Release 0.12.0

update readme
update reqs
2022-03-19 20:08:16 +00:00 · 2022-03-19 20:04:17 +00:00 · 2022-03-19 01:31:21 +00:00 · 2022-03-19 01:24:17 +00:00 · 2022-03-19 00:03:03 +00:00 · 2022-03-18 22:47:37 +00:00
659 changed files with 46520 additions and 36620 deletions
--- a/.devcontainer/.env.example
+++ b/.devcontainer/.env.example
@@ -23,9 +23,9 @@ POSTGRES_USER=postgres
 POSTGRES_PASS=postgrespass

 # DEV SETTINGS
-APP_PORT=80
+APP_PORT=443
 API_PORT=80
 HTTP_PROTOCOL=https
-DOCKER_NETWORK="172.21.0.0/24"
-DOCKER_NGINX_IP="172.21.0.20"
-NATS_PORTS="4222:4222"
+DOCKER_NETWORK=172.21.0.0/24
+DOCKER_NGINX_IP=172.21.0.20
+NATS_PORTS=4222:4222
--- a/.devcontainer/api.dockerfile
+++ b/.devcontainer/api.dockerfile
@@ -1,4 +1,11 @@
-FROM python:3.9.2-slim
+# pulls community scripts from git repo
+FROM python:3.10-slim AS GET_SCRIPTS_STAGE
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends git && \
+    git clone https://github.com/amidaware/community-scripts.git /community-scripts
+
+FROM python:3.10-slim

 ENV TACTICAL_DIR /opt/tactical
 ENV TACTICAL_READY_FILE ${TACTICAL_DIR}/tmp/tactical.ready
@@ -10,15 +17,22 @@ ENV PYTHONUNBUFFERED=1

 EXPOSE 8000 8383 8005

+RUN apt-get update && \
+    apt-get install -y build-essential
+
 RUN groupadd -g 1000 tactical && \
    useradd -u 1000 -g 1000 tactical

-# Copy Dev python reqs
-COPY ./requirements.txt /
+# copy community scripts
+COPY --from=GET_SCRIPTS_STAGE /community-scripts /community-scripts

-# Copy Docker Entrypoint
-COPY ./entrypoint.sh /
+# Copy dev python reqs
+COPY .devcontainer/requirements.txt  /
+
+# Copy docker entrypoint.sh
+COPY .devcontainer/entrypoint.sh /
 RUN chmod +x /entrypoint.sh
+
 ENTRYPOINT ["/entrypoint.sh"]

 WORKDIR ${WORKSPACE_DIR}/api/tacticalrmm
--- a/.devcontainer/docker-compose.debug.yml
+++ b/.devcontainer/docker-compose.debug.yml
@@ -1,19 +0,0 @@
-version: '3.4'
-
-services:
-  api-dev:
-    image: api-dev
-    build:
-      context: .
-      dockerfile: ./api.dockerfile
-    command: ["sh", "-c", "pip install debugpy -t /tmp && python /tmp/debugpy --wait-for-client --listen 0.0.0.0:5678 manage.py runserver 0.0.0.0:8000 --nothreading --noreload"]
-    ports:
-      - 8000:8000
-      - 5678:5678
-    volumes:
-      - tactical-data-dev:/opt/tactical
-      - ..:/workspace:cached
-    networks:
-      dev:
-        aliases: 
-          - tactical-backend
--- a/.devcontainer/docker-compose.yml
+++ b/.devcontainer/docker-compose.yml
@@ -5,10 +5,11 @@ services:
    container_name: trmm-api-dev
    image: api-dev
    restart: always
+    user: 1000:1000
    build:
-      context: .
-      dockerfile: ./api.dockerfile
-    command: ["tactical-api"]
+      context: ..
+      dockerfile: .devcontainer/api.dockerfile
+    command: [ "tactical-api" ]
    environment:
      API_PORT: ${API_PORT}
    ports:
@@ -18,12 +19,12 @@ services:
      - ..:/workspace:cached
    networks:
      dev:
-        aliases: 
+        aliases:
          - tactical-backend

  app-dev:
    container_name: trmm-app-dev
-    image: node:14-alpine
+    image: node:16-alpine
    restart: always
    command: /bin/sh -c "npm install npm@latest -g && npm install && npm run serve -- --host 0.0.0.0 --port ${APP_PORT}"
    working_dir: /workspace/web
@@ -33,7 +34,7 @@ services:
      - "8080:${APP_PORT}"
    networks:
      dev:
-        aliases: 
+        aliases:
          - tactical-frontend

  # nats
@@ -41,6 +42,7 @@ services:
    container_name: trmm-nats-dev
    image: ${IMAGE_REPO}tactical-nats:${VERSION}
    restart: always
+    user: 1000:1000
    environment:
      API_HOST: ${API_HOST}
      API_PORT: ${API_PORT}
@@ -61,7 +63,8 @@ services:
    container_name: trmm-meshcentral-dev
    image: ${IMAGE_REPO}tactical-meshcentral:${VERSION}
    restart: always
-    environment: 
+    user: 1000:1000
+    environment:
      MESH_HOST: ${MESH_HOST}
      MESH_USER: ${MESH_USER}
      MESH_PASS: ${MESH_PASS}
@@ -84,6 +87,7 @@ services:
    container_name: trmm-mongodb-dev
    image: mongo:4.4
    restart: always
+    user: 1000:1000
    environment:
      MONGO_INITDB_ROOT_USERNAME: ${MONGODB_USER}
      MONGO_INITDB_ROOT_PASSWORD: ${MONGODB_PASSWORD}
@@ -115,9 +119,10 @@ services:
  redis-dev:
    container_name: trmm-redis-dev
    restart: always
+    user: 1000:1000
    command: redis-server --appendonly yes
    image: redis:6.0-alpine
-    volumes: 
+    volumes:
      - redis-data-dev:/data
    networks:
      dev:
@@ -127,11 +132,8 @@ services:
  init-dev:
    container_name: trmm-init-dev
    image: api-dev
-    build:
-      context: .
-      dockerfile: ./api.dockerfile
    restart: on-failure
-    command: ["tactical-init-dev"]
+    command: [ "tactical-init-dev" ]
    environment:
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_PASS: ${POSTGRES_PASS}
@@ -150,17 +152,18 @@ services:
      - dev
    volumes:
      - tactical-data-dev:/opt/tactical
+      - mesh-data-dev:/meshcentral-data
+      - redis-data-dev:/redis/data
+      - mongo-dev-data:/mongo/data/db
      - ..:/workspace:cached

  # container for celery worker service
  celery-dev:
    container_name: trmm-celery-dev
    image: api-dev
-    build:
-      context: .
-      dockerfile: ./api.dockerfile
-    command: ["tactical-celery-dev"]
+    command: [ "tactical-celery-dev" ]
    restart: always
+    user: 1000:1000
    networks:
      - dev
    volumes:
@@ -174,11 +177,9 @@ services:
  celerybeat-dev:
    container_name: trmm-celerybeat-dev
    image: api-dev
-    build:
-      context: .
-      dockerfile: ./api.dockerfile
-    command: ["tactical-celerybeat-dev"]
+    command: [ "tactical-celerybeat-dev" ]
    restart: always
+    user: 1000:1000
    networks:
      - dev
    volumes:
@@ -192,11 +193,9 @@ services:
  websockets-dev:
    container_name: trmm-websockets-dev
    image: api-dev
-    build:
-      context: .
-      dockerfile: ./api.dockerfile
-    command: ["tactical-websockets-dev"]
+    command: [ "tactical-websockets-dev" ]
    restart: always
+    user: 1000:1000
    networks:
      dev:
        aliases:
@@ -213,6 +212,7 @@ services:
    container_name: trmm-nginx-dev
    image: ${IMAGE_REPO}tactical-nginx:${VERSION}
    restart: always
+    user: 1000:1000
    environment:
      APP_HOST: ${APP_HOST}
      API_HOST: ${API_HOST}
@@ -221,36 +221,22 @@ services:
      CERT_PRIV_KEY: ${CERT_PRIV_KEY}
      APP_PORT: ${APP_PORT}
      API_PORT: ${API_PORT}
+      DEV: 1
    networks:
      dev:
        ipv4_address: ${DOCKER_NGINX_IP}
    ports:
-      - "80:80"
-      - "443:443"
+      - "80:8080"
+      - "443:4443"
    volumes:
      - tactical-data-dev:/opt/tactical

-  mkdocs-dev:
-    container_name: trmm-mkdocs-dev
-    image: api-dev
-    restart: always
-    build:
-      context: .
-      dockerfile: ./api.dockerfile
-    command: ["tactical-mkdocs-dev"]
-    ports:
-      - "8005:8005"
-    volumes:
-      - ..:/workspace:cached
-    networks:
-      - dev
-
 volumes:
-  tactical-data-dev:
-  postgres-data-dev:
-  mongo-dev-data:
-  mesh-data-dev:
-  redis-data-dev:
+  tactical-data-dev: null
+  postgres-data-dev: null
+  mongo-dev-data: null
+  mesh-data-dev: null
+  redis-data-dev: null

 networks:
  dev:
--- a/.devcontainer/entrypoint.sh
+++ b/.devcontainer/entrypoint.sh
@@ -9,7 +9,8 @@ set -e
 : "${POSTGRES_USER:=tactical}"
 : "${POSTGRES_PASS:=tactical}"
 : "${POSTGRES_DB:=tacticalrmm}"
-: "${MESH_CONTAINER:=tactical-meshcentral}"
+: "${MESH_SERVICE:=tactical-meshcentral}"
+: "${MESH_WS_URL:=ws://${MESH_SERVICE}:4443}"
 : "${MESH_USER:=meshcentral}"
 : "${MESH_PASS:=meshcentralpass}"
 : "${MESH_HOST:=tactical-meshcentral}"
@@ -20,6 +21,9 @@ set -e
 : "${APP_PORT:=8080}"
 : "${API_PORT:=8000}"

