Remote-First Managed IT for a German Manufacturer’s China Operations: A Multi-Site Case Study
How Brocent designed a remote-first managed IT model for a German precision-actuator manufacturer running a production-critical plant and a Shanghai office in China — one framework, tiered SLAs, layered security and a low-risk transition.
Published
In short — a German precision-actuator manufacturer runs two very different sites in China — a production-critical plant in the Yangtze River Delta and a lean Shanghai commercial office — under one remote-first managed IT model. Tiered SLAs, ITIL-aligned governance, layered security and a phased, low-risk transition keep the factory running and the office productive, with no permanent on-site staff and a predictable monthly cost.
The client: one company, two very different China sites
The client is a mid-sized, family-owned German manufacturer of high-precision electromagnetic and fluidic actuators — the valves, pumps and mechatronic modules that go into off-highway machinery and mobility applications. The group is known in its niche for a zero-defect quality culture and supplies demanding OEMs worldwide. To serve Asian customers closer to home and shorten lead times, it established local manufacturing in China, backed by a separate commercial and innovation office in the region. (Every identifying detail in this case study has been removed or generalised at the client’s request.)
That expansion created a textbook multinational-manufacturer IT problem. The company now operates two sites with completely different risk profiles, connected back to a German headquarters that expects one consistent standard for compliance, documentation and reporting. The two sites even share a single Active Directory domain, so identity and access could not be treated as two independent islands.
On paper this looks like “just IT support.” In practice it is two jobs at once: keep a 24×7 production environment safe and available, and give an office team dependable day-to-day help — without doubling the cost, and without a rotating cast of engineers who never quite learn the environment.
The challenge: one framework for a factory and an office
The production plant hosts the systems the factory simply cannot run without — a virtualization platform built on two physical hosts and shared SAN storage, a production SQL Server behind the plant’s line-of-business applications, Active Directory, file and application servers, and a next-generation firewall guarding the boundary between the shop floor and the outside world. Any unplanned outage here does not just inconvenience users; it can stop manufacturing. The Shanghai office is the mirror image: a small user base, a site-to-site VPN back to headquarters, SSL-VPN tokens for mobile staff, some cloud compute, and the everyday help-desk needs of a commercial team.
- Production-critical uptime. The plant’s virtualization hosts, SQL database, servers and firewall had to be monitored and defended around the clock, with the fastest possible response to anything that threatened the line — measured in minutes, not hours.
- A lean, cost-sensitive office. The Shanghai site needed reliable help-desk support, connectivity and user administration — but not the same heavy, expensive SLA as the factory. Paying plant-grade rates for office-grade risk would simply be waste.
- One shared identity domain. Because a single Active Directory spans both sites, identity, access and the joiner-mover-leaver lifecycle had to be managed once, centrally and cleanly — not bolted on twice, with the inconsistencies that invites.
- Non-negotiable HQ expectations. ITIL-aligned processes, bilingual English/Chinese communication, transparent monthly reporting and audit-ready governance were table stakes for a German-owned business, not optional extras.
- A clean, low-risk handover. Services had to move from the incumbent arrangement to the new provider with zero disruption to production and no lost knowledge — no “big-bang” cutover the factory could not afford.
Solve only for the factory and the office is neglected; solve only for the office and the plant is exposed. The real requirement was a single operating model that could hold both risk profiles at once, under one accountable owner.
The solution: a unified, remote-first managed IT model
Brocent’s answer was a single managed IT services framework covering both sites under one governance model, while still letting each site be prioritised on its own terms — production first, office second. Everything is delivered remotely through secure, audited access, so there is no permanent on-site headcount to fund; field engineers are dispatched only when hands-on work is genuinely required. The result is enterprise-grade discipline at a cost that fits a two-site operation.
Underneath that headline sit seven tightly integrated capabilities: tiered SLAs, around-the-clock remote monitoring, production-grade security, virtualization with real disaster recovery, a multilingual service desk with a disciplined identity lifecycle, a phased transition, and the governance and reporting that hold it all together. Each is worth looking at in turn.
