Device Management

Breeze gives MSP and IT teams a single endpoint management layer for hardware and software visibility, management-tool detection, and patch operations across Windows, macOS, and Linux. One workflow for daily control. One audit trail when someone asks how a change happened.

Inventory and Endpoint Context

Device records include operating system, hardware profile, and software data that filter across the fleet. That supports the real day-to-day work: targeting updates to a specific cohort, finding stale agents, and narrowing incident scope before it spreads.

Management Posture Detection

Breeze detects which management and security tools are present on each device across categories like MDM, RMM, endpoint security, backup, identity/MFA, and zero-trust/VPN. The result is a clean view of overlap, unmanaged endpoints, and missing controls — the kind of evidence you need when a new customer asks what’s actually on their machines.

Patch Lifecycle Operations

Patch management covers discovery, approval, deployment, and rollback. Approvals are organization-scoped, and every patch action lands in audit history so change reviews don’t depend on memory.

Installers and Enrollment

Onboarding a new device should feel like installing any other native app, not running a terminal script during a customer call.

• macOS ships a native Swift GUI installer using bootstrap tokens. No scripted enrollment, no terminal.
• Windows MSI installs go through a hardened path so clean installs finish without rollback and the intended ACLs are applied — no more half-installed agents left behind by generic installer errors.
• AI-assisted onboarding is supported through OAuth 2.1 with Dynamic Client Registration, so assistants like Claude.ai and ChatGPT can authenticate to your workspace through a real OAuth handshake instead of pasted API keys. See Authentication & Authorization for the full identity model.

Agent enrollment uses a shared secret in production with a warn-only fallback during cutover, and enrollment keys use stronger derivation with a one-cycle legacy fallback so older keys keep resolving while operators migrate. When a stale device record reconnects, the agent receives a clear re-enrollment-required signal instead of failing silently.

Agent Auto-Update and Recovery

Breeze agents pin a signing key at enrollment and verify every release manifest against it. When something does go wrong, recovery doesn’t require touching individual machines: a single command from the platform queues a one-time, checksum-verified update to every affected agent, bypassing the broken manifest path in place. The recovery hatch ships with the server and works for both hosted SaaS and self-hosted deployments, which generate their own per-deployment signing key on first boot.

Cross-Platform Operations

Core endpoint workflows — inventory, posture, patch, deployments, remote access — are built once for Windows, macOS, and Linux. Mixed fleets don’t need a separate tool per OS family.

Platform Abuse Controls

Platform administrators can suspend an abusive partner with a single API call: every device queues for self-uninstall, sessions delete, non-admin users disable, API keys revoke, and JWTs blanket-revoke. The flow fails closed if revocation fails, so operators never get a misleading success on a sensitive action.

Why It Matters for MSPs

Customer fleets stay clean when onboarding lands the first time, patches roll with approvals attached, and the recovery story for a bad update doesn’t involve dispatching a tech to every site. That’s the bar Breeze targets on every endpoint.