Hardware Lifecycle: The Device Category We Kept Losing Track Of
- Contractor laptop asset tracking fails at offboarding because three separate systems (HR, the contracting agency, and IT) manage contractors without sharing a workflow trigger. Without a discovery-backed verification step at offboarding, devices can remain active on the corporate network for months after a contract ends, with valid VPN credentials and access to internal file shares.
- The scenario below, drawn from patterns across enterprise IT environments, shows how this gap compounds in practice. In a typical mid-market estate managing 400+ contractor laptops: permanent employees return hardware at offboarding 97% of the time. Office-based contractors return at 94%. Remote, project-based contractors (the devices furthest from IT’s direct visibility) return at just 66%. The other third disappears into the gap between IT, HR, and the contracting agencies that none of them fully owns.
Why Contractor Laptops Were Different
- This is not about the full device lifecycle. It is about the offboarding phase, the point where most contractor devices disappear.
- The problem with contractor hardware was not unique to any one system. It was a consequence of how contractors were managed across systems that did not communicate with each other.
- When a permanent employee was offboarded, HR triggered a workflow that included a mandatory device return step. The IT support desk logged the device back into the ITAM system and issued a return receipt.
- When a contractor’s engagement ended, the contracting agency notified the business unit. The business unit notified HR. HR sent the contractor a return shipping label. Nobody notified IT until the laptop either arrived in the receiving queue or did not. Most went unrecovered, and only two of every three devices returned.
- Contractor device management fell outside any single team’s ownership. Our IT asset management system showed 412 laptops assigned to contractors across our estate at any given time. Our actual loss rate for that category, calculated over an 18-month audit, was 34%. That meant 140 laptops had been written off or gone unrecovered over the preceding three fiscal years. At an average replacement cost of $1,400 per device, that was $196,000 in hardware we could not account for.
| In Brief: Why Contractor Devices Have Higher Loss Rates Than Employee Devices Contractor device returns rely on a notification chain between HR, business units, and agencies that frequently excludes IT. Without a discovery-backed check at offboarding, no system flags the device as unreturned — and most contractors simply keep it. |
What Discovery Found After Offboarding
The loss rate alone was the visible problem. What IT discovery uncovered was the security problem underneath it.
During a quarterly network scan, discovery identified 47 devices that appeared in our active device inventory with contractor names attached to users whom HR had formally offboarded. These devices were authenticating to the network. In 31 cases, the offboarding record in HR showed a completion date more than 90 days prior. Eleven had been written off as lost more than a year earlier. Their VPN credentials were still active, and the devices were still connecting to the corporate network.


Timeline diagram showing 47 contractor devices remaining active on the network for 6-14 months after formal HR offboarding.
The discovery result triggered an immediate security response. We revoked VPN access for all 47 accounts within 4 hours. Eight contractors subsequently returned their devices after engagement end, apparently unaware of the return requirement. We recovered eleven from contracting agencies that had reassigned them without notifying us. Twenty-eight were unrecoverable. Of those 28, network activity logs showed continued access to internal file shares for periods ranging from 6 to 14 months post-offboarding.
The hardware loss was expensive. The unauthorized network access was worse.
| In Brief: The Security Risk from Unreturned Contractor Devices Still on the Network Unreturned contractor laptops that retain active VPN credentials continue authenticating to the corporate network after offboarding. Without credential-to-device linkage in ITAM, IT teams have no automated alert when an offboarded user’s device is still accessing internal file shares. In documented cases, unauthorized access continued for 6 to 14 months post-offboarding before network discovery scans surfaced the active sessions. |
Where the ITAM Process Broke Down
The root cause was not contractor behavior. Most contractors assumed someone would contact them if the device return mattered. Our ITAM process had no visibility into whether a device assigned to a contractor was still active on the network after the offboarding date.
Our CMDB recorded device assignment by employee ID. When HR closed the contractor record, nothing triggered an ITAM check on the associated devices. The lifecycle state of the device (assigned, in transit, recovered, or decommissioned) depended entirely on whether IT received a physical return or a written notice of return.
Three specific gaps drove the problem:
No Discovery-to-Offboarding Trigger
There was no process that ran a network presence check on contractor-assigned devices when an offboarding event fired. Discovery found them 90+ days later during a routine scan.
No Credential-to-Device Linkage in ITAM
The 47 devices that were authenticating post-offboarding had active VPN credentials. ITAM tracked device assignments. Identity management tracked credentials. The two systems did not talk to each other.
No Category-Level Loss Reporting
Our ITAM reporting looked at overall hardware loss rates without segmenting by device category. The aggregate number had concealed the contractor laptop problem for three years.
Industry data reflects how common this gap is. According to a 2025 Teqtivity study, 71% of HR professionals report departing employees do not return company-owned equipment. For remote contractors specifically, the agency notification layer compounds the loss rate. The fragmented chain between HR, business units, and agencies adds a step that permanent employee offboarding does not have.
Organizations that segment hardware lifecycle metrics by device category and user type identify asset loss risks that aggregate inventory numbers consistently obscure. The contractor laptop category surfaces first most often, because it carries the most decentralized offboarding responsibility.
