Getting Started
Quick Start Architecture
AI Agents
MSP Hunter Threat Researcher Tech Support Compliance Agent Account Manager Onboarding Agent
Compliance
HIPAA SOC 2 PCI-DSS NIST
Guides
First 30 Days Scaling
API
Overview Endpoints

Onboarding Agent

Automated Client Deployment in 10 Minutes

What It Does

The Onboarding Agent eliminates the most labor-intensive phase of MSP work: setting up a new client. From the moment you create a new client account in Gridlock, the agent handles asset discovery, security baseline configuration, compliance pre-assessment, integration connections, and monitoring deployment — without your team manually configuring each step.

The process that once required 4-8 hours of technician time per client now completes in under 10 minutes. One MSP reported onboarding a 150-employee law firm in 8 minutes. Another runs 12 new client onboardings per month without adding headcount. The agent handles the tedious work; your team handles the relationship.

Time Savings in Practice

MSPs using the Onboarding Agent report an average of 6.2 hours saved per new client deployment. At $150/hour fully-loaded technician cost, that is $930 per onboarding. With 10 new clients per month, the agent pays for the entire Gridlock subscription more than three times over before the first month is out.

The 6-Step Onboarding Flow

Every client onboarding follows the same six-step sequence. Each step runs automatically and takes between 30 seconds and 3 minutes. The overall process completes in under 10 minutes for most environments. You can watch the live progress from the onboarding panel in your dashboard.

1
Welcome & Organization Profile
~45 seconds
The agent creates the client's organization profile in Gridlock, capturing the company name, industry vertical, team size range, and geographic region. These four inputs are the seed for all downstream configuration decisions — the agent uses them to select the appropriate default security policies, compliance frameworks, and threat intelligence feeds. No further manual input is required after this step.
2
Organization Setup & Smart Defaults
~1 minute
Based on the industry and team size provided in Step 1, the agent applies a pre-tuned configuration profile. Healthcare organizations get HIPAA-first defaults; financial firms get FTC Safeguards-aligned policies; legal practices get data confidentiality-focused rules. Scan frequency, alert thresholds, and agent activation order are all set automatically. Every setting can be overridden after onboarding, but the defaults are production-ready for most environments without any adjustment.
3
First Scan — Asset Discovery
~3 minutes
The agent performs its initial network and endpoint discovery sweep. It enumerates devices, maps open ports, identifies operating system versions, catalogs installed software, and builds the initial asset inventory. For cloud-connected environments, it also discovers SaaS applications in use and maps data flow between services. At the end of this step, the client has a complete, searchable asset inventory that would have previously taken a technician half a day to build manually.
4
Results Dashboard — Initial Findings
~1 minute
The agent analyzes the scan data and generates the client's first security findings report. Findings are categorized by severity (Critical, High, Medium, Low, Informational) and mapped to specific assets. Each finding includes a plain-language description, the affected asset, a risk explanation, and a recommended remediation step. This report becomes the foundation of the client's security posture baseline — the "before" picture against which all future progress is measured.
5
Connect Integrations
~2 minutes
The agent detects which RMM and PSA tools are in use in the environment and presents the available connectors. For each detected tool, it auto-populates the connection fields where possible and walks through the authorization flow. ConnectWise, Datto, NinjaRMM, Kaseya, Autotask, and HaloPSA are supported out of the box. After connections are established, the agent performs a sync test and confirms bidirectional data flow before proceeding.
6
You're Protected — Shield Activation
~30 seconds
The agent activates all configured monitoring services, enables real-time threat detection, schedules recurring agent runs based on the configuration profile, and sends the client's primary contact a "your organization is now protected" welcome email. The client's dashboard populates with live data, the threat counter starts, and the Account Manager agent begins tracking the health score from day one. Onboarding is complete.

Industry-Specific Smart Defaults

The single most important input during onboarding is the industry vertical. The agent uses this to select a pre-built configuration profile that reflects the actual regulatory requirements, common threat patterns, and operational realities of that sector. Here is what changes based on the industry selected.

