Automated IT asset recovery wires your HR termination trigger directly to every downstream recovery action — inventory lookup, return notification, remote wipe, and license reclamation — so nothing depends on human memory or an IT ticket. The sequence runs in Make.com, completing in minutes rather than the days a manual process requires.

Manual asset recovery fails the same way every time: HR notifies IT a day late, a ticket sits in a queue, someone emails the employee, and the laptop is already at their home office. What follows is a write-off, a live security threat, and a software license billing indefinitely for a deactivated account. The six steps below eliminate that sequence.

Before You Build: Three Prerequisites

Three systems must be in place before any automation fires correctly. Missing any one of them means the workflow runs against incomplete data and produces incomplete results.

• A queryable asset inventory linked to employee records. Every device, peripheral, and software license assigned to a named employee must be accessible via API. A structured spreadsheet connected through a Make.com HTTP module works as a starting point if a full ITAM platform is not yet in place.
• An identity provider connected to your SaaS stack. SCIM provisioning or direct API integrations between your IdP and your SaaS applications are required for automated license reclamation. Without this connection, license revocation stays manual.
• An MDM tool enrolled on all company hardware. Remote wipe executes only on enrolled devices. Any device not enrolled at onboarding cannot be wiped at offboarding — add MDM enrollment to your onboarding checklist immediately, before the next termination.

This prerequisite pass is the IT-specific version of an OpsMap™ — the discovery step that surfaces every gap before you commit to building. Skipping it produces an automation that fires and fails silently. See What Is OpsMap? for the full discovery framework.

1. Audit Your Asset Inventory

The automation recovers only what it knows exists. Pull every assigned asset from your current tracking system — dedicated ITAM platform, HRIS, or spreadsheet — and confirm four fields for each record: the assigned employee, the asset serial number or unique identifier, the current physical location, and the associated software licenses tied to that employee’s account.

Once the inventory is accurate, connect it to Make.com via API or native module so the workflow queries it dynamically at trigger time. A static spreadsheet pulled manually defeats the automation entirely.

Accuracy gate: Pull 10 random employee records and physically verify every listed asset. If your accuracy rate falls below 95%, clean the data before proceeding to Step 2.

2. Configure the Termination Trigger in Make.com

The trigger is the first module in your Make.com scenario — the signal that launches every downstream action. The two reliable trigger sources are a status change in your HRIS (employee status moves to “Terminated”) and a webhook fired from your HR approval workflow when a termination is confirmed.

HRIS-based triggers are cleaner because they pass structured data — employee ID, department, manager, last day — directly into the scenario without additional parsing. Webhook triggers work when your HRIS does not expose a native Make.com module.

Set the trigger to fire on confirmed terminations only, not on resignations or leave-of-absence events. The downstream actions — device wipe, license revocation, access removal — are irreversible on most platforms.

3. Automate the Device Return Notification

The moment the trigger fires, Make.com sends a return notification to the departing employee and their manager with clear instructions, a return deadline, and a prepaid shipping label if applicable. This step runs before any wipe is initiated.

Build in a file-transfer window — 24 to 48 hours is standard — so the employee transfers any legitimate work files before the device is locked. Include a confirmation step: the notification email contains a link the employee clicks to confirm the file transfer is complete. The wipe module does not execute until that confirmation is received or the deadline expires.

This sequence eliminates data-loss disputes, which are the most common legal exposure point in device recovery programs.

4. Execute Remote Wipe via MDM

Once the file-transfer confirmation is received — or the deadline window closes — Make.com calls your MDM’s API to initiate a remote wipe on every enrolled device assigned to that employee. The module passes the device serial number from the asset inventory lookup completed in Step 1.

Configure the MDM module with a three-attempt retry at a 60-second interval. If the device is offline when the wipe command fires, the retry handles reconnection. Log every wipe attempt and outcome to the asset inventory record — this creates the audit trail required for insurance claims, compliance reviews, and security incident reports.

For devices that fail to wipe after three attempts, route the Make.com scenario to flag the IT manager via email or Slack. Failed wipes that disappear silently become active security threats.

5. Reclaim Software Licenses

License reclamation runs in parallel with the wipe sequence. Make.com calls your IdP’s API to deprovision the employee’s account, cascading to every connected SaaS application via SCIM. Applications without SCIM integration require individual API calls — list every non-SCIM SaaS tool in your stack and build a dedicated module for each one.

License reclamation is where offboarding automation pays for itself fastest. A single unreclaimed seat in a mid-market SaaS stack runs $50–$200 per month. Across a 500-person company with 15% annual turnover, those orphaned seats accumulate into a significant line item before anyone notices. For a documented example of what systematic process standardization recovers, see the TalentEdge case study — $312K recovered, 207% ROI, driven in part by exactly this type of reclamation work.

6. Close Access and Log Completion

The final module in the Make.com scenario updates the asset inventory to mark all devices as recovered or flagged, confirms license reclamation is complete, and writes a timestamped completion record to your HRIS. This record is your audit trail for compliance reviews and insurance documentation.

Send a completion notification to HR and IT confirming every action taken: devices wiped, licenses reclaimed, access revoked. If any step failed, the notification lists the failures with assigned owners for manual resolution. No failure disappears silently.

The entire sequence — from termination trigger to completion log — runs without a single human touch when all prerequisites are in place. For teams ready to extend this into a broader HR automation stack, six ways the Make MCP changes automation work for HR teams covers the next layer of buildouts.

Frequently Asked Questions

What triggers automated IT asset recovery?

A termination status change in your HRIS or a webhook from your HR approval workflow. The trigger passes employee ID, last day, and assigned asset data to every downstream module in the Make.com scenario.

What happens if the device is offline when the wipe command fires?

Configure a three-attempt retry in your MDM module with a 60-second interval. If the device stays offline after three attempts, Make.com routes the scenario to notify IT for manual follow-up. Every attempt is logged for the audit trail.

How long does the full offboarding automation sequence take to run?

The notification, license reclamation, and access revocation steps execute within minutes of the trigger. Device wipe depends on MDM connectivity and the file-transfer confirmation window — plan 24 to 48 hours from trigger to completed wipe.

Can this workflow handle contractors and part-time employees?

Yes, with one modification. Add a conditional branch in Make.com that checks employment type at trigger time. Contractors on non-company devices route to access revocation and license reclamation only — the MDM wipe branch is skipped.

What is the biggest compliance risk in automated offboarding?

Executing a remote wipe before the employee transfers legitimate work files. Build a confirmed file-transfer step before any wipe module executes. That single gate eliminates the most common legal exposure in device recovery programs.