Before: 3hr
After: 25min
Automated: 80%
Users covered: 500+

The starting point

The manual onboarding process looked like this: HR sends IT a new hire notification (usually a Slack message the day before). IT opens a checklist doc, creates a Google Workspace account, sets up Okta, assigns apps, provisions Slack and Zoom, orders a laptop, configures it when it arrives, ships it, and follows up to make sure everything works. If something fell through the cracks — a missing app assignment, a wrong group membership, a Zoom license not assigned — the new hire raised a ticket on day one.

It wasn't catastrophic. But it was inconsistent, time-consuming, and completely dependent on whoever was covering IT that week. If we had three new hires starting the same Monday, it was a rough morning.

The stack we had to work with

We weren't starting from scratch. The company already had Okta as the identity provider, Google Workspace for email and collaboration, Jamf Pro for Mac management, Slack and Zoom for communication, and an HRIS (BambooHR) as the system of record for employee data. The infrastructure was there — it just wasn't connected.

The key insight: you don't need to buy new tools to automate onboarding. You need to connect the tools you already have and decide which system is the source of truth. For us, that was the HRIS. When a record appeared in BambooHR with a start date, that was the trigger for everything else.

Layer 1 — Identity, automated

The first thing we tackled was Okta provisioning. We set up an HRIS integration between BambooHR and Okta so that when HR marks someone as hired with a start date, Okta automatically creates their account — with the right profile attributes (department, title, manager, location) pulled directly from the HRIS record.

From there, Okta group rules handle app assignments. We built rules like: if department = Engineering, add to the Engineering Okta group — which automatically provisions GitHub, Jira, Confluence, and the other engineering tools. If department = Sales, add to the Sales group — Salesforce, Gong, LinkedIn Sales Navigator. The rules run in real time whenever a user's profile updates.

What this automated
Account creation + app provisioning

Previously 45–60 minutes of manual work per hire. Now zero. The Okta account exists before the new hire's first day, all apps are assigned based on department, and single sign-on means they access everything with one login from day one.

💡 The most common gap here is the "exceptions" — roles that don't fit neatly into a department bucket. We handle these with a separate Okta group that IT can manually add users to for one-off app assignments.

Layer 2 — The laptop, automated

Mac setup was the most time-consuming part of onboarding before automation. IT received the laptop, spent 45–60 minutes configuring it, and either shipped it or handed it over. With Jamf Pro and Apple Business Manager (ABM), we eliminated that entirely.

Every Mac the company purchases is linked to our ABM organisation at the point of purchase through our Apple reseller. When a new Mac is powered on, it automatically enrolls in Jamf via Automated Device Enrollment. A prestage configuration handles the Setup Assistant — most screens are skipped, supervised mode is enabled, and the device is enrolled in management before the user even creates their account.

Jamf then takes over: configuration profiles apply FileVault encryption, screen lock policies, and our corporate Wi-Fi settings automatically. A policy scoped to newly enrolled devices installs our core apps — Slack, Zoom, Chrome, 1Password, and the endpoint security agent — silently in the background.

What this automated
Laptop configuration + app installation

The new hire opens the box, signs in with their Okta credentials via Jamf Connect, and the laptop configures itself. IT never touches the device. We ship directly from Apple to the new hire's home — the laptop is ready before IT even knows it arrived.

Layer 3 — The gaps, handled with Okta Workflows

Okta and Jamf handled the heavy lifting, but there were still gaps. Zoom license assignment wasn't covered by Okta group rules. Slack channel membership was another: we have department-specific channels that new hires should be added to automatically. The IT team also needed a notification when someone was starting. None of this had a clean automated path.

Okta Workflows filled these gaps without needing custom code. We built flows triggered by the "User Added to Group" event in Okta. When someone is added to the Engineering group, a Workflow assigns them a Zoom Pro license via the Zoom API, adds them to the #engineering and #dev-general Slack channels via the Slack API, and sends a notification to the IT Slack channel with the new hire's details and start date.

What this automated
Zoom, Slack, and IT notifications

Previously these were manual steps that got missed when IT was busy. Now they're triggered automatically the moment Okta processes the new hire — which happens the day HR inputs them into BambooHR, not the day they start.

💡 Okta Workflows has native connectors for Slack, Zoom, and most major SaaS tools. If yours isn't listed, the HTTP connector lets you call any API directly.

What the remaining 20% still requires a human for

Automation handles the predictable parts. The remaining 20% is the stuff that genuinely needs human judgment — and that's fine. This includes:

→ Hardware exceptions — some roles need specific peripherals, monitors, or non-standard setups that can't be templated
→ Access that crosses department boundaries — contractors, cross-functional leads, or roles that span multiple teams
→ Security exceptions — elevated access to production systems, admin roles, or sensitive data requires a human approval step
→ The first-day check-in — a 10-minute call to make sure everything works and the new hire knows where to go if it doesn't

What actually changed

The numbers are good — 3 hours down to 25 minutes — but the more meaningful change was reliability. Before automation, onboarding quality depended on who was on IT duty that day, how many other fires were burning, and whether the checklist was actually followed. After automation, every new hire gets the same setup, in the same order, every time.

The IT team shifted from doing onboarding to designing it. Instead of clicking through setup screens, we spend that time improving the automation — adding new tools to the provisioning flow, refining the Jamf policies, updating the Okta group rules when the org structure changes. That's a much better use of time.

The feedback from the business was immediate. Hiring managers stopped getting "IT still needs to set up the laptop" messages from new hires. HR stopped chasing IT to confirm accounts were ready. New hires in remote locations — we have a distributed team — got the same quality setup as people in the office, without IT needing to ship a pre-configured device.

Where to start if you're doing this from scratch

Start here
Pick one source of truth and connect it to your IdP

If you have an HRIS (BambooHR, Workday, Rippling, HiBob), connect it to Okta or your identity provider first. This single integration eliminates manual account creation and gives you accurate profile data to drive everything else. Everything downstream — group membership, app provisioning, device assignment — flows from this connection.

Then
Map your departments to app sets

Sit down with a spreadsheet: list every department, list every app, mark which apps each department needs. This is your provisioning matrix. Translate it into Okta group rules. It takes a few hours to build but pays off immediately — and it forces the conversation about whether everyone actually needs access to everything they currently have.

Then
Set up zero-touch device enrollment

If you're a Mac shop, Jamf + Apple Business Manager is the path. If you're Windows, Intune + Windows Autopilot is the equivalent. Either way, the goal is the same: device enrolls in MDM on first boot, configuration applies automatically, core apps install silently. This is the highest effort part of the setup but the one that saves the most time per hire.

Finally
Fill the gaps with lightweight automation

Once identity and devices are handled, use Okta Workflows, Zapier, or a simple script to handle the remaining pieces — Zoom licenses, Slack channels, IT notifications, calendar invites for the first-day check-in. These are quick to build and make the whole process feel seamless.

💡 Don't try to automate everything at once. Start with account creation, get that solid, then add device automation, then the smaller pieces. Each layer compounds on the previous one.
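
The provisioning matrix from the "Map your departments to app sets" step and the department-based group rules from Layer 1, sketched in Python as an added example (not code from the original post). The matrix contents, group IDs and function names are constructed placeholders; the payload shape follows Okta's Group Rules API, and nothing here calls the network.

```python
import re

# Constructed provisioning matrix: department -> apps (app names from the article, mapping illustrative).
MATRIX = {
    "Engineering": {"GitHub", "Jira", "Confluence", "Slack", "Zoom"},
    "Sales": {"Salesforce", "Gong", "LinkedIn Sales Navigator", "Slack", "Zoom"},
}
# Hypothetical Okta group IDs; real ones come from your tenant.
GROUP_IDS = {"Engineering": "00g_ENG_PLACEHOLDER", "Sales": "00g_SALES_PLACEHOLDER"}
# Groups that grant elevated access are only filled after human approval.
PRIVILEGED_GROUP_IDS = {"00g_PROD_ADMIN_PLACEHOLDER"}
SAFE_NAME = re.compile(r"[A-Za-z0-9 &-]+")


def group_rule(department, group_id):
    """Build the JSON body for Okta's Group Rules API (POST /api/v1/groups/rules)."""
    # The department string is embedded in an expression, so reject anything
    # that could break out of the quoted literal.
    if not SAFE_NAME.fullmatch(department):
        raise ValueError(f"unsafe department name: {department!r}")
    if group_id in PRIVILEGED_GROUP_IDS:
        raise ValueError("privileged groups are never assigned by rule")
    return {
        "type": "group_rule",
        "name": f"dept-{department.lower().replace(' ', '-')}",
        "conditions": {"expression": {
            "type": "urn:okta:expression:1.0",
            "value": f'user.department=="{department}"',
        }},
        "actions": {"assignUserToGroups": {"groupIds": [group_id]}},
    }


def baseline_apps(matrix):
    """Apps every department receives: candidates for one 'all staff' group."""
    return set.intersection(*matrix.values())


def excess_access(department, held_apps, approved_exceptions=frozenset()):
    """Apps a user holds that neither the matrix nor an approved exception explains."""
    return set(held_apps) - MATRIX.get(department, set()) - set(approved_exceptions)


if __name__ == "__main__":
    for dept, gid in GROUP_IDS.items():
        print(group_rule(dept, gid)["conditions"]["expression"]["value"])
    print(sorted(baseline_apps(MATRIX)))
    # Constructed user: moved from Engineering to Sales and kept GitHub.
    print(excess_access("Sales", {"Salesforce", "Slack", "Zoom", "GitHub"}))
```

Running the excess-access check on a schedule surfaces entitlements left behind by department moves and by one-off grants that were never recorded as exceptions.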

Onboarding automation isn't a one-time project — it's something you iterate on as the company grows and the tech stack changes. The version we have today looks very different from what we built 12 months ago. But starting was the hard part. Once the first layer was in place, each additional piece got easier to add.

If you're building something similar and want to compare notes, reach out at izzi@izzirenan.com or connect on LinkedIn.

Izzi Renan
IT Systems Administrator at Forter. Managing Okta, Google Workspace, and Jamf Pro for 500+ users across EMEA, APAC, and Israel. 10 years in IT.