+: "${CERT_PRIV_PATH:=${TACTICAL_DIR}/certs/privkey.pem}"
+: "${CERT_PUB_PATH:=${TACTICAL_DIR}/certs/fullchain.pem}"
+
 # Add python venv to path
 export PATH="${VIRTUAL_ENV}/bin:$PATH"

@@ -37,7 +41,7 @@ function django_setup {
    sleep 5
  done

-  until (echo > /dev/tcp/"${MESH_CONTAINER}"/443) &> /dev/null; do
+  until (echo > /dev/tcp/"${MESH_SERVICE}"/4443) &> /dev/null; do
    echo "waiting for meshcentral container to be ready..."
    sleep 5
  done
@@ -56,10 +60,10 @@ DEBUG = True

 DOCKER_BUILD = True

-CERT_FILE = '/opt/tactical/certs/fullchain.pem'
-KEY_FILE = '/opt/tactical/certs/privkey.pem'
+CERT_FILE = '${CERT_PUB_PATH}'
+KEY_FILE = '${CERT_PRIV_PATH}'

-SCRIPTS_DIR = '${WORKSPACE_DIR}/scripts'
+SCRIPTS_DIR = '/community-scripts'

 ALLOWED_HOSTS = ['${API_HOST}', '*']

@@ -78,28 +82,11 @@ DATABASES = {
    }
 }

-REST_FRAMEWORK = {
-    'DATETIME_FORMAT': '%b-%d-%Y - %H:%M',
-
-    'DEFAULT_PERMISSION_CLASSES': (
-        'rest_framework.permissions.IsAuthenticated',
-    ),
-    'DEFAULT_AUTHENTICATION_CLASSES': (
-        'knox.auth.TokenAuthentication',
-    ),
-}
-
-if not DEBUG:
-    REST_FRAMEWORK.update({
-        'DEFAULT_RENDERER_CLASSES': (
-            'rest_framework.renderers.JSONRenderer',
-        )
-    })
-
 MESH_USERNAME = '${MESH_USER}'
 MESH_SITE = 'https://${MESH_HOST}'
 MESH_TOKEN_KEY = '${MESH_TOKEN}'
 REDIS_HOST    = '${REDIS_HOST}'
+MESH_WS_URL = '${MESH_WS_URL}'
 ADMIN_ENABLED = True
 EOF
 )"
@@ -114,6 +101,10 @@ EOF
  "${VIRTUAL_ENV}"/bin/python manage.py load_chocos
  "${VIRTUAL_ENV}"/bin/python manage.py load_community_scripts
  "${VIRTUAL_ENV}"/bin/python manage.py reload_nats
+  "${VIRTUAL_ENV}"/bin/python manage.py create_natsapi_conf
+  "${VIRTUAL_ENV}"/bin/python manage.py create_installer_user
+  "${VIRTUAL_ENV}"/bin/python manage.py post_update_tasks
+  

  # create super user 
  echo "from accounts.models import User; User.objects.create_superuser('${TRMM_USER}', 'admin@example.com', '${TRMM_PASS}') if not User.objects.filter(username='${TRMM_USER}').exists() else 0;" | python manage.py shell
@@ -126,8 +117,24 @@ if [ "$1" = 'tactical-init-dev' ]; then

  test -f "${TACTICAL_READY_FILE}" && rm "${TACTICAL_READY_FILE}"

+  mkdir -p /meshcentral-data
+  mkdir -p ${TACTICAL_DIR}/tmp
+  mkdir -p ${TACTICAL_DIR}/certs
+  mkdir -p /mongo/data/db
+  mkdir -p /redis/data
+  touch /meshcentral-data/.initialized && chown -R 1000:1000 /meshcentral-data
+  touch ${TACTICAL_DIR}/tmp/.initialized && chown -R 1000:1000 ${TACTICAL_DIR}
+  touch ${TACTICAL_DIR}/certs/.initialized && chown -R 1000:1000 ${TACTICAL_DIR}/certs
+  touch /mongo/data/db/.initialized && chown -R 1000:1000 /mongo/data/db
+  touch /redis/data/.initialized && chown -R 1000:1000 /redis/data
+  mkdir -p ${TACTICAL_DIR}/api/tacticalrmm/private/exe
+  mkdir -p ${TACTICAL_DIR}/api/tacticalrmm/private/log
+  touch ${TACTICAL_DIR}/api/tacticalrmm/private/log/django_debug.log
+
  # setup Python virtual env and install dependencies
  ! test -e "${VIRTUAL_ENV}" && python -m venv ${VIRTUAL_ENV}
+  "${VIRTUAL_ENV}"/bin/python -m pip install --upgrade pip
+  "${VIRTUAL_ENV}"/bin/pip install --no-cache-dir setuptools wheel
  "${VIRTUAL_ENV}"/bin/pip install --no-cache-dir -r /requirements.txt

