About the Client
A global crop protection and specialty chemicals manufacturer operating four US sites — formulation plants, warehousing operations, and a corporate office. The customer is part of a larger global enterprise with its own Global IT function based outside the US and a dedicated OT security team responsible for the formulation environment. The US footprint runs a mixed workforce of plant operators, formulation chemists, EHS specialists, warehouse staff, and corporate professionals. End-user computing in this environment is not a back-office concern: a laptop that cannot reach the MES, or a misconfigured update that breaks a plant-floor application, has a direct line impact on production of regulated agricultural chemistry.
The Challenge
The customer needed end-user logistics that could operate inside a regulated manufacturing environment without conflicting with two pre-existing authorities: Global IT, which owned the SAP SuccessFactors → ServiceNow integration and the Intune tenant, and OT Security, which owned the plant network, the WSUS configuration, and the validated software baselines for formulation systems.
Most logistics providers do not survive that conversation. They either ignore OT and break something, or they refuse to touch anything OT-adjacent and become useless to the plant. The customer had cycled through both failure modes before engaging Surya.
The specific pain points were operational and political.
Joiners at the plants were waiting days for laptops because the Global IT team — eight time zones away — was the only group that could approve, image, and ship. New formulation chemists and plant supervisors were missing their first production shift. The cost of that downtime was not theoretical.
OT laptops were drifting. The engineering and maintenance laptops that connect to PLCs, HMIs, and formulation control systems require pinned drivers, validated OS baselines, and a conservative patch ring that respects vendor compatibility matrices. Without a dedicated owner, those laptops were being auto-patched into incompatibility, or going so long without updates that they became security liabilities.
Inventory was invisible across the IT/OT boundary. Nobody had a single accurate list of which devices existed at which site, which were corporate IT assets, which were OT-classified, which had been retired, and which were sitting in a drawer at a plant. Audit response to NIST 800-171 inquiries required physical walks of each site.
Offboarding at the plants was inconsistent. When a contractor or employee left, the device sometimes came back to a plant IT closet and sometimes did not. Global IT had no visibility, and the OT team had no mandate. The gap belonged to nobody.
The Approach
Surya deployed an onsite-coordinated JML model: physical execution at the four US sites, governance and integration aligned to the customer's Global IT and OT Security teams. The model has three operating principles.
One accountable team across IT and OT. Surya runs as the single named operator for end-user logistics across the four sites. Global IT keeps ownership of the SuccessFactors-to-ServiceNow workflow, the Intune tenant, and the security baselines. OT Security keeps ownership of the validated formulation builds and the WSUS rings. Surya is the operator that executes against both authorities and signs back the evidence to each.
Two device classes, two pipelines. Corporate IT laptops flow through a standard pipeline: SuccessFactors hire event into ServiceNow, Surya pulls inventory, applies the corporate Intune persona, ships to the joiner's home site, and the device lands ready for day one. OT-classified laptops flow through a separate pipeline: builds are pulled from the OT-validated catalog, drivers and firmware are pinned to the formulation system's compatibility matrix, Windows Update for Business is configured to the conservative OT ring, and the device is commissioned with the OT security team's sign-off before it reaches the plant floor.
Site-level execution, central reporting. Surya holds a US inventory buffer in RTP and dispatches to each of the four sites against a same-day or next-day SLA depending on geography. Onsite handoffs — receiving, asset tagging against the customer's ServiceNow CMDB, end-user fit-up — are executed by Surya technicians coordinating with the plant IT contact. Every event flows back into ServiceNow as the system of record, so Global IT sees a consistent global view and OT Security sees a clean audit trail for every OT-classified device.
The offboarding side closes the loop the customer had been missing. Termination events in SuccessFactors trigger a pre-paid return kit dispatched to the employee's site within the same business day. Access is cut through Intune Conditional Access at the same moment. The device is recovered, sanitized to NIST 800-88 inside the RTP facility (HIPAA-aligned and NIST 800-171-aligned), and the certificate of sanitization is filed against the asset in ServiceNow. The IT/OT inventory gap is closed in real time, not at audit time.
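The inventory gap the customer had ("the gap belonged to nobody") is closed by treating ServiceNow as the system of record and checking leaver events against it. The script below is an added illustration of that reconciliation, not the customer's or Surya's own code: it takes a constructed CMDB device export and a constructed list of SuccessFactors termination events and lists every device still assigned to a leaver that has not ended in a filed certificate of sanitization. The field names, the status values, and the per-class return SLAs (corporate five days, OT two days) are assumptions made for the example; the real integration and SLA terms are not described on the page.

```python
"""Reconcile HR leaver events against a device inventory.

Added example, not code from the case study. It assumes two flat exports:
a CMDB device list (ServiceNow-style) and a termination event list
(SuccessFactors-style). All records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Device:
    asset_tag: str
    site: str
    device_class: str              # assumed values: "corporate" or "ot"
    assigned_to: str
    status: str                    # assumed: deployed / returned / sanitized / retired
    sanitization_cert: Optional[str]  # certificate id filed against the asset


@dataclass
class Termination:
    user: str
    site: str
    effective: date


# Assumed return SLAs per device class (days after the effective date);
# the page gives no figures, these are placeholders for the example.
RETURN_SLA_DAYS = {"corporate": 5, "ot": 2}


def open_offboarding_gaps(devices: List[Device],
                          terminations: List[Termination],
                          today: date) -> List[Tuple[str, str]]:
    """Return (asset_tag, reason) for every leaver device whose offboarding
    is not yet closed by a certificate of sanitization on file."""
    term_by_user = {t.user: t for t in terminations}
    gaps = []
    for d in devices:
        t = term_by_user.get(d.assigned_to)
        if t is None:
            continue                       # user still active: nothing to check
        if d.status == "sanitized":
            if not d.sanitization_cert:
                gaps.append((d.asset_tag, "sanitized without certificate on file"))
            continue                       # certificate filed: loop is closed
        if d.status == "returned":
            gaps.append((d.asset_tag, "returned but not sanitized"))
        elif d.status == "deployed":
            overdue_by = (today - t.effective).days - RETURN_SLA_DAYS[d.device_class]
            if overdue_by > 0:
                gaps.append((d.asset_tag, f"not returned, {overdue_by} days past SLA"))
            else:
                gaps.append((d.asset_tag, "return pending"))
        # "retired" devices are out of scope for the leaver check
    return gaps


# Constructed sample data (not real assets or people).
SAMPLE_DEVICES = [
    Device("CT-1001", "RTP", "corporate", "alice", "deployed", None),
    Device("OT-2001", "Plant-A", "ot", "bob", "deployed", None),
    Device("CT-1002", "Office", "corporate", "carol", "sanitized", "CERT-0042"),
    Device("OT-2002", "Plant-B", "ot", "dave", "returned", None),
    Device("CT-1003", "Warehouse", "corporate", "erin", "deployed", None),
    Device("CT-1004", "Office", "corporate", "carol", "sanitized", None),
]
SAMPLE_TERMINATIONS = [
    Termination("alice", "RTP", date(2024, 3, 1)),
    Termination("bob", "Plant-A", date(2024, 3, 13)),
    Termination("carol", "Office", date(2024, 2, 20)),
    Termination("dave", "Plant-B", date(2024, 3, 10)),
]
SAMPLE_TODAY = date(2024, 3, 15)


def sample_gaps() -> List[Tuple[str, str]]:
    return open_offboarding_gaps(SAMPLE_DEVICES, SAMPLE_TERMINATIONS, SAMPLE_TODAY)


if __name__ == "__main__":
    for tag, reason in sample_gaps():
        print(f"{tag}: {reason}")
```

Run nightly against fresh exports, the list is the audit artefact: an empty result means every leaver device has reached a filed certificate, and anything else names the asset and the step at which the chain of custody stalled.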
Business Outcomes
Zero line-down events from endpoint issues
Onsite execution and OT-validated builds keep formulation lines running.
Predictable Day-1 readiness
Every joiner across the four US sites lands with a role-correct, hardened device on their first shift.
Tight IT/OT coordination
A single accountable team bridges Global IT, plant IT, and OT security — no hand-off gaps.
NIST 800-171 evidence on demand
Standardized builds and documented chain of custody simplify audit response across sites.