Endpoint Management

TATER agents provide a complete Unified Endpoint Management surface, with feature parity to ManageEngine Endpoint Central across patch management, software deployment, disk-encryption key escrow, policy enforcement, and remote shell. Every action rides on the agent's existing AgentCommands pipeline, every mutation is audit-logged with the requesting SuperAdmin's identity, and every sensitive operation requires explicit opt-in at both the org level and the device-config level.

What you need:
  • TATER agent v2.x or later running on the target devices (Windows / macOS / Linux)
  • Live Shell, Patch Inventory, and BitLocker Escrow are opt-in features — enable per-org in Manage → Tenant Admin → Organizations → ⚙ Features and (for Live Shell) per-device via the agent's liveShellEnabled config flag.
  • SuperAdmin role (most write surfaces); Admin role (some catalog + policy CRUD); Viewer (self-service portal).

Live Interactive Shell

Open a persistent PowerShell / pwsh / cmd / bash / zsh session against any enrolled endpoint and type commands as if you were sitting at the keyboard. The V1 transport is a REST-polling pseudo-terminal, so it works through any firewall that already lets the agent poll TATER; no inbound port is needed on the endpoint. V2 will add WebRTC for sub-100ms latency.

How to use it

  1. Enable Live Shell for the org: Manage → Tenant Admin → Organizations → ⚙ Features → Live Interactive Shell ON.
  2. Open Manage → Endpoint Fleet → Devices.
  3. Find the target device, click the 💻 Shell button on its row.
  4. Pick the shell (PowerShell / pwsh / cmd / bash / zsh / sh), context, and idle timeout (default 30 min, max 4h).
  5. Click ▶ Start session — xterm.js loads, the agent attaches, the prompt appears.
  6. Type any command. Output streams back in ~400ms chunks.
  7. Click ⏹ End session to close. The session also auto-closes on idle timeout or max-session timeout.

What's recorded

Every keystroke and every byte of output is persisted server-side in a ShellTranscripts Cosmos container with 90-day retention. Replay any prior session by hitting GET /agents/shell/sessions/<sid>/transcript with SuperAdmin auth. There is no way to disable recording while keeping shell access — the audit trail is the point.

Limits

Patch Management

The agent runs platform-native upgrade discovery (winget upgrade on Windows, brew outdated + softwareupdate -l on macOS, apt list --upgradable / dnf check-update on Linux) every 6 hours and uploads the available-update list to TATER. SuperAdmins review in Manage and queue deployments with one click.
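As an added illustration (not TATER agent code), the parser below normalizes the output of two of those discovery commands, winget upgrade and apt list --upgradable, into one record shape of the kind the agent has to upload. The sample command output is constructed, and treating an apt update served from a *-security suite as security-relevant is this example's own heuristic; the page does not say how the critical / important counts are derived.

```python
"""Normalize platform-native upgrade discovery output into one update list.

Added example, not TATER agent code. The command output below is constructed,
and flagging apt updates from a *-security suite is this example's heuristic.
"""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class AvailableUpdate:
    package_id: str   # winget Id, or apt package name
    installed: str
    available: str
    source: str       # winget source, or the apt suite list
    security: bool    # heuristic: apt update served from a *-security suite

_WINGET_COLS = ("Name", "Id", "Version", "Available", "Source")
_WINGET_FOOTER = re.compile(r"^\d+ upgrades? available")

def parse_winget_upgrade(text: str) -> list[AvailableUpdate]:
    """Parse the fixed-width table printed by `winget upgrade`.

    Column offsets are read from the header line; splitting on whitespace
    would break on Names that contain spaces.
    """
    lines = text.splitlines()
    header = next((i for i, line in enumerate(lines)
                   if all(re.search(rf"\b{c}\b", line) for c in _WINGET_COLS)), None)
    if header is None:
        return []                     # e.g. "No installed package found ..." or empty output
    starts = [re.search(rf"\b{c}\b", lines[header]).start() for c in _WINGET_COLS]
    bounds = list(zip(starts, starts[1:] + [None]))
    updates = []
    for row in lines[header + 2:]:    # skip the header and the dashed rule under it
        if not row.strip() or _WINGET_FOOTER.match(row):
            break
        _name, pkg_id, installed, available, source = (row[s:e].strip() for s, e in bounds)
        if pkg_id:
            updates.append(AvailableUpdate(pkg_id, installed, available, source, security=False))
    return updates

_APT_ROW = re.compile(
    r"^(?P<pkg>[^/\s]+)/(?P<suites>\S+)\s+(?P<avail>\S+)\s+\S+\s+"
    r"\[upgradable from: (?P<inst>[^\]]+)\]$"
)

def parse_apt_upgradable(text: str) -> list[AvailableUpdate]:
    """Parse `apt list --upgradable`; the 'Listing... Done' banner and blank lines are skipped."""
    updates = []
    for line in text.splitlines():
        m = _APT_ROW.match(line.strip())
        if m:
            suites = m["suites"].split(",")
            updates.append(AvailableUpdate(
                m["pkg"], m["inst"], m["avail"], m["suites"],
                security=any(s.endswith("-security") for s in suites)))
    return updates

def summarize(updates: list[AvailableUpdate]) -> dict:
    """KPI-style counts for one device's scan."""
    return {"total": len(updates), "security": sum(1 for u in updates if u.security)}

# Constructed sample output (not captured from real hosts).
SAMPLE_WINGET = """\
Name                    Id                        Version    Available  Source
------------------------------------------------------------------------------
7-Zip 22.01 (x64)       7zip.7zip                 22.01      23.01      winget
Mozilla Firefox (x64)   Mozilla.Firefox           121.0      122.0.1    winget
2 upgrades available.
"""
SAMPLE_APT = """\
Listing... Done
curl/jammy-updates,jammy-security 7.81.0-1ubuntu1.15 amd64 [upgradable from: 7.81.0-1ubuntu1.14]
vim/jammy-updates 2:8.2.3995-1ubuntu2.15 amd64 [upgradable from: 2:8.2.3995-1ubuntu2.13]
"""

if __name__ == "__main__":
    for u in parse_winget_upgrade(SAMPLE_WINGET) + parse_apt_upgradable(SAMPLE_APT):
        print(u)
    print(summarize(parse_apt_upgradable(SAMPLE_APT)))
```

The winget parser deliberately reads column offsets from the header instead of splitting on whitespace, because display names such as "Mozilla Firefox (x64)" contain spaces; the apt parser anchors on the literal "[upgradable from: ...]" suffix so unrelated lines are ignored rather than mis-parsed.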

Where to look

Manage → Endpoint Fleet → Patch Management. KPI cards show fleet-wide totals (devices reporting, total patches, critical count). Per-device table shows hostname, OS, patches, critical / important counts, and last-scan timestamp.

Deploying patches

Each queued deployment becomes an AgentCommand with a 30-minute timeout. As the agent reports progress, the status mirrors back into the deployment's PatchDeployments shadow record.

Software Deployment

Define a package once in the org's catalog, then deploy it to up to 500 hosts in a single API call. Supports winget IDs, MSI / EXE / PKG / DEB / RPM direct-URL downloads (with optional SHA256 verification), Homebrew formulae and casks, and raw PowerShell / bash scripts as a fallback.

Catalog management

Manage → Endpoint Fleet → Software Deploy → + New package. Fill in the form:

Deploying

Click ▶ Deploy on a package row, paste hostnames (one per line, up to 500), click ▶ Deploy. Each host gets its own SoftwareDeployment record; the agent downloads (with SHA256 check if configured), runs silent install, and reports back.
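The two checks in that flow that a practitioner cares about are the agent-side SHA256 gate on the downloaded artifact and the server-side 500-host cap on the pasted hostname list (the same cap applies to policy application). The block below is an added example, not TATER code: the page gives the hash check and the host limit, while the function names, the result strings, and the stand-in installer bytes are this example's own.

```python
"""The agent's download gate and the server's hostname fan-out cap.

Added example, not TATER code. The page specifies the optional SHA256 check
and the 500-host limit; function names, result strings and the installer
bytes below are this example's own.
"""
import hashlib
import hmac
from typing import Optional

MAX_HOSTS = 500

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_download(data: bytes, expected_sha256: Optional[str]) -> str:
    """Agent side. Returns 'verified' on a match or 'unverified' when the package
    has no hash configured; a mismatch raises so the silent install never runs
    on a tampered or truncated file."""
    if not expected_sha256:
        return "unverified"
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected_sha256.strip().lower()):
        raise ValueError(f"sha256 mismatch: expected {expected_sha256}, got {actual}")
    return "verified"

def download_ok(data: bytes, expected_sha256: Optional[str]) -> bool:
    """Boolean wrapper around check_download for callers that only branch."""
    try:
        check_download(data, expected_sha256)
        return True
    except ValueError:
        return False

def parse_hostnames(text: str) -> list[str]:
    """Server side: one hostname per line, trimmed, case-folded, de-duplicated,
    and rejected outright if more than MAX_HOSTS remain."""
    seen: set[str] = set()
    hosts: list[str] = []
    for line in text.splitlines():
        host = line.strip().lower()
        if host and host not in seen:
            seen.add(host)
            hosts.append(host)
    if len(hosts) > MAX_HOSTS:
        raise ValueError(f"{len(hosts)} hosts exceeds the per-call limit of {MAX_HOSTS}")
    return hosts

def within_limit(text: str) -> bool:
    try:
        parse_hostnames(text)
        return True
    except ValueError:
        return False

def fan_out(package_name: str, hostnames_text: str) -> dict[str, dict]:
    """One deployment record per host; every record starts as 'queued' and the
    agent moves it forward after its own check_download succeeds."""
    return {h: {"package": package_name, "state": "queued"}
            for h in parse_hostnames(hostnames_text)}

# Constructed stand-in for a downloaded MSI/PKG; not a real installer.
SAMPLE_INSTALLER = b"constructed installer bytes, stand-in for a direct-URL download"

if __name__ == "__main__":
    digest = sha256_hex(SAMPLE_INSTALLER)
    print(check_download(SAMPLE_INSTALLER, digest))           # verified
    print(download_ok(SAMPLE_INSTALLER + b"\x00", digest))    # False: one extra byte
    print(fan_out("7zip.7zip", "ws-01\nWS-01\nws-02"))
```

Two points worth noting: the comparison uses hmac.compare_digest rather than == so the check is constant-time, and a package with no SHA256 configured is reported as "unverified" rather than silently treated as verified, which makes direct-URL packages without a hash visible in deployment status.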

BitLocker / FileVault / LUKS Escrow

The agent inventory runner captures volume protection status and recovery passwords every 6 hours. Passwords are AES-256-GCM encrypted at rest in the BitLockerKeys Cosmos container. Recovery passwords are never returned in list responses; they appear as ••• masked •••.

Revealing a recovery key

  1. Manage → Endpoint Fleet → BitLocker Keys.
  2. Click View keys on a host row to see its volumes and protection status.
  3. Click 🔓 Reveal on the volume you need.
  4. Confirm the audit warning. A high-sensitivity entry is written to the audit log capturing your identity (OID + UPN + IP) and the volume id.
  5. The cleartext password is displayed inline. It's user-selectable so you can copy/paste into the recovery flow.

Audit trail

Every reveal writes an audit entry with action=update entityType=bitlocker-key, metadata.action=reveal, and the requester's OID/UPN/via. Filter Manage → Audit & Telemetry → Activity Log → All Channels: web for bitlocker-reveal to see who's been pulling keys.
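The property those two sections describe is that a list response can never carry a password and that a reveal cannot happen without its audit entry. The block below is an added example of that contract, not TATER code: it keeps passwords in memory (the real container encrypts them at rest with AES-256-GCM, which is out of scope here), uses the audit field names the page gives (action, entityType, metadata.action, OID / UPN / via), and makes up the store API, hostnames, and the sample recovery password.

```python
"""Masked key listing and audited reveal for a recovery-key escrow.

Added example, not TATER code. Passwords are held in memory here; the real
container encrypts them at rest (AES-256-GCM per the page), which is out of
scope. Audit field names follow the page; the store API, hostnames and the
sample key are this example's own.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone

MASK = "••• masked •••"

@dataclass(frozen=True)
class Requester:
    oid: str
    upn: str
    via: str          # channel the request came in on, e.g. "web" or "mcp"

class EscrowStore:
    def __init__(self) -> None:
        self._keys: dict[tuple[str, str], dict] = {}
        self.audit: list[dict] = []

    def escrow(self, hostname: str, volume_id: str, status: str, recovery_password: str) -> None:
        """Inventory upload: overwrite the record for (host, volume)."""
        self._keys[(hostname, volume_id)] = {"status": status, "password": recovery_password}

    def list_keys(self, hostname: str) -> list[dict]:
        """List response: volume and protection status only; the password is always masked."""
        return [{"volume": v, "status": rec["status"], "recoveryPassword": MASK}
                for (h, v), rec in self._keys.items() if h == hostname]

    def reveal(self, hostname: str, volume_id: str, who: Requester) -> str:
        """Return the cleartext password, but only after the high-sensitivity audit entry is written."""
        rec = self._keys[(hostname, volume_id)]          # KeyError if the volume is unknown
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "action": "update",
            "entityType": "bitlocker-key",
            "entityId": f"{hostname}:{volume_id}",
            "metadata": {"action": "reveal", "sensitivity": "high"},
            "requester": {"oid": who.oid, "upn": who.upn, "via": who.via},
        })
        return rec["password"]

def reveals(audit: list[dict], via: str = "web") -> list[dict]:
    """The 'who has been pulling keys' query: reveal entries on one channel."""
    return [e for e in audit
            if e["entityType"] == "bitlocker-key"
            and e["metadata"].get("action") == "reveal"
            and e["requester"]["via"] == via]

def password_leaks(store: EscrowStore, hostname: str, password: str) -> bool:
    """Regression check: the serialized list response must never contain the password."""
    return password in json.dumps(store.list_keys(hostname))

# Constructed sample in the 48-digit BitLocker recovery-password format; not a real key.
SAMPLE_PASSWORD = "111111-222222-333333-444444-555555-666666-777777-888888"

def demo() -> tuple[list[dict], str, list[dict]]:
    store = EscrowStore()
    store.escrow("ws-0042", "C:", "FullyEncrypted", SAMPLE_PASSWORD)
    listed = store.list_keys("ws-0042")
    shown = store.reveal("ws-0042", "C:", Requester("0000-oid", "admin@example.com", "web"))
    return listed, shown, reveals(store.audit)

if __name__ == "__main__":
    listed, shown, entries = demo()
    print(listed)       # recoveryPassword is MASK
    print(shown)        # cleartext, only after the audit entry exists
    print(entries[0]["requester"])
```

The ordering inside reveal is the point: the audit entry is appended before the password is returned, so a failure to write the entry (an exception from the store) also prevents the reveal, and password_leaks gives a cheap regression test that serializing a list response never exposes a key.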

Endpoint Policies

Six policy kinds compose to cover most Endpoint-Central-style enforcement scenarios. Define each policy once with a JSON spec, then apply it to one or many devices. The API renders a platform-specific script and queues it via AgentCommands.

  USB Control
    What it does: block USB storage, allow all, or allowlist by VID/PID
    Spec example: {"mode":"block-storage"}
  App Allowlist
    What it does: AppLocker enforce / audit / off (Windows); Gatekeeper enable / disable (macOS); SELinux / AppArmor (Linux)
    Spec example: {"mode":"enforce"}
  JIT Admin Elevation
    What it does: add a user to local Administrators for N minutes with auto-revoke
    Spec example: {"username":"DOMAIN\\user","durationMinutes":60,"mode":"grant"}
  Power Management
    What it does: sleep / hibernate / screen-off timeouts (powercfg / pmset)
    Spec example: {"sleepMinutesAC":30,"sleepMinutesDC":15}
  Browser Policy
    What it does: block extensions, force homepage, disable incognito (Chrome / Edge / Firefox)
    Spec example: {"browser":"chrome","blockExtensions":true}
  DNS Filter
    What it does: override DNS servers, push a hosts blocklist
    Spec example: {"primaryDns":"1.1.1.2","hostsBlocklist":["malware.example"]}

Apply workflow

  1. Manage → Endpoint Fleet → Endpoint Policies.
  2. Pick the tab (USB / App Allow / JIT Admin / Power / Browser / DNS Filter).
  3. Click + New policy, fill in name + platform + spec JSON, save.
  4. Click ▶ Apply on the saved policy.
  5. Paste target hostnames (one per line, up to 500), click ▶ Apply.
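Because the spec JSON is turned into a script that runs with administrative rights on every target, the step that matters most is validating the spec before anything is rendered. The block below is an added example, not TATER's renderer: the policy kinds and spec keys are the page's, while the validation rules, the choice of cmdlets and registry path, the scheduled-task name, and the script text are this example's own. It renders the JIT Admin Elevation and USB Control kinds for Windows and rejects everything else.

```python
"""Validate an endpoint-policy spec, then render the Windows script for it.

Added example, not TATER's renderer. Kinds and spec keys come from the page;
the validation rules, cmdlets, registry path and task names are this example's
own choices and assumptions.
"""
import re

# Conservative username shape: optional DOMAIN\ prefix, optional @suffix, no quotes or spaces.
_USERNAME = re.compile(r"^(?:[\w.\-]+\\)?[\w.\-]+(?:@[\w.\-]+)?$")

def _ps_quote(value: str) -> str:
    """Single-quote for PowerShell; inside '...' the only escape is a doubled quote."""
    return "'" + value.replace("'", "''") + "'"

def validate_spec(kind: str, spec: dict) -> dict:
    """Reject unknown kinds, modes and shapes before anything reaches a script."""
    if kind == "jit-admin":
        if spec.get("mode") not in ("grant", "revoke"):
            raise ValueError("jit-admin: mode must be 'grant' or 'revoke'")
        if not _USERNAME.match(str(spec.get("username", ""))):
            raise ValueError("jit-admin: username has characters outside the allowed set")
        minutes = spec.get("durationMinutes")
        if spec["mode"] == "grant" and not (isinstance(minutes, int) and 1 <= minutes <= 480):
            raise ValueError("jit-admin: durationMinutes must be an integer from 1 to 480")
        return spec
    if kind == "usb-control":
        if spec.get("mode") not in ("block-storage", "allow-all"):
            raise ValueError("usb-control: this example renders 'block-storage' and 'allow-all' only")
        return spec
    raise ValueError(f"no renderer for kind {kind!r}")

def spec_is_valid(kind: str, spec: dict) -> bool:
    try:
        validate_spec(kind, spec)
        return True
    except ValueError:
        return False

def render_windows(kind: str, spec: dict) -> str:
    spec = validate_spec(kind, spec)
    if kind == "usb-control":
        start = 4 if spec["mode"] == "block-storage" else 3   # USBSTOR service Start: 4 = disabled, 3 = manual
        return ("Set-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Services\\USBSTOR' "
                f"-Name Start -Value {start}\n")
    user = _ps_quote(spec["username"])
    if spec["mode"] == "revoke":
        return f"Remove-LocalGroupMember -Group 'Administrators' -Member {user}\n"
    task = _ps_quote("TATER-JIT-Revoke-" + re.sub(r"\W", "_", spec["username"]))
    minutes = spec["durationMinutes"]
    # Grant now; a one-shot scheduled task running as SYSTEM revokes after the window and removes itself.
    return "\n".join([
        f"$u = {user}",
        f"$task = {task}",
        "Add-LocalGroupMember -Group 'Administrators' -Member $u",
        "$revoke = \"Remove-LocalGroupMember -Group 'Administrators' -Member '$u'; \" +",
        "          \"Unregister-ScheduledTask -TaskName '$task' -Confirm:`$false\"",
        "$action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument \"-NoProfile -NonInteractive -Command `\"$revoke`\"\"",
        f"$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes({minutes})",
        "Register-ScheduledTask -TaskName $task -Action $action -Trigger $trigger -User 'SYSTEM' -RunLevel Highest -Force | Out-Null",
        "",
    ])

if __name__ == "__main__":
    print(render_windows("jit-admin", {"username": "CORP\\alice", "durationMinutes": 60, "mode": "grant"}))
    print(render_windows("usb-control", {"mode": "block-storage"}))
```

The username allowlist regex is what keeps the spec from becoming a script-injection channel: the value is interpolated into PowerShell twice (once single-quoted, once inside a double-quoted string for the scheduled task), and because quotes, semicolons and whitespace are rejected up front, neither interpolation can break out of its string. Limiting durationMinutes to a bounded integer likewise keeps a "grant" from becoming a standing admin membership.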

Wake-on-LAN, Process Control, File Transfer

One-shot endpoint actions for when you don't need a full policy or live shell.

Self-Service Portal (My TATER)

End users submit software / JIT-admin / access / support requests from My TATER. Admins approve in Manage. Approving does not auto-execute anything: admins still drive the underlying action via the matching workflow (for example, approving a software request opens the relevant Software Deploy queue).

End-user flow

  1. Open My TATER → Self-Service.
  2. Click + New request, pick a kind (Software install / JIT admin / Access request / General support).
  3. Fill in the title + description. For software requests, name the package; for JIT admin, request a duration.
  4. Submit. The status table shows Pending until an admin decides.

Admin flow

SuperAdmins / OrgAdmins see all pending requests across the org. Approve or deny with a decision note. Once approved, the admin manually triggers the matching action (deploy software, grant JIT admin via the Endpoint Policies → Elevation Grants flow, etc.). MCP agents can list and decide via list_self_service_requests and decide_self_service_request.

MCP Tools (Agent Surface)

External AI agents (Claude, Copilot, Cursor, etc.) can drive most endpoint-management workflows via MCP. Live Shell is intentionally not exposed; by design it is an interactive UI surface only.

  Tool                         Role           Purpose
  list_endpoint_patches        Viewer         Fleet patch posture
  queue_patch_deployment       Admin          Push patches to a device
  list_software_packages       Viewer         Software catalog discovery
  deploy_software              Admin          Fan out a package install to 1–500 hosts
  list_bitlocker_status        Viewer         Fleet encryption posture (recovery passwords are NEVER returned via MCP)
  list_endpoint_policies       Viewer         Discover existing policies by kind
  apply_endpoint_policy        Admin          Apply a policy to up to 500 hosts
  endpoint_process_control     Admin          Kill a process; restart, stop, or start a service
  list_self_service_requests   Viewer/Admin   Triage pending end-user requests
  decide_self_service_request  Admin          Approve / deny with a note

Security Model

Related