Challenge: Software provisioning was manual, fragmented, and slow — long lead times, inconsistent approvals, poor license visibility, and compliance risk. Onboarding relied on manual software selection, risking missed role-critical apps or over-provisioned licenses.
What we did: Built a unified, policy-driven provisioning pipeline on ServiceNow integrated with Azure AD. Users request software on demand; onboarding auto-requests apps based on role mappings. A central automation engine enforces software-model-level approvals, evaluates license entitlement and availability through a decision matrix, and executes zero-touch deployment via Azure AD group membership — with graceful fallback to manual workflows, partial-success handling, and full audit trails.
Result: Fulfillment time dropped from 3–5 days to under 4 hours, vendor procurement touchpoints fell 80%+, and the pipeline delivered an estimated $150K–$250K in annual license cost avoidance across Microsoft 365 E3/E5, Adobe, and specialized tools — with consistent approval governance and a model that scales across onboarding and on-demand requests.
Challenge: License compliance and cost were slipping three ways at once: installations running without valid allocations (audit risk), installations never formally licensed (shadow and legacy software), and licenses sitting idle on inactive users (wasted spend). Manual identification was slow, inconsistent, and error-prone.
What we did: Built a daily, intelligent reclamation framework covering all three cases — unlicensed, unallocated, and usage-based (driven by SCCM usage data against configurable per-product thresholds). Before removing anything, the system first tries to recover or allocate an available license. When removal is needed, it routes automatically: Azure AD group-based zero-touch uninstall where a deployment group exists, or a manual task to the deployment team where it doesn't, with failure fallback. SCCM and the Service Graph Connector verify removal and auto-close candidates, and reclaimed licenses are released back to the available pool.
Result: An estimated $500K–$1M in annual license savings. Initial sweeps recovered hundreds of previously invisible licenses; steady state maintains continuous compliance, protecting against vendor audit penalties from Microsoft, Adobe, IBM, and Oracle — while leaving legitimate users undisrupted.
Challenge: Parts of the estate couldn't be reached reliably by agentless, credential-based Discovery — network segmentation, firewall restrictions, or missing credentials left blind spots in the CMDB. At the same time, monitoring was spread across fragmented tools with manual, per-host configuration that was slow to maintain and generated too much noise.
What we did: Deployed ServiceNow Agent Client Collector (ACC) — a lightweight agent on Windows, Linux, and macOS hosts, connected to the instance through a MID Web Server. ACC for Visibility provides agent-based, credential-less discovery that reaches hosts agentless Discovery can't, populating the CMDB with accurate process, connection, and configuration data. ACC for Monitoring runs policy-based checks with adaptive thresholds, generating events into Event Management and feeding metrics to ITOM Health. Policy-based log collection streams into Health Log Analytics for AI-driven anomaly detection. Everything is centrally policy-driven, so new agents inherit monitoring automatically with no per-host setup.
Result: Fewer CMDB blind spots, consolidated monitoring on one platform, and proactive detection through metrics and log analytics — with a lightweight, secure, centrally governed agent footprint that scales as the estate grows.
Challenge: Across a 3,000-device estate, end-of-life device return ran on email and manual chasing — devices averaged 2–3 months late coming back, unnecessary lease payments piled up, and a 5–7 person asset team burned most of its capacity on retrieval coordination. There was no auditable proof that retired devices had been securely wiped.
What we did: Replaced the email process with a scheduled CMDB job that detects end-of-life devices and triggers self-service user notification (drop-off or ship-out), while simultaneously creating tasks for logistics, asset, and IT security teams. Added manager escalation for non-responsive users and gave the asset team real-time pipeline visibility into every device due, in-flight, and pending clearance. Made data sanitization a mandatory documented gate before clearance — wipe method, tool version, pass/fail, technician ID, and timestamp permanently attached to the CI record.
Result: An estimated $100K–$125K in annual lease savings from eliminated late-return payments, 60%+ of the asset team's capacity recovered and redirected to higher-value work, and an auditable chain of custody from retrieval through verified data destruction for every retired device.
Challenge: A ~$7M annual software vendor portfolio of roughly 100 contracts was tracked manually — renewals crept up unnoticed and auto-renewed at list price, and there was no link between a contract ending and the software actually being removed from endpoints.
What we did: Brought the portfolio under automated governance — renewal reminders with escalating lead times, negotiation workflows pre-populated with prior contract financials for cost comparison, and automated PO creation on finalization. Then closed the loop to the endpoint: contract termination automatically sets the associated software models to Restricted, triggering the reclamation engine across all active installations, routing through Azure AD automated removal or manual task assignment, and closing candidates with verified audit notes once SCCM confirms removal.
Result: An estimated $255K–$395K in annual contract savings from proactive negotiation (15–25% rate improvements on contracts previously auto-renewing at list price), plus a termination-to-cleanup chain that completes within the same business day with no manual coordination.