  django_setup
@@ -170,8 +177,3 @@ if [ "$1" = 'tactical-websockets-dev' ]; then
  check_tactical_ready
  "${VIRTUAL_ENV}"/bin/daphne tacticalrmm.asgi:application --port 8383 -b 0.0.0.0
 fi
-
-if [ "$1" = 'tactical-mkdocs-dev' ]; then
-  cd "${WORKSPACE_DIR}/docs"
-  "${VIRTUAL_ENV}"/bin/mkdocs serve
-fi
--- a/.devcontainer/requirements.txt
+++ b/.devcontainer/requirements.txt
@@ -1,36 +1,36 @@
 # To ensure app dependencies are ported from your virtual environment/host machine into your container, run 'pip freeze > requirements.txt' in the terminal to overwrite this file
-asyncio-nats-client
-celery
-channels
-channels_redis
-Django
-django-cors-headers
-django-rest-knox
-djangorestframework
-loguru
-msgpack
-psycopg2-binary
-pycparser
-pycryptodome
-pyotp
-pyparsing
-pytz
-qrcode
-redis
-twilio
-packaging
-validators
-websockets
-black
-Werkzeug
-django-extensions
-coverage
-coveralls
-model_bakery
-mkdocs
-mkdocs-material
-pymdown-extensions
-Pygments
-mypy
-pysnooper
-isort
+asgiref==3.5.0
+celery==5.2.3
+channels==3.0.4
+channels_redis==3.3.1
+daphne==3.0.2
+Django==3.2.12
+django-cors-headers==3.11.0
+django-ipware==4.0.2
+django-rest-knox==4.2.0
+djangorestframework==3.13.1
+future==0.18.2
+msgpack==1.0.3
+nats-py==2.0.0
+packaging==21.3
+psycopg2-binary==2.9.3
+pycryptodome==3.14.1
+pyotp==2.6.0
+pytz==2021.3
+qrcode==7.3.1
+redis==4.1.3
+requests==2.27.1
+twilio==7.6.0
+urllib3==1.26.8
+validators==0.18.2
+websockets==10.1
+drf_spectacular==0.21.2
+
+# dev
+black==22.1.0
+Werkzeug==2.0.2
+django-extensions==3.1.5
+Pygments==2.11.2
+isort==5.10.1
+mypy==0.931
+types-pytz==2021.3.4
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,70 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ develop ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ develop ]
+  schedule:
+    - cron: '19 14 * * 6'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go', 'javascript', 'python' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://git.io/codeql-language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1
--- a/.github/workflows/deploy-docs.yml
+++ b/.github/workflows/deploy-docs.yml
@@ -1,22 +0,0 @@
-name: Deploy Docs
-on:
-  push:
-    branches:
-      - master
-
-defaults:
-  run:
-    working-directory: docs
-
-jobs:
-  deploy:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
-        with:
-          python-version: 3.x
-      - run: pip install --upgrade pip
-      - run: pip install --upgrade setuptools wheel
-      - run: pip install mkdocs mkdocs-material pymdown-extensions
-      - run: mkdocs gh-deploy --force
--- a/.github/workflows/devskim-analysis.yml
+++ b/.github/workflows/devskim-analysis.yml
@@ -0,0 +1,34 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: DevSkim
+
+on:
+  push:
+    branches: [ develop ]
+  pull_request:
+    branches: [ develop ]
+  schedule:
+    - cron: '19 5 * * 0'
+
+jobs:
+  lint:
+    name: DevSkim
+    runs-on: ubuntu-20.04
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Run DevSkim scanner
+        uses: microsoft/DevSkim-Action@v1
+        
+      - name: Upload DevSkim scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: devskim-results.sarif
--- a/.gitignore
+++ b/.gitignore
@@ -48,3 +48,6 @@ nats-rmm.conf
 .mypy_cache
 docs/site/
 reset_db.sh
+run_go_cmd.py
+nats-api.conf
+ignore/
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,5 +1,5 @@
 {
-    "python.pythonPath": "api/tacticalrmm/env/bin/python",
+    "python.defaultInterpreterPath": "api/tacticalrmm/env/bin/python",
    "python.languageServer": "Pylance",
    "python.analysis.extraPaths": [
        "api/tacticalrmm",
@@ -9,8 +9,6 @@
        "reportUnusedImport": "error",
        "reportDuplicateImport": "error",
    },
-    "python.analysis.memory.keepLibraryAst": true,
-    "python.linting.mypyEnabled": true,
    "python.analysis.typeCheckingMode": "basic",
    "python.formatting.provider": "black",
    "editor.formatOnSave": true,
--- a/21
+++ b/21
@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2019-present wh1te909
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
--- a/LICENSE.md
+++ b/LICENSE.md
@@ -0,0 +1,74 @@
+### Tactical RMM License Version 1.0
+
+Text of license:&emsp;&emsp;&emsp;Copyright © 2022 AmidaWare LLC.  All rights reserved.<br>
+&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&nbsp;Amending the text of this license is not permitted.
+
+Trade Mark:&emsp;&emsp;&emsp;&emsp;"Tactical RMM" is a trade mark of AmidaWare LLC.
+
+Licensor:&emsp;&emsp;&emsp;&emsp;&emsp;&nbsp;&nbsp;AmidaWare LLC of 1968 S Coast Hwy PMB 3847 Laguna Beach, CA, USA.
+
+Licensed Software:&emsp;&nbsp;The software known as Tactical RMM Version v0.12.0 (and all subsequent releases and versions) and the Tactical RMM Agent v2.0.0 (and all subsequent releases and versions).
+
+### 1. Preamble
+The Licensed Software is designed to facilitate the remote monitoring and management (RMM) of networks, systems, servers, computers and other devices.  The Licensed Software is made available primarily for use by organisations and managed service providers for monitoring and management purposes.
+
+The Tactical RMM License is not an open-source software license.  This license contains certain restrictions on the use of the Licensed Software.  For example the functionality of the Licensed Software may not be made available as part of a SaaS (Software-as-a-Service) service or product to provide a commercial or for-profit service without the express prior permission of the Licensor.
+
+### 2. License Grant
+Permission is hereby granted, free of charge, on a non-exclusive basis, to copy, modify, create derivative works and use the Licensed Software in source and binary forms subject to the following terms and conditions.  No additional rights will be implied under this license.
+
+* The hosting and use of the Licensed Software to monitor and manage in-house networks/systems and/or customer networks/systems is permitted.
+
+This license does not allow the functionality of the Licensed Software (whether in whole or in part) or a modified version of the Licensed Software or a derivative work to be used or otherwise made available as part of any other commercial or for-profit service, including, without limitation, any of the following:
+* a service allowing third parties to interact remotely through a computer network;
+* as part of a SaaS service or product;
+* as part of the provision of a managed hosting service or product;
+* the offering of installation and/or configuration services;
+* the offer for sale, distribution or sale of any service or product (whether or not branded as Tactical RMM).
+
+The prior written approval of AmidaWare LLC must be obtained for all commercial use and/or for-profit service use of the (i) Licensed Software (whether in whole or in part), (ii) a modified version of the Licensed Software and/or (iii) a derivative work.
+
+The terms of this license apply to all copies of the Licensed Software (including modified versions) and derivative works.
+
+All use of the Licensed Software must immediately cease if use breaches the terms of this license.
+
+### 3. Derivative Works
+If a derivative work is created which is based on or otherwise incorporates all or any part of the Licensed Software, and the derivative work is made available to any other person, the complete corresponding machine readable source code (including all changes made to the Licensed Software) must accompany the derivative work and be made publicly available online.
+
+### 4. Copyright Notice
+The following copyright notice shall be included in all copies of the Licensed Software:
+
+&emsp;&emsp;&emsp;Copyright © 2022 AmidaWare LLC.
+
+&emsp;&emsp;&emsp;Licensed under the Tactical RMM License Version 1.0 (the “License”).<br>
+&emsp;&emsp;&emsp;You may only use the Licensed Software in accordance with the License.<br>
+&emsp;&emsp;&emsp;A copy of the License is available at: https://license.tacticalrmm.com
+
+### 5. Disclaimer of Warranty
+THE LICENSED SOFTWARE IS PROVIDED "AS IS".  TO THE FULLEST EXTENT PERMISSIBLE AT LAW ALL CONDITIONS, WARRANTIES OR OTHER TERMS OF ANY KIND WHICH MIGHT HAVE EFFECT OR BE IMPLIED OR INCORPORATED, WHETHER BY STATUTE, COMMON LAW OR OTHERWISE ARE HEREBY EXCLUDED, INCLUDING THE CONDITIONS, WARRANTIES OR OTHER TERMS AS TO SATISFACTORY QUALITY AND/OR MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, THE USE OF REASONABLE SKILL AND CARE AND NON-INFRINGEMENT.
+
+### 6. Limits of Liability
+THE FOLLOWING EXCLUSIONS SHALL APPLY TO THE FULLEST EXTENT PERMISSIBLE AT LAW.  NEITHER THE AUTHORS NOR THE COPYRIGHT HOLDERS SHALL IN ANY CIRCUMSTANCES HAVE ANY LIABILITY FOR ANY CLAIM, LOSSES, DAMAGES OR OTHER LIABILITY, WHETHER THE SAME ARE SUFFERED DIRECTLY OR INDIRECTLY OR ARE IMMEDIATE OR CONSEQUENTIAL, AND WHETHER THE SAME ARISE IN CONTRACT, TORT OR DELICT (INCLUDING NEGLIGENCE) OR OTHERWISE HOWSOEVER ARISING FROM, OUT OF OR IN CONNECTION WITH THE LICENSED SOFTWARE OR THE USE OR INABILITY TO USE THE LICENSED SOFTWARE OR OTHER DEALINGS IN THE LICENSED SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.  THE FOREGOING EXCLUSIONS SHALL INCLUDE, WITHOUT LIMITATION, LIABILITY FOR ANY LOSSES OR DAMAGES WHICH FALL WITHIN ANY OF THE FOLLOWING CATEGORIES: SPECIAL, EXEMPLARY, OR INCIDENTAL LOSS OR DAMAGE, LOSS OF PROFITS, LOSS OF ANTICIPATED SAVINGS, LOSS OF BUSINESS OPPORTUNITY, LOSS OF GOODWILL, AND LOSS OR CORRUPTION OF DATA.
+
+### 7. Termination
+This license shall terminate with immediate effect if there is a material breach of any of its terms.
+
+### 8. No partnership, agency or joint venture
+Nothing in this license agreement is intended to, or shall be deemed to, establish any partnership or joint venture or any relationship of agency between AmidaWare LLC and any other person.
+
+### 9. No endorsement
+The names of the authors and/or the copyright holders must not be used to promote or endorse any products or services which are in any way derived from the Licensed Software without prior written consent.
+
+### 10. Trademarks
+No permission is granted to use the trademark “Tactical RMM” or any other trade name, trademark, service mark or product name of AmidaWare LLC except to the extent necessary to comply with the notice requirements in Section 4 (Copyright Notice).
+
+### 11. Entire agreement
+This license contains the whole agreement relating to its subject matter.
+
+
+
+### 12. Severance
+If any provision or part-provision of this license is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this license.
+
+### 13. Acceptance of these terms
+The terms and conditions of this license are accepted by copying, downloading, installing, redistributing, or otherwise using the Licensed Software.
--- a/README.md
+++ b/README.md
@@ -2,18 +2,17 @@

 [![Build Status](https://dev.azure.com/dcparsi/Tactical%20RMM/_apis/build/status/wh1te909.tacticalrmm?branchName=develop)](https://dev.azure.com/dcparsi/Tactical%20RMM/_build/latest?definitionId=4&branchName=develop)
 [![Coverage Status](https://coveralls.io/repos/github/wh1te909/tacticalrmm/badge.png?branch=develop&kill_cache=1)](https://coveralls.io/github/wh1te909/tacticalrmm?branch=develop)
-[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
 [![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/python/black)

-Tactical RMM is a remote monitoring & management tool for Windows computers, built with Django and Vue.\
-It uses an [agent](https://github.com/wh1te909/rmmagent) written in golang and integrates with [MeshCentral](https://github.com/Ylianst/MeshCentral)
+Tactical RMM is a remote monitoring & management tool, built with Django and Vue.\
+It uses an [agent](https://github.com/amidaware/rmmagent) written in golang and integrates with [MeshCentral](https://github.com/Ylianst/MeshCentral)

 # [LIVE DEMO](https://rmm.tacticalrmm.io/)
-Demo database resets every hour. Alot of features are disabled for obvious reasons due to the nature of this app.
+Demo database resets every hour. A lot of features are disabled for obvious reasons due to the nature of this app.

 ### [Discord Chat](https://discord.gg/upGTkWp)

-### [Documentation](https://wh1te909.github.io/tacticalrmm/)
+### [Documentation](https://docs.tacticalrmm.com)

 ## Features

@@ -35,4 +34,4 @@ Demo database resets every hour. Alot of features are disabled for obvious reaso

 ## Installation / Backup / Restore / Usage

-### Refer to the [documentation](https://wh1te909.github.io/tacticalrmm/)
+### Refer to the [documentation](https://docs.tacticalrmm.com)
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,12 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.12.0   | :white_check_mark: |
+| < 0.12.0 | :x:                |
+
+## Reporting a Vulnerability
+
+https://docs.tacticalrmm.com/security
--- a/api/tacticalrmm/.coveragerc
+++ b/api/tacticalrmm/.coveragerc
@@ -21,4 +21,6 @@ omit =
    */tests.py
    */test.py
    checks/utils.py
+    */asgi.py
+    */demo_views.py
    
--- a/api/tacticalrmm/accounts/admin.py
+++ b/api/tacticalrmm/accounts/admin.py
@@ -1,7 +1,7 @@
 from django.contrib import admin
 from rest_framework.authtoken.admin import TokenAdmin