Two sites, two SLA tiers
The heart of the design is a two-tier SLA that deliberately matches spend to risk. The plant gets a production-grade tier; the office gets a solid business tier. Both are monitored continuously, but their response and uptime commitments differ where it matters.
- P1 (critical) response — plant: 15 minutes, 24×7. Office: 30 minutes, with a 24×7 escalation path for anything genuinely urgent.
- Network uptime target — plant: 99.5%. Office: 99.0% (both excluding planned maintenance).
- Server / VM uptime target — plant: 99.9%. Office: 99.5%.
- Monitoring coverage — both sites: 24×7×365. Lower-priority tickets are handled in business hours, Monday–Friday.
- Reporting cadence — both sites: a monthly service report by the fifth business day, plus a quarterly business review.
Priorities are defined up front so nobody argues about severity mid-incident: P1 is a complete outage, a production stop or a security breach; P2 is significant degradation affecting multiple users or a key process; P3 is a single-user or non-critical issue; P4 is a request or minor query. Fixing the definitions in advance is what makes the response targets meaningful.
Around-the-clock remote monitoring and management
Every managed device — servers, virtual machines, network hardware and storage — is watched by a remote monitoring and management (RMM) platform that never sleeps. The goal is to catch problems before they become incidents: a disk filling up, a backup job that silently failed, a firewall throwing errors, a host running hot. Automated remediation handles the routine cases instantly, and only the exceptions that need human judgement are escalated to an engineer, with full context already attached.
- Real-time alerting. Thresholds are tuned per site and per system, so the plant’s critical assets are held to tighter tolerances than the office’s.
- Automated remediation. Common conditions — service restarts, disk clean-ups, routine patch deployment — are scripted and run without waiting for a ticket.
- Patch and firmware management. Coordinated, tested and scheduled inside approved change windows, so updates never surprise the factory.
- Performance and capacity baselining. Trends are tracked over time, turning “it feels slow” into evidence and feeding capacity planning before something runs out.
Production-grade security and infrastructure management
On the plant side, Brocent manages the full stack. The next-generation firewall is run as an advanced security service — intrusion prevention, application control, web filtering, log review and threat response — because the boundary between a factory network and the internet is exactly where a manufacturer gets hurt. Around it, the servers, database and virtualization platform are patched, hardened, backed up and monitored as one coordinated estate rather than a collection of boxes.
- Next-generation firewall. UTM/NGFW policy management, IPS, web and application filtering, log analytics and rapid response to security events, with quarterly policy reviews.
- Servers and Active Directory. OS patching, health checks, backup verification and performance review across application, file and directory services — with AD managed centrally for both sites.
- Production SQL Server. Backup verification, performance monitoring, index maintenance and patching for the database behind the plant’s line-of-business applications.
- Secure administrative access. Every administrative session runs over encrypted, logged channels, with approval workflows for sensitive or production-impacting changes.
Virtualization, backup and disaster recovery
The plant’s virtualization platform — two physical hosts plus SAN storage — is managed end to end: host health, VM provisioning and lifecycle, storage allocation, snapshots and high-availability checks. Sitting under it, backup and disaster-recovery is treated as a first-class service, not an afterthought. Backups are verified, not just scheduled; recovery is something the team has actually tested, so the business knows what “restore” really means before it ever needs one.
- High availability by design. The two-host cluster and shared storage are configured and monitored so that a single host failure does not take production down.
- Verified backups. Every backup job is checked and its logs reviewed — a silent backup failure is treated as an incident, because a backup you cannot restore is not a backup.
- Tested recovery. Restore procedures and recovery objectives are documented and exercised, so a real disaster is a rehearsed routine rather than an improvisation.
A multilingual service desk and a disciplined identity lifecycle
For the Shanghai office in particular, the visible face of the service is the help desk. It acts as a single point of contact for every request and incident — triaging by priority, resolving what it can on first contact, and routing the rest to the right specialist with the ticket’s full history intact.