Healthcare

  • HIPAA framework pre-loaded
  • PHI data classification rules active
  • Medical device asset tagging enabled
  • Breach notification workflow configured
  • EHR system integrations prioritized
  • HITECH audit log requirements enforced

Financial Services

  • FTC Safeguards Rule defaults
  • SOC 2 Type II framework pre-loaded
  • PCI-DSS scope detection enabled
  • Encryption-at-rest verification active
  • Access control audit rules enforced
  • Financial data classification active

Legal

  • Attorney-client privilege data rules
  • Matter file access tracking enabled
  • Strict data exfiltration alerts
  • Third-party sharing restriction alerts
  • Bar association guidelines mapped
  • eDiscovery retention policy defaults

Manufacturing

  • OT/IT network segmentation scanning
  • SCADA and ICS device tagging
  • NIST Cybersecurity Framework pre-loaded
  • Supply chain risk monitoring active
  • Ransomware-specific detection rules
  • Production system isolation policies

Education

  • FERPA data classification active
  • Student record access monitoring
  • BYOD device policy enforcement
  • Learning management system connectors
  • Elevated phishing sensitivity (staff)
  • Guest network segmentation rules

Professional Services

  • Cyber insurance compliance checks
  • Client data compartmentalization
  • Remote work security defaults
  • Cloud-first asset detection
  • SaaS application audit rules
  • Vendor access monitoring active
Changing the Industry After Onboarding

If the wrong industry was selected during onboarding, navigate to Dashboard → Client Settings → Organization Profile and update the industry field. The agent will automatically re-apply the correct configuration profile, update compliance framework mappings, and re-score the existing findings against the new framework. No data is lost.

Asset Discovery Phase

Step 3 of onboarding — the first scan — is the most technically substantive phase. The agent deploys a lightweight connector to the client environment and runs a structured discovery sweep. Here is exactly what it looks for and what it captures.

Asset Category What Is Discovered Data Captured
Endpoints (Windows/Mac/Linux) All network-connected workstations and servers Hostname, OS version, patch level, installed software, local users, open ports
Network Infrastructure Routers, switches, firewalls, WAPs, NAS devices Device type, firmware version, management interface exposure, SNMP configuration
Active Directory / Identity AD domains, user accounts, groups, admin rights User count, privileged account list, stale accounts, password policy settings
Cloud Services Microsoft 365, Google Workspace, AWS, Azure, GCP Connected tenant, admin users, MFA status, conditional access policies
SaaS Applications Browser-detected or directory-detected apps in use App name, data access scope, SSO status, shadow IT flagging
Mobile Devices (if MDM present) Enrolled iOS and Android devices OS version, encryption status, remote wipe capability, MDM compliance status
Backup Systems Local and cloud backup solutions detected Last successful backup timestamp, retention policy, offsite copy status
Discovery Scope and Credentials

The Onboarding Agent uses read-only credentials and network-level scanning for discovery. It does not make any configuration changes during this phase. For Active Directory discovery, a read-only service account with Domain Users membership is sufficient. No Domain Admin credentials are required or stored.

Security Baseline Establishment

After discovery completes, the agent calculates the client's initial security baseline. This baseline serves as the reference point for all future measurements — every compliance score, health metric, and improvement percentage is calculated relative to where the client started on day one.

Baseline Metrics Captured at Onboarding

Metric Baseline Measurement Industry Benchmark
Patch Compliance Rate % of endpoints with critical patches applied within 30 days Target: 95%+
MFA Coverage % of user accounts with MFA enrolled across all systems Target: 100%
Admin Account Ratio Privileged accounts as % of total user accounts Target: under 5%
Endpoint Encryption % of devices with full-disk encryption enabled Target: 100% of mobile + laptops
Backup Recency Hours since last successful backup across all critical systems Target: under 24 hours
External Attack Surface Count of externally reachable ports and services Target: minimal; review anything beyond 80/443/VPN
Software Vulnerability Count Open CVEs across all discovered software (by severity) Target: 0 Critical, fewer than 5 High
Stale Account Count User accounts with no login in the past 90 days Target: 0 (disable or remove immediately)

The baseline report is delivered as a PDF and a dashboard entry at the end of Step 4. It is automatically attached to the client's first QBR report as the "Day 1 State" reference. MSPs use this document extensively in renewal conversations to demonstrate concrete improvement over time.

Compliance Framework Pre-Assessment

During onboarding, the agent runs a pre-assessment against the compliance frameworks that are active for the client's industry profile. This is not a full audit — it is a rapid gap identification pass based on the data gathered in the discovery scan. The output tells you and the client exactly where the gaps are before any remediation work begins.

