Automated Client Deployment in 10 Minutes
The Onboarding Agent eliminates the most labor-intensive phase of MSP work: setting up a new client. From the moment you create a new client account in Gridlock, the agent handles asset discovery, security baseline configuration, compliance pre-assessment, integration connections, and monitoring deployment — without your team manually configuring each step.
The process that once required 4-8 hours of technician time per client now completes in under 10 minutes. One MSP reported onboarding a 150-employee law firm in 8 minutes. Another runs 12 new client onboardings per month without adding headcount. The agent handles the tedious work; your team handles the relationship.
MSPs using the Onboarding Agent report an average of 6.2 hours saved per new client deployment. At $150/hour fully-loaded technician cost, that is $930 per onboarding. With 10 new clients per month, the agent pays for the entire Gridlock subscription more than three times over before the first month is out.
Every client onboarding follows the same six-step sequence. Each step runs automatically and takes between 30 seconds and 3 minutes. The overall process completes in under 10 minutes for most environments. You can watch the live progress from the onboarding panel in your dashboard.
The single most important input during onboarding is the industry vertical. The agent uses this to select a pre-built configuration profile that reflects the actual regulatory requirements, common threat patterns, and operational realities of that sector. Here is what changes based on the industry selected.
If the wrong industry was selected during onboarding, navigate to Dashboard → Client Settings → Organization Profile and update the industry field. The agent will automatically re-apply the correct configuration profile, update compliance framework mappings, and re-score the existing findings against the new framework. No data is lost.
Step 3 of onboarding — the first scan — is the most technically substantive phase. The agent deploys a lightweight connector to the client environment and runs a structured discovery sweep. Here is exactly what it looks for and what it captures.
| Asset Category | What Is Discovered | Data Captured |
|---|---|---|
| Endpoints (Windows/Mac/Linux) | All network-connected workstations and servers | Hostname, OS version, patch level, installed software, local users, open ports |
| Network Infrastructure | Routers, switches, firewalls, WAPs, NAS devices | Device type, firmware version, management interface exposure, SNMP configuration |
| Active Directory / Identity | AD domains, user accounts, groups, admin rights | User count, privileged account list, stale accounts, password policy settings |
| Cloud Services | Microsoft 365, Google Workspace, AWS, Azure, GCP | Connected tenant, admin users, MFA status, conditional access policies |
| SaaS Applications | Browser-detected or directory-detected apps in use | App name, data access scope, SSO status, shadow IT flagging |
| Mobile Devices (if MDM present) | Enrolled iOS and Android devices | OS version, encryption status, remote wipe capability, MDM compliance status |
| Backup Systems | Local and cloud backup solutions detected | Last successful backup timestamp, retention policy, offsite copy status |
The Onboarding Agent uses read-only credentials and network-level scanning for discovery. It does not make any configuration changes during this phase. For Active Directory discovery, a read-only service account with Domain Users membership is sufficient. No Domain Admin credentials are required or stored.
After discovery completes, the agent calculates the client's initial security baseline. This baseline serves as the reference point for all future measurements — every compliance score, health metric, and improvement percentage is calculated relative to where the client started on day one.
| Metric | Baseline Measurement | Industry Benchmark |
|---|---|---|
| Patch Compliance Rate | % of endpoints with critical patches applied within 30 days | Target: 95%+ |
| MFA Coverage | % of user accounts with MFA enrolled across all systems | Target: 100% |
| Admin Account Ratio | Privileged accounts as % of total user accounts | Target: under 5% |
| Endpoint Encryption | % of devices with full-disk encryption enabled | Target: 100% of mobile + laptops |
| Backup Recency | Hours since last successful backup across all critical systems | Target: under 24 hours |
| External Attack Surface | Count of externally reachable ports and services | Target: minimal; review anything beyond 80/443/VPN |
| Software Vulnerability Count | Open CVEs across all discovered software (by severity) | Target: 0 Critical, fewer than 5 High |
| Stale Account Count | User accounts with no login in the past 90 days | Target: 0 (disable or remove immediately) |
The baseline report is delivered as a PDF and a dashboard entry at the end of Step 4. It is automatically attached to the client's first QBR report as the "Day 1 State" reference. MSPs use this document extensively in renewal conversations to demonstrate concrete improvement over time.
During onboarding, the agent runs a pre-assessment against the compliance frameworks that are active for the client's industry profile. This is not a full audit — it is a rapid gap identification pass based on the data gathered in the discovery scan. The output tells you and the client exactly where the gaps are before any remediation work begins.
The onboarding pre-assessment evaluates controls that can be verified technically through the discovery scan: patch levels, encryption status, MFA enrollment, access control configuration, and network segmentation. It does not evaluate policy documents, staff training completion, or physical security — those require manual assessment through the Compliance Agent's full audit workflow.
| Framework | Controls Assessed During Onboarding | Full Assessment |
|---|---|---|
| HIPAA Security Rule | Access controls, encryption, audit logging, backup, device inventory | Via Compliance Agent full audit |
| NIST CSF | Identify (asset inventory), Protect (access controls, data security), Detect (monitoring) | Via Compliance Agent full audit |
| SOC 2 (Trust Services) | CC6 (logical access), CC7 (system operations), CC9 (risk mitigation) | Via Compliance Agent full audit |
| CIS Controls v8 | IG1 controls (Controls 1–6): inventory, software, data protection, configuration, account mgmt, access | Via Compliance Agent full audit |
| PCI-DSS (if applicable) | Cardholder data environment scope, network segmentation, default credential check | Via Compliance Agent full audit |
Pre-assessment scores appear in the client's Compliance dashboard within minutes of the onboarding completing. Scores are shown as a percentage of assessed controls that are currently passing. A score of 0% is common for a brand-new client — it means the gaps are identified and the remediation roadmap is ready to begin.
