TATER Manage
Platform admin + agent fleet management. SuperAdmin only. Third sister app to TATER Security and TATER Ops.
What it is
TATER Manage consolidates SuperAdmin functions and adds operational fleet capabilities that don't fit cleanly into Security or Ops: remote command execution on devices, multi-screen viewing, vulnerability inventory. The TATER acronym for this product expands as Tenant Administration, Telemetry & Endpoint Remote-control.
Signing in
Manage is reachable at manage.tatersecurity.com. Sign in with the same Microsoft account used for TATER Security and Ops. The app gates by SuperAdmin role at boot — non-SA accounts see an access-denied card with links back to Security/Ops.
Navigation
Tenant Admin
- Organizations — list of all orgs visible to your session, with role + tenant ID. Edit deep-links to TATER Security.
- Users — registered platform users, global roles, last seen.
- Subscriptions — per-org billing, license limits, MRR; native KPI cards + table with status pills.
- MSP Licensing — MSP partner relationships, tier (T1/T2/T3), seat usage with over-limit warnings.
Audit & Telemetry
- Activity Log — cross-product audit trail; filter by action, channel (via field: web / mcp / copilot / claude / agent / cron / api / ado-webhook), free-text search.
- Usage Analytics — period selector (7/30/90 days), KPIs, Top Pages, Top Orgs.
- MCP Feedback — all MCP feedback submissions; sentiment-coloured cards with ADO link badges.
Connections
- Integrations — connector cards (ADO, Jira, ServiceNow, Teams, Slack, Webhook) with "Used by" tags. Configuration deep-links to TATER Security or directly to the ADO Sync page.
- Azure DevOps Sync — full configuration form for TATER Ops ↔ ADO bi-directional sync. PAT and webhook secret encrypted at rest, redacted on display.
Endpoint Fleet
- Devices — every TATER agent reporting in; filter by OS, search by hostname.
- Agent Deployment — current version, download links for all platforms.
- Agent Versions — per-platform binary metadata with SHA256.
Remote Operations (Phase 2-4)
- Remote Commands (per-device "▶ Run" button on Devices page) — queue PowerShell or bash scripts targeted at a specific hostname. Choose SYSTEM (default service context) or logged-in user. Live status modal polls every 2.5s, captures stdout/stderr.
- Multi-Screen — thumbnail grid of device screenshots (when capture is enabled in agent config). Click any thumbnail to zoom.
- Vulnerabilities — fleet exposure summary with CISA Known Exploited Vulnerabilities (KEV) correlation. Click any device row to see Known Exposures + full software inventory.
Agent communication channels
The TATER Go agent runs as a system service and talks to four API surfaces:
- Scans — endpoint compliance posture (existing)
- Evidence — browser/PS evidence collection (existing)
- Commands — Phase 2: poll for queued scripts, execute, report status
- Vulnerabilities — Phase 4: weekly software inventory upload for KEV correlation
- Screens — Phase 3 (API live, agent capture pending) — periodic screenshot upload
All use the same X-Api-Key auth bound to a per-org API key configured during agent installation. Agent API keys are org-bound — an agent for org A cannot read or mutate commands/screens/inventory belonging to org B even within the same tenant.
Security model
- SuperAdmin gate at the app level (boot-time access-denied for non-SA)
- Every action audit-logged with via: 'web' attribution to distinguish from MCP/agent activity
- ADO PAT and webhook secret encrypted at rest via existing AES-256-GCM encryption.ts with ENCRYPTION_KEY env var; redacted to '[REDACTED]' on GET responses
- Remote commands have script size cap (100KB), timeout cap (5–3600s), output cap (64KB stdout / 16KB stderr); 90-day TTL on command records
- Screen captures: 350KB cap per upload, one document per device (overwrites prior), 24h TTL
- Vuln inventory: 1.5MB cap per upload, 4500-package cap, 30-day TTL
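The remote-command caps above and the org-bound X-Api-Key rule from the agent channel description, as an added TypeScript sketch (not TATER's own code). All identifiers, the key table and the reading of 1KB as 1024 bytes are assumptions.

```typescript
// Added example, not TATER source. Limits come from the Security model list;
// every identifier and sample value below is hypothetical/constructed.
// Assumption: "KB" is read as 1024 bytes.
const LIMITS = { scriptBytes: 100 * 1024, timeoutMin: 5, timeoutMax: 3600,
                 stdoutBytes: 64 * 1024, stderrBytes: 16 * 1024 };

interface Command {
  orgId: string; hostname: string; shell: "powershell" | "bash";
  runAs: "SYSTEM" | "user"; script: string; timeoutSec: number;
}

// Constructed key table: the org comes from the key, never from the request body.
const API_KEYS = new Map<string, string>([["key-org-a", "org-a"], ["key-org-b", "org-b"]]);

const utf8 = new TextEncoder();

// Reject a command before it is queued if it breaks the size or timeout caps.
function validateCommand(cmd: Command): string[] {
  const errors: string[] = [];
  if (utf8.encode(cmd.script).length > LIMITS.scriptBytes) errors.push("script exceeds 100KB");
  const t = cmd.timeoutSec;
  if (!Number.isInteger(t) || t < LIMITS.timeoutMin || t > LIMITS.timeoutMax)
    errors.push("timeout outside 5-3600s");
  return errors;
}

// Agent poll: resolve the org from X-Api-Key, then return only that org's
// commands for the polling hostname. Unknown keys get null (treated as 401).
function pollCommands(queue: Command[], apiKey: string, hostname: string): Command[] | null {
  const orgId = API_KEYS.get(apiKey);
  if (orgId === undefined) return null;
  return queue.filter(c => c.orgId === orgId && c.hostname === hostname);
}

// Cap captured output by bytes, backing off so a multi-byte UTF-8 character
// is never split (a split character would decode to U+FFFD and grow the text).
function capOutput(text: string, maxBytes: number): string {
  const bytes = utf8.encode(text);
  if (bytes.length <= maxBytes) return text;
  let end = maxBytes;
  while (end > 0 && (bytes[end] & 0xc0) === 0x80) end--;
  return new TextDecoder().decode(bytes.subarray(0, end));
}
```

Two orgs can share a hostname, so the poll filters on the key-derived org first and the hostname second.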
Direct URL
Bookmark manage.tatersecurity.com. Also reachable at app.tatersecurity.com/manage.html.