What Pre-Assessment Covers vs. What It Does Not

The onboarding pre-assessment evaluates controls that can be verified technically through the discovery scan: patch levels, encryption status, MFA enrollment, access control configuration, and network segmentation. It does not evaluate policy documents, staff training completion, or physical security — those require manual assessment through the Compliance Agent's full audit workflow.

Framework Controls Assessed During Onboarding Full Assessment
HIPAA Security Rule Access controls, encryption, audit logging, backup, device inventory Via Compliance Agent full audit
NIST CSF Identify (asset inventory), Protect (access controls, data security), Detect (monitoring) Via Compliance Agent full audit
SOC 2 (Trust Services) CC6 (logical access), CC7 (system operations), CC9 (risk mitigation) Via Compliance Agent full audit
CIS Controls v8 IG1 controls (Controls 1–6): inventory, software, data protection, configuration, account mgmt, access Via Compliance Agent full audit
PCI-DSS (if applicable) Cardholder data environment scope, network segmentation, default credential check Via Compliance Agent full audit

Pre-assessment scores appear in the client's Compliance dashboard within minutes of the onboarding completing. Scores are shown as a percentage of assessed controls that are currently passing. A score of 0% is common for a brand-new client — it means the gaps are identified and the remediation roadmap is ready to begin.

Integration Setup During Onboarding

Step 5 connects Gridlock to the tools your MSP already uses. The agent auto-detects which platforms are present in the environment and walks through the connection process for each. All integrations use OAuth or API key authentication — no passwords are stored.

Tool Category Supported Platforms Data Synced
RMM (Remote Monitoring) NinjaRMM, Kaseya VSA, Datto RMM, Atera, ConnectWise Automate Device inventory, patch status, agent health, alert history
PSA (Professional Services Automation) ConnectWise Manage, Autotask, HaloPSA, ServiceNow MSP Ticket creation and sync, contract data, SLA tracking, client contact list
Identity Management Microsoft Entra ID (Azure AD), Okta, Google Workspace User list, MFA enrollment, privileged roles, last login timestamps
Backup and DR Datto BCDR, Veeam, Acronis, Axcient Last backup success/failure, retention policy, recovery point objectives
Email Security Microsoft Defender, Proofpoint, Mimecast, Barracuda Threat quarantine events, phishing clicks, blocked sender stats
Endpoint Protection Sentinel One, CrowdStrike, Malwarebytes, Webroot, Bitdefender Detection events, quarantine actions, endpoint health score, version levels
Integration Health Monitoring

Every connected integration is monitored continuously after onboarding. If a sync fails, the connector goes stale, or API credentials expire, an alert fires to your team within 15 minutes. The Account Manager agent also factors integration health into the client's overall health score — a disconnected RMM is a gap in your visibility, and it shows up as such.

Team Member Invitation Flow

During onboarding Step 6, the agent prompts you to invite team members who should have access to the client's Gridlock environment. Invitations can be sent immediately or deferred until after the onboarding completes. Each invited user is assigned a role that controls what they can see and do.

Role Who Uses It Access Level
Owner Primary MSP account holder or senior partner Full access to all clients, billing, agent configuration, and user management
Account Manager Client-facing MSP staff or vCISO All client data, QBR reports, communications; no billing access
Technician Engineers, NOC staff, help desk Assigned clients only; scan results, agent runs, threat data; no communications or billing
Compliance Analyst Compliance officer or vCISO staff Compliance dashboards and reports across all assigned clients; read-only elsewhere
Client Read-Only Client-side IT manager or security officer Their own organization's dashboard only; can view but not modify any settings

Invited users receive an email with a secure setup link. The link expires after 48 hours. If a user does not accept within that window, you can resend the invitation from the Team Management panel in the dashboard. SSO login via Microsoft or Google is available for all roles on Pro and Ultimate plans.

Onboarding Progress Tracking

The onboarding panel in your dashboard shows live progress for each active client onboarding. Each of the six steps displays a status indicator, a timestamp when it started, a timestamp when it completed, and any warnings or errors that arose during the step.

Step Status Meaning Action Required
Complete Step finished successfully with no issues None — proceed to next step automatically
In Progress Step is currently running None — wait for completion (typical duration shown next to status)
Warning Step completed with partial results or non-critical issues Review warning details; onboarding continues but some data may be incomplete
Error Step could not complete; onboarding paused at this step See troubleshooting section below; fix the root cause and retry the step
Pending Step queued, waiting for prior step to complete None — will start automatically when prerequisites are met

Troubleshooting Common Onboarding Issues

Most onboarding errors fall into a small set of categories. The following covers the most frequent issues and how to resolve them without contacting support.