-from .models import User, Role
+from .models import Role, User

 admin.site.register(User)
 TokenAdmin.raw_id_fields = ("user",)
--- a/api/tacticalrmm/accounts/management/commands/create_installer_user.py
+++ b/api/tacticalrmm/accounts/management/commands/create_installer_user.py
@@ -0,0 +1,22 @@
+import uuid
+
+from accounts.models import User
+from django.core.management.base import BaseCommand
+
+
+class Command(BaseCommand):
+    help = "Creates the installer user"
+
+    def handle(self, *args, **kwargs):
+        self.stdout.write("Checking if installer user has been created...")
+        if User.objects.filter(is_installer_user=True).exists():
+            self.stdout.write("Installer user already exists")
+            return
+
+        User.objects.create_user(  # type: ignore
+            username=uuid.uuid4().hex,
+            is_installer_user=True,
+            password=User.objects.make_random_password(60),  # type: ignore
+            block_dashboard_login=True,
+        )
+        self.stdout.write("Installer user has been created")
--- a/api/tacticalrmm/accounts/management/commands/generate_barcode.py
+++ b/api/tacticalrmm/accounts/management/commands/generate_barcode.py
@@ -1,9 +1,8 @@
 import subprocess

 import pyotp
-from django.core.management.base import BaseCommand
-
 from accounts.models import User
+from django.core.management.base import BaseCommand


 class Command(BaseCommand):
--- a/api/tacticalrmm/accounts/management/commands/reset_2fa.py
+++ b/api/tacticalrmm/accounts/management/commands/reset_2fa.py
@@ -2,9 +2,8 @@ import os
 import subprocess

 import pyotp
-from django.core.management.base import BaseCommand
-
 from accounts.models import User
+from django.core.management.base import BaseCommand


 class Command(BaseCommand):
--- a/api/tacticalrmm/accounts/management/commands/reset_password.py
+++ b/api/tacticalrmm/accounts/management/commands/reset_password.py
@@ -1,5 +1,5 @@
-from django.core.management.base import BaseCommand
 from accounts.models import User
+from django.core.management.base import BaseCommand


 class Command(BaseCommand):
--- a/api/tacticalrmm/accounts/migrations/0019_user_role.py
+++ b/api/tacticalrmm/accounts/migrations/0019_user_role.py
@@ -1,7 +1,7 @@
 # Generated by Django 3.2.1 on 2021-05-11 02:33

-from django.db import migrations, models
 import django.db.models.deletion
+from django.db import migrations, models


 class Migration(migrations.Migration):
--- a/api/tacticalrmm/accounts/migrations/0023_user_is_installer_user.py
+++ b/api/tacticalrmm/accounts/migrations/0023_user_is_installer_user.py
@@ -0,0 +1,18 @@
+# Generated by Django 3.2.4 on 2021-06-30 03:22
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0022_user_clear_search_when_switching'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='user',
+            name='is_installer_user',
+            field=models.BooleanField(default=False),
+        ),
+    ]
--- a/api/tacticalrmm/accounts/migrations/0024_user_last_login_ip.py
+++ b/api/tacticalrmm/accounts/migrations/0024_user_last_login_ip.py
@@ -0,0 +1,18 @@
+# Generated by Django 3.2.1 on 2021-07-20 20:26
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0023_user_is_installer_user'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='user',
+            name='last_login_ip',
+            field=models.GenericIPAddressField(blank=True, default=None, null=True),
+        ),
+    ]
--- a/api/tacticalrmm/accounts/migrations/0025_auto_20210721_0424.py
+++ b/api/tacticalrmm/accounts/migrations/0025_auto_20210721_0424.py
@@ -0,0 +1,33 @@
+# Generated by Django 3.2.1 on 2021-07-21 04:24
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0024_user_last_login_ip'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='role',
+            name='created_by',
+            field=models.CharField(blank=True, max_length=100, null=True),
+        ),
+        migrations.AddField(
+            model_name='role',
+            name='created_time',
+            field=models.DateTimeField(auto_now_add=True, null=True),
+        ),
+        migrations.AddField(
+            model_name='role',
+            name='modified_by',
+            field=models.CharField(blank=True, max_length=100, null=True),
+        ),
+        migrations.AddField(
+            model_name='role',
+            name='modified_time',
+            field=models.DateTimeField(auto_now=True, null=True),
+        ),
+    ]
--- a/api/tacticalrmm/accounts/migrations/0026_auto_20210901_1247.py
+++ b/api/tacticalrmm/accounts/migrations/0026_auto_20210901_1247.py
@@ -0,0 +1,34 @@
+# Generated by Django 3.2.6 on 2021-09-01 12:47
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0025_auto_20210721_0424'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='APIKey',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('created_by', models.CharField(blank=True, max_length=100, null=True)),
+                ('created_time', models.DateTimeField(auto_now_add=True, null=True)),
+                ('modified_by', models.CharField(blank=True, max_length=100, null=True)),
+                ('modified_time', models.DateTimeField(auto_now=True, null=True)),
+                ('name', models.CharField(max_length=25, unique=True)),
+                ('key', models.CharField(blank=True, max_length=48, unique=True)),
+                ('expiration', models.DateTimeField(blank=True, default=None, null=True)),
+            ],
+            options={
+                'abstract': False,
+            },
+        ),
+        migrations.AddField(
+            model_name='role',
+            name='can_manage_api_keys',
+            field=models.BooleanField(default=False),
+        ),
+    ]
--- a/api/tacticalrmm/accounts/migrations/0027_auto_20210903_0054.py
+++ b/api/tacticalrmm/accounts/migrations/0027_auto_20210903_0054.py
@@ -0,0 +1,25 @@
+# Generated by Django 3.2.6 on 2021-09-03 00:54
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0026_auto_20210901_1247'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='apikey',
+            name='user',
+            field=models.ForeignKey(default=1, on_delete=django.db.models.deletion.CASCADE, related_name='api_key', to='accounts.user'),
+            preserve_default=False,
+        ),
+        migrations.AddField(
+            model_name='user',
+            name='block_dashboard_login',
+            field=models.BooleanField(default=False),
+        ),
+    ]
--- a/api/tacticalrmm/accounts/migrations/0028_auto_20211010_0249.py
+++ b/api/tacticalrmm/accounts/migrations/0028_auto_20211010_0249.py
@@ -0,0 +1,150 @@
+# Generated by Django 3.2.6 on 2021-10-10 02:49
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('clients', '0018_auto_20211010_0249'),
+        ('accounts', '0027_auto_20210903_0054'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='role',
+            name='can_list_accounts',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name='role',
+            name='can_list_agent_history',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name='role',
+            name='can_list_agents',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name='role',
+            name='can_list_alerts',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name='role',
+            name='can_list_api_keys',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name='role',
+            name='can_list_automation_policies',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name='role',
+            name='can_list_autotasks',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name='role',
+            name='can_list_checks',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name='role',
+            name='can_list_clients',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name='role',
+            name='can_list_deployments',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name='role',
+            name='can_list_notes',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name='role',
+            name='can_list_pendingactions',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name='role',
+            name='can_list_roles',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name='role',
+            name='can_list_scripts',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name='role',
+            name='can_list_sites',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name='role',
+            name='can_list_software',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name='role',
+            name='can_ping_agents',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name='role',
+            name='can_recover_agents',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name='role',
+            name='can_view_clients',
+            field=models.ManyToManyField(blank=True, related_name='role_clients', to='clients.Client'),
+        ),
+        migrations.AddField(
+            model_name='role',
+            name='can_view_sites',
+            field=models.ManyToManyField(blank=True, related_name='role_sites', to='clients.Site'),
+        ),
+        migrations.AlterField(
+            model_name='apikey',
+            name='created_by',
+            field=models.CharField(blank=True, max_length=255, null=True),
+        ),
+        migrations.AlterField(
+            model_name='apikey',
+            name='modified_by',
+            field=models.CharField(blank=True, max_length=255, null=True),
+        ),
+        migrations.AlterField(
+            model_name='role',
+            name='created_by',
+            field=models.CharField(blank=True, max_length=255, null=True),
+        ),
+        migrations.AlterField(
+            model_name='role',
+            name='modified_by',
+            field=models.CharField(blank=True, max_length=255, null=True),
+        ),
+        migrations.AlterField(
+            model_name='user',
+            name='created_by',
+            field=models.CharField(blank=True, max_length=255, null=True),
+        ),
+        migrations.AlterField(
+            model_name='user',
+            name='modified_by',
+            field=models.CharField(blank=True, max_length=255, null=True),
+        ),
+        migrations.AlterField(
+            model_name='user',
+            name='role',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='users', to='accounts.role'),
+        ),
+    ]
--- a/api/tacticalrmm/accounts/migrations/0029_auto_20211022_2245.py
+++ b/api/tacticalrmm/accounts/migrations/0029_auto_20211022_2245.py
@@ -0,0 +1,28 @@
+# Generated by Django 3.2.6 on 2021-10-22 22:45
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0028_auto_20211010_0249'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='role',
+            name='can_list_alerttemplates',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name='role',
+            name='can_manage_alerttemplates',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name='role',
+            name='can_run_urlactions',
+            field=models.BooleanField(default=False),
+        ),
+    ]
--- a/api/tacticalrmm/accounts/migrations/0030_auto_20211104_0221.py
+++ b/api/tacticalrmm/accounts/migrations/0030_auto_20211104_0221.py
@@ -0,0 +1,23 @@
+# Generated by Django 3.2.6 on 2021-11-04 02:21
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0029_auto_20211022_2245'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='role',
+            name='can_manage_customfields',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name='role',
+            name='can_view_customfields',
+            field=models.BooleanField(default=False),
+        ),
+    ]
--- a/api/tacticalrmm/accounts/models.py
+++ b/api/tacticalrmm/accounts/models.py
@@ -1,6 +1,6 @@
 from django.contrib.auth.models import AbstractUser
 from django.db import models
-
+from django.db.models.fields import CharField, DateTimeField
 from logs.models import BaseAuditModel

