PowerShell automation for MSP tenants — governed.
Run scripted actions across every client tenant with the same shadow-mode review, per-action approval, and audit trail as every other operation on the platform. Rewst-class automation without the scripting-without-governance gap.
The scripting-without-governance gap
Rewst is great at running scripts. But who approves each one?
Rewst, Liongard, and similar tools solve a real problem: MSPs need a way to execute PowerShell across hundreds of client tenants without logging in each time. That part is genuinely useful.
The gap is what happens next. A script that resets a user password is a compliance event. A script that adds a member to an admin group is a security event. A script that bulk-enables a mailbox forwarding rule is an incident-investigation event — sometimes.
Traditional automation platforms run those scripts and log the output. Whether a human approved the action in advance, whether sensitive strings ended up in plaintext logs, whether the action belongs to the right tenant — all of that is the MSP's problem to verify after the fact.
JieGou runs the same PowerShell. But the governance is first-class, not an afterthought.
How it works
One pipeline. Scripts and AI, both governed.
Every PowerShell job flows through the same path as every other JieGou action. No separate approval layer to maintain, no separate audit log to reconcile.
Request
Operator or AI creates a job targeting a specific client tenant. Action + arguments are structured data, not a free-form prompt.
Shadow-mode review
Job enters the approval queue with the exact PowerShell it will run, fully rendered. Reviewer sees what executes before it executes.
Approval
Approval is per action, not per workflow. Approvers are role-gated; an emergency override requires a reason, which is logged to audit.
Execute
Node router dispatches to a PowerShell runner scoped to the target tenant. Output comes back through a redaction pipeline.
Audit
Request, approver, PowerShell executed, redacted output, and timestamps are written to the immutable audit log.
Pre-built actions
15+ actions ship with the platform
No "first, write the script." Common MSP actions are productized, tested, and governed on day one. Custom scripts follow the same approval + audit pipeline.
User Provisioning
Create users, set initial passwords, add to groups, assign licenses.
License Assignment
Add or remove M365 / Intune licenses at any scale, per-tenant.
Group Management
Create security groups, add/remove members, enforce membership policy.
Mailbox Configuration
Create shared mailboxes, set forwarding, configure delegation, litigation hold.
Device Management
Intune / Azure AD device enrollment, compliance policy updates, bulk remediation.
Password & MFA
Force password resets, configure MFA methods, revoke sessions on compromise.
Plus custom scripts — any PowerShell, same governance pipeline.
Honest comparison
JieGou vs. Rewst
Rewst is a real, credible product for MSPs. We built JieGou for a different positioning — governance-first operations with AI as a first-class citizen. Where that matters, here's how we compare.
| Capability | Rewst | JieGou |
|---|---|---|
| Run PowerShell against client tenants | Yes — their core product | Yes — 15+ pre-built actions ship with the platform |
| Shadow-mode review before every action | Separate approval logic, bolted on per-workflow | First-class — every job passes through the same approval queue |
| Per-action approval (not per-workflow) | Workflow-level only; once the flow runs, individual actions fire | Individual action-level — you approve or reject each change |
| Full audit log of every action, input, output | Execution logs; output redaction is your job | Automatic sensitive-string redaction; signed audit entries |
| AI-generated actions governed by the same pipeline | Scripts only; AI is external if at all | AI and scripts share one approval + audit + redaction pipeline |
| Emergency approval override with reason + audit | Workflow edits or manual re-run | Owner/Admin override with required reason, recorded in audit |
| Cross-account tenant isolation | Correct by construction, no isolation test suite published | Isolation verified by a dedicated cross-account test suite |
Comparison based on publicly documented Rewst capabilities as of April 2026. If anything on this table is inaccurate, please email corrections@jiegou.ai — we want to represent Rewst fairly.
See the governed PowerShell pipeline in action
Book a 20-minute demo and we'll run a real action end-to-end — from request through approval through execution to audit.