That 24×7 help-desk function runs on ITIL-aligned ticketing with a full audit trail, bilingual agents, and a customer portal where users can raise and track their own requests — which quietly reduces inbound volume while improving satisfaction.
Behind the desk sits something auditors always ask about: the joiner-mover-leaver (JML) lifecycle. Because both sites share one Active Directory, getting identity right is a security control, not paperwork. Access is provisioned correctly on day one, adjusted precisely when a role changes, and revoked completely and immediately when someone leaves.
- Joiner. Role-based accounts and permissions are prepared ahead of the start date, devices imaged and enrolled, MFA registered, and a security briefing delivered on day one.
- Mover. A role change triggers an access review — new permissions granted against a role template, old ones revoked, and segregation-of-duties validated so access never simply accumulates.
- Leaver. On departure, single sign-on is disabled first, then individual accounts; devices are collected and wiped, and the whole change is logged — with involuntary terminations completed within the hour.
A phased, low-risk transition
No factory tolerates a “big-bang” cutover, so Brocent’s structured transition methodology moves deliberately through five phases, never assuming responsibility for a system it has not first validated. Every credential and configuration is collected into a structured takeover pack and stored in an access-controlled vault, so nothing is lost in the handover and the outgoing provider is wound down professionally.
- 1. Discovery & information gathering. Secure collection of network diagrams, inventories, credentials, backup configurations, licences and existing tickets using a structured takeover pack (typically 1–2 weeks).
- 2. Joint validation workshop. On-site or remote sessions with the client and outgoing provider to confirm current state, surface risks and gaps, and agree Day-1 readiness (3–5 days).
- 3. Parallel / shadow mode. The new team shadows existing support, validates monitoring and alerts, tests escalation paths and handles tickets under supervision before taking the wheel (2–4 weeks).
- 4. Go-live & hypercare. Full responsibility handover with intensified support, daily checkpoints, rapid issue resolution and the first official monthly report (about 4 weeks).
- 5. Steady state & continuous improvement. The standard delivery cadence begins — SLA reporting, proactive optimisation and quarterly business reviews focused on getting better over time.
Governance a German headquarters can sign off on
For a German-owned manufacturer, how a service is governed matters as much as the technology inside it. Brocent wraps delivery in a three-tier governance model with named accountability at every level and a clear path for anything that needs to move up the chain.
Three tiers, named owners
- Executive steering (monthly). Strategic direction, investment decisions, major escalations and performance against contract objectives — the level a sponsor at HQ can talk to directly.
- Management committee (weekly). Escalation handling, process improvement, risk management and progress reporting, escalating to the executive tier only when needed.
- Service delivery (daily). Ticket execution, SLA compliance, proactive monitoring and incident resolution — the engine room, escalating upward when an issue outgrows it.
For a genuine P1 at the plant, that hierarchy collapses into a fast track: all three tiers are activated at once, the executive sponsor is notified within minutes, and a “war room” is stood up for anything that runs long. Governance is there to speed the response up, not slow it down.
Change management and rollback
Change is where production environments get broken, so every change is risk-scored across five dimensions — business impact, security, rollback complexity, dependency scope and technical feasibility. The score decides who has to approve it, from a technical lead for low-risk work up to a full change advisory board for anything that could hit production hard. Critically, no change is executed without a documented rollback plan agreed in advance.
If a change misbehaves, a seven-step rollback procedure with its own time targets takes over: detect within minutes, decide and notify, freeze related changes, execute the pre-approved reversal, verify data integrity and service health, then run a post-mortem within a day. Even emergency changes follow an expedited version of the same discipline — the shortcuts are in the speed, never in the safety net.
Reporting and transparency
A German HQ does not want to be told the service is fine; it wants to see it. Brocent’s reporting is built so that headquarters, the local site leads and finance can each get the view they need from the same underlying data.
- Monthly service report (by the 5th business day). An executive summary, an SLA-compliance scorecard, incident and change summaries with root-cause trends, ticket statistics and a security-events overview — with distinct sections for each site.
