Access Management

Device Management, SSO, and Asset Tracking: What Actually Works for a 2-Person IT Team

May 5, 2026
8 min read

Assets not deprovisioning properly and ex-employee accounts staying active are the two most common symptoms of the same root problem: provisioning and deprovisioning aren't triggered automatically by the employment event, so they depend on a human remembering to do them. For a 2-person IT team managing 200+ devices, the question isn't just which all-in-one platform is best — it's which architecture closes those specific gaps without requiring heavy custom configuration to maintain.

JumpCloud vs. Rippling IT: What the Thread Actually Says

The thread on this question generated a lot of opinions, and the honest picture is more nuanced than either vendor's positioning.

JumpCloud is consistently described as solid for tying device management, SSO, and user provisioning together for smaller organizations. Multiple commenters with hands-on experience at similar company sizes described it as reliable for provisioning and deprovisioning once the HRIS integration is set up cleanly, and smooth for offboarding when everything is linked. The setup time and IT expertise requirements are higher than Rippling's — one commenter flagged this as a potential burden for a leaner team — but for an IT-first team that wants control over identity and device management, it's a more natural fit than an HR-first platform.

Rippling IT received strong endorsements, including from a Rippling employee who was transparent about their affiliation. The genuine strengths: the tie to HR data makes provisioning and deprovisioning automatic; the MDM can automatically distribute devices, enforce security policies, and remotely lock or wipe them; and the dashboard consolidates devices, credentials, and IT tasks in one place. The consistent caveats from non-affiliated commenters: it's fundamentally HR-first, which can feel limiting when your primary need is device and identity control rather than HR workflow management, and the pricing structure penalizes organizations not already using Rippling's HR system — one commenter noted significant additional cost for IT features without the HR suite. For a company where HR is already considering Rippling as their HRIS, the IT add-on is a logical choice. For a company that isn't, the pricing calculus changes.

The Intune + Entra ID combination comes up repeatedly as the Microsoft-stack path — device management, SSO, conditional access, and user lifecycle management within the Microsoft ecosystem. For organizations already paying for M365, this is often the lowest incremental cost option. The trade-off is that it requires more configuration work to integrate with non-Microsoft HR systems and SaaS applications outside the M365 ecosystem.

JumpCloud + Kandji/Intune + a lightweight orchestration layer was described by one 2-person IT team as their working combination: JumpCloud for SSO, Kandji or Intune for device configuration, and a workflow tool added to handle the pieces that fell through the cracks. The observation was that offboarding "stopped slipping through the cracks" once the orchestration layer was in place — which points to the core issue more precisely than any individual tool choice.

n8n for automation and webhook-triggered provisioning came up from a commenter who pairs Cisco Duo for SSO with NinjaOne for inventory and n8n for provisioning and deprovisioning automation. This is the custom-build path — more flexible, more control, more maintenance.

Why Ex-Employee Accounts Stay Active (And Why All-in-One Platforms Don't Fully Solve It)

The ex-employee accounts problem is worth examining specifically, because it's the use case that most clearly shows the limits of the all-in-one platform framing.

JumpCloud can deprovision a user from SSO-connected applications when the account is disabled. Rippling IT can trigger deprovisioning when HR marks someone as terminated. The gap that neither fully closes on its own: the applications that aren't connected to SSO. Shadow IT tools that employees adopted without IT involvement. SaaS subscriptions that finance manages. Applications where the employee has separate credentials that were never federated through the identity provider.

The account that stays active after someone leaves is almost never the Slack account or the Google Workspace account — those are SSO-connected and get cut when the identity is disabled. The accounts that linger are the ones IT didn't know about. A tool adopted by one team on a free tier. A vendor portal with separate login credentials. A niche SaaS application that predates the SSO rollout. Discovering those at offboarding requires either a discovery mechanism that goes beyond SSO logs, or a periodic access review process that checks for accounts outside SSO coverage.

Zluri's discovery engine addresses this specifically by identifying application access through multiple sources: SSO logs, HRMS data, browser activity, and financial transaction data (which reveals SaaS subscriptions paid via expense reports or corporate cards). The offboarding workflow is populated from this complete access picture, not just what the identity provider knows about. That's the mechanism that closes the lingering-account gap rather than reducing it.
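The reconciliation the two paragraphs above describe, as an added example that is not Zluri's code or any vendor's implementation: access evidence from several sources (SSO logs, HRIS status, browser activity, expense data) is merged and compared against what the identity provider federates, so that a terminated employee's accounts in non-SSO applications surface as findings instead of lingering. All source names, field names and sample records are constructed for the example; a real deployment would replace the dictionaries with exports from the actual systems.

```python
"""Find accounts an SSO-only offboarding would miss by reconciling access
evidence from multiple sources against HRIS status and SSO coverage.
Illustrative code with constructed data; not a vendor's implementation."""
from dataclasses import dataclass, field

# Constructed HRIS export: employment status per user (assumed field names).
HRIS = {
    "alice@example.com": {"status": "active"},
    "bob@example.com": {"status": "terminated"},
    "carol@example.com": {"status": "active"},
}

# Constructed identity-provider view: which applications are federated via SSO.
SSO_APPS = {"slack", "google-workspace"}

# Constructed access evidence from sources beyond SSO logs.
# Each record is (source, user, app).
ACCESS_EVIDENCE = [
    ("sso_log", "alice@example.com", "slack"),
    ("sso_log", "bob@example.com", "slack"),          # cut when bob's identity is disabled
    ("browser", "bob@example.com", "trello"),         # free-tier tool adopted by one team
    ("expense", "bob@example.com", "vendor-portal"),  # paid via expense report, separate login
    ("browser", "carol@example.com", "trello"),
    ("expense", "alice@example.com", "figma"),
]


@dataclass
class Finding:
    user: str
    app: str
    sources: set = field(default_factory=set)
    reason: str = ""


def reconcile(hris, sso_apps, evidence):
    """Return (lingering, unfederated).

    lingering:   non-SSO accounts still held by users who are not active in HRIS;
                 these are the accounts that survive an SSO-only offboarding.
    unfederated: non-SSO accounts of active users; candidates to bring under
                 SSO or to include in a periodic access review.
    """
    by_user_app = {}
    for source, user, app in evidence:
        by_user_app.setdefault((user, app), set()).add(source)

    lingering, unfederated = [], []
    for (user, app), sources in sorted(by_user_app.items()):
        if app in sso_apps:
            continue  # federated: disabling the IdP identity covers it
        status = hris.get(user, {}).get("status", "unknown")
        finding = Finding(user, app, sources)
        if status != "active":
            finding.reason = f"user status '{status}' but still holds a non-SSO account"
            lingering.append(finding)
        else:
            finding.reason = "active user on a non-SSO app; bring under SSO or review access"
            unfederated.append(finding)
    return lingering, unfederated


def lingering_account_keys(hris=HRIS, sso_apps=SSO_APPS, evidence=ACCESS_EVIDENCE):
    """Convenience view: (user, app) pairs that need manual deprovisioning."""
    lingering, _ = reconcile(hris, sso_apps, evidence)
    return [(f.user, f.app) for f in lingering]


if __name__ == "__main__":
    lingering, unfederated = reconcile(HRIS, SSO_APPS, ACCESS_EVIDENCE)
    for f in lingering:
        print("LINGERING ", f.user, f.app, sorted(f.sources), "-", f.reason)
    for f in unfederated:
        print("UNFEDERATED", f.user, f.app, sorted(f.sources), "-", f.reason)
```

The two output lists map onto the two remediation paths in the text: lingering accounts go to the offboarding checklist for the current leaver, and unfederated apps of active users feed the SSO rollout backlog or the periodic access review, so the same gap does not reappear at the next departure.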

How an IGA Orchestration Layer Connects Your Existing Stack

The architecture that multiple experienced commenters in the thread arrived at independently — keep dedicated best-in-class tools for their specific functions and connect them through an orchestration layer — is worth explaining concretely.

JumpCloud handles SSO and cloud directory functions well. Kandji or Intune handles Apple or Windows device management at the depth that a generalist platform can't match. The gap between these tools and a clean, automatic provisioning and deprovisioning workflow is the integration layer: something that receives the HRIS hire or termination event and routes the appropriate actions to each downstream system without requiring a human to coordinate the sequence.

Zluri sits in that orchestration layer. When HR adds a new hire or marks a termination in the connected HRIS, Zluri detects the event and triggers playbooks that coordinate across JumpCloud (SSO group assignment), Kandji or Intune (device profile assignment and remote wipe at offboarding), and every SaaS application in the integration library — all within the same automated sequence. The 2-person IT team doesn't receive a provisioning ticket; the workflow runs automatically.

For asset and device management specifically, Zluri's MDM integrations fetch device-to-user mappings so the asset inventory reflects current assignment. At offboarding, the same playbook that disables the JumpCloud account and revokes SaaS access also triggers the MDM to delete the device account and initiate remote wipe. Device deprovisioning happens as part of the same event-driven workflow as access deprovisioning, rather than as a separate manual step.
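The event-driven offboarding sequence described in the preceding paragraphs, as an added example that is not Zluri's, JumpCloud's or any MDM vendor's code: a signed HRIS termination webhook is verified, de-duplicated, and then fanned out to the SSO directory, the MDM (using its device-to-user mapping) and the non-federated SaaS applications in one run, with every step's outcome written to an audit record so a failed step becomes a tracked item rather than a forgotten one. The connector classes, the HMAC-signed webhook format, the shared secret and the sample event are all constructed for the example and stand in for real integrations.

```python
"""HRIS-event-driven offboarding playbook with webhook verification,
replay protection and per-step audit. Illustrative only; the connectors
are constructed stand-ins, not any vendor's API."""
import hashlib
import hmac
import json

# Assumption: the HRIS signs each webhook body with HMAC-SHA256 over a shared secret.
WEBHOOK_SECRET = b"constructed-shared-secret"


def verify_signature(raw_body: bytes, header_sig: str) -> bool:
    """Accept only events that carry a valid HRIS signature (constant-time compare)."""
    expected = hmac.new(WEBHOOK_SECRET, raw_body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header_sig)


class FakeSSO:
    """Stand-in for the cloud directory / SSO provider connector."""
    def __init__(self):
        self.disabled = set()
        self.groups = {"bob@example.com": {"engineering", "vpn-users"}}

    def disable_user(self, user):
        self.disabled.add(user)
        self.groups[user] = set()  # group removal revokes SSO app access


class FakeMDM:
    """Stand-in for the MDM connector; holds the device-to-user mapping."""
    def __init__(self):
        self.device_owner = {"MBP-0042": "bob@example.com"}
        self.wiped = set()

    def devices_for(self, user):
        return [d for d, owner in self.device_owner.items() if owner == user]

    def wipe_and_unassign(self, device):
        self.wiped.add(device)
        self.device_owner.pop(device)  # inventory now shows the device unassigned


class FakeSaaS:
    """Stand-in for a SaaS app with its own credentials (not federated)."""
    def __init__(self, name, users, fail=False):
        self.name, self.users, self.fail = name, set(users), fail

    def revoke(self, user):
        if self.fail:
            raise RuntimeError("API timeout")  # simulate a downstream failure
        self.users.discard(user)


def offboard(event, sso, mdm, saas_apps, audit):
    """Run every deprovisioning step for one termination event; record each outcome."""
    user = event["employee_email"]
    steps = [("sso.disable", lambda: sso.disable_user(user))]
    for dev in mdm.devices_for(user):
        steps.append((f"mdm.wipe:{dev}", lambda dev=dev: mdm.wipe_and_unassign(dev)))
    for app in saas_apps:
        if user in app.users:
            steps.append((f"saas.revoke:{app.name}", lambda app=app: app.revoke(user)))

    results = {}
    for name, action in steps:
        try:
            action()
            results[name] = "ok"
        except Exception as exc:  # a failure is recorded, never silently dropped
            results[name] = f"failed: {exc}"
        audit.append({"event_id": event["id"], "user": user, "step": name, "result": results[name]})
    return results


def handle_webhook(raw_body, signature, sso, mdm, saas_apps, audit, seen_ids):
    """Entry point for the HRIS webhook: authenticate, de-duplicate, dispatch."""
    if not verify_signature(raw_body, signature):
        return {"error": "bad signature"}
    event = json.loads(raw_body)
    if event["id"] in seen_ids:
        return {"skipped": "duplicate"}  # HRIS retries must not re-run the playbook
    seen_ids.add(event["id"])
    if event["type"] != "employee.terminated":
        return {"ignored": event["type"]}
    return offboard(event, sso, mdm, saas_apps, audit)


def run_demo():
    """Drive the playbook with a constructed termination event, a retry and a forgery."""
    sso, mdm = FakeSSO(), FakeMDM()
    apps = [FakeSaaS("vendor-portal", ["bob@example.com"]),
            FakeSaaS("legacy-crm", ["bob@example.com"], fail=True)]
    audit, seen = [], set()
    body = json.dumps({"id": "evt-1001", "type": "employee.terminated",
                       "employee_email": "bob@example.com"}).encode()
    sig = hmac.new(WEBHOOK_SECRET, body, hashlib.sha256).hexdigest()
    first = handle_webhook(body, sig, sso, mdm, apps, audit, seen)
    replay = handle_webhook(body, sig, sso, mdm, apps, audit, seen)
    forged = handle_webhook(body, "0" * 64, sso, mdm, apps, audit, seen)
    return first, replay, forged, audit, sso, mdm


if __name__ == "__main__":
    first, replay, forged, audit, _, _ = run_demo()
    print("first run:", first)
    print("replay:", replay, "| forged:", forged)
    for row in audit:
        print(row)
```

Three properties matter here more than the connector details: the trigger is the HRIS event itself, so nothing waits on a human opening a ticket; device wipe is derived from the MDM's device-to-user mapping inside the same run as the identity disable; and a downstream failure (the simulated `legacy-crm` timeout) lands in the audit trail as a failed step that can be alerted on and retried, which is exactly the item that otherwise "slips through the cracks".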

For the "no heavy custom configuration" requirement: the integration connections require initial setup, and the automation rules and playbooks require configuration for each role and application. That's not the same as writing and maintaining custom scripts. Configuration in a visual, no-code interface is maintainable by any IT admin; custom automation scripts require the person who wrote them to be available when something breaks.

What to Evaluate Before Consolidating

Given that the department head wants to streamline, a few specific questions worth answering before committing to a platform:

What's the identity architecture? Is the current setup cloud-directory-first (JumpCloud or Entra ID), or hybrid with on-prem AD? The answer determines which platforms integrate cleanly and which require additional agents or configuration.

Is HR on board as the provisioning trigger? For automatic provisioning and deprovisioning to work, the HRIS event has to be reliable. If HR is still sending email notifications rather than maintaining a structured HRIS with API access, the automation has no reliable trigger regardless of which platform handles the downstream execution.

What's the deprovisioning scope? If the goal is just to stop ex-employee accounts from lingering in SSO-connected apps, JumpCloud or Rippling with good HRIS integration solves that. If the goal is comprehensive coverage including shadow IT and non-SSO applications, a discovery-based approach is required.

What's the actual device management depth needed? For 200 devices that are primarily Apple, Kandji's depth outclasses any generalist platform's MDM. For primarily Windows, Intune with Autopilot covers most scenarios. For mixed environments, the all-in-one MDM story weakens compared to purpose-built tools.

Frequently Asked Questions

What is the best all-in-one platform for device management, SSO, and asset tracking for a small IT team?

JumpCloud and Rippling IT are the most commonly recommended for sub-500-person environments. JumpCloud is better suited for IT-first teams that want control over identity and device management. Rippling IT is stronger when HR is already using Rippling, making provisioning automatic from the employee record. Intune + Entra ID is the Microsoft-stack path. For teams that want to keep best-in-class tools connected, an IGA orchestration layer like Zluri coordinates provisioning and deprovisioning across existing tools.

Why do ex-employee accounts stay active after offboarding?

Usually because deprovisioning depended on a manual step that got missed, or because the account was in an application outside SSO coverage that IT didn't know about. SSO-connected apps deprovision when the identity is disabled. Non-SSO apps with separate credentials require either a discovery mechanism to identify them or a manual checklist that depends on someone knowing they exist.

How do you fix deprovisioning gaps without replacing your entire IT stack?

An orchestration layer that sits above your existing tools — receiving the HRIS termination event and routing deprovisioning actions to your SSO provider, MDM, and SaaS applications — closes the gap without replacing JumpCloud, Kandji, or Intune. The key is that the trigger comes from the HRIS employment event, not from a human remembering to initiate offboarding.

Is JumpCloud or Rippling better for a 200-device environment?

JumpCloud tends to be preferred by IT-focused teams that aren't using Rippling's HR product, because it's designed around directory and device management rather than HR workflows. Rippling IT is more compelling when HR is already on the platform — the automatic tie between HR data and IT provisioning is the core value. Pricing is a meaningful factor: Rippling IT costs significantly more for IT-only usage without the HR suite.

How do you manage asset tracking alongside user provisioning without a separate tool?

MDM integrations that fetch device-to-user mappings — and update them automatically at provisioning and deprovisioning events — handle asset tracking as a byproduct of the identity lifecycle rather than as a separate manual process. Platforms like Zluri that integrate with Kandji, Intune, and Jamf can surface current device assignments alongside user access data in the same dashboard.

See How Zluri Connects JumpCloud, Intune, or Kandji Into One Provisioning Workflow

Most 2-person IT teams managing 200+ devices find that the deprovisioning gap is smaller in their SSO stack than in the applications outside it. See how Zluri's discovery engine identifies the full access picture and coordinates deprovisioning across your existing tools — including the shadow IT that SSO logs don't capture.