Key features
- Runs its own agent + agentless multi-source discovery (100+ probes across on-prem, cloud, and remote), so records reflect the live estate not just what someone manually entered
- Live CMDB with CI lifecycle tracking from deploy through decommission, so asset state (assigned → in transit → recovered decommissioned) updates automatically instead of waiting on a physical return
- ViVID™ service mapping with a communication view that surfaces “ghost machines” still talking on the network but missing from the CMDB
- Two-way sync and integrations with ServiceNow, Jira, Ivanti, Okta, and more — the hook that lets you tie credential/identity records to asset records under a shared identifier
Pros
- Catches devices still on the network even when no one filed a return — the exact failure mode above
- Full hardware/software lifecycle in one record, with license compliance and end-of-service alerts
- Turnkey SaaS; fast to stand up, with dependency mapping available early
Cons
- Granular software-usage data leans on the Windows discovery agent; agentless scans confirm presence with less detail
- Fewer advanced SAM features (e.g. automated license harvesting, effective license position generation) than a dedicated SAM suite
- Built for larger, hybrid estates likely more than a very small IT shop need
Best for
- Mid-to-large enterprises with distributed estates and decentralized offboarding (contractors, remote staff, multiple staffing agencies) that need discovery, CMDB, and ITAM working off one source of truth
Building a Discovery-Backed Return Process
- After the security remediation, we redesigned the contractor offboarding process around discovery data as the verification layer.
- The new process works as follows. When HR closes a contractor record, an automated ticket opens in ITSM requesting IT to run a network presence check on all devices assigned to that contractor. Discovery confirms whether the device is still active on the network. If it is, IT revokes credentials within 24 hours and sends a return shipping request directly to the contractor and their agency. The ITAM record updates to reflect the new status.
- We connected the contractor offboarding workflow in ServiceNow to device assignment records in ITAM. This HRIS-to-ITSM offboarding trigger with discovery verification closed the gap between HR, IT, and the contracting agencies.
Results: Contractor Recovery Rate After 12 Months
In the 12 months following that implementation, our contractor laptop recovery rate improved from 66% to 91%. Devices that contractors did not return within 14 days triggered agency escalation, with a formal cost recovery process for unrecovered hardware. We removed two contracting agencies from our preferred vendor list after they failed to meet the return SLA three times.
| In Brief: How IT Discovery Improves Contractor Device Recovery at Offboarding IT discovery improves contractor device recovery by running a network presence check on all devices assigned to a contractor at the moment an offboarding event fires in HR. If the device is still authenticating to the network past the offboarding date, discovery triggers credential revocation and a return request, closing the gap between HR records and ITAM lifecycle status. |
What Category-Level Analysis Changed
The contractor laptop investigation prompted us to segment our full ITAM inventory by device category and run loss rate analysis across each one. We found two other categories with elevated loss rates that the aggregate number had hidden:
• Spare laptops in manager pools: 22% loss rate, primarily from informal lateral assignments not recorded in ITAM
• Peripherals assigned at employee home offices: 41% loss rate at offboarding, with most peripherals neither returned nor formally written off
Neither category had a discovery-backed return process. Both now do.
For ITAM teams that report on overall hardware loss rates without category segmentation, breaking the number down by device type and user category surfaces hidden loss patterns that aggregate loss rates obscure. The categories with the highest rates are often the ones with the least structured lifecycle process, and they rarely appear in aggregate numbers.
Frequently Asked Questions
What Recovery Rate Should IT Teams Target for Contractor Laptops?
Organizations with structured contractor offboarding processes typically achieve 90-95% hardware recovery rates, comparable to permanent employee rates. A recovery rate below 85% for any device category indicates a process gap rather than individual contractor behavior. Category-level benchmarking, separate from aggregate inventory loss rates, helps identify which categories need process improvement.
Why Don’t ITAM Systems Automatically Flag Devices After Offboarding?
Most ITAM systems track device assignment by employee record, not by network presence. They depend on manual updates or HR system triggers to reflect offboarding events. Unless you connect ITAM to discovery, identity management, and HR workflows in a single data model, the three systems operate independently and none of them can cross-reference offboarding status against active network authentication. serviceNow, Halo, Ivanti, Jira service management, Hornbill, Xurrent.
Can Contracting Agencies Be Held Financially Liable for Unreturned Hardware?
Yes, if the contracting agreement includes a hardware return SLA and a cost recovery clause. Organizations that have experienced significant contractor hardware loss should review their agency contracts. Consult your legal team on enforceability in your jurisdiction to ensure return obligations are explicitly defined, with financial penalties for non-compliance. Without contractual terms covering hardware return, you have limited cost recovery options beyond voluntary reimbursement.
What Belongs on a Contractor Device Offboarding Checklist?
A contractor device offboarding checklist should include: (1) HR offboarding event fires an ITSM ticket to IT; (2) IT runs a network presence check on all devices assigned to the contractor; (3) IT revokes active device credentials within 24 hours of offboarding; (4) IT sends a return shipping request directly to the contractor and their agency; (5) the ITAM record updates to ‘in transit’ or ‘recovered’ status. For contractors unresponsive after 14 days, include agency escalation and cost recovery initiation.
How Does Virima Help Identify Unreturned Contractor Devices?
Virima’s IT discovery runs network presence checks that surface active devices assigned to users whose HR records show an offboarding date. When discovery results match against ITAM assignment records and HR offboarding data, devices that should have returned but are still authenticating to the network appear as open lifecycle actions.
Which ITAM Metrics Should IT Teams Track Separately for Contractor Devices?
For contractor devices, track: assignment count by category, active network presence count, recovery rate at offboarding, days from offboarding to device return, and count of devices active on network post-offboarding date. These metrics, segmented by device category and contractor type, surface category-level loss patterns that aggregate inventory loss rates obscure. Virima’s discovery engine keeps these counts current without manual updates to the ITAM record.
| Get live, explainable runtime truth across your entire estate, without platform lock-in.Schedule a Demo |