 AGENT_DBLCLICK_CHOICES = [
@@ -24,6 +24,7 @@ CLIENT_TREE_SORT_CHOICES = [

 class User(AbstractUser, BaseAuditModel):
    is_active = models.BooleanField(default=True)
+    block_dashboard_login = models.BooleanField(default=False)
    totp_key = models.CharField(max_length=50, null=True, blank=True)
    dark_mode = models.BooleanField(default=True)
    show_community_scripts = models.BooleanField(default=True)
@@ -47,6 +48,8 @@ class User(AbstractUser, BaseAuditModel):
    client_tree_splitter = models.PositiveIntegerField(default=11)
    loading_bar_color = models.CharField(max_length=255, default="red")
    clear_search_when_switching = models.BooleanField(default=True)
+    is_installer_user = models.BooleanField(default=False)
+    last_login_ip = models.GenericIPAddressField(default=None, blank=True, null=True)

    agent = models.OneToOneField(
        "agents.Agent",
@@ -60,7 +63,7 @@ class User(AbstractUser, BaseAuditModel):
        "accounts.Role",
        null=True,
        blank=True,
-        related_name="roles",
+        related_name="users",
        on_delete=models.SET_NULL,
    )

@@ -72,11 +75,13 @@ class User(AbstractUser, BaseAuditModel):
        return UserSerializer(user).data


-class Role(models.Model):
+class Role(BaseAuditModel):
    name = models.CharField(max_length=255, unique=True)
    is_superuser = models.BooleanField(default=False)

    # agents
+    can_list_agents = models.BooleanField(default=False)
+    can_ping_agents = models.BooleanField(default=False)
    can_use_mesh = models.BooleanField(default=False)
    can_uninstall_agents = models.BooleanField(default=False)
    can_update_agents = models.BooleanField(default=False)
@@ -88,93 +93,107 @@ class Role(models.Model):
    can_install_agents = models.BooleanField(default=False)
    can_run_scripts = models.BooleanField(default=False)
    can_run_bulk = models.BooleanField(default=False)
+    can_recover_agents = models.BooleanField(default=False)
+    can_list_agent_history = models.BooleanField(default=False)

    # core
+    can_list_notes = models.BooleanField(default=False)
    can_manage_notes = models.BooleanField(default=False)
    can_view_core_settings = models.BooleanField(default=False)
    can_edit_core_settings = models.BooleanField(default=False)
    can_do_server_maint = models.BooleanField(default=False)
    can_code_sign = models.BooleanField(default=False)
+    can_run_urlactions = models.BooleanField(default=False)
+    can_view_customfields = models.BooleanField(default=False)
+    can_manage_customfields = models.BooleanField(default=False)

    # checks
+    can_list_checks = models.BooleanField(default=False)
    can_manage_checks = models.BooleanField(default=False)
    can_run_checks = models.BooleanField(default=False)

    # clients
+    can_list_clients = models.BooleanField(default=False)
    can_manage_clients = models.BooleanField(default=False)
+    can_list_sites = models.BooleanField(default=False)
    can_manage_sites = models.BooleanField(default=False)
+    can_list_deployments = models.BooleanField(default=False)
    can_manage_deployments = models.BooleanField(default=False)
+    can_view_clients = models.ManyToManyField(
+        "clients.Client", related_name="role_clients", blank=True
+    )
+    can_view_sites = models.ManyToManyField(
+        "clients.Site", related_name="role_sites", blank=True
+    )

    # automation
+    can_list_automation_policies = models.BooleanField(default=False)
    can_manage_automation_policies = models.BooleanField(default=False)

    # automated tasks
+    can_list_autotasks = models.BooleanField(default=False)
    can_manage_autotasks = models.BooleanField(default=False)
    can_run_autotasks = models.BooleanField(default=False)

    # logs
    can_view_auditlogs = models.BooleanField(default=False)
+    can_list_pendingactions = models.BooleanField(default=False)
    can_manage_pendingactions = models.BooleanField(default=False)
    can_view_debuglogs = models.BooleanField(default=False)

    # scripts
+    can_list_scripts = models.BooleanField(default=False)
    can_manage_scripts = models.BooleanField(default=False)

    # alerts
+    can_list_alerts = models.BooleanField(default=False)
    can_manage_alerts = models.BooleanField(default=False)
+    can_list_alerttemplates = models.BooleanField(default=False)
+    can_manage_alerttemplates = models.BooleanField(default=False)

    # win services
    can_manage_winsvcs = models.BooleanField(default=False)

    # software
+    can_list_software = models.BooleanField(default=False)
    can_manage_software = models.BooleanField(default=False)

    # windows updates
    can_manage_winupdates = models.BooleanField(default=False)

    # accounts
+    can_list_accounts = models.BooleanField(default=False)
    can_manage_accounts = models.BooleanField(default=False)
+    can_list_roles = models.BooleanField(default=False)
    can_manage_roles = models.BooleanField(default=False)

+    # authentication
+    can_list_api_keys = models.BooleanField(default=False)
+    can_manage_api_keys = models.BooleanField(default=False)
+
    def __str__(self):
        return self.name

    @staticmethod
-    def perms():
-        return [
-            "is_superuser",
-            "can_use_mesh",
-            "can_uninstall_agents",
-            "can_update_agents",
-            "can_edit_agent",
-            "can_manage_procs",
-            "can_view_eventlogs",
-            "can_send_cmd",
-            "can_reboot_agents",
-            "can_install_agents",
-            "can_run_scripts",
-            "can_run_bulk",
-            "can_manage_notes",
-            "can_view_core_settings",
-            "can_edit_core_settings",
-            "can_do_server_maint",
-            "can_code_sign",
-            "can_manage_checks",
-            "can_run_checks",
-            "can_manage_clients",
-            "can_manage_sites",
-            "can_manage_deployments",
-            "can_manage_automation_policies",
-            "can_manage_autotasks",
-            "can_run_autotasks",
-            "can_view_auditlogs",
-            "can_manage_pendingactions",
-            "can_view_debuglogs",
-            "can_manage_scripts",
-            "can_manage_alerts",
-            "can_manage_winsvcs",
-            "can_manage_software",
-            "can_manage_winupdates",
-            "can_manage_accounts",
-            "can_manage_roles",
-        ]
+    def serialize(role):
+        # serializes the agent and returns json
+        from .serializers import RoleAuditSerializer
+
+        return RoleAuditSerializer(role).data
+
+
+class APIKey(BaseAuditModel):
+    name = CharField(unique=True, max_length=25)
+    key = CharField(unique=True, blank=True, max_length=48)
+    expiration = DateTimeField(blank=True, null=True, default=None)
+    user = models.ForeignKey(
+        "accounts.User",
+        related_name="api_key",
+        on_delete=models.CASCADE,
+    )
+
+    @staticmethod
+    def serialize(apikey):
+        from .serializers import APIKeyAuditSerializer
+
+        return APIKeyAuditSerializer(apikey).data
--- a/api/tacticalrmm/accounts/permissions.py
+++ b/api/tacticalrmm/accounts/permissions.py
@@ -6,14 +6,38 @@ from tacticalrmm.permissions import _has_perm
 class AccountsPerms(permissions.BasePermission):
    def has_permission(self, r, view):
        if r.method == "GET":
-            return True
+            return _has_perm(r, "can_list_accounts")
+        else:

-        return _has_perm(r, "can_manage_accounts")
+            # allow users to reset their own password/2fa see issue #686
+            base_path = "/accounts/users/"
+            paths = ["reset/", "reset_totp/"]
+
+            if r.path in [base_path + i for i in paths]:
+                from accounts.models import User
+
+                try:
+                    user = User.objects.get(pk=r.data["id"])
+                except User.DoesNotExist:
+                    pass
+                else:
+                    if user == r.user:
+                        return True
+
+            return _has_perm(r, "can_manage_accounts")


 class RolesPerms(permissions.BasePermission):
    def has_permission(self, r, view):
        if r.method == "GET":
-            return True
+            return _has_perm(r, "can_list_roles")
+        else:
+            return _has_perm(r, "can_manage_roles")

-        return _has_perm(r, "can_manage_roles")
+
+class APIKeyPerms(permissions.BasePermission):
+    def has_permission(self, r, view):
+        if r.method == "GET":
+            return _has_perm(r, "can_list_api_keys")
+
+        return _has_perm(r, "can_manage_api_keys")
--- a/api/tacticalrmm/accounts/serializers.py
+++ b/api/tacticalrmm/accounts/serializers.py
@@ -1,7 +1,11 @@
 import pyotp
-from rest_framework.serializers import ModelSerializer, SerializerMethodField
+from rest_framework.serializers import (
+    ModelSerializer,
+    ReadOnlyField,
+    SerializerMethodField,
+)

-from .models import User, Role
+from .models import APIKey, Role, User


 class UserUISerializer(ModelSerializer):
@@ -17,6 +21,7 @@ class UserUISerializer(ModelSerializer):
            "client_tree_splitter",
            "loading_bar_color",
            "clear_search_when_switching",
+            "block_dashboard_login",
        ]


@@ -31,7 +36,9 @@ class UserSerializer(ModelSerializer):
            "email",
            "is_active",
            "last_login",
+            "last_login_ip",
            "role",
+            "block_dashboard_login",
        ]


@@ -54,6 +61,38 @@ class TOTPSetupSerializer(ModelSerializer):


 class RoleSerializer(ModelSerializer):
+    user_count = SerializerMethodField()
+
    class Meta:
        model = Role
        fields = "__all__"
+
+    def get_user_count(self, obj):
+        return obj.users.count()
+
+
+class RoleAuditSerializer(ModelSerializer):
+    class Meta:
+        model = Role
+        fields = "__all__"
+
+
+class APIKeySerializer(ModelSerializer):
+
+    username = ReadOnlyField(source="user.username")
+
+    class Meta:
+        model = APIKey
+        fields = "__all__"
+
+
+class APIKeyAuditSerializer(ModelSerializer):
+    username = ReadOnlyField(source="user.username")
+
+    class Meta:
+        model = APIKey
+        fields = [
+            "name",
+            "username",
+            "expiration",
+        ]
--- a/api/tacticalrmm/accounts/tests.py
+++ b/api/tacticalrmm/accounts/tests.py
@@ -1,8 +1,10 @@
 from unittest.mock import patch

