to our IT resources are recorded and also outlined on the GraceLink proccess page here: People | Grace Church (ccbchurch.com) (Weblinks don't work on GraceLink descriptions currently). Notes can also be added on there as well.

This book helps document the way IT gets new hires setup technology wise, and aims to streamline this process as efficiently and accurately as possible. It is important to keep this book up to date as much as possible since it ties in several sub processes. It gives a list of each sub process of the Hire process and gives links to the pages that describe each sub process more in detail. Each link opens a new tab that you can close once you are done with a sub process.

Prerequisites 

This information we require from HR and the Hiring Manager before doing the Applicant Process: 

• Information from HR: 
• Information from Hiring Manager:

Right now, This information can be gathered from a form that HR can fill out here: https://forms.office.com/Pages/DesignPage.aspx?fragment=FormId%3DtmkE-IFaT0am8UrY5KxEih_2uv0Um4BOp9YIP8-5CSFUNVk5RjQ5RjZYN0VKTkZZMlRKN1pWOVM4OC4u

Application Process

These candidates are in the midst of the hiring process. There may be a tentative hire date while they are going through the process.

• Enter potential/certain hire date in the notes.
• Once their hiring is certain and a date is set, mark them as Done. This will move them to both the Hired and Orientation Queues.
• IT, GraceLink (GL), and Campus Office will also be alerted.

Applicant

This person is in the application process and will likely be hired.

• Determine if we have a laptop available that meets the requirements
• URL to Laptop Guidelines
  https://kb.gracechurches.org/books/it-policies-and-guidelines/page/laptop-licensing-and-support-guidelines
• If laptop is available, add model and serial number to the notes
  
  • if not then add plan for acquiring a laptop to notes

Create Microsoft Account

We used to create local AD accounts for everyone, but now we are just creating online Azure AD accounts for new hires.

• Create Microsoft account in AD
  • Fields to fill in
• Create account in cloud AD
• License them based on their role
• Add them to distribution groups
• Following this guide, Procedure to Update Li... | Grace Church KB (gracechurches.org);
  • Update User Info in User List: Grace IT - Chargeback - All Documents (sharepoint.com)
  • This will automatically create a SSO account for them in Uniflow: uniFLOW Online, and if they are in the correct Campus group they will have direct access to the corresponding campus printer(s) automatically. 
• Add User to proper Licensing Group:
  • Licenses - User Email Only: Use for Part Time staff who won't be using computers, but just need Outlook on their personal device. 
  • Licenses - User Standard: Assign other staff to this. 

For more information on how to manually create a Microsoft Account on the Office365 admin page click here.

This sub process is going to be automated some by this Microsoft Flow. This flow also adds the some of the non-automated steps as 'tasks' in the Grace IT Group Planner.

Image Laptop

We are currently looking into Microsoft AutoPilot to help us streamline this step more. It is definitely not required, but it helps in accessibility since theoretically all that a staff member needs to do, who is enrolled in AutoPilot, is grab their "new" computer (either from Grace IT or Best Buy, etc), and just sign into their 365 account. And then their profile/stuff is automatically setup/pulled down.

Prepare laptop for use by staff member

Follow this checklist: 
https://forms.office.com/Pages/ResponsePage.aspx?id=tmkE-IFaT0am8UrY5KxEikQWbS9FJylApu8VjjPKnb5UQVhaVTBKMllOVzNGTjA1VExZNUhOWFc5VSQlQCN0PWcu

• If imaging Windows Laptop
  • Follow this prepare Win Laptop article
• If imaging Macbook
  • If New
    • Follow this article.
  • Else If Used:
    • Follow this article.

Create Phone Account

Create phone account if required

• Create a Telzio phone account for the new staff member
• Follow these instructions Create Telzio Account | Grace Church KB (gracechurches.org)

Deploy Laptop

Give the laptop to the staff member

Again, we are looking to use AutoPilot to automate some of this.

• Give them the laptop
• Get them logged in the first time.
• Change password
• Setup MFA (Our Policy Outlined here)

Orientation

• New hire orientation is scheduled (Link to Orientation packets given to new hire here)
• Sign equipment release form (Link Here)
  • HR will have them sign equipment release form 
  • Information we give them for Equipment Release form:
    • Laptop
    • Model
    • SN
•  

Change in Staff Member Role

Change Staff Member

• HR to add staff member to this queue when there is a change required such as name, title, funding, campus, etc.
• Make requested changes
• Update User Info in License Charges Distribution Sheet: Grace IT - Chargeback - All Documents (sharepoint.com)

Exit Staff - Entire Process

These steps of exiting staff  are recorded and also outlined on the GraceLink proccess page here: People | Grace Church (ccbchurch.com) (Weblinks don't work on GraceLink descriptions currently). Notes can also be added on there as well.

This book helps document the way IT cleans up the tech for exiting staff, and aims to streamline this process as efficiently and accurately as possible. It is important to keep this book up to date as much as possible since it ties in several sub processes. It gives a list of each sub process of the Exit Staff process and gives links to the pages that describe each sub process more in detail. Each link opens a new tab that you can close once you are done with a sub process.

Exit Staff Member

When a person is marked as "Done", they will be automatically placed into HR's Offboarding "IT Complete" Queue to let them know that IT has finished the off boarding process for this employee.