- Quarterly business review. A strategic session on performance against objectives, upcoming changes, budget and scope alignment, and where to improve next.
- Live dashboards and alerts. A customer portal with read-only monitoring and ticket status, plus immediate notification for P1 incidents.
- Full audit trails. Every access and every change is logged — the evidence auditors and HQ expect, available on demand rather than reconstructed after the fact.
A two-mode commercial model built for predictability
The commercial design mirrors the technical one: predictable work is priced predictably, and unpredictable work is funded flexibly. Rather than a single opaque number, the engagement separates proactive management from reactive support, which is exactly what makes a managed IT budget easy for finance to plan around.
- Mode 1 — monthly managed-service retainer. A fixed monthly fee, sized separately for the plant and the office, covering all the proactive work: monitoring, maintenance, patching, security management, backup verification and SLA reporting.
- Mode 2 — pre-purchased on-demand hours. A block of hours bought in advance for incidents, help-desk work, JML events and ad-hoc changes — flexible capacity for the things you cannot schedule, without a surprise invoice.
Value-added enhancements, ready when they add value
Beyond the core service, a few optional enhancements map neatly onto a manufacturer’s real risks. None are forced into the base scope; each is there to be switched on when it earns its place — particularly useful as the client retires legacy collaboration tools and tightens its security posture.
Microsoft 365 security-posture assessment
As the office moves off legacy email toward modern cloud collaboration, a recurring security-posture assessment scores identity and MFA enforcement, risky sign-ins, privileged roles, conditional-access gaps and device compliance — turning a vague “are we secure?” into a tracked number with a prioritised remediation list.
Advanced ITSM and workflow automation
A richer ticketing layer adds auto-numbered tickets, SLA-driven escalation, recurring-maintenance automation and a self-service portal — the difference between a mailbox full of requests and a managed workflow with data behind it.
Integrated IT asset management
A live inventory of hardware and software — servers, VMs, SAN, network devices, endpoints and firewalls, with model, serial, location, owner and warranty — plus proactive alerts for warranty and end-of-life dates. For a brand-new virtualization platform, that lifecycle visibility is worth having from day one.
Wireless survey and optimisation
A factory floor is a hostile place for Wi-Fi — metal, machinery and interference everywhere. A professional wireless survey and optimisation service uses predictive, passive, active and spectrum surveys to design coverage properly, find rogue access points and non-Wi-Fi interference, and produce heatmaps with a concrete remediation plan.
The outcome: predictable IT for an unpredictable factory
Because the engagement is built around the operating model above rather than a pile of ad-hoc tasks, the client gains three things that are genuinely hard to buy piecemeal:
- A single point of accountability. Two sites, one named service-delivery manager, and one monthly report that headquarters can actually read — instead of finger-pointing between vendors when something breaks.
- Production protected by design. Tiered SLAs, 24×7 monitoring, advanced firewall management and disciplined change control, with backup and disaster-recovery verification built in — reliability that comes from the model, not from luck.
- Predictable cost. A fixed monthly retainer for proactive work plus a pre-purchased block of on-demand hours, so finance sees a stable number rather than a surprise. (See how Brocent structures managed IT pricing.)
It is worth being candid about what this case study is and is not. The engagement is deliberately right-sized rather than over-engineered: scope, task frequency and cost are confirmed in a discovery workshop and can be trimmed as the real environment becomes clear — including the planned decommissioning of legacy email and file-sync services. The service levels quoted here are the committed targets the model is built to deliver, and the value is in that disciplined operating model, not in any single heroic metric.
What manufacturers in China can take from this
The pattern generalises well beyond one company. Almost any foreign-owned manufacturer running a China plant alongside a commercial office faces the same three-way tension: the factory needs enterprise-grade reliability, the office needs cost-efficient support, and headquarters needs both delivered to a single, auditable standard. Trying to buy those separately usually produces gaps, duplicated effort and a reporting line HQ cannot trust.
