Summary. Keep every laptop and desktop secure and up-to-date—without slowing people down. We manage patching, endpoint protection policy, and device health so your team can focus on work. Clear KPIs and monthly reporting included, with options for after-hours support and device care add-ons.
Who it's for. NZ SMEs running Windows and/or macOS, especially those without a full-time IT team or who’ve had near-miss incidents (malware, phishing). Fits businesses wanting consistent patching and EDR policy hygiene.
Business Outcomes
- Higher security baseline with timely OS and app patches (reduced vulnerability window)
- Endpoint protection policies managed and monitored; improved detection and response
- Fewer disruptions from ad-hoc break-fix; clear KPIs and monthly insights for leadership
- Better user experience from predictable maintenance windows and fewer surprises
What’s Included
| Scope | Description |
|---|
| Core Inclusions |
- Patching & updates (OS + common apps) with compliance tracking and exception handling
- EDR/AV policy management; alert triage and tuning (licenses are pass-through at vendor MSRP)
- Device health checks, disk status where available, and baseline posture verification
- Remote support during business hours per SLA; escalation to L3/L4 as required
- Monthly report with patch KPIs, coverage, exceptions, and the actions we’ll take next month
- Disk encryption posture (BitLocker/FileVault) monitoring + exceptions workflow
- Local admin/LAPS policy and elevation controls (at least policy hygiene)
- MDM/RMM enrolment baseline and re-enrolment handling
- App catalogue scope (e.g., MS 365 apps + common third-party like browsers, Zoom, Adobe Reader)
- Non-compliant device handling (quarantine/notify/escalate)
|
| Optional Add‑Ons |
- After-hours support or 24×7 P1 coverage (per Annex)
- Server & firewall device care (per device, see Annex for rates)
- EDR rollout and uplift pilots for under-protected devices
|
Onboarding & Steady‑State
Note: timelines depend on fleet size and current tooling.
| Phase | Activities | Deliverables | Indicative Duration |
|---|
| 01 — Baseline |
- Assessment (Lite/Standard/Plus) and initial device inventory
- Policy import/review; confirm maintenance windows
- Authoritative asset source agreed (Intune/RMM/CMDB)
|
- Onboarding plan, RACI, first patch window and EDR policy set
- Exceptions register with expiry and owners
- Rollback tested
- Comms template for user-impacting changes
- Encryption & EDR coverage snapshot recorded
|
0.5–1 week |
| 02 — Stabilise |
- Roll out patching rings; EDR policy tuning; alert triage playbook
- Exceptions log created and ownership agreed
- Monthly CAB-ready change notes
- KPI review (patch %, EDR coverage, MTTR)
- Exception ageing & closure
|
- Stable patch and EDR cadence, dashboards and KPIs live
|
1–2 weeks |
| 03 — Operate |
- Monthly reporting; continuous improvements; optional after-hours
|
- Monthly report, KPI review, next-month actions
|
Ongoing |
Service Levels (Summary)
| Plan | Coverage | Response / Restore | Governance |
|---|
| Bronze |
Business hours (Mon–Fri 08:00–17:00 NZT, except Public Holidays) |
P1: 2h / NBD • P2: 4h / 2BD |
Email support • Change log • Monthly summary |
| Silver |
Extended hours (Mon–Fri 07:00–19:00 NZT, except Public Holidays) |
P1: 1h / Same day • P2: 2h / NBD |
Weekly check‑in • Findings register • Exceptions log |
| Gold |
Business + after‑hours (24×7 P1 only) |
P1: 30m / ASAP • P2: 1h / Same day |
Executive summary • CAB-ready change notes • Roadmap alignment |
Success Criteria (from our perspective)
- Patch compliance ≥ 95% across managed devices
- EDR agent coverage 100% of in-scope devices
- Mean time to respond within SLA (per tier)
- KPI exceptions trend down month-on-month
Targets: Patch ≥ 95%, EDR coverage 100%, P1 within SLA
Prerequisites
- Admin access (tenant/RMM/MDM) and allow-listing for remote tooling
- Endpoint management tooling available (e.g., Intune/RMM) or agreeable to deploy
- EDR licensing in place (or to be procured at vendor MSRP)
- Maintenance windows (NZT) confirmed (and after-hours policy if Gold)
Assumptions
- Corporate-managed devices in scope; BYOD covered on best-effort unless separately contracted
- Low-risk, scheduled maintenance windows with rollback available for policy changes
- Customer approves standard change practices (CAB as needed for Gold)
Out of Scope
- Major endpoint tooling changes or migrations (separate project or pilot)
- Custom scripting beyond standard patterns without a change request
- EDR licensing costs (pass-through) and new vendor procurement
- Imaging/hardware break-fix, OS migrations and unsupported/EOL OS remediation (project or pilot)
