License & asset inventory
Provision the new hire without over-buying or under-buying.
License & asset inventory
Provisioning a new hire is three coordinated lists that almost never agree: what HR says the person will do, what software the team actually uses, and what hardware is sitting on the shelf. This level teaches the mental model helpdesks use to keep those three lists in sync — and why they drift.
The day-one ticket
Friday afternoon, HR submits a ticket: "New hire Monday, role: Account Executive." You have until the 9:00 AM standup to get them working. The shape of the job is the same every time:
- Map role → requirements. Engineers need GitHub + an IDE + a Mac. Salespeople need Salesforce + a Windows laptop + an iPad for demos. Designers need Figma + a Mac + an external monitor. Execs need DocuSign + a premium laptop + an iPad. The role is the key; the requirements are a known set.
- Reconcile requirements against inventory. Does the license have a seat free? Is the device
in-stockor is it markedin-repair? If no, escalate: buy a seat, recall a retired device, or swap the spec. - Commit and reclaim. Assign the seat, ship the laptop, record the assignment so the next reconciliation knows who has what.
The playground on the next tab models steps 1–3 on a single screen. The challenge asks you to produce the ticket as text: lic1,lic2,...|dev1,dev2,....
The four license billing models
Not every SaaS seat is billed the same way. You will be asked to reason about this on day one:
| Model | What counts | Example |
|---|---|---|
| per-user | One seat per human, named | Slack, Figma, 1Password |
| per-device | One seat per endpoint, regardless of user | Intune, many MDM products |
| concurrent | Shared pool, billed for peak simultaneous use | DocuSign, Adobe enterprise, some VPNs |
| consumption | Billed per unit used (token, call, GB) | OpenAI, AWS, Twilio |
The billing model determines the reclaim strategy. Per-user seats are reclaimed by de-provisioning the user. Per-device seats follow the device through its lifecycle — retire the device, retire the seat. Concurrent seats don't reclaim per-user at all: you lower the pool size during renewal. Consumption seats are paid as you go, so the "reclaim" is really a rate-limit or a spend cap.
The asset lifecycle
Devices move through a fixed set of states. A helpdesk's job is largely nudging them through these in order:
procure → image → assign → in-use → refresh → retire
- Procure — a PO to the vendor (Apple Business Manager, CDW, etc.). Business Manager pre-enrolls the serial number in your MDM so the first unbox is already managed.
- Image — apply the corporate MDM profile, install the baseline app set, run smoke tests. Jamf (macOS) and Intune (Windows/iPadOS) are the defaults.
- Assign — record the user → serial mapping in your asset tool (Lansweeper, Snipe-IT, Rippling). This is the single row every audit will check.
- Refresh — after N years (typically 3–4), swap the device. The old device transitions to the next row...
- Retire — wipe, un-enroll from MDM, physically dispose or resell. The MDM row comes out, the asset row stays as
retiredforever (for audit).
Every status except in-stock is un-assignable. If you try to allocate an in-repair laptop to a new hire, the ticket will bounce off the physical reality two days later.
The reconciliation problem
Three sources of truth, all slightly wrong, all updated by different humans on different cadences:
- HR — the authoritative list of who works here. Changes when people join, move teams, or leave.
- IT asset system — the authoritative list of who has what. Changes when you assign or reclaim.
- Vendor billing portals — the authoritative list of who is being billed for. Changes silently, often based on last-login or last-API-use heuristics.
They drift. The cost of drift is real and one-directional: you almost always over-pay, almost never under-pay.
Gotchas that will bite you in the first quarter:
- Ghost seats. An employee leaves. HR removes them on Friday. Your Salesforce admin does the user deactivation on Monday. Salesforce's billing portal doesn't actually release the seat until the contract renews next July. You pay for seven months of nothing.
- Silent overage. Most SaaS vendors let you over-provision past your contracted count and just invoice you for it at renewal. Monitoring the seat count weekly (not at renewal) is how you catch this.
- MDM thinks the device is alive, physically it isn't. A laptop in a drawer with a charged battery will check in over LTE every morning and stay
in-usein Jamf. The asset system says "retired," the MDM says "active," the vendor bills for the Intune seat. This is the single most common reason asset counts diverge. - Role drift. A sales engineer is a salesperson one month and an engineer the next. Your provisioning template assumes exactly one role. Plan for hybrids by layering requirements, not picking one or the other.
Real tools, mapped to each job
| Job | Product |
|---|---|
| SaaS seat management | Rippling, BetterCloud, Torii |
| Network + device discovery | Lansweeper, Kandji |
| Asset tracking (small-org friendly) | Snipe-IT (open source) |
| Password-manager seat mgmt | 1Password Business, Bitwarden Enterprise |
| Apple device provisioning | Apple Business Manager + Jamf |
| Windows / iPadOS MDM | Microsoft Intune, Kandji |
| License e-signature | DocuSign Business Pro |
In practice most companies end up with two or three of these bolted together because no one vendor covers every billing model.
The playground
Pick a role. Check the boxes for the licenses + devices that role needs. The reviewer scores your proposal against the role's requirements AND the inventory's assignability, and tells you:
- score — percentage of requirements satisfied by assignable items.
- missing — requirements you haven't addressed (or addressed with something un-assignable).
- extra — items you proposed that the role doesn't need (or that don't exist).
Try the obvious moves first: pick the Engineer role, check every required license and device, watch the score climb to 100. Then try it with a retired device — the checkbox is disabled, teaching the lifecycle rule directly.
The visualizer
The Asset Grid panel is a two-layer snapshot of the fleet. The top half is a grid of devices bucketed by lifecycle status, colour-coded so in-stock versus retired versus in-repair read at a glance. The bottom half is a cost-per-seat bar for every license SKU — a picture of where the spend concentrates. The callout at the bottom shows the annual ceiling if every seat is billed, which is the number your CFO cares about.
The challenge
Answer format: lic1,lic2,...|dev1,dev2,.... The pipe separates licenses from devices; order doesn't matter inside either block; the lic- and dev- prefixes are required (they match the ids in the playground and visualizer). The reviewer accepts any permutation of the right set and rejects both missing requirements and un-required extras.