Why is the JML Process your best friend?

Before I start, I’d like to point out that the benefits of the Joiners, Movers and Leavers process are huge in subscription and Cloud environments. For the purpose of this blog I’m going to focus on the few vendors that we have made real wins with through the JML process recently.

If you have great examples or wins with your JML process, please feel free to comment below and share your experiences!


When I knew I wanted to write a blog about the Joiners, Movers and Leavers process, there was one person I wanted advice from – Rory Canavan. Rory is even more passionate and knowledgeable about SAM process than I am (just!), and has created a number of guides including The SAM Process Toolkit.

“A Joiners, Movers and Leavers Process will really start to add and show value to the SAM function when ‘as-a-service’ becomes more commonplace within your software portfolio,” stated Rory. If you think back to the old, perpetual days where the common license type was around the device, you could just recoup the license when (or if in some cases) the user returned their equipment to the Service Desk or IT. It’s not quite as easy as that now.

Joiners, Movers, Leavers process? Not for us, thanks!

Not implementing a JML process for software assets can result in your organisation wasting an awful lot of money on Cloud and software-related assets. With a lot of Cloud and subscription applications, the license is associated with the user. If that user leaves, and your Service Desk or Software Asset Management team is not informed, you’ll end up continuing to pay for licenses and Cloud access for someone who has left.

To put this into perspective, Microsoft Office E3 or E5 licenses are hundreds of pounds per year, per user. Say, for example, you are an organisation that has 20,000 users. You identify 25,000 active E3/E5 users. The numbers don’t add up! You identify test accounts and shared accounts that may exaggerate the number.

However, you also identify a number of users who no longer work at the organisation. Let’s say you find 1,000 E3/E5 licenses assigned to leavers. Straight away, that is not only 1,000 licenses you can reclaim, but also £250k (based on £250 per license, which seems to be middle ground between E3 & E5!). A quick win for the JML process, but also the SAM team.

You’ve then got the sprawling element with virtual machines or Cloud services. A user who managed a Cloud service or multiple VMs may leave without informing the SAM Manager. This means you’ll continue to pay for a Cloud service that isn’t even in use!

Cash, cash, cash!

Rory gave a brilliant example of how the financial impact can be managed. “Companies are naturally very keen to stop paying employees once they leave, so HR have the Joiners, Movers and Leavers process sorted.

Imagine not being paid when you first start a new job, not getting that pay-rise when you move roles or still getting paid when you leave? It doesn’t (or shouldn’t!) happen.”

“Therefore, we at SAM Charter are seeing a similar relationship with IT Services. The process is becoming synced with the HR element of the process, so a tight relationship is forming!

Using the process to track HR activity will help IT OPEX financial reporting become clearer, easier and removes the risk of OPEX becoming the ever-spiralling drain on budgets!”

Security impact

I’m going to use O365 as an example again: an active user has Cloud storage, access to the company SharePoint and access to OneDrive. If they still have a license, then they could potentially still access corporate data, and if they really wanted to be malicious, they could even steal or compromise said data.

If a leaver’s account isn’t de-provisioned correctly, then they may also still have access to your Azure or Amazon AWS platform. This gives them the potential to disrupt or stop key services you have running in the Cloud, causing havoc to your business.

You should work closely with your IT Security teams to ensure you mitigate and manage this risk. A strong relationship with IT Security is vitally important for SAM anyway, especially with the new (EU) GDPR ruling coming into effect in May 2018.

C-Level Impact

Your C-Level executives would no doubt be mortified to know if you’re paying for licenses for users who no longer work for your organisation, or that leavers still have access to certain applications or services, and rightly so!

C-Levels are focused on budgets and money, especially at budget planning for next year. Budgets get squeezed and reduced all the time as organisations look to make more with less. I’m sure they’ll be more than happy for the SAM team to provide a report on the number of subscription based licenses or Cloud services that they’ll no longer have to pay for!

The JML process should take care of that automatically, but you should still check to ensure all leavers have had their licenses and Cloud services reclaimed.
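One way to run that check, as an added example (not code from the original post): reconcile an HR extract against a license-assignment export and separate leavers who can still sign in from licenses that are simply still being paid for. The CSV layouts, column names and sample rows are constructed assumptions; the £250 unit cost is the working figure used earlier in this post.

```python
import csv
import io

# Constructed sample data (not from the original post).
HR_CSV = """employee_id,upn,status,leave_date
1001,alice@example.com,active,
1002,bob@example.com,leaver,2018-01-31
1003,carol@example.com,leaver,2018-02-15
1004,dave@example.com,active,
"""
LICENSE_CSV = """upn,sku,account_enabled
alice@example.com,E3,true
bob@example.com,E5,true
carol@example.com,E3,false
svc-test@example.com,E3,true
"""
COST_PER_LICENSE_GBP = 250  # the post's per-user, per-year working figure


def reconcile(hr_csv, license_csv, unit_cost=COST_PER_LICENSE_GBP):
    """Classify every licensed account against the HR record."""
    hr = {r["upn"].strip().lower(): r
          for r in csv.DictReader(io.StringIO(hr_csv))}
    report = {"access_risk": [], "reclaim": [], "unmatched": []}
    for row in csv.DictReader(io.StringIO(license_csv)):
        upn = row["upn"].strip().lower()
        person = hr.get(upn)
        if person is None:
            # No HR record: test, shared or service account, review by hand.
            report["unmatched"].append(upn)
        elif person["status"] == "leaver":
            # Every license still assigned to a leaver is reclaimable spend.
            report["reclaim"].append(upn)
            if row["account_enabled"].strip().lower() == "true":
                # Leaver can still sign in: escalate to IT Security first.
                report["access_risk"].append(upn)
    report["annual_cost_gbp"] = len(report["reclaim"]) * unit_cost
    return report


if __name__ == "__main__":
    for key, value in reconcile(HR_CSV, LICENSE_CSV).items():
        print(f"{key}: {value}")
```

Accounts listed under access_risk are the security problem described above and should be dealt with before the license reclaim; unmatched accounts are the test and shared accounts that inflate the headline user count.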

Not sure what a Joiners, Movers & Leavers process should look like?

Fortunately, there is a lot of information on the web that will help you create or update your JML process. This will ensure it is effective and best practice from a Software Asset Management point of view.

There is a video if you would rather watch an explanation of the Joiners, Movers, Leavers process. This can be viewed on YouTube here, with expert commentary from Kylie Fowler.

As I said at the beginning, please share your wins and experiences with your Joiners, Movers and Leavers process! We’re all here to learn and help each other in the SAM world!

5 comments

  1. For joiners and movers, there must be a fast and simple process for a user to gain access to the applications and resources they need to carry out their daily tasks. If there is not then employees will simply bypass the process and lack of control will ensue. This would include locally installed software, remote access, Citrix/RDS services, access to third party portals, shared network drives, email distribution lists, O365 groups, etc. The most frustrating thing for a new starter is to arrive on your first day and spend the whole time on the phone to the service desk trying to get access to what you need. This is especially important if you are employing expensive contractors who need to hit the ground running as soon as they start.

    Regarding O365 access for leavers. This is pretty easy to manage by ensuring the AD account is blocked at the point the user leaves. Whilst the account may still hold a licence, the AD account can no longer be accessed by the user thus ensuring that services such as email, OneDrive, SharePoint are not available to that user. Once the data is secure, you can then go about reclaiming the subscription to avoid buying additional licences for new starters.

    Sometimes blocking the account is not enough. Blocking will prevent access to subscription services such as O365, Azure, AWS, Creative Cloud, Marketing Cloud, Document Cloud, that use AD or AAD accounts but to control remote application access such as via Citrix, deleting the account will remove it from the Citrix group thus reducing your risk of exceeding the number of accounts that have access to an application via that route. Deleting the AD account also reduces your exposure for those products that are licenced by AD objects. Failure to effectively manage Citrix groups and AD objects will impact all elements of joiners, movers and leavers.

    Perhaps the biggest risk, and the one most difficult to manage, sits outside of your organisation. Sites such as VLSC, myvmware, IBM Passport Advantage, autodesk, minitab, Adobe Enterprise Dashboard, Azure, my visual studio, Red Hat, JetBrains, and many many more use their own IDs that sit outside of your AD and do not integrate, to provide access to software and licence keys. How do you ensure that you know exactly who has access to what while they are an employee and that access to these sites is blocked when a user leaves?

    1. Hi Ian,

      Couldn’t agree more – although slickness of operation relating to joiners, is predominantly a Service Management preserve, but readily states the case for the creation and maintenance of a CMDB (or Hardware and Software Asset Registers as a minimum). Being able to link user requirements to those software titles that sit beyond the control of AD should also act as a clarion call to SAM & Service Management professionals to tag those initial requests to a user profile, so that when staff moves and leaves take place, IT is well placed to scale down services accordingly. A good shout, Sir!