+from accounts.models import APIKey, User
+from accounts.serializers import APIKeySerializer
 from django.test import override_settings
+from model_bakery import baker, seq

-from accounts.models import User
 from tacticalrmm.test import TacticalTestCase


@@ -25,12 +27,12 @@ class TestAccounts(TacticalTestCase):
        data = {"username": "bob", "password": "a3asdsa2314"}
        r = self.client.post(url, data, format="json")
        self.assertEqual(r.status_code, 400)
-        self.assertEqual(r.data, "bad credentials")
+        self.assertEqual(r.data, "Bad credentials")

        data = {"username": "billy", "password": "hunter2"}
        r = self.client.post(url, data, format="json")
        self.assertEqual(r.status_code, 400)
-        self.assertEqual(r.data, "bad credentials")
+        self.assertEqual(r.data, "Bad credentials")

        self.bob.totp_key = "AB5RI6YPFTZAS52G"
        self.bob.save()
@@ -39,6 +41,12 @@ class TestAccounts(TacticalTestCase):
        self.assertEqual(r.status_code, 200)
        self.assertEqual(r.data, "ok")

+        # test user set to block dashboard logins
+        self.bob.block_dashboard_login = True
+        self.bob.save()
+        r = self.client.post(url, data, format="json")
+        self.assertEqual(r.status_code, 400)
+
    @patch("pyotp.TOTP.verify")
    def test_login_view(self, mock_verify):
        url = "/login/"
@@ -53,7 +61,7 @@ class TestAccounts(TacticalTestCase):
        mock_verify.return_value = False
        r = self.client.post(url, data, format="json")
        self.assertEqual(r.status_code, 400)
-        self.assertEqual(r.data, "bad credentials")
+        self.assertEqual(r.data, "Bad credentials")

        mock_verify.return_value = True
        data = {"username": "bob", "password": "asd234234asd", "twofactor": "123456"}
@@ -288,6 +296,68 @@ class TestUserAction(TacticalTestCase):
        self.check_not_authenticated("patch", url)


+class TestAPIKeyViews(TacticalTestCase):
+    def setUp(self):
+        self.setup_coresettings()
+        self.authenticate()
+
+    def test_get_api_keys(self):
+        url = "/accounts/apikeys/"
+        apikeys = baker.make("accounts.APIKey", key=seq("APIKEY"), _quantity=3)
+
+        serializer = APIKeySerializer(apikeys, many=True)
+        resp = self.client.get(url, format="json")
+        self.assertEqual(resp.status_code, 200)
+        self.assertEqual(serializer.data, resp.data)  # type: ignore
+
+        self.check_not_authenticated("get", url)
+
+    def test_add_api_keys(self):
+        url = "/accounts/apikeys/"
+
+        user = baker.make("accounts.User")
+        data = {"name": "Name", "user": user.id, "expiration": None}
+
+        resp = self.client.post(url, data, format="json")
+        self.assertEqual(resp.status_code, 200)
+        self.assertTrue(APIKey.objects.filter(name="Name").exists())
+        self.assertTrue(APIKey.objects.get(name="Name").key)
+
+        self.check_not_authenticated("post", url)
+
+    def test_modify_api_key(self):
+        # test a call where api key doesn't exist
+        resp = self.client.put("/accounts/apikeys/500/", format="json")
+        self.assertEqual(resp.status_code, 404)
+
+        apikey = baker.make("accounts.APIKey", name="Test")
+        url = f"/accounts/apikeys/{apikey.pk}/"  # type: ignore
+
+        data = {"name": "New Name"}  # type: ignore
+
+        resp = self.client.put(url, data, format="json")
+        self.assertEqual(resp.status_code, 200)
+        apikey = APIKey.objects.get(pk=apikey.pk)  # type: ignore
+        self.assertEquals(apikey.name, "New Name")
+
+        self.check_not_authenticated("put", url)
+
+    def test_delete_api_key(self):
+        # test a call where api key doesn't exist
+        resp = self.client.delete("/accounts/apikeys/500/", format="json")
+        self.assertEqual(resp.status_code, 404)
+
+        # test delete api key
+        apikey = baker.make("accounts.APIKey")
+        url = f"/accounts/apikeys/{apikey.pk}/"  # type: ignore
+        resp = self.client.delete(url, format="json")
+        self.assertEqual(resp.status_code, 200)
+
+        self.assertFalse(APIKey.objects.filter(pk=apikey.pk).exists())  # type: ignore
+
+        self.check_not_authenticated("delete", url)
+
+
 class TestTOTPSetup(TacticalTestCase):
    def setUp(self):
        self.authenticate()
@@ -313,3 +383,29 @@ class TestTOTPSetup(TacticalTestCase):
        r = self.client.post(url)
        self.assertEqual(r.status_code, 200)
        self.assertEqual(r.data, "totp token already set")
+
+
+class TestAPIAuthentication(TacticalTestCase):
+    def setUp(self):
+        # create User and associate to API Key
+        self.user = User.objects.create(username="api_user", is_superuser=True)
+        self.api_key = APIKey.objects.create(
+            name="Test Token", key="123456", user=self.user
+        )
+
+        self.client_setup()
+
+    def test_api_auth(self):
+        url = "/clients/"
+        # auth should fail if no header set
+        self.check_not_authenticated("get", url)
+
+        # invalid api key in header should return code 400
+        self.client.credentials(HTTP_X_API_KEY="000000")
+        r = self.client.get(url, format="json")
+        self.assertEqual(r.status_code, 401)
+
+        # valid api key in header should return code 200
+        self.client.credentials(HTTP_X_API_KEY="123456")
+        r = self.client.get(url, format="json")
+        self.assertEqual(r.status_code, 200)
--- a/api/tacticalrmm/accounts/urls.py
+++ b/api/tacticalrmm/accounts/urls.py
@@ -9,7 +9,8 @@ urlpatterns = [
    path("users/reset_totp/", views.UserActions.as_view()),
    path("users/setup_totp/", views.TOTPSetup.as_view()),
    path("users/ui/", views.UserUI.as_view()),
-    path("permslist/", views.PermsList.as_view()),
    path("roles/", views.GetAddRoles.as_view()),
-    path("<int:pk>/role/", views.GetUpdateDeleteRole.as_view()),
+    path("roles/<int:pk>/", views.GetUpdateDeleteRole.as_view()),
+    path("apikeys/", views.GetAddAPIKeys.as_view()),
+    path("apikeys/<int:pk>/", views.GetUpdateDeleteAPIKey.as_view()),
 ]
--- a/api/tacticalrmm/accounts/views.py
+++ b/api/tacticalrmm/accounts/views.py
@@ -3,32 +3,37 @@ from django.conf import settings
 from django.contrib.auth import login
 from django.db import IntegrityError
 from django.shortcuts import get_object_or_404
+from ipware import get_client_ip
 from knox.views import LoginView as KnoxLoginView
-from rest_framework import status
+from logs.models import AuditLog
 from rest_framework.authtoken.serializers import AuthTokenSerializer
 from rest_framework.permissions import AllowAny, IsAuthenticated
 from rest_framework.response import Response
 from rest_framework.views import APIView

-from logs.models import AuditLog
 from tacticalrmm.utils import notify_error

-from .models import User, Role
-from .permissions import AccountsPerms, RolesPerms
+from .models import APIKey, Role, User
+from .permissions import AccountsPerms, APIKeyPerms, RolesPerms
 from .serializers import (
+    APIKeySerializer,
+    RoleSerializer,
    TOTPSetupSerializer,
    UserSerializer,
    UserUISerializer,
-    RoleSerializer,
 )


 def _is_root_user(request, user) -> bool:
-    return (
+    root = (
        hasattr(settings, "ROOT_USER")
        and request.user != user
        and user.username == settings.ROOT_USER
    )
+    demo = (
+        getattr(settings, "DEMO", False) and request.user.username == settings.ROOT_USER
+    )
+    return root or demo


 class CheckCreds(KnoxLoginView):
@@ -40,11 +45,16 @@ class CheckCreds(KnoxLoginView):
        # check credentials
        serializer = AuthTokenSerializer(data=request.data)
        if not serializer.is_valid():
-            AuditLog.audit_user_failed_login(request.data["username"])
-            return Response("bad credentials", status=status.HTTP_400_BAD_REQUEST)
+            AuditLog.audit_user_failed_login(
+                request.data["username"], debug_info={"ip": request._client_ip}
+            )
+            return notify_error("Bad credentials")

        user = serializer.validated_data["user"]

+        if user.block_dashboard_login:
+            return notify_error("Bad credentials")
+
        # if totp token not set modify response to notify frontend
        if not user.totp_key:
            login(request, user)
@@ -66,28 +76,50 @@ class LoginView(KnoxLoginView):
        serializer.is_valid(raise_exception=True)
        user = serializer.validated_data["user"]

