Get Started
MANAGED IT SERVICES SINCE 2001

Managed IT Services
for the stack modern businesses run.
One team. Direct line. No tickets.

Microsoft 365, Google Workspace, Bitdefender, Exclaimer, DMARC, and MDM: set up, configured, and supported by the same people who answer the phone.

Book a Discovery Call → See What We Cover
Managed IT Services
25yrs
In Business (Since 2001)
< 1hr
Remote Support Response
95%
Issues Resolved Remotely
R0
Travel Callout Fees
The platforms we set up, configure, and support
Microsoft 365
CSP Partner
Google Workspace
Reseller Partner
Bitdefender
GravityZone Partner
Exclaimer
Signatures Partner
DMARC
Email Auth Specialist
MDM
Intune & Hexnode
M365 CSP & GWS reseller
In business since 2001
Independent, vendor-neutral advice
Direct line to the engineer who did the work
No call centres, no ticketing portal
The problem with fragmented IT support

Six platforms.
Six vendors.
Nobody owns the gaps.

6
Critical IT platforms the average SA SME runs, each potentially managed by a different person or vendor
91%
Of security breaches involve the human element, staff using platforms they were never properly trained on
9 in 10
SMB break-glass accounts fail when tested, the recovery path exists on paper only
Book a 60-Minute Discovery Call → No slide deck. Written follow-up within two business days.
What we set up, configure and support

Six platforms. One team. Direct access.

OSH manages the full stack that modern businesses run on. Setup is only the start; we stay on after go-live.

Microsoft 365

Exchange Online, Teams, SharePoint, Intune: deployed and kept working

We've been deploying M365 since the platform launched as Office 365. Initial setup is straightforward. The ongoing work (licence right-sizing, Conditional Access, MFA enforcement, Secure Score improvement, Defender configuration, mailbox migrations) is where most tenants are under-served.

We handle tenant setup, on-premises Exchange migrations (zero lost mail, contractually guaranteed), Teams governance, SharePoint structure, OneDrive policies, and Microsoft Intune device enrolment. Monthly licence reviews catch over-spend. Quarterly posture checks catch configuration drift.

Microsoft 365 services →
Google Workspace

Admin console, Gmail, Drive, GAM7: set up right and managed properly

Workspace is often chosen for its simplicity. The admin layer is anything but. Multi-domain setups, shared drive governance, Vault configuration for e-discovery, GAM7 bulk operations, security hardening: these aren't hard once you've done them hundreds of times. They're very hard the first time.

We handle new tenant deployment, user provisioning, DKIM setup specific to Workspace domains, Google Vault, and cross-platform migrations in both directions. If your team lives in Gmail, Calendar, and Meet, we make sure the environment is configured correctly underneath them.

Google Workspace services →
Bitdefender GravityZone

Endpoint protection with EDR: Windows, macOS, and Linux from one console

Commodity antivirus stops commodity malware. It does nothing against a human attacker living off the land, using certutil, PowerShell, and legitimate admin tools to move through your network. GravityZone's EDR gives you process trees, full attack chain context, and the ability to isolate a device before the damage spreads.

We deploy GravityZone across Windows, macOS, and Linux endpoints. Policy tuning, patch management for 150+ third-party applications, encryption enforcement with auditable recovery keys, and console management. If an incident happens, you call us, not a vendor support line.

Bitdefender GravityZone services →
Exclaimer

Email signature management: designed, deployed, and maintained across every device

Most businesses have four to seven signature variants in circulation at any point: the correct one, the one Sales designed themselves, the MD's 2019 default, and whoever installed Outlook last week. Exclaimer Cloud replaces all of them with a single template, applied server-side, consistent across Outlook, OWA, mobile, and Mac Mail.

We design the signature templates, configure the Exclaimer tenant for M365 or Google Workspace, handle the DNS changes and email flow connectors, and manage the rollout. Ongoing support covers template updates, new starters, and rebrands, without anyone needing to touch individual Outlook clients.

Exclaimer services →
DMARC

SPF, DKIM, and DMARC enforcement: so your domain can't be spoofed

CEO fraud works because most business domains are fully spoofable. An attacker crafts an email claiming to be from your CEO, and without DMARC enforcement, most mail servers deliver it. Business email compromise consistently ranks as the most expensive cybercrime category by reported losses globally; it's not a theoretical risk.

We deploy DMARC at p=none first, collect reports for two to four weeks, map every sending source, authenticate the legitimate ones, then move systematically to p=quarantine and p=reject. We don't move to enforcement until we're certain nothing legitimate will break. Ongoing management includes SPF updates, DKIM key rotation, and monthly report review.

DMARC services →
MDM

Mobile device management with Intune and Hexnode: every device, policy-compliant before it connects

Remote work without MDM means your IT policy is aspirational. Users connect from personal devices, bypass conditional access, and when a laptop goes missing, "we think it was encrypted" is not an acceptable answer to your cyber insurer. MDM makes device compliance a technical control, not a trust exercise.

We deploy Microsoft Intune and Hexnode for Windows, macOS, iOS, and Android. Enrolment, compliance policies, app deployment, conditional access integration, and remote wipe with audit trail. New starters are enrolled inside an hour. Lost devices are wiped before the end of the call.