A remote-first managed IT model with tiered SLAs resolves all three at once — provided the provider genuinely understands production environments, cross-border compliance and bilingual service delivery. The technology is almost the easy part; the harder, more valuable work is the governance, the identity discipline and the transparent reporting that let a headquarters thousands of kilometres away sleep at night.
Frequently asked questions
Can a managed IT provider really support a factory without on-site staff?
Yes. The large majority of monitoring, maintenance, security and incident work is done remotely through secure, audited access. Field engineers are dispatched only for physical tasks — hardware swaps or on-site diagnostics — which keeps cost down without sacrificing response. For sites that do want a permanent presence, full-time on-site support is available as an option.
How do you protect a production plant from downtime?
Through layered defence: 24×7 proactive monitoring with automated remediation, a production-grade SLA (a 15-minute P1 response and a 99.9% server-uptime target), advanced next-generation firewall management, high-availability virtualization, verified backups, and strict change control with a pre-approved rollback plan for every change to a critical system.
How is a German headquarters’ compliance and reporting handled?
With ITIL-aligned processes, bilingual English/Chinese communication, a named service-delivery manager, a transparent monthly report delivered by the fifth business day, quarterly business reviews, live dashboards, and full audit trails for every access and change. HQ sees the same evidence the local team does.
What happens during the transition from our current provider?
A five-phase handover: discovery, joint validation, a parallel/shadow period, go-live with intensified “hypercare” support, and then steady state. Credentials and configurations are collected into a secure takeover pack, monitoring is validated before responsibility transfers, and the outgoing provider is treated professionally throughout — with no disruption to the factory.
How is multi-site managed IT priced in China?
Typically as a fixed monthly retainer for proactive management, sized per site, plus a pre-purchased block of on-demand hours for incidents and ad-hoc changes. That combination gives predictable budgeting with flexibility for the unexpected. See our pricing overview for indicative rates.
Do you support Fortinet, Cisco and VMware environments?
Yes — Brocent’s engineers hold current Fortinet, Cisco, Microsoft and VMware certifications and manage mixed-vendor estates (firewalls, switches, wireless, virtualization hosts, SAN and SQL) as a single coordinated service rather than a set of disconnected contracts.
How do you handle a single Active Directory shared across two sites?
It is managed centrally as one domain, with the directory effort consolidated under the site that hosts it and the second site handling only its local file and access tasks. That avoids duplicated administration and keeps the joiner-mover-leaver lifecycle consistent and auditable across both locations.
Can the model scale as we add more sites in Asia?
Yes. The same remote-first platform, governance model and reporting extend to additional sites with site-tagging in the monitoring platform, and Brocent’s field-dispatch network covers on-site needs across the region — so a third or fourth location plugs into an existing operating model rather than starting from scratch.
Planning managed IT for a plant, an office, or both in China? Talk to Brocent about a right-sized, remote-first model with SLAs that match your risk — and a transition that never puts production at risk.
Share:
Ready to take action?
Turn these insights into a roadmap for your business.
Book a 15-minute no-obligation consultation with our APAC IT experts. We'll review your current setup and provide a tailored IT roadmap within 24 hours.
Free Checklist
10 Critical Checks Before Expanding IT to Greater China
PIPL compliance, network segmentation, bilingual helpdesk setup, and more — everything your IT team needs before Day 1 in China.
Request the checklist →📬 Monthly Asia IT Insights
China compliance updates, cybersecurity alerts, and IT tips for APAC teams — once a month.
No spam. Unsubscribe anytime.
Related Articles
Apr 30, 2026
Scaling Global IT Operations: How We Delivered Multi-Regional Support Across 28+ Countries for a Global Customer (Manufacturing Company)
Apr 25, 2026
Empowering Global AV Manufacturing Excellence: How Managed IT Services and Pan-Asian Global IT Support Delivered Unmatched Operational Resilience for a Leading Audio Video Solutions Provider
Apr 26, 2026
Navigating Complex Multi-Country IT Relocations in Asia: A 45-Day Success Story with Managed IT Services