Auto-patch creates and runs patch plans automatically for findings that match your rules, so routine remediation happens without manual work. Rules are set per platform. Open the page from Security > Patch & vulnerability > Auto-patch.
Turning auto-patch on
The Auto-patch enabled master switch controls the whole module. When it is off, existing patch plans keep running but no new plans are auto-created. Use the platform tabs — macOS, iOS & iPadOS, Windows, Android, Chrome browser, and Third-party software — to configure each platform separately.
Default rules
Default rules apply to every managed app on a platform unless an override changes them:
Auto-patch critical and high findings (CVSS ≥ 7.0) – Trio MDM creates and runs a patch plan automatically when a critical or high CVE is published with a vendor fix.
Require sandbox success – Every auto-patch plan deploys to your sandbox devices first; the fleet rollout proceeds only if the sandbox run succeeds.
Sandbox dwell time (hours) – How long Trio MDM waits between a successful sandbox run and the fleet rollout.
Default start mode – When auto-created plans begin, for example immediately after the pre-check passes.
On iOS & iPadOS and Android, auto-patch applies to OS updates and MDM-managed apps only. On Chrome browser, Trio MDM can enforce a minimum OS version but cannot push individual app patches.
Per-app overrides
On the Third-party software tab you can set stricter or looser rules for individual apps. Per-app rules always win over the platform default. Select Add app override, then choose the app, the match condition (such as a lower CVSS threshold), the start mode, the maintenance window, and whether to require sandbox success for that app.
How sandbox validation works
Sandbox devices are a small set of managed devices that receive each patch first. After the dwell time, if no sandbox device reports a failure, the fleet rollout starts automatically. You manage your sandbox devices and dwell-time defaults under Settings > Sandbox devices.
The right-hand Status card shows whether the rules are enabled, patches applied in the last 30 days, the success rate, devices covered, and the last run. After changing any setting, select Save changes.
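The rule precedence from Per-app overrides and the sandbox gate from How sandbox validation works, modelled in Python as an added example; it is not Trio MDM's code or API. The Rule and Finding classes, the function names, the app names, the 24-hour dwell value, and the behaviour when sandbox success is not required are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Rule:                      # hypothetical model of one rule set
    min_cvss: float = 7.0        # page default: critical and high findings
    require_sandbox: bool = True
    dwell_hours: int = 24        # constructed value; the page states no default

@dataclass(frozen=True)
class Finding:
    app: str
    cvss: float
    vendor_fix: bool

def effective_rule(app, default, overrides):
    # Per-app rules always win over the platform default.
    return overrides.get(app, default)

def plan_rule(finding, enabled, default, overrides):
    """Rule an auto-created plan would run under, or None if no plan is created."""
    if not enabled or not finding.vendor_fix:   # master switch off, or no fix to deploy
        return None
    rule = effective_rule(finding.app, default, overrides)
    return rule if finding.cvss >= rule.min_cvss else None

def fleet_rollout_at(rule, plan_start, sandbox_done, sandbox_failures):
    """Earliest fleet rollout time, or None while the sandbox gate blocks it."""
    if not rule.require_sandbox:
        return plan_start                        # assumption: no gate and no dwell
    if sandbox_done is None or sandbox_failures > 0:
        return None                              # still running, or a device failed
    return sandbox_done + timedelta(hours=rule.dwell_hours)

def loosened(default, overrides):
    """Apps whose override is weaker than the platform default; review these first."""
    return sorted(app for app, r in overrides.items()
                  if r.min_cvss > default.min_cvss
                  or (default.require_sandbox and not r.require_sandbox)
                  or r.dwell_hours < default.dwell_hours)

# Constructed sample data.
DEFAULT = Rule()
OVERRIDES = {
    "browser-x": Rule(min_cvss=4.0),                          # stricter threshold
    "legacy-erp": Rule(min_cvss=9.0, require_sandbox=False),  # looser on both counts
}
```

Running loosened() over your own override list is a quick way to spot apps that have drifted below the platform default.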
If you have any questions, please contact Trio support.


