Google Workspace Management &
Co-Management for Enterprises
Your Google Workspace tenant is the operating system of your business. We run it — or run it with you — so your team stays focused on revenue, and your auditors stay out of your inbox. Certified Google Cloud Partner.
Co-Managed or Fully Managed
Your internal capacity, your compliance obligations, and your growth trajectory determine the right model. Most clients start with a tenant assessment, and we scope from there.
Co-Managed Google Workspace
Your internal team keeps super-admin access and owns day-to-day operations. ICS provides architecture, escalation, security engineering, and after-hours coverage. Ideal for organizations with 1–3 internal IT staff who need senior Google Workspace depth on call.
Fully Managed Google Workspace
ICS owns the tenant end-to-end — provisioning, licensing, security baselines, alerts, user lifecycle, and incident response. Your team stays focused on the business. Ideal for organizations without a dedicated Workspace administrator.
What's Included — and What's Not
We tell you up front what is in the per-user rate, what is pass-through, and what is project work. No surprise line items.
Included in the per-user rate
Gmail, Drive, Meet & Calendar administration
- •Mail routing, compliance footer, and content compliance rules
- •Drive sharing controls, shared drive governance, and storage hygiene
- •Meet policies — recording, transcription, dial-in, and external participation
- •Calendar resource management and room scheduling at scale
Identity & access (Cloud Identity / SSO)
- •Cloud Identity Free or Premium configuration and lifecycle
- •SSO for line-of-business apps (SAML, OIDC) with Google as IdP
- •2-Step Verification enforcement, security keys, and Advanced Protection program
- •Context-Aware Access policies — device, location, and IP-based access controls
Security center, alerts & threat protection
- •Security center dashboards, investigation tool, and alert center triage
- •Phishing and malware protection tuning, including pre-delivery sandbox
- •OAuth third-party app review, app whitelisting, and consent governance
- •Mail flow security — SPF, DKIM, DMARC enforcement, and quarantine review
Data governance — DLP, Vault & retention
- •Data Loss Prevention (DLP) rules for Gmail, Drive, and Chat
- •Vault eDiscovery, legal hold, and retention rule design
- •Drive labels (formerly classification labels) and shared drive controls
- •External sharing posture, link-sharing audits, and trust rules
Endpoint & mobile device management
- •Google MDM for iOS, Android, ChromeOS, Windows, and macOS
- •Company-owned and BYOD policy, work profile separation, and remote wipe
- •Chrome Enterprise policy management — extensions, browser settings, push installs
- •Endpoint verification and integration with Context-Aware Access
Domain, DNS & group management
- •Domain verification, secondary domain onboarding, and TLD migrations
- •Authoritative DNS operation or partner-of-record DNS management
- •Group lifecycle, dynamic groups, and group-based access control
- •Service account hygiene and Cloud Identity API governance
AppSheet & Gemini
- •AppSheet enablement, governance, and citizen-developer support
- •Gemini for Workspace deployment — license fit, pilot design, and rollout
- •Gemini data governance, audit logging, and prompt-history retention review
- •Adoption measurement and persona-level usage analytics
Compliance & audit support
- •Evidence packaging for SOC 2, HIPAA, GLBA, PCI DSS, and CMMC audits
- •BAA and DPA management, data residency configuration, and access transparency review
- •Continuous monitoring integration (Vanta or equivalent) for tenant signals
- •Quarterly posture review with written findings and remediation plan
Pass-through or scoped separately
- •Google Workspace license fees — billed direct from Google or via ICS as authorized reseller (see Google Workspace Licensing service)
- •Endpoint security licenses (CrowdStrike Falcon Pro or equivalent) — billed at MSRP pass-through, or BYOL if you have entitlement
- •Backup licenses (Workspace backup, endpoint backup) — pass-through at MSRP
- •Hardware procurement (Chromebooks, ChromeOS Flex devices, MDM-managed mobiles) — quoted per project
- •Tenant migrations, M&A merges, Context-Aware Access redesign, Vault retention rollout, AppSheet platform builds — scoped as fixed-bid projects
- •Custom Apps Script, Workspace add-ons, and bespoke Gemini agent development — scoped as fixed-bid project work
Pass-through items are billed at vendor MSRP or your existing license entitlement. Project work is scoped as fixed-bid or T&M against published advisory rates.
Day-to-day Google Workspace administration is included in every engagement. Project work — tenant migrations, Context-Aware Access redesign, DLP rollout, Vault program build — is scoped as fixed-bid against our advisory rate card (provided with proposals).
From Tenant Audit to Managed Operations
Predictable 8-week path from first conversation to fully operational managed tenant. Every gate has a written deliverable so you know what you're getting.
Tenant Assessment
Fixed-fee tenant operations assessment — license audit, security baseline, identity posture, DLP and Vault review, MDM coverage, and prioritized remediation roadmap.
Stabilize
Close the highest-severity gaps — 2SV enforcement, Context-Aware Access, OAuth app review, license cleanup, external sharing controls. You get a stable baseline before we take ongoing ownership.
Transition to Managed Operations
Runbook handoff, alert center integration, ticket routing, escalation paths, and first monthly business review scheduled. From here, co-managed or fully managed, depending on your model.
Ongoing Operations + QBRs
Daily operations, monthly reporting, quarterly business reviews against defined SLAs and roadmap, and annual license + security posture optimization.