• Lock account (https://admin.microsoft.com/Adminportal/Home?#/users)
• Append " - Archived" to User's Display Name in Admin Portal. Remove Office string to remove them from Dynamic Endpoint Groups.
• Convert mailbox to shared. (Active groups - Exchange admin center (microsoft.com) )
  • If requested, give Mailbox access to manager (Give Access to Employe... | Grace Church KB (gracechurches.org))
  • If requested, give Manager access to OneDrive files (Give Access to Employe... | Grace Church KB (gracechurches.org))
• Remove licenses
• Remove them from groups
• Delete phone account: Users - Telzio
• Remove access to Adobe (if licensed) (https://adminconsole.adobe.com/)
• Collect laptop, Clean and update Lease Spreadsheet if applicable (Leased Equipment.xlsx (sharepoint.com)).
• What to do with Equipment release form? (Policies)
• Update entry in Lansweeper ( Main page - Lansweeper (graceohio.org) )
• Update User Info in the License Charges Distribution Excel Sheet ( Grace IT - Chargeback - All Documents (sharepoint.com))
  • Refer to Procedure to Update Li... | Grace Church KB (gracechurches.org) for importing Microsoft reported / Adobe reported licensing info.
• Remove from Wordpress Sites
• Remove from Uniflow Online User list. (https://kb.gracechurches.org/books/user-management/page/manage-uniflow-online-users#bkmrk-manage-offboarded-st)
• Remove access Wordpress.
• Remove access to Ubiquiti UniFi Protect / Network Dashboards.
• Remove access from Canva
• Push to Archive Exited Staff Member Queue

Archive Exited Staff Member

• Archive user's OneDrive files (using User Archive account user_archive@graceohio.org)
  • Follow ( Give Access to Employe... | Grace Church KB (gracechurches.org) ) to give the User Archive Account access to the Exited Staff account. 
  • Login to User_Archive@graceohio.org (credentials in Keepass) and Open up Onedrive.
    • Just dump contents of Exited Staff User's OneDrive into a new folder, named after the User, in the User Archive OneDrive. ( My files - OneDrive (sharepoint.com) )
    • Upload offline Laptop files if necessary as well.
  • Autopilot-Reset / Wipe the laptop afterwards
    
• Push to Cleanup Queue

Cleanup Exited Staff Member

• After 60 days being in the Cleanup queue:
  
• Archive Mailbox (upon request from Manager)
• Delete Microsoft Account ( https://admin.microsoft.com/Adminportal/Home?#/users )
  • 99% we always do this. There are and may be a few exceptions where certain emails will be potentially be called upon (i.e. Kevin Root) which we want to hang on to for longer. 
• Etc.
• Update User Info in the License Charges Distribution Excel Sheet: Grace IT - Chargeback - All Documents (sharepoint.com)
  

Account Creation Automation - Flow Pseudo Code

• Receive and collect request for new Hire. Collect information ofNew Hire (Expected information here) from submitted Microsoft Form
• Load SharePoint List of New Hire's requested through Flow
• Initialize Necessary Variables and Flags
• List members on Grace IT team
  • Then put each member into an Array variable. Join the list with a semicolon separator.
    • This is used so that we can automate emails to the Grace IT Team
• Track the steps status of the New Hire account through the Grace IT Teams New/Exited Users Bucket. 
  • Tasks are created for each New Hire submitted, and are updated and assigned accordingly. Check and reuse any existing tasks generated by previous flow runs that resulted in rejection or other reasons.
• Create an approval and notify IT Team
  • One member can respond on behalf of team. They can review the provided information of the New Hire and then either accept or reject the request to create a new account accordingly. A reason may optionally be included as part of the response.
• Generate a password incase the account will be created. This generation follows the password rules that the Microsoft Admin center uses. 
• If the IT Rep approves the New Hire Information
  • Flow will create the account in Azure with the provided information. It will validate that the account was able to successfully be created and handles error detection with this.
    • If an error happens during Account validation, an email notification will be sent to the IT representative and the requestor. The flow will continue otherwise.
  • The account will be added to any necessary groups from a Group rules perspective (i.e. campus site groups), and then manually by Flow if necessary (i.e. printer groups).
  • The New Hire account information will be logged in the New Hire SharePoint list. 
  • Upon successful account creation, Flow will send a success email to the approver and Responder. 

Flow Success Email

To: [Responder's Email]; [Approver Email]

Subject:  365 Account created

Approver: [Approver Name]

Request for [New Hire First Name] [New Hire Last Name]'s account creation was approved! The user's password is: [Generated Password]

Requestors Email: [Responder's Email]

Account was successfully created!

This message was sent automatically using Microsoft Power Automate.

• • • Bonus: Update Grace IT Planner Task for respective New hire where Account Creation is checked off.
  • If the request is rejected by an IT representative, send a email regarding the rejection and include the rejection reason given by the rep if applicable.

To: [Responder's Email]

Subject: 365 Account Creation Request rejected

Grace Church IT Representative: [Approver name]

Request [ID of response from Form (List of responses)] for [First Name] [Last Name]'s account creation was denied. Reason: [Responses Comments]

This message was sent automatically using Microsoft Power Automate.

• • • After sending the rejection notification, update the SharePoint list accordingly with the information of the newhire, stating that the account creation was rejected and the reason for it.

Receiving New Hire Info From Hiring Manager

1. Need a laptop (Windows, Mac, None)
2. Need a phone extension?
3. Need a desk phone?
4. Need an Adobe CC License?
5. Need a Docking Station?
6. Need a monitor?
7. Are there any Distribution Groups you need them to have access to? 
8. Are there any (SharePoint) Sites you need them to have access to?
9. Are there any other miscellaneous systems that you need them to have access to?