What it is
The TATER agent already reports the patches available on each endpoint (via winget / brew / apt / dnf, collected every 6 hours). Patch policies add the automation layer: a policy auto-approves patches at or above a severity threshold — optionally filtered by category — and, when auto-deploy is on, a daily scheduler queues the upgrades to matching devices without a human clicking deploy on each one.
Creating a policy
In TATER Manage → Patch Management, the Patch Policies card lists your policies. Click + New policy and set:
- Severity threshold — patch at or above Critical / Important / Moderate / Low.
- Enabled — turn the policy on/off.
- Auto-deploy — when on, the daily scheduler queues deployments. When off, the policy is report-only (use Preview to see what it would match).
- Include categories — only patch these categories (blank = all).
- Exclude package IDs — never auto-patch these (e.g. a pinned line-of-business app).
- Target hostnames — specific devices (blank = all reporting devices).
- Max devices per run — a safety cap so a single scheduler run can't deploy fleet-wide unexpectedly.
Start with report-only + Preview to confirm the match set, then flip on auto-deploy.
How auto-deploy works
Once a day, the scheduler evaluates every enabled auto-deploy policy against the latest patch inventory. For each matching device it queues an OS-appropriate upgrade (winget on Windows, brew on macOS, apt/dnf on Linux) through the same AgentCommands pipeline used by manual deployments. Each run is capped by your max devices per run and recorded in the Activity Log.
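To make the policy fields above and the daily evaluation concrete, here is an added Python model of the match-and-queue logic (example code, not TATER's own implementation). The inventory, the severity ranking, the `PatchPolicy` class and the function names are constructed for illustration; the page does not specify how the real scheduler represents any of them.

```python
from dataclasses import dataclass, field

# Constructed severity ranking for the "at or above threshold" check.
SEVERITY_RANK = {"Low": 0, "Moderate": 1, "Important": 2, "Critical": 3}
# Package manager per OS, as the page describes the scheduler choosing.
PKG_MANAGER = {"windows": "winget", "macos": "brew", "debian": "apt", "rhel": "dnf"}
# Constructed sample inventory: roughly what the agent's 6-hourly report might contain.
INVENTORY = [
    {"hostname": "win-01", "os": "windows", "patches": [
        {"package_id": "Google.Chrome", "severity": "Critical", "category": "browser"},
        {"package_id": "Contoso.LOBApp", "severity": "Critical", "category": "business"}]},
    {"hostname": "mac-01", "os": "macos", "patches": [
        {"package_id": "zoom", "severity": "Important", "category": "collaboration"}]},
    {"hostname": "lnx-01", "os": "debian", "patches": [
        {"package_id": "vlc", "severity": "Low", "category": "media"}]}]

@dataclass
class PatchPolicy:  # hypothetical model of the fields listed under "Creating a policy"
    severity_threshold: str
    enabled: bool = True
    auto_deploy: bool = False
    include_categories: set = field(default_factory=set)  # empty = all categories
    exclude_package_ids: set = field(default_factory=set)  # e.g. a pinned LOB app
    target_hostnames: set = field(default_factory=set)    # empty = all reporting devices
    max_devices_per_run: int = 10

def patch_matches(policy, patch):
    """A pending patch matches if it clears the severity, category and exclusion filters."""
    return (SEVERITY_RANK[patch["severity"]] >= SEVERITY_RANK[policy.severity_threshold]
            and (not policy.include_categories or patch["category"] in policy.include_categories)
            and patch["package_id"] not in policy.exclude_package_ids)

def preview(policy, inventory=INVENTORY):
    """Report-only view: {hostname: [package_id, ...]} that the policy would act on."""
    matches = {}
    for dev in inventory:
        if policy.target_hostnames and dev["hostname"] not in policy.target_hostnames:
            continue
        ids = [p["package_id"] for p in dev["patches"] if patch_matches(policy, p)]
        if ids:
            matches[dev["hostname"]] = ids
    return matches

def scheduler_run(policy, inventory=INVENTORY):
    """Daily run: one (hostname, package manager, package_ids) job per device, capped per run."""
    if not (policy.enabled and policy.auto_deploy):
        return []  # disabled or report-only policy: nothing is queued
    os_of = {d["hostname"]: d["os"] for d in inventory}
    jobs = [(h, PKG_MANAGER[os_of[h]], ids) for h, ids in sorted(preview(policy, inventory).items())]
    return jobs[:policy.max_devices_per_run]  # safety cap: the remainder waits for the next run
```

Running `preview` first, then `scheduler_run` with the same policy, mirrors the report-only-then-auto-deploy workflow recommended above.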
Curated 3rd-party catalog
TATER Manage → Software Deployment → ⊕ Seed 3rd-party catalog bulk-adds ~36 common business apps (Chrome, Firefox, Edge, Zoom, Slack, Teams, Acrobat Reader, 7-Zip, Notepad++, VLC, VS Code, Git, Node.js, Python, Docker, Postman, KeePassXC, AnyDesk, TeamViewer, AWS/Azure CLI, and more) to your deployment catalog — winget ids on Windows, brew casks on macOS — so you can deploy them with one click instead of authoring each package. It's idempotent: re-running only adds what's missing.
Reporting
Insights → Patch Compliance shows pending patches per device by severity, how many devices have critical patches outstanding, the most-needed updates across the fleet, and whether an auto-deploy policy is configured.
For AI agents (MCP)
- list_patch_policies (read) — see how patching is automated.
- set_patch_policy (write, Admin) — create or update a policy (severity threshold, categories, targets, auto-deploy).
- list_endpoint_patches / queue_patch_deployment — the existing per-device inventory and manual deploy tools.