Extend the Managed Tenant
Named, priced extensions to the base engagement — picked up only when the tenant assessment indicates they fit.
Context-Aware Access Hardening
Fixed-bid projectPolicy redesign and enforcement pack — device-trust posture, IP allow-listing, country blocks, and conditional Drive access by sensitivity.
DLP & Drive Labels Rollout
Fixed-bid + monthlySensitive data discovery, label taxonomy, DLP rule design across Gmail, Drive, and Chat, plus user education and exception handling.
Vault Retention & eDiscovery Program
From $1,500/moRetention rule design, legal hold runbook, custodian preservation workflow, and quarterly evidence packaging for litigation readiness.
Gemini for Workspace Rollout
Fixed-bid + monthlyPersona fit analysis, pilot cohort design, governance baseline, prompt library, and adoption measurement for Gemini deployment.
Phishing Simulation & Training
From $4/user/moMonthly campaigns, role-based training assignments, and risk-scored user reporting integrated with the Workspace alert center.
Workspace + Endpoint Backup
From $5/user/moIndependent backup of Gmail, Drive, Calendar, Chat, and endpoints with restore SLA — covers the gaps Vault retention does not.
Compliance Program Operation
From $2,500/moSOC 2, HIPAA, or PCI program operation with monthly evidence collection from the Workspace tenant and annual audit support.
AppSheet Governance & Enablement
From $1,500/moCitizen-developer training, app review process, data-source governance, and lifecycle management for AppSheet portfolios at scale.
Pricing is indicative. Exact rate depends on user count, license entitlement, and term. We will publish your add-on totals in the one-page proposal.
Contact for pricing. Written scope before you sign.
Tenant assessments and onboarding are fixed-fee with defined deliverables. Ongoing co-managed and fully managed operations run on a monthly retainer scoped to your user count, security posture, and workload complexity. Every proposal is written, reviewed with you, and signed before work starts — no open-ended time-and-materials for transformation work.
Request a Written Proposal →The Broader Google Workspace Practice
Workspace management is one piece of the ICS Google practice. Explore adjacent capabilities that often accompany a managed tenant engagement.
Google Workspace Licensing
License resale, plan optimization, true-ups, edition migrations, and BYOL guidance — paired with managed operations so licensing tracks actual tenant usage.
Learn More →Google Workspace Tenant Assessment
30-day fixed-scope assessment — security, compliance, license utilization, admin hygiene, identity, DLP and Vault posture, with a 90-day roadmap.
Learn More →Cybersecurity
XDR, SIEM, G-Force incident response, compliance management, and security awareness — layered on top of a managed Workspace tenant.
Learn More →Google Workspace Management — FAQ
Do you offer co-managed Google Workspace, or only fully outsourced?+
Both. Co-managed is our most common engagement — your internal team keeps super-admin rights and owns daily operations, while ICS provides architecture depth, escalation, security engineering, and after-hours coverage. Fully outsourced is available for organizations without a dedicated Workspace administrator. We scope the right model during the tenant assessment.
Are you a Google Cloud Partner?+
Yes. ICS is a Certified Google Cloud Partner. The designation reflects demonstrated depth across Google Workspace deployment, security, and compliance work, and is renewed against Google's current technical and customer-evidence requirements. We work directly with Google's partner support escalation paths.
How do you handle identity — do you replace our IdP or integrate with it?+
Either model is supported. Many clients run Google Workspace with Cloud Identity as the primary IdP and use SAML/OIDC SSO outbound to line-of-business apps. Others keep an existing IdP (Entra ID, Okta, Ping) as the source of truth and federate into Workspace. We scope the right architecture against your existing investments and compliance obligations.
Can you help us deploy Gemini for Workspace?+
Yes. Gemini rollout requires license fit analysis, persona-level pilot design, governance configuration (audit logging, retention, prompt history controls), and adoption measurement — all of which are part of our Workspace management practice. We handle readiness, pilot, and rollout with usage analytics tied to the Workspace admin console.
How do you price ongoing Google Workspace management?+
Onboarding and assessment engagements are fixed-fee with defined deliverables. Ongoing co-managed and fully managed operations are scoped as a monthly retainer based on user count, security posture, and workload complexity. Contact us for a written scope — we don't publish per-user rates because the right number depends on your tenant, not a price list.
Do you cover DLP, Vault, and eDiscovery?+
Yes — they're core to the practice. DLP rule design across Gmail, Drive, and Chat, Vault retention and legal hold runbooks, custodian preservation workflows, and eDiscovery export procedures are all part of the engagement. For organizations with active litigation or regulatory obligations, we offer a dedicated Vault retention and eDiscovery program as an add-on.
Can you manage Chrome Enterprise and ChromeOS devices?+
Yes. Chrome Enterprise policy management, ChromeOS device enrollment, kiosk and managed-guest session configuration, extension governance, and integration with Context-Aware Access are all in scope. We support pure-Chrome environments as well as mixed estates with Windows, macOS, iOS, and Android under the same Workspace MDM umbrella.
Do you work with organizations outside of Dallas?+
Yes. ICS serves clients across North America and 5+ countries from our Dallas headquarters. Our delivery team operates 24×5. For Dallas-Fort Worth clients specifically, we also offer on-site support — see our Dallas managed IT page.
Ready for a Google Workspace You Don't Have to Worry About?
Start with a tenant assessment. 30-day fixed scope, written deliverable. Then decide whether co-managed or fully managed is the right model for you.