MDM services →
Why a single managed IT partner matters

The problem isn't the platforms. It's the gaps between them.

Most IT problems we're called in to fix weren't caused by any one platform failing. They were caused by two platforms not talking to each other, a configuration change in one system that nobody applied to the other, or a piece of work that fell through because it sat on the boundary between two vendors' responsibilities.

DMARC enforcement breaks when you onboard a new CRM that nobody told the email security provider about. MDM compliance gaps appear when a new device type isn't covered by the existing Intune policies. Email signatures go wrong after an M365 migration that the Exclaimer configuration wasn't updated for. These aren't edge cases, they happen every time you make a change to one part of the stack without someone holding the whole picture.

When OSH manages all six platforms, a change to your M365 tenant automatically triggers a review of DMARC sending sources, Exclaimer connectors, Intune compliance policies, and GravityZone agent scope. Nobody has to remember to tell the other vendor.

We are a small, specialist team by design. The person who configured your DMARC is the same person who manages your M365 tenant and handles your Bitdefender console. When something breaks at the intersection of two platforms, there's no finger-pointing, no inter-vendor email chain, and no service desk ticket that sits in a queue for three days. You call one number.

That's not a marketing claim. It's the structure of how we work, and it's the thing clients who've come from large MSPs mention first on the transition call.

Book a Discovery Call → See How an Engagement Works
HOW WE WORK

What an Engagement Looks Like

From first call to full ongoing management, here's the sequence.

Discovery

A 60-minute call. Current state, the three things keeping you up at night, and the budget shape you are working with. No slide deck. We take notes and write back inside two business days with what we heard and a recommended next step.

Audit or Assessment

Read-only access into the tenants and consoles that matter: M365, Google Workspace, GravityZone, Hexnode, Intune, DMARC reports, domain registrar, password manager. Written findings, prioritised by risk and cost.

Recommendation

A sequenced roadmap: quick wins first (licence right-sizing, Conditional Access tweaks), structural changes second (MDM rollout, DMARC enforcement, break-glass redesign), optimisation third. Costed up-front, no scope creep.

Implementation or Handover

Take the report and run it in-house, hand it to your existing MSP, or have us do the work. We do not make this conditional on the audit. You decide what happens next.

Book a 60-Minute Discovery Call

Bring your current state and your top concerns. You leave with a recommended next step in writing, even if the answer is 'you are fine, do nothing yet.' No obligation.

Book a Discovery Call → Send a message
QUESTIONS

Frequently Asked Questions

Consulting is project work: discovery, audit, recommendation, sometimes implementation, then we step back. Managed service is the ongoing operational work that runs after a project closes: monthly licence reviews, helpdesk escalations, quarterly posture checks. Plenty of clients use us for one and not the other. We will tell you which makes sense for your situation.

Yes, and we run a fair number of these. The output is a written review of what your current provider is doing well, what is missing, and which line items on the invoice do not match the work being delivered. We are not in the business of poaching MSP clients. Most reviews end with the existing provider keeping the contract and improving the scope.

A monthly retainer where you get a senior IT advisor available for strategic decisions: supplier contracts, M&A due diligence on the IT side, board reporting, security incident response, hiring panels. Typically four to eight hours a month. The clients who buy this are usually too small for a full-time CIO and too big to keep winging it. Billed monthly, three-month minimum.

We are CSP partners for Microsoft 365 and Google Workspace, and resellers for Bitdefender, Hexnode, and Exclaimer. That is disclosed in writing in every engagement letter. When the audit finds the right tool is something we do not resell, we say so. Several audit reports we have written end with ‘stay with what you have, do not change vendors.’ The recommendation is the deliverable, not the licence sale.

Yes. All sessions are fully encrypted and require user consent for attended support. For unattended access on managed devices, our engineers authenticate with MFA. You receive a written summary of what was done when the session closes.

That is most of our training work. Sessions are scoped to your team’s actual tools and skill level, not a generic curriculum. We run end-user sessions for staff who live in Gmail, Outlook, and Teams all day, and separate admin-level sessions for the people managing the platforms.

We support the platforms we deploy and manage: Microsoft 365 (including Exchange Online, Teams, SharePoint, and Intune), Google Workspace, Bitdefender GravityZone, Exclaimer Cloud, DMARC enforcement, and MDM platforms including Hexnode and Microsoft Intune. Support is available as part of a managed-service retainer or on a per-incident basis.

Twenty to five hundred seats is the sweet spot. Below twenty, the cost of a structured engagement is hard to justify against just doing the work directly. Above five hundred, you usually have an internal IT team and our role becomes more specialist: DMARC enforcement, fractional CIO cover during a leadership gap, due-diligence reviews.

A focused audit (one area, like email security or licensing) is two to three weeks. A full strategic audit with a 12-month roadmap is six to eight weeks elapsed. Implementation projects vary: DMARC enforcement is usually six to twelve weeks, an M365 or Google Workspace migration is six to ten weeks, a break-glass redesign is two to four weeks. Retainer relationships run on rolling three-month terms.

Book a 60-Minute Discovery Call

Bring your current state and your top concerns. You leave with a recommended next step in writing, even if the answer is 'you are fine, do nothing yet.' No obligation.

Email us directly support@osh.co.za

Start the conversation