Step 3 Hangs or Times Out (Asset Discovery)

The most common cause is a firewall blocking ICMP or the connector port (default: TCP 4422). Verify that the Gridlock connector is whitelisted on the client's firewall and endpoint protection software. If the environment uses a proxy, configure the proxy settings in Dashboard → Client Settings → Connector Configuration before retrying the scan.

Step 5 Integration Auth Failure

If an integration fails to authenticate, the most common causes are: (1) API key has insufficient permissions — check that the Gridlock app has the required scopes listed in the integration's setup guide; (2) IP allowlist restriction on the third-party platform — add Gridlock's outbound IP ranges (listed in Dashboard → Settings → Network Info); (3) OAuth token expired mid-flow — clear the partial connection and re-authorize from scratch.

Active Directory Discovery Returns Incomplete Results

This typically means the service account used for AD discovery lacks read access to one or more OUs. The account needs Domain Users membership plus read access to the AD computer and user containers. It does not need and should not have Domain Admin rights. Review OU permissions in ADUC and re-run Step 3 after correcting access.

Retrying Individual Steps

You do not need to restart the entire onboarding to fix a failed step. Navigate to the client's onboarding panel, click the failed step, review the error details, fix the underlying issue, and click Retry Step. All previously completed steps retain their results and do not re-run. Only the failed step (and any steps after it) will execute again.

Complete Troubleshooting Reference

Symptom Root Cause Resolution
Connector install fails silently Endpoint protection blocking the installer Add Gridlock connector to AV/EDR exclusion list; re-run installer
Discovery finds fewer devices than expected VLAN segmentation; connector only sees its own subnet Deploy connectors on each VLAN or configure routing between subnets
Cloud tenant not discovered automatically No Microsoft/Google integration connected yet Connect the identity integration in Step 5, then re-run Step 3
Compliance pre-assessment shows 0% for all frameworks Discovery completed with insufficient data (connector permissions) Verify connector has local admin rights on at least one endpoint; expand scope
Invitation email not received by team member Spam filter or incorrect email address Check spam; verify address; resend from Team Management panel
Onboarding shows complete but dashboard is empty Data sync delay (can take up to 5 minutes to populate) Wait 5 minutes and refresh; if still empty, check connector status in Settings

Frequently Asked Questions

Does the Onboarding Agent make any changes to the client environment?

No. The Onboarding Agent is entirely read-only during the discovery and assessment phases. It installs a lightweight connector that reads data and sends it to Gridlock, but it does not modify firewall rules, group policies, user accounts, or any other configuration on the client's systems. The only write operation during onboarding is creating the client's record in Gridlock itself.

Can the client see the onboarding progress?

Yes, if you share access. By default, onboarding progress is visible only to your MSP team. You can invite a client-side contact with the Client Read-Only role at any time during onboarding and they will see a simplified progress view that shows which steps have completed without exposing internal technical details. Many MSPs share this view during the initial client kickoff call as a live demonstration of Gridlock's capabilities.

What happens if onboarding is interrupted mid-way?

Onboarding is checkpoint-based. Any step that completed successfully before the interruption does not re-run. If the agent loses connectivity mid-step, it waits up to 30 minutes for reconnection before marking the step as failed and pausing. When the connection is restored (or when you click Retry Step), the step resumes from the last successful checkpoint within that step, not from the beginning of it.

How do I re-run onboarding for an existing client?

Navigate to the client's account page and select Actions → Re-run Onboarding. You can choose to re-run all steps (full re-onboarding) or only specific steps. A full re-run is useful after a major infrastructure change, an acquisition, or when onboarding a branch office. A partial re-run is useful when you add a new integration or want to refresh the asset inventory without resetting other configuration.

Which plan includes the Onboarding Agent?

The Onboarding Agent is included on all plans. The Starter plan ($149/month) includes onboarding for up to 5 clients. Pro ($299/month) supports up to 25 clients. Ultimate ($499/month) is unlimited. The industry-specific smart defaults and compliance pre-assessment features are available on Pro and Ultimate. Starter uses the general-purpose default configuration profile.