Technical SOPs
RMM Policy Set (Syncro) — Windows + Mac
The standard Syncro RMM policy applied to every customer org at onboarding (Syncro SOP Part A step 6 / Engineer Runbook step 1). Two policies, assigned by OS: one Windows (PC), one Mac. Grounded in what Syncro actually automates — Syncro’s native patch manager patches Windows only; the Mac Agent does fleet management, monitoring, and macOS update enforcement plus scripted updates.
Patch SLA (both platforms — approved 2026-06-06)
| Severity | Deploy within |
|---|---|
| Critical | 7 days |
| High | 30 days |
| Standard / optional | 60 days |
This is the same bar the Readiness Report recommends to firms (C-09) — we hold ourselves to what we sell. Patch compliance is a monthly-report posture chip and feeds the compliance evidence.
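An added example (not Syncro's or this SOP's own tooling) that evaluates a patch inventory against the SLA table above and lists what is overdue. The record fields, status names, sample data and the compliance-percentage formula are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Deploy-within windows (days) from the Patch SLA table.
SLA_DAYS = {"critical": 7, "high": 30, "standard": 60}

@dataclass
class Patch:
    asset: str
    name: str
    severity: str                     # critical | high | standard
    released: date
    installed: Optional[date] = None  # None = not yet installed

def sla_status(p: Patch, today: date) -> str:
    """Classify one patch as met, missed, pending or overdue."""
    # Assumption: an unrecognised severity is held to the strictest window.
    days = SLA_DAYS.get(p.severity.strip().lower(), min(SLA_DAYS.values()))
    deadline = p.released + timedelta(days=days)
    if p.installed is not None:
        return "met" if p.installed <= deadline else "missed"
    return "pending" if today <= deadline else "overdue"

def summarize(patches, today: date) -> dict:
    """Counts per status, the overdue list for ticketing, and a compliance %."""
    counts = {"met": 0, "missed": 0, "pending": 0, "overdue": 0}
    overdue = []
    for p in patches:
        s = sla_status(p, today)
        counts[s] += 1
        if s == "overdue":
            overdue.append((p.asset, p.name))
    total = len(patches)
    # Assumption: the chip counts met + still-in-window patches as compliant.
    ok = counts["met"] + counts["pending"]
    pct = round(100 * ok / total, 1) if total else 100.0
    return {"counts": counts, "overdue": overdue, "compliance_pct": pct}

# Constructed sample inventory (not real Syncro export data).
TODAY = date(2026, 7, 1)
SAMPLE = [
    Patch("PC-01", "OS cumulative update", "Critical", date(2026, 6, 20), date(2026, 6, 25)),
    Patch("PC-01", "Browser update", "High", date(2026, 5, 15), date(2026, 6, 20)),
    Patch("PC-02", "OS cumulative update", "Critical", date(2026, 6, 20)),
    Patch("MAC-01", "macOS update", "High", date(2026, 6, 10)),
    Patch("MAC-01", "Optional driver", "Standard", date(2026, 4, 1)),
]

if __name__ == "__main__":
    print(summarize(SAMPLE, TODAY))
```

A patch installed after its deadline is reported as `missed` rather than silently counted as compliant, so late installs still show up in the evidence.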
Maintenance / reboot window (both)
Install in an after-hours window, notify the user, allow short deferral, then force a reboot once a patch has been pending 7 days. The window is set per customer from the Deployment Questionnaire (their stated maintenance window / change-control constraints).
🖥️ Windows (PC) policy
Patching — native Syncro patch policy
- Auto-approve Critical + Security patches; install in the maintenance window.
- Third-party app patching (browsers, Adobe Reader, Java, Zoom, 7-Zip, etc.) on the same SLA.
- Defer feature/optional updates → manual approval.
- Per-asset exclusions for any client hold rule.
- Force reboot after 7 days pending.
Monitors → ticket
| Monitor | Threshold | Severity |
|---|---|---|
| Offline | > 30 min (business hours) | alert |
| Disk free | < 10% / < 5% | alert / critical |
| RAM | > 90% sustained 15 min | alert |
| CPU | > 90% sustained 15 min | alert |
| Defender / Huntress health | not reporting / disabled | critical |
| Pending reboot | > 7 days | alert |
| Backup agent | failed job | alert |
| Disk SMART | failure predicted | critical |
Automation
- Weekly maintenance script (temp cleanup, service-health check).
- Auto-remediation: restart stuck critical services.
🍎 Mac policy
Patching
- Enforce macOS updates via the Mac Agent + scripted `softwareupdate -ia` on the SLA.
- Third-party Mac apps: best-effort via scripts (Homebrew / installer scripts) — not native; flag as best-effort so we never overclaim.
- Install in the maintenance window; enforce reboot per macOS update requirements.
Monitors → ticket
| Monitor | Threshold | Severity |
|---|---|---|
| Offline | > 30 min | alert |
| Disk free | < 10% | alert |
| FileVault encryption | OFF | critical (the Mac encryption control) |
| Huntress health | not reporting | critical |
| macOS update | overdue vs SLA | alert |
| Backup status | failed | alert |
Automation
- Scheduled `softwareupdate` check (daily).
- Scripted maintenance (cache cleanup).
Honest limits (state these; don’t overclaim)
- Native patch management is Windows-only. Mac = macOS update enforcement + scripts; third-party Mac patching is best-effort.
- Mac has fewer native monitors than Windows; the gaps above are covered by scripts where feasible.
Where this applies
- Created once in Syncro (two OS-scoped policies), assigned per asset OS, attached to every customer org at onboarding (Syncro SOP Part A step 6 + Engineer Runbook step 1).
- Patch compliance reporting drives the monthly-report patch chip + the compliance evidence appendix.
“Done” means
- Windows + Mac policies built in Syncro with the SLA, maintenance window, monitors, and automation above
- Each customer org assigned the correct OS policy at onboarding
- Patch-compliance reporting enabled (feeds the monthly posture chip)
- Per-customer maintenance window set from the Deployment Questionnaire