Process Documentation and Links
- HR Processes
- Administration Processes
- Staff Processes
- New Hire - Onboarding
- Change in Staff Member Role
- Exit Staff - Entire Process
- Account Creation Automation - Flow Pseudo Code
- Receiving New Hire Info From Hiring Manager
- Sabbatical
- Wipe and Return Lease Laptop
- Traveling Internationally
- Volunteers
HR Processes
Staff Member Onboarding
Receiving new hire info from HR
- Is the New Hire a volunteer, intern, or staff member?
- First Name
- Last Name
- Job Title
- Expected First Day
- Expected Orientation Date
- Department
- Is the new hire working for "All Campuses (30in30)"? Not just one Campus?
- Office Campus (Main Location)
- Desk Location
- Manager
- Any funding necessities? This may be Campus, Shared, or 30in30 related.
Administration Processes
Contract Signature Process
As our Ministries grow, the requests for my signature on contracts have increased and the need to organize/track all contracts for all of our campuses is becoming increasingly difficult. As you may already know, as the Director of Administration for Grace Church, I am the only individual who can legally bind Grace Church into any/all legal agreements.
- Which means without my permission, no one can sign a contract on behalf of your Ministry or Grace Church
- If a situation occurs where a signature is needed and I am unable to sign the agreement, I will help you work out a solution
Therefore, the Finance Team and I have been working to design a user friendly process to simplify obtaining my signature for all contracts.
To Request a Signature on a contract:
For every contract or agreement, please read and review all terms and conditions of the contract and complete a Contract Detail Form which can be located in the Financial Toolbox HERE.
- Once this form has been completed, your request for a signature is complete.
- Please have a PDF of the contract ready to upload to this form.
- Chelsea Amstutz will receive a notification that you have completed the form, will obtain my signature, and will return the contract back to you.
- For contracts or agreements that require an electronic signature, Chelsea will receive a notification and will reach out to you for the document. Please expect an approximate 1 week turnaround for all contracts.
This new process, while requiring you to read and understand your contract terms, should be very easy for you to use. It should eliminate the need to send Chelsea or myself an email. All you need to do is fill out a form and upload the contract. This new process will be effective immediately. Please let myself or Chelsea know if you have any questions or concerns about the form.
Staff Processes
New Hire - Onboarding
These steps of adding new hires to our IT resources are recorded and also outlined on the GraceLink process page here: People | Grace Church (ccbchurch.com) (Weblinks don't work on GraceLink descriptions currently). Notes can also be added there.
This book documents how IT gets new hires set up with technology, and aims to make this process as efficient and accurate as possible. It is important to keep this book up to date since it ties in several sub processes. It lists each sub process of the Hire process and links to the pages that describe each sub process in more detail. Each link opens a new tab that you can close once you are done with a sub process.
Prerequisites
We require this information from HR and the Hiring Manager before doing the Applicant Process:
Right now, this information can be gathered from a form that HR can fill out here: https://forms.office.com/Pages/DesignPage.aspx?fragment=FormId%3DtmkE-IFaT0am8UrY5KxEih_2uv0Um4BOp9YIP8-5CSFUNVk5RjQ5RjZYN0VKTkZZMlRKN1pWOVM4OC4u
Application Process
These candidates are in the midst of the hiring process. There may be a tentative hire date while they are going through the process.
- Enter potential/certain hire date in the notes.
- Once their hiring is certain and a date is set, mark them as Done. This will move them to both the Hired and Orientation Queues.
- IT, GraceLink (GL), and Campus Office will also be alerted.
Applicant
This person is in the application process and will likely be hired.
- Determine if we have a laptop available that meets the requirements
- URL to Laptop Guidelines: https://kb.gracechurches.org/books/it-policies-and-guidelines/page/laptop-licensing-and-support-guidelines
- If laptop is available, add model and serial number to the notes
- If not, then add plan for acquiring a laptop to notes
Create Microsoft Account
We used to create local AD accounts for everyone, but now we are just creating online Azure AD accounts for new hires.
- Create Microsoft account in AD
- Create account in cloud AD
- License them based on their role
- Add them to distribution groups
- Following this guide, Procedure to Update Li... | Grace Church KB (gracechurches.org);
- Update User Info in User List: Grace IT - Chargeback - All Documents (sharepoint.com)
- This will automatically create a SSO account for them in Uniflow: uniFLOW Online, and if they are in the correct Campus group they will have direct access to the corresponding campus printer(s) automatically.
- Add User to proper Licensing Group:
- Licenses - User Email Only: Use for Part Time staff who won't be using computers, but just need Outlook on their personal device.
- Licenses - User Standard: Assign other staff to this.
For more information on how to manually create a Microsoft Account on the Office365 admin page click here.
This sub process is going to be partly automated by this Microsoft Flow. This flow also adds some of the non-automated steps as 'tasks' in the Grace IT Group Planner.
Image Laptop
We are currently looking into Microsoft AutoPilot to help us streamline this step more. It is definitely not required, but it helps accessibility: in theory, all that a staff member enrolled in AutoPilot needs to do is grab their "new" computer (either from Grace IT or Best Buy, etc.) and sign into their 365 account. Their profile and the rest of their setup are then pulled down automatically.
Prepare laptop for use by staff member
Follow this checklist:
https://forms.office.com/Pages/ResponsePage.aspx?id=tmkE-IFaT0am8UrY5KxEikQWbS9FJylApu8VjjPKnb5UQVhaVTBKMllOVzNGTjA1VExZNUhOWFc5VSQlQCN0PWcu
- If imaging Windows Laptop
- If imaging Macbook
- If New
- Else If Used:
Create Phone Account
Create phone account if required
- Create a Telzio phone account for the new staff member
- Follow these instructions Create Telzio Account | Grace Church KB (gracechurches.org)
Deploy Laptop
Give the laptop to the staff member
Again, we are looking to use AutoPilot to automate some of this.
- Give them the laptop
- Get them logged in the first time.
- Change password
- Setup MFA (Our Policy Outlined here)
Orientation
- New hire orientation is scheduled (Link to Orientation packets given to new hire here)
- Sign equipment release form (Link Here)
- HR will have them sign equipment release form
- Information we give them for Equipment Release form:
- Laptop
- Model
- SN
Change in Staff Member Role
Change Staff Member
- HR to add staff member to this queue when there is a change required such as name, title, funding, campus, etc.
- Make requested changes
- Update User Info in License Charges Distribution Sheet: Grace IT - Chargeback - All Documents (sharepoint.com)
Exit Staff - Entire Process
These steps of exiting staff are recorded and also outlined on the GraceLink process page here: People | Grace Church (ccbchurch.com) (Weblinks don't work on GraceLink descriptions currently). Notes can also be added there.
This book documents how IT cleans up the tech for exiting staff, and aims to make this process as efficient and accurate as possible. It is important to keep this book up to date since it ties in several sub processes. It lists each sub process of the Exit Staff process and links to the pages that describe each sub process in more detail. Each link opens a new tab that you can close once you are done with a sub process.
Exit Staff Member
When a person is marked as "Done", they will be automatically placed into HR's Offboarding "IT Complete" Queue to let them know that IT has finished the off boarding process for this employee.
- Lock account (https://admin.microsoft.com/Adminportal/Home?#/users)
- Append " - Archived" to User's Display Name in Admin Portal. Remove Office string to remove them from Dynamic Endpoint Groups.
- Convert mailbox to shared. (Active groups - Exchange admin center (microsoft.com) )
- If requested, give Mailbox access to manager (Give Access to Employe... | Grace Church KB (gracechurches.org))
- If requested, give Manager access to OneDrive files (Give Access to Employe... | Grace Church KB (gracechurches.org))
- Remove licenses
- Remove them from groups
- Delete phone account: Users - Telzio
- Remove access to Adobe (if licensed) (https://adminconsole.adobe.com/)
- Collect laptop, clean it, and update Lease Spreadsheet if applicable (Leased Equipment.xlsx (sharepoint.com)).
- What to do with Equipment release form? (Policies)
- Update entry in Lansweeper ( Main page - Lansweeper (graceohio.org) )
- Update User Info in the License Charges Distribution Excel Sheet ( Grace IT - Chargeback - All Documents (sharepoint.com))
- Refer to Procedure to Update Li... | Grace Church KB (gracechurches.org) for importing Microsoft reported / Adobe reported licensing info.
- Remove from Wordpress Sites
- Remove from Uniflow Online User list. (https://kb.gracechurches.org/books/user-management/page/manage-uniflow-online-users#bkmrk-manage-offboarded-st)
- Remove access to Wordpress.
- Remove access to Ubiquiti UniFi Protect / Network Dashboards.
- Remove access from Canva
- Push to Archive Exited Staff Member Queue
Archive Exited Staff Member
- Archive user's OneDrive files (using User Archive account user_archive@graceohio.org)
- Follow ( Give Access to Employe... | Grace Church KB (gracechurches.org) ) to give the User Archive Account access to the Exited Staff account.
- Login to User_Archive@graceohio.org (credentials in Keepass) and Open up Onedrive.
- Just dump contents of Exited Staff User's OneDrive into a new folder, named after the User, in the User Archive OneDrive. ( My files - OneDrive (sharepoint.com) )
- Upload offline Laptop files if necessary as well.
- Autopilot-Reset / Wipe the laptop afterwards
- Push to Cleanup Queue
Cleanup Exited Staff Member
- After 60 days being in the Cleanup queue:
- Archive Mailbox (upon request from Manager)
- Delete Microsoft Account ( https://admin.microsoft.com/Adminportal/Home?#/users )
- We do this 99% of the time. There may be a few exceptions where certain emails will potentially be called upon (i.e. Kevin Root), which we want to hang on to for longer.
- Etc.
- Update User Info in the License Charges Distribution Excel Sheet: Grace IT - Chargeback - All Documents (sharepoint.com)
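The Exit Staff, Archive and Cleanup steps above can be checked against an account export. The following is an added example, not part of the original page or Grace Church's tooling. `accountEnabled`, `displayName`, `officeLocation` and `assignedLicenses` are Microsoft Graph user properties; `mailboxType`, `groups`, `cleanupQueuedOn` and `retainMailbox` are hypothetical fields of a constructed export, and the sample records are constructed.

```python
from datetime import date, timedelta

ARCHIVE_SUFFIX = " - Archived"  # display-name suffix from the Exit Staff Member step
CLEANUP_AFTER_DAYS = 60         # waiting period in the Cleanup queue

def offboarding_gaps(user, today):
    """Return the exit steps from this page that are still open for one account."""
    gaps = []
    enabled = user.get("accountEnabled", True)
    if enabled:
        gaps.append("lock account")
    if not user.get("displayName", "").endswith(ARCHIVE_SUFFIX):
        gaps.append("append ' - Archived' to display name")
    if user.get("officeLocation"):
        gaps.append("remove Office string (dynamic endpoint groups)")
    if user.get("mailboxType") != "shared":
        gaps.append("convert mailbox to shared")
    elif enabled:
        # A shared mailbox whose sign-in is still allowed behaves like a normal mailbox.
        gaps.append("shared mailbox still allows sign-in")
    if user.get("assignedLicenses"):
        gaps.append("remove licenses")
    if user.get("groups"):
        gaps.append("remove from groups")
    queued = user.get("cleanupQueuedOn")
    overdue = queued is not None and today - queued >= timedelta(days=CLEANUP_AFTER_DAYS)
    if overdue and not user.get("retainMailbox", False):
        gaps.append("delete Microsoft account (60 days in Cleanup queue)")
    return gaps

# Constructed sample records, not real accounts.
SAMPLE_USERS = [
    {"userPrincipalName": "done@example.org", "accountEnabled": False,
     "displayName": "Pat Done - Archived", "officeLocation": None,
     "mailboxType": "shared", "assignedLicenses": [], "groups": [],
     "cleanupQueuedOn": date(2024, 5, 1)},
    {"userPrincipalName": "partial@example.org", "accountEnabled": True,
     "displayName": "Sam Partial", "officeLocation": "Main Campus",
     "mailboxType": "shared", "assignedLicenses": [], "groups": ["Campus Printers"],
     "cleanupQueuedOn": date(2024, 1, 10)},
]

def audit(users, today):
    """Map each account to its open steps, omitting accounts with none."""
    report = {u["userPrincipalName"]: offboarding_gaps(u, today) for u in users}
    return {upn: gaps for upn, gaps in report.items() if gaps}

if __name__ == "__main__":
    for upn, gaps in audit(SAMPLE_USERS, date(2024, 6, 1)).items():
        print(upn, "->", "; ".join(gaps))
```

Setting `retainMailbox` on a record models the exceptions where an account is kept longer than 60 days.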
Account Creation Automation - Flow Pseudo Code
- Receive and collect request for New Hire. Collect information of New Hire (Expected information here) from submitted Microsoft Form
- Load SharePoint List of New Hires requested through Flow
- Initialize Necessary Variables and Flags
- List members on Grace IT team
- Then put each member into an Array variable. Join the list with a semicolon separator.
- This is used so that we can automate emails to the Grace IT Team
- Track the step status of the New Hire account through the Grace IT Teams New/Exited Users Bucket.
- Tasks are created for each New Hire submitted, and are updated and assigned accordingly. Check and reuse any existing tasks generated by previous flow runs that resulted in rejection or other reasons.
- Create an approval and notify IT Team
- One member can respond on behalf of team. They can review the provided information of the New Hire and then either accept or reject the request to create a new account accordingly. A reason may optionally be included as part of the response.
- Generate a password in case the account will be created. This generation follows the password rules that the Microsoft Admin center uses.
- If the IT Rep approves the New Hire Information
- Flow will create the account in Azure with the provided information. It will validate that the account was able to successfully be created and handles error detection with this.
- If an error happens during Account validation, an email notification will be sent to the IT representative and the requestor. The flow will continue otherwise.
- The account will be added to any necessary groups from a Group rules perspective (i.e. campus site groups), and then manually by Flow if necessary (i.e. printer groups).
- The New Hire account information will be logged in the New Hire SharePoint list.
- Upon successful account creation, Flow will send a success email to the approver and Responder.
Flow Success Email
To: [Responder's Email]; [Approver Email]
Subject: 365 Account created
Approver: [Approver Name]
Request for [New Hire First Name] [New Hire Last Name]'s account creation was approved! The user's password is: [Generated Password]
Requestors Email: [Responder's Email]
Account was successfully created!
This message was sent automatically using Microsoft Power Automate.
- Bonus: Update Grace IT Planner Task for respective New hire where Account Creation is checked off.
- If the request is rejected by an IT representative, send an email regarding the rejection and include the rejection reason given by the rep if applicable.
To: [Responder's Email]
Subject: 365 Account Creation Request rejected
Grace Church IT Representative: [Approver name]
Request [ID of response from Form (List of responses)] for [First Name] [Last Name]'s account creation was denied. Reason: [Responses Comments]
This message was sent automatically using Microsoft Power Automate.
- After sending the rejection notification, update the SharePoint list accordingly with the information of the new hire, stating that the account creation was rejected and the reason for it.
Receiving New Hire Info From Hiring Manager
- Need a laptop (Windows, Mac, None)
- Need a phone extension?
- Need a desk phone?
- Need an Adobe CC License?
- Need a Docking Station?
- Need a monitor?
- Are there any Distribution Groups you need them to have access to?
- Are there any (SharePoint) Sites you need them to have access to?
- Are there any other miscellaneous systems that you need them to have access to?
Sabbatical
If there is an unlicensed shared mailbox account in O365, but it has a password and the sign-in status is set to allowed, it will behave like a normal mailbox, even allowing Outlook to access it.
We receive requests to block Staff members for a period of time from accessing their work account / email. They can still work on their laptop if they choose, they just won't be able to receive new email.
- Putting them in the conditional access policy "Block O365 - Sabbatical" will block access to O365 services on all devices.
- You can add users to this policy by adding them to the Security Group "On Sabbatical"
- We will also need to turn off the Outlook desktop (MAPI) authentication setting under the account's email app settings.
Wipe and Return Lease Laptop
You can print out the Return Prep Form and checkmark each step as you clean the laptop
Return Prep Form.docx (sharepoint.com)
Return Prep Form
Lease ____________________________________
Serial # ___________________________________
____Cleaned (Remove from Find Devices on iCloud if applicable)
____Formatted
____Inspected for Damage
____Photos
____Remove from Lansweeper
____Remove from Teamviewer / AnyDesk
____Remove from End Point Manager & AutoPilot / ABM & Addigy
____Update lease spreadsheet
____Ready for Return
Wipe Methods from KB: Wipe Mac Clean & Reins... | Grace Church KB (gracechurches.org) | Preparing New and Reim... | Grace Church KB (gracechurches.org)
Leases folders to put pictures in: Grace IT - Leases - All Documents (sharepoint.com)
Lansweeper: https://lansweeper.graceohio.org/Assets.aspx
Removing device from Endpoint Manager & Autopilot / ABM : Devices - Microsoft Endpoint Manager admin center | Windows Autopilot devices - Microsoft Endpoint Manager admin center / Apple Business Manager
- I like to archive the Addigy CSV data of the Macs before deleting them from Addigy. This is useful in case we need to grab an MDM Lock code to unlock a Mac.
Lease Spreadsheet: Leased Equipment.xlsx (sharepoint.com)
If you are giving back or releasing a laptop, make sure to delete it from Windows AutoPilot AND Azure AD/Endpoint Manager. Otherwise, the AutoPilot screen will continue to pop up even after you wipe the laptop, preventing a non Grace Church user from signing in to the laptop.
If returning a Mac, Apple Financial Services also has this guide to preparing Apple devices for return: Apple Financial Services (yoursolutionspartner.com)
Traveling Internationally
Add people to, and remove them from, the "Traveling Internationally" Security Group when they are going outside of North America on a trip. We have a conditional access policy set up that blocks any sign-in attempts coming from locations outside of the United States, Canada, and Mexico. Adding a person to the group lets them bypass the location block set by that policy.
We excluded the DirSync admin account as a backup account so that we aren't locked out of the Tenant.
Settings are in Azure Conditional Access Policy here: https://portal.azure.com/#blade/Microsoft_AAD_ConditionalAccess/PolicyBlade/policyId/61826f26-b29d-4032-9de7-40c765d588b9/appId//policyName//preConfiguredPolicy/
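How the group-driven policies described under Sabbatical and Traveling Internationally combine for one sign-in, as an added example that is not part of the original page or Grace Church's configuration. It assumes sign-ins to O365 services with two-letter country codes; the UPNs, the sign-in records and the `stale_travel_members` review check are constructed for illustration, and the real decision is made by Azure AD Conditional Access.

```python
ALLOWED_COUNTRIES = {"US", "CA", "MX"}         # United States, Canada, Mexico
SABBATICAL_GROUP = "On Sabbatical"             # feeds "Block O365 - Sabbatical"
TRAVEL_GROUP = "Traveling Internationally"     # bypasses the location block
BACKUP_ADMINS = {"dirsync-admin@example.org"}  # placeholder UPN for the excluded account

def evaluate(signin, groups_by_user):
    """Decide one O365 sign-in the way the two policies combine: any block wins."""
    upn = signin["user"]
    groups = groups_by_user.get(upn, set())
    if SABBATICAL_GROUP in groups:
        return "block: sabbatical"  # travel-group membership does not lift this
    if signin["country"] in ALLOWED_COUNTRIES:
        return "allow"
    if upn in BACKUP_ADMINS or TRAVEL_GROUP in groups:
        return "allow: excluded from location block"
    return "block: location"

def stale_travel_members(signins, groups_by_user):
    """Travel-group members with no sign-in attempt from outside the allowed countries."""
    abroad = {s["user"] for s in signins if s["country"] not in ALLOWED_COUNTRIES}
    members = {u for u, g in groups_by_user.items() if TRAVEL_GROUP in g}
    return sorted(members - abroad)

# Constructed sample data, not real users or sign-in logs.
GROUPS = {
    "alex@example.org": {TRAVEL_GROUP},
    "blair@example.org": {SABBATICAL_GROUP, TRAVEL_GROUP},
    "casey@example.org": set(),
    "drew@example.org": {TRAVEL_GROUP},
}
SIGNINS = [
    {"user": "alex@example.org", "country": "KE"},
    {"user": "blair@example.org", "country": "FR"},
    {"user": "casey@example.org", "country": "DE"},
    {"user": "casey@example.org", "country": "CA"},
    {"user": "dirsync-admin@example.org", "country": "DE"},
    {"user": "drew@example.org", "country": "US"},
]

if __name__ == "__main__":
    for s in SIGNINS:
        print(s["user"], s["country"], "->", evaluate(s, GROUPS))
    print("review for removal:", stale_travel_members(SIGNINS, GROUPS))
```

Accounts returned by `stale_travel_members` still hold the location bypass without having signed in from abroad in the sample, which makes them candidates for the "remove" half of the step above.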
Volunteers
Account Creation
source: Laptop, Licensing, and... | Grace Church KB (gracechurches.org)
- Create user account following 365 account creation guide: Add 365 account user -... | Grace Church KB (gracechurches.org)
- Under Job title, include the keyword "Volunteer". When a User's Job title field has Volunteer in it, the user account is dynamically added to the EM - Staff Volunteers.