Step 5 connects Gridlock to the tools your MSP already uses. The agent auto-detects which platforms are present in the environment and walks through the connection process for each. All integrations use OAuth or API key authentication — no passwords are stored.
| Tool Category | Supported Platforms | Data Synced |
|---|---|---|
| RMM (Remote Monitoring) | NinjaRMM, Kaseya VSA, Datto RMM, Atera, ConnectWise Automate | Device inventory, patch status, agent health, alert history |
| PSA (Professional Services Automation) | ConnectWise Manage, Autotask, HaloPSA, ServiceNow MSP | Ticket creation and sync, contract data, SLA tracking, client contact list |
| Identity Management | Microsoft Entra ID (Azure AD), Okta, Google Workspace | User list, MFA enrollment, privileged roles, last login timestamps |
| Backup and DR | Datto BCDR, Veeam, Acronis, Axcient | Last backup success/failure, retention policy, recovery point objectives |
| Email Security | Microsoft Defender, Proofpoint, Mimecast, Barracuda | Threat quarantine events, phishing clicks, blocked sender stats |
| Endpoint Protection | Sentinel One, CrowdStrike, Malwarebytes, Webroot, Bitdefender | Detection events, quarantine actions, endpoint health score, version levels |
Every connected integration is monitored continuously after onboarding. If a sync fails, the connector goes stale, or API credentials expire, an alert fires to your team within 15 minutes. The Account Manager agent also factors integration health into the client's overall health score — a disconnected RMM is a gap in your visibility, and it shows up as such.
During onboarding Step 6, the agent prompts you to invite team members who should have access to the client's Gridlock environment. Invitations can be sent immediately or deferred until after the onboarding completes. Each invited user is assigned a role that controls what they can see and do.
| Role | Who Uses It | Access Level |
|---|---|---|
| Owner | Primary MSP account holder or senior partner | Full access to all clients, billing, agent configuration, and user management |
| Account Manager | Client-facing MSP staff or vCISO | All client data, QBR reports, communications; no billing access |
| Technician | Engineers, NOC staff, help desk | Assigned clients only; scan results, agent runs, threat data; no communications or billing |
| Compliance Analyst | Compliance officer or vCISO staff | Compliance dashboards and reports across all assigned clients; read-only elsewhere |
| Client Read-Only | Client-side IT manager or security officer | Their own organization's dashboard only; can view but not modify any settings |
Invited users receive an email with a secure setup link. The link expires after 48 hours. If a user does not accept within that window, you can resend the invitation from the Team Management panel in the dashboard. SSO login via Microsoft or Google is available for all roles on Pro and Ultimate plans.
The onboarding panel in your dashboard shows live progress for each active client onboarding. Each of the six steps displays a status indicator, a timestamp when it started, a timestamp when it completed, and any warnings or errors that arose during the step.
| Step Status | Meaning | Action Required |
|---|---|---|
| Complete | Step finished successfully with no issues | None — proceed to next step automatically |
| In Progress | Step is currently running | None — wait for completion (typical duration shown next to status) |
| Warning | Step completed with partial results or non-critical issues | Review warning details; onboarding continues but some data may be incomplete |
| Error | Step could not complete; onboarding paused at this step | See troubleshooting section below; fix the root cause and retry the step |
| Pending | Step queued, waiting for prior step to complete | None — will start automatically when prerequisites are met |
Most onboarding errors fall into a small set of categories. The following covers the most frequent issues and how to resolve them without contacting support.
The most common cause is a firewall blocking ICMP or the connector port (default: TCP 4422). Verify that the Gridlock connector is whitelisted on the client's firewall and endpoint protection software. If the environment uses a proxy, configure the proxy settings in Dashboard → Client Settings → Connector Configuration before retrying the scan.
If an integration fails to authenticate, the most common causes are: (1) API key has insufficient permissions — check that the Gridlock app has the required scopes listed in the integration's setup guide; (2) IP allowlist restriction on the third-party platform — add Gridlock's outbound IP ranges (listed in Dashboard → Settings → Network Info); (3) OAuth token expired mid-flow — clear the partial connection and re-authorize from scratch.
This typically means the service account used for AD discovery lacks read access to one or more OUs. The account needs Domain Users membership plus read access to the AD computer and user containers. It does not need and should not have Domain Admin rights. Review OU permissions in ADUC and re-run Step 3 after correcting access.
You do not need to restart the entire onboarding to fix a failed step. Navigate to the client's onboarding panel, click the failed step, review the error details, fix the underlying issue, and click Retry Step. All previously completed steps retain their results and do not re-run. Only the failed step (and any steps after it) will execute again.
| Symptom | Root Cause | Resolution |
|---|---|---|
| Connector install fails silently | Endpoint protection blocking the installer | Add Gridlock connector to AV/EDR exclusion list; re-run installer |
| Discovery finds fewer devices than expected | VLAN segmentation; connector only sees its own subnet | Deploy connectors on each VLAN or configure routing between subnets |
| Cloud tenant not discovered automatically | No Microsoft/Google integration connected yet | Connect the identity integration in Step 5, then re-run Step 3 |
| Compliance pre-assessment shows 0% for all frameworks | Discovery completed with insufficient data (connector permissions) | Verify connector has local admin rights on at least one endpoint; expand scope |
| Invitation email not received by team member | Spam filter or incorrect email address | Check spam; verify address; resend from Team Management panel |
| Onboarding shows complete but dashboard is empty | Data sync delay (can take up to 5 minutes to populate) | Wait 5 minutes and refresh; if still empty, check connector status in Settings |