GEM
GEM logo

Manage every client's Google Workspace from one console.

GEM is a free, open-source, multi-tenant management tool for Google Workspace, built for MSPs and IT admins. Identity lifecycle, onboarding, license reclamation, and cleanup automation — across all of your client environments.

Self-host GEM (free) Join the GEM Cloud waitlist

Identity lifecycle

Inventory every user across every environment. Suspend, archive, offboard with Drive handoff, and move between OUs and groups — individually or in bulk.

Onboarding that scales

Provision new hires from reusable templates: account, OU, groups, licenses, and a branded welcome email. Single, bulk CSV, or scheduled for a start date.

License reclamation

Find inactive accounts still burning licenses, reclaim them safely, and see assigned licenses per environment at a glance.

Cleanup automation

Activity-driven hygiene: an assisted daily review queue, and opt-in automation that suspends or archives accounts inactive past your thresholds.

Branded reports

Assemble dashboard sections into a PDF carrying your brand — or your client's — for QBRs and handoffs.

Security first

Per-environment least-privilege OAuth. No domain-wide delegation, no impersonation. Credentials encrypted at rest, mandatory MFA, full audit log.

How GEM connects to Google Workspace

Each environment's super-admin grants GEM a single, revocable OAuth consent — no domain-wide delegation, no service-account keys to manage. GEM requests only sensitive (not restricted) scopes: the Admin SDK (Directory, Reports, Data Transfer) and the Enterprise License Manager API. GEM never reads Gmail or Drive content. Disconnecting an environment revokes the grant at Google. The full scope-by-scope explanation lives in the setup guide.

Two ways to run GEM

Self-hosted (free, AGPL-3.0). One docker compose up on your own infrastructure. You hold the keys; your data never touches ours. Get started on GitHub.

GEM Cloud (coming soon). The same product, run for you: a dedicated, isolated instance per customer — your own database and encryption keys, in the region you choose — with Google-verified OAuth, automatic upgrades, and encrypted offsite backups.

GEM Cloud is in private beta. Join the Discord or email [email protected] to get on the waitlist.