[Patching] Enhance: Apple update type classification, 3rd-party discovery dashboard, rollback time windows

[ToddHebebrand]

Description

Feature request from @SemoTech for comprehensive patch scheduling capabilities:

1. Scheduled patch windows — set install times at the device level, remembered for future updates
2. Auto-install option — patches install automatically on schedule with automatic restart if needed
3. Precautionary delay — configurable X-day delay before installing to assess safety
4. Tiered approval:
   • Safari and Security updates → install promptly on schedule
   • Major macOS version updates → require manual approval (can break app compatibility)
5. 3rd-party app patching — detect and flag updates for installed 3rd-party apps, allow tagging apps for auto-update on the same schedule
6. Rollback — ability to revert to previous version within 30 days if new version causes issues

Context

This builds on the existing patch scanning and installation infrastructure. The current system can scan for and install individual patches, but lacks scheduling, automation, and approval workflows.

Reported By

@SemoTech — comment on #265 (2026-03-19)

[ToddHebebrand]

Closing — Breeze already has a full patching management system via Configuration Policies that covers scheduled patch windows, auto-install, and approval workflows.

@SemoTech — check the Configuration Policies section in the console to set up patch schedules, maintenance windows, and approval rules per device/group/org.

[ToddHebebrand]

Capability Audit — Breeze Configuration Policy System vs. Feature Requests

After auditing the codebase, here's what's already supported and what needs work:

#	Request	Status	Details
1	Scheduled patch windows (per-device)	Supported	Full hierarchy (partner→org→site→group→device) with frequency, time, day-of-week/month. patchSchedulerWorker runs every 60s.
2	Auto-install with auto-restart	Supported	Auto-approve by severity/category, reboot policy (never/if_required/always/maintenance_window).
3	Precautionary delay (X days)	Supported	deferralDays on update rings (0-365), per-category override, checked against release date.
4	Tiered approval (Safari vs. major macOS)	Partial	Category rules with per-category auto-approve exist, but agent doesn't yet classify Apple updates as minor/security vs. major OS upgrade.
5	3rd-party app patching	Partial	Agent has Homebrew, Chocolatey, Winget providers (scan/install/uninstall). Server accepts third_party source. Missing: fleet-wide discovery dashboard, bridge between software inventory and patch workflow.
6	Rollback within 30 days	Partial	patchRollbacks table, API routes, agent Uninstall on all providers. Missing: 30-day window enforcement, scheduled rollback, macOS softwareupdate has no native uninstall.

Bottom line: Requests 1-3 are fully covered by Configuration Policies today. Requests 4-6 have infrastructure in place but need enhancement work.

@SemoTech — for your immediate needs, check Configuration Policies → Patch Settings in the console to set up schedules, auto-approval rules, deferral periods, and reboot policies.