+        if user.block_dashboard_login:
+            return notify_error("Bad credentials")
+
        token = request.data["twofactor"]
        totp = pyotp.TOTP(user.totp_key)

        if settings.DEBUG and token == "sekret":
            valid = True
+        elif getattr(settings, "DEMO", False):
+            valid = True
        elif totp.verify(token, valid_window=10):
            valid = True

        if valid:
            login(request, user)
-            AuditLog.audit_user_login_successful(request.data["username"])
+
+            # save ip information
+            client_ip, is_routable = get_client_ip(request)
+            user.last_login_ip = client_ip
+            user.save()
+
+            AuditLog.audit_user_login_successful(
+                request.data["username"], debug_info={"ip": request._client_ip}
+            )
            return super(LoginView, self).post(request, format=None)
        else:
-            AuditLog.audit_user_failed_twofactor(request.data["username"])
-            return Response("bad credentials", status=status.HTTP_400_BAD_REQUEST)
+            AuditLog.audit_user_failed_twofactor(
+                request.data["username"], debug_info={"ip": request._client_ip}
+            )
+            return notify_error("Bad credentials")


 class GetAddUsers(APIView):
    permission_classes = [IsAuthenticated, AccountsPerms]

    def get(self, request):
-        users = User.objects.filter(agent=None)
+        search = request.GET.get("search", None)
+
+        if search:
+            users = User.objects.filter(agent=None, is_installer_user=False).filter(
+                username__icontains=search
+            )
+        else:
+            users = User.objects.filter(agent=None, is_installer_user=False)

        return Response(UserSerializer(users, many=True).data)

@@ -104,8 +136,10 @@ class GetAddUsers(APIView):
                f"ERROR: User {request.data['username']} already exists!"
            )

-        user.first_name = request.data["first_name"]
-        user.last_name = request.data["last_name"]
+        if "first_name" in request.data.keys():
+            user.first_name = request.data["first_name"]
+        if "last_name" in request.data.keys():
+            user.last_name = request.data["last_name"]
        if "role" in request.data.keys() and isinstance(request.data["role"], int):
            role = get_object_or_404(Role, pk=request.data["role"])
            user.role = role
@@ -196,11 +230,6 @@ class UserUI(APIView):
        return Response("ok")


-class PermsList(APIView):
-    def get(self, request):
-        return Response(Role.perms())
-
-
 class GetAddRoles(APIView):
    permission_classes = [IsAuthenticated, RolesPerms]

@@ -212,7 +241,7 @@ class GetAddRoles(APIView):
        serializer = RoleSerializer(data=request.data)
        serializer.is_valid(raise_exception=True)
        serializer.save()
-        return Response("ok")
+        return Response("Role was added")


 class GetUpdateDeleteRole(APIView):
@@ -227,9 +256,48 @@ class GetUpdateDeleteRole(APIView):
        serializer = RoleSerializer(instance=role, data=request.data)
        serializer.is_valid(raise_exception=True)
        serializer.save()
-        return Response("ok")
+        return Response("Role was edited")

    def delete(self, request, pk):
        role = get_object_or_404(Role, pk=pk)
        role.delete()
-        return Response("ok")
+        return Response("Role was removed")
+
+
+class GetAddAPIKeys(APIView):
+    permission_classes = [IsAuthenticated, APIKeyPerms]
+
+    def get(self, request):
+        apikeys = APIKey.objects.all()
+        return Response(APIKeySerializer(apikeys, many=True).data)
+
+    def post(self, request):
+        # generate a random API Key
+        from django.utils.crypto import get_random_string
+
+        request.data["key"] = get_random_string(length=32).upper()
+        serializer = APIKeySerializer(data=request.data)
+        serializer.is_valid(raise_exception=True)
+        obj = serializer.save()
+        return Response("The API Key was added")
+
+
+class GetUpdateDeleteAPIKey(APIView):
+    permission_classes = [IsAuthenticated, APIKeyPerms]
+
+    def put(self, request, pk):
+        apikey = get_object_or_404(APIKey, pk=pk)
+
+        # remove API key is present in request data
+        if "key" in request.data.keys():
+            request.data.pop("key")
+
+        serializer = APIKeySerializer(instance=apikey, data=request.data, partial=True)
+        serializer.is_valid(raise_exception=True)
+        serializer.save()
+        return Response("The API Key was edited")
+
+    def delete(self, request, pk):
+        apikey = get_object_or_404(APIKey, pk=pk)
+        apikey.delete()
+        return Response("The API Key was deleted")
--- a/api/tacticalrmm/agents/admin.py
+++ b/api/tacticalrmm/agents/admin.py
@@ -1,8 +1,8 @@
 from django.contrib import admin

-from .models import Agent, AgentCustomField, Note, RecoveryAction
+from .models import Agent, AgentCustomField, AgentHistory, Note

 admin.site.register(Agent)
-admin.site.register(RecoveryAction)
 admin.site.register(Note)
 admin.site.register(AgentCustomField)
+admin.site.register(AgentHistory)
--- a/api/tacticalrmm/agents/baker_recipes.py
+++ b/api/tacticalrmm/agents/baker_recipes.py
@@ -30,7 +30,9 @@ agent = Recipe(
    hostname="DESKTOP-TEST123",
    version="1.3.0",
    monitoring_type=cycle(["workstation", "server"]),
-    agent_id=seq("asdkj3h4234-1234hg3h4g34-234jjh34|DESKTOP-TEST123"),
+    agent_id=seq(generate_agent_id("DESKTOP-TEST123")),
+    last_seen=djangotime.now() - djangotime.timedelta(days=5),
+    plat="windows",
 )

 server_agent = agent.extend(
--- a/api/tacticalrmm/agents/management/commands/bulk_change_checkin.py
+++ b/api/tacticalrmm/agents/management/commands/bulk_change_checkin.py
@@ -1,7 +1,6 @@
-from django.core.management.base import BaseCommand
-
 from agents.models import Agent
 from clients.models import Client, Site
+from django.core.management.base import BaseCommand


