Desktop Configuration Checklist

Log the manufacturer, model, serial, MAC address, and firm asset tag in the CMDB or RMM (NinjaOne, Datto RMM, IT Glue). Untracked devices are a recurring SOC 2 access-review finding — every endpoint must be tied to an owner of record before it leaves the bench.

Verify keyboard, mouse, monitor(s), dock, and power adapter match the build sheet. Note any DOA items so the vendor RMA window (typically 30 days) doesn't lapse.

Confirm dock firmware is current and monitors are running the standard EDID profile. Mismatched DisplayPort versions are the most common Day-1 ticket — flash the dock before handoff.

Use Apple Business Manager / Automated Device Enrollment for Macs or Windows Autopilot for PCs. Manually-enrolled devices skip the supervised profile and lose remote-wipe capability — always check the supervision flag in the MDM console after first boot.

If MDM enrollment failed or didn't show as supervised, wipe the device with Apple Configurator or Windows Autopilot reset and start enrollment over. Don't ship a manually-enrolled endpoint — it will fail the next access review.

Push the baseline profile: FileVault / BitLocker on, screen lock at 5 minutes, firewall enabled, Gatekeeper / SmartScreen on, automatic updates enforced. Verify the profile shows compliant in the MDM dashboard before moving on.

Deploy via MDM app catalog: Office / Microsoft 365 Apps, browser of record, Slack or Teams, 1Password or Bitwarden, Zoom. Avoid installer .exe / .pkg files outside MDM — uninventoried apps fail SOC 2 software-asset evidence.

Create the user in Okta / Entra ID / Google Workspace and confirm SCIM provisioning fired downstream apps. Manual one-off accounts in connected SaaS are the leading offboarding gap — every app should sit behind the IdP.

Issue and register a YubiKey or Titan key as the primary MFA factor. SMS and email codes don't meet the phishing-resistant bar — disable them in the IdP factor policy for this user before handoff.

Add the user to the role-based groups that drive downstream RBAC (e.g., eng-prod-readonly, finance-erp-users). Direct app assignments outside groups bypass the access-review process — always provision through groups.

Verify CrowdStrike, SentinelOne, or Defender for Endpoint reports the device as online and policy-compliant in the console. A device whose EDR is uninstalled but still showing in MDM is a common drift case — check both consoles.

If the agent is missing or unhealthy, push reinstall via MDM and confirm the sensor reports back to the EDR console. Don't release the device until status reads healthy — an unprotected endpoint on the corporate network is a P2 finding.

Confirm the FileVault or BitLocker recovery key is escrowed in the MDM console — not stored locally or with the user. Lost recovery keys are the most expensive ticket at offboarding; verify before handoff, not after.

Force a patch run via Action1, Automox, or MDM software-update commands; reboot; confirm OS build matches the current baseline. Cross-check against CISA KEV — any KEV-listed CVE pending must clear before user handoff.

Cover SSO sign-in, hardware-key tap, password manager unlock, and the helpdesk channel. New hires who get a laptop with no walkthrough generate 3-5 Day-1 tickets that a 15-minute session avoids.

Set the assigned-user, location, deployment date, and warranty expiry in the CMDB (IT Glue, Hudu, ServiceNow). This record drives the next access review and the eventual offboarding ticket.

Tier-2 lead reviews the build evidence — MDM compliance screenshot, EDR healthy screenshot, recovery-key escrow confirmation — and signs off. This package is the SOC 2 / ISO 27001 evidence for endpoint-provisioning controls.