The challenge with the requirements you've outlined is that they span several distinct tool categories that don't naturally live in the same platform. User access control and lifecycle management, device tracking, and order/shipping integration are each well-served by purpose-built tools — but the overlap between them is limited, and a single tool that handles all four well doesn't really exist.
Understanding where each requirement fits helps you make a more practical decision about what to use together versus what to try to find in one place.
Breaking Down Your Requirements
User Access Control and Lifecycle Management
This is the core identity governance problem: who has access to which applications, how is access granted, how is it reviewed, and how does it get revoked when someone leaves.
For your current stack — Google Workspace, Zendesk, RingCentral — an identity governance or IT automation platform handles this well. The core capabilities to look for: automated onboarding provisioning triggered by a new hire record, offboarding playbooks that cover all discovered applications (not just the ones formally connected to SSO), self-service access requests with approval workflows, and audit logging that documents what access exists and how it was granted.
Several tools handle this for Google Workspace environments specifically. BetterCloud is worth evaluating for Google-centric environments: it covers application access management and user lifecycle automation, and has integrations for many common SaaS tools. Okta Lifecycle Management handles provisioning and deprovisioning for SSO-connected applications. Identity governance platforms like Zluri, Trelica, and Productiv provide broader SaaS visibility, including applications outside your SSO perimeter.
The "ghost accounts" problem you're implicitly describing — former employees with lingering access to Zendesk or RingCentral because offboarding only covers the applications IT formally manages — is exactly what these platforms address. They discover application usage beyond what your Google Workspace SSO controls and include those applications in offboarding workflows.
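The ghost-account check described above can be illustrated as a reconciliation of an HR roster against per-application user exports, flagging enabled accounts that have no active HR owner. This is an added example, not code from any product named on this page. The CSV column names, sample addresses and service-account allowlist are constructed assumptions.

```python
import csv
import io

# Constructed sample exports with assumed CSV columns; not data from the page.
HR_ROSTER = """email,status
ana@example.com,active
ben@example.com,terminated
cy@example.com,active
"""

APP_EXPORTS = {
    "zendesk": """email,state
Ana@Example.com,active
ben@example.com,active
support-bot@example.com,active
""",
    "ringcentral": """email,state
ben@example.com,disabled
cy@example.com,active
dee@example.com,active
""",
}

# Accounts that legitimately have no HR record (assumed allowlist).
SERVICE_ACCOUNTS = {"support-bot@example.com"}

def load(text, value_col):
    """Map normalized (trimmed, lowercased) email -> value_col for each CSV row."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["email"].strip().lower(): r[value_col].strip().lower() for r in rows}

def find_ghost_accounts(hr_csv, app_exports, allowlist=frozenset()):
    """Return sorted (app, email, reason) for enabled accounts with no active HR owner."""
    hr = load(hr_csv, "status")
    findings = []
    for app, text in app_exports.items():
        for email, state in load(text, "state").items():
            if state != "active" or email in allowlist:
                continue  # already disabled, or a known service account
            if email not in hr:
                findings.append((app, email, "no HR record"))
            elif hr[email] != "active":
                findings.append((app, email, "HR status: " + hr[email]))
    return sorted(findings)

if __name__ == "__main__":
    for app, email, reason in find_ghost_accounts(HR_ROSTER, APP_EXPORTS, SERVICE_ACCOUNTS):
        print(f"{app:12} {email:28} {reason}")
```

Accounts reported as "no HR record" are either contractors and shared mailboxes that belong on the allowlist, or accounts created outside the onboarding workflow; both cases need an owner assigned.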
Device Tracking and MDM Integration
Device assignment to users (which laptop belongs to which person) and device management (configuration, compliance, remote wipe) are handled by Mobile Device Management platforms. The most common options for your environment:
Jamf is the standard for Apple-focused environments (Mac, iPhone, iPad). It tracks device assignment, manages configuration, and integrates with identity platforms for automated enrollment and offboarding actions (like remote wipe triggered by an employee departure).
Microsoft Intune covers Windows and Apple devices in Microsoft 365 environments, and it integrates with Azure AD/Entra ID for device compliance enforcement in Conditional Access.
Kandji is a newer Mac-focused MDM with a more modern UX than Jamf, popular in fast-growing companies.
Pulseway, which you're already using, provides RMM (remote monitoring and management) functionality that overlaps with MDM — it can track which devices are associated with which users and provide remote management capabilities.
The device tracking question — "which user currently has which device" — is primarily an asset management function that MDM platforms handle. Most identity governance platforms can surface this data by integrating with your MDM rather than tracking it natively.
Onboarding and Offboarding Coordination
The onboarding process that involves both software provisioning and physical device setup has two distinct tracks that need to be coordinated:
Digital provisioning: creating accounts in Google Workspace, Zendesk, RingCentral, and other tools. This is what identity governance platforms automate — triggered by a new hire record in your HRMS or manually, the workflow creates accounts and grants access according to defined policies.
Physical coordination: ordering and shipping a laptop to the new employee, tracking the shipment, confirming receipt. This is an IT asset management and logistics function that identity governance platforms don't handle natively. The connection between the two is typically a manual task in the onboarding workflow — a structured work item assigned to whoever handles device procurement, which the system tracks as needing completion before onboarding is "done."
For the device ordering piece specifically, many companies use IT asset management (ITAM) platforms that have integrations with device suppliers and support configuration of devices before shipping. Oomnitza, Asset Panda, and Snipe-IT are in this category. These are separate from identity governance tools but can be connected via workflow integration.
FedEx and Amazon Integration for Order Tracking
This is the most niche requirement and the one least likely to have a native solution in identity governance tooling. The realistic approaches:
Workflow automation with custom API calls: If your IT tool has webhook or custom HTTP action capability, you can build a connection to FedEx or Amazon's APIs to trigger orders or pull tracking status within a workflow. This requires API setup and some technical configuration but doesn't require a native integration to exist.
ITSM integration: ServiceNow and similar ITSM platforms have app store integrations including shipping and logistics. If you're using a ticketing system for onboarding workflows, shipping integration may be available through that platform rather than through your identity governance tool.
Manual task tracking within onboarding workflows: If automated shipping integration isn't justified by the volume of orders, a governed manual task — "Order laptop for [new hire]" assigned to the IT procurement person, with tracking number to be entered as confirmation — provides accountability and visibility without requiring API integration to FedEx or Amazon specifically.
A Practical Architecture for Your Stack
Given your current environment (Google Workspace, Pulseway, Zendesk, RingCentral, FedEx/Amazon), a practical combination looks like:
Identity governance platform (BetterCloud, Trelica, or similar Google Workspace-native options, or a broader IGA platform for deeper access governance): handles user access control, application discovery including shadow IT, onboarding provisioning, and offboarding playbooks.
Your existing Pulseway or an MDM if you're deploying company devices to employees: handles device tracking and management. The identity governance platform pulls device assignment data from Pulseway via integration.
Workflow integration for device ordering: either custom API calls to FedEx/Amazon within your identity governance tool's workflow engine, or manual task tracking within onboarding workflows, depending on your volume and technical resources.
The realistic expectation is two or three tools that share data rather than a single platform that does everything. The integration between them — specifically, that the identity governance platform can trigger manual tasks and potentially API calls to your shipping provider as part of onboarding workflows — is what makes the combination feel unified from an operational perspective even when the tools are separate.
What to Prioritize in Evaluation
If you're starting with one platform, prioritize the access control and lifecycle management piece — that's where the security and operational risk is highest, and it's the most mature tool category for your requirements. Evaluate specifically for:
- Google Workspace native integration (provisioning and deprovisioning, not just SSO)
- Zendesk and RingCentral connector support
- Application discovery that goes beyond SSO-connected apps
- Manual task support for the non-automatable steps in onboarding and offboarding
- Custom action or webhook capability for future integration with shipping APIs
Device tracking and shipping integration can be addressed separately once the identity governance foundation is in place — they're important but they're not the highest-risk gap to close first.
