 class Command(BaseCommand):
--- a/api/tacticalrmm/agents/management/commands/bulk_delete_agents.py
+++ b/api/tacticalrmm/agents/management/commands/bulk_delete_agents.py
@@ -0,0 +1,82 @@
+import asyncio
+
+from agents.models import Agent
+from django.core.management.base import BaseCommand
+from django.utils import timezone as djangotime
+from packaging import version as pyver
+
+from tacticalrmm.constants import AGENT_DEFER
+from tacticalrmm.utils import reload_nats
+
+
+class Command(BaseCommand):
+    help = "Delete old agents"
+
+    def add_arguments(self, parser):
+        parser.add_argument(
+            "--days",
+            type=int,
+            help="Delete agents that have not checked in for this many days",
+        )
+        parser.add_argument(
+            "--agentver",
+            type=str,
+            help="Delete agents that equal to or less than this version",
+        )
+        parser.add_argument(
+            "--delete",
+            action="store_true",
+            help="This will delete agents",
+        )
+
+    def handle(self, *args, **kwargs):
+        days = kwargs["days"]
+        agentver = kwargs["agentver"]
+        delete = kwargs["delete"]
+
+        if not days and not agentver:
+            self.stdout.write(
+                self.style.ERROR("Must have at least one parameter: days or agentver")
+            )
+            return
+
+        q = Agent.objects.defer(*AGENT_DEFER)
+
+        agents = []
+        if days:
+            overdue = djangotime.now() - djangotime.timedelta(days=days)
+            agents = [i for i in q if i.last_seen < overdue]
+
+        if agentver:
+            agents = [i for i in q if pyver.parse(i.version) <= pyver.parse(agentver)]
+
+        if not agents:
+            self.stdout.write(self.style.ERROR("No agents matched"))
+            return
+
+        deleted_count = 0
+        for agent in agents:
+            s = f"{agent.hostname} | Version {agent.version} | Last Seen {agent.last_seen} | {agent.client} > {agent.site}"
+            if delete:
+                s = "Deleting " + s
+                self.stdout.write(self.style.SUCCESS(s))
+                asyncio.run(agent.nats_cmd({"func": "uninstall"}, wait=False))
+                try:
+                    agent.delete()
+                except Exception as e:
+                    err = f"Failed to delete agent {agent.hostname}: {str(e)}"
+                    self.stdout.write(self.style.ERROR(err))
+                else:
+                    deleted_count += 1
+            else:
+                self.stdout.write(self.style.WARNING(s))
+
+        if delete:
+            reload_nats()
+            self.stdout.write(self.style.SUCCESS(f"Deleted {deleted_count} agents"))
+        else:
+            self.stdout.write(
+                self.style.SUCCESS(
+                    "The above agents would be deleted. Run again with --delete to actually delete them."
+                )
+            )
--- a/api/tacticalrmm/agents/management/commands/demo_cron.py
+++ b/api/tacticalrmm/agents/management/commands/demo_cron.py
@@ -0,0 +1,39 @@
+# import datetime as dt
+import random
+
+from agents.models import Agent
+from core.tasks import cache_db_fields_task
+from django.core.management.base import BaseCommand
+from django.utils import timezone as djangotime
+
+
+class Command(BaseCommand):
+    help = "stuff for demo site in cron"
+
+    def handle(self, *args, **kwargs):
+
+        random_dates = []
+        now = djangotime.now()
+
+        for _ in range(20):
+            rand = now - djangotime.timedelta(minutes=random.randint(1, 2))
+            random_dates.append(rand)
+
+        for _ in range(5):
+            rand = now - djangotime.timedelta(minutes=random.randint(10, 20))
+            random_dates.append(rand)
+
+        """ for _ in range(5):
+            rand = djangotime.now() - djangotime.timedelta(hours=random.randint(1, 10))
+            random_dates.append(rand)
+
+        for _ in range(5):
+            rand = djangotime.now() - djangotime.timedelta(days=random.randint(40, 90))
+            random_dates.append(rand) """
+
+        agents = Agent.objects.only("last_seen")
+        for agent in agents:
+            agent.last_seen = random.choice(random_dates)
+            agent.save(update_fields=["last_seen"])
+
+        cache_db_fields_task()
--- a/api/tacticalrmm/agents/management/commands/fake_agents.py
+++ b/api/tacticalrmm/agents/management/commands/fake_agents.py
@@ -0,0 +1,696 @@
+import datetime as dt
+import json
+import random
+import string
+
+from accounts.models import User
+from agents.models import Agent, AgentHistory
+from automation.models import Policy
+from autotasks.models import AutomatedTask
+from checks.models import Check, CheckHistory
+from clients.models import Client, Site
+from django.conf import settings
+from django.core.management import call_command
+from django.core.management.base import BaseCommand
+from django.utils import timezone as djangotime
+from logs.models import AuditLog, PendingAction
+from scripts.models import Script
+from software.models import InstalledSoftware
+from winupdate.models import WinUpdate, WinUpdatePolicy
+
+from tacticalrmm.demo_data import (
+    disks,
+    ping_fail_output,
+    ping_success_output,
+    spooler_stdout,
+    temp_dir_stdout,
+)
+
+AGENTS_TO_GENERATE = 250
+
+SVCS = settings.BASE_DIR.joinpath("tacticalrmm/test_data/winsvcs.json")
+WMI_1 = settings.BASE_DIR.joinpath("tacticalrmm/test_data/wmi1.json")
+WMI_2 = settings.BASE_DIR.joinpath("tacticalrmm/test_data/wmi2.json")
+WMI_3 = settings.BASE_DIR.joinpath("tacticalrmm/test_data/wmi3.json")
+SW_1 = settings.BASE_DIR.joinpath("tacticalrmm/test_data/software1.json")
+SW_2 = settings.BASE_DIR.joinpath("tacticalrmm/test_data/software2.json")
+WIN_UPDATES = settings.BASE_DIR.joinpath("tacticalrmm/test_data/winupdates.json")
+EVT_LOG_FAIL = settings.BASE_DIR.joinpath(
+    "tacticalrmm/test_data/eventlog_check_fail.json"
+)
+
+
+class Command(BaseCommand):
+    help = "populate database with fake agents"
+
+    def rand_string(self, length):
+        chars = string.ascii_letters
+        return "".join(random.choice(chars) for _ in range(length))
+
+    def handle(self, *args, **kwargs):
+
+        user = User.objects.first()
+        user.totp_key = "ABSA234234"
+        user.save(update_fields=["totp_key"])
+
+        Client.objects.all().delete()
+        Agent.objects.all().delete()
+        Check.objects.all().delete()
+        Script.objects.all().delete()
+        AutomatedTask.objects.all().delete()
+        CheckHistory.objects.all().delete()
+        Policy.objects.all().delete()
+        AuditLog.objects.all().delete()
+        PendingAction.objects.all().delete()
+
+        call_command("load_community_scripts")
+
+        # policies
+        check_policy = Policy()
+        check_policy.name = "Demo Checks Policy"
+        check_policy.desc = "Demo Checks Policy"
+        check_policy.active = True
+        check_policy.enforced = True
+        check_policy.save()
+
+        patch_policy = Policy()
+        patch_policy.name = "Demo Patch Policy"
+        patch_policy.desc = "Demo Patch Policy"
+        patch_policy.active = True
+        patch_policy.enforced = True
+        patch_policy.save()
+
+        update_policy = WinUpdatePolicy()
+        update_policy.policy = patch_policy
+        update_policy.critical = "approve"
+        update_policy.important = "approve"
+        update_policy.moderate = "approve"
+        update_policy.low = "ignore"
+        update_policy.other = "ignore"
+        update_policy.run_time_days = [6, 0, 2]
+        update_policy.run_time_day = 1
+        update_policy.reboot_after_install = "required"
+        update_policy.reprocess_failed = True
+        update_policy.email_if_fail = True
+        update_policy.save()
+
+        clients = [
+            "Company 2",
+            "Company 3",
+            "Company 1",
+            "Company 4",
+            "Company 5",
+            "Company 6",
+        ]
+        sites1 = ["HQ1", "LA Office 1", "NY Office 1"]
+        sites2 = ["HQ2", "LA Office 2", "NY Office 2"]
+        sites3 = ["HQ3", "LA Office 3", "NY Office 3"]
+        sites4 = ["HQ4", "LA Office 4", "NY Office 4"]
+        sites5 = ["HQ5", "LA Office 5", "NY Office 5"]
+        sites6 = ["HQ6", "LA Office 6", "NY Office 6"]
+
+        client1 = Client(name="Company 1")
+        client2 = Client(name="Company 2")
+        client3 = Client(name="Company 3")
+        client4 = Client(name="Company 4")
+        client5 = Client(name="Company 5")
+        client6 = Client(name="Company 6")
+
+        client1.save()
+        client2.save()
+        client3.save()
+        client4.save()
+        client5.save()
+        client6.save()
+
+        for site in sites1:
+            Site(client=client1, name=site).save()
+
+        for site in sites2:
+            Site(client=client2, name=site).save()
+
+        for site in sites3:
+            Site(client=client3, name=site).save()
+
+        for site in sites4:
+            Site(client=client4, name=site).save()
+
+        for site in sites5:
+            Site(client=client5, name=site).save()
+
+        for site in sites6:
+            Site(client=client6, name=site).save()
+
+        hostnames = [
+            "DC-1",
+            "DC-2",
+            "FSV-1",
+            "FSV-2",
+            "WSUS",
+            "DESKTOP-12345",
+            "LAPTOP-55443",
+        ]
+        descriptions = ["Bob's computer", "Primary DC", "File Server", "Karen's Laptop"]
+        modes = ["server", "workstation"]
+        op_systems_servers = [
+            "Microsoft Windows Server 2016 Standard, 64bit (build 14393)",
+            "Microsoft Windows Server 2012 R2 Standard, 64bit (build 9600)",
+            "Microsoft Windows Server 2019 Standard, 64bit (build 17763)",
+        ]
+
+        op_systems_workstations = [
+            "Microsoft Windows 8.1 Pro, 64bit (build 9600)",
+            "Microsoft Windows 10 Pro for Workstations, 64bit (build 18363)",
+            "Microsoft Windows 10 Pro, 64bit (build 18363)",
+        ]
+
+        public_ips = ["65.234.22.4", "74.123.43.5", "44.21.134.45"]
+
+        total_rams = [4, 8, 16, 32, 64, 128]
+
+        now = dt.datetime.now()
+
+        boot_times = []
+
+        for _ in range(15):
+            rand_hour = now - dt.timedelta(hours=random.randint(1, 22))
+            boot_times.append(str(rand_hour.timestamp()))
+
+        for _ in range(5):
+            rand_days = now - dt.timedelta(days=random.randint(2, 50))
+            boot_times.append(str(rand_days.timestamp()))
+
+        user_names = ["None", "Karen", "Steve", "jsmith", "jdoe"]
+
+        with open(SVCS) as f:
+            services = json.load(f)
+
+        # WMI
+        with open(WMI_1) as f:
+            wmi1 = json.load(f)
+
+        with open(WMI_2) as f:
+            wmi2 = json.load(f)
+
+        with open(WMI_3) as f:
+            wmi3 = json.load(f)
+
+        wmi_details = []
+        wmi_details.append(wmi1)
+        wmi_details.append(wmi2)
+        wmi_details.append(wmi3)
+
+        # software
+        with open(SW_1) as f:
+            software1 = json.load(f)
+
+        with open(SW_2) as f:
+            software2 = json.load(f)
+
+        softwares = []
+        softwares.append(software1)
+        softwares.append(software2)
+
+        # windows updates
+        with open(WIN_UPDATES) as f:
+            windows_updates = json.load(f)["samplecomputer"]
+
+        # event log check fail data
+        with open(EVT_LOG_FAIL) as f:
+            eventlog_check_fail_data = json.load(f)
+
+        # create scripts
+
+        clear_spool = Script()
+        clear_spool.name = "Clear Print Spooler"
+        clear_spool.description = "clears the print spooler. Fuck printers"
+        clear_spool.filename = "clear_print_spool.bat"
+        clear_spool.shell = "cmd"
+        clear_spool.save()
+
+        check_net_aware = Script()
+        check_net_aware.name = "Check Network Location Awareness"
+        check_net_aware.description = "Check's network location awareness on domain computers, should always be domain profile and not public or private. Sometimes happens when computer restarts before domain available. This script will return 0 if check passes or 1 if it fails."
+        check_net_aware.filename = "check_network_loc_aware.ps1"
+        check_net_aware.shell = "powershell"
+        check_net_aware.save()
+
+        check_pool_health = Script()
+        check_pool_health.name = "Check storage spool health"
+        check_pool_health.description = "loops through all storage pools and will fail if any of them are not healthy"
+        check_pool_health.filename = "check_storage_pool_health.ps1"
+        check_pool_health.shell = "powershell"
+        check_pool_health.save()
+
+        restart_nla = Script()
+        restart_nla.name = "Restart NLA Service"
+        restart_nla.description = "restarts the Network Location Awareness windows service to fix the nic profile. Run this after the check network service fails"
+        restart_nla.filename = "restart_nla.ps1"
+        restart_nla.shell = "powershell"
+        restart_nla.save()
+
+        show_tmp_dir_script = Script()
+        show_tmp_dir_script.name = "Check temp dir"
+        show_tmp_dir_script.description = "shows files in temp dir using python"
+        show_tmp_dir_script.filename = "show_temp_dir.py"
+        show_tmp_dir_script.shell = "python"
+        show_tmp_dir_script.save()
+
+        for count_agents in range(AGENTS_TO_GENERATE):
+
+            client = random.choice(clients)
+
+            if client == "Company 1":
+                site = random.choice(sites1)
+            elif client == "Company 2":
+                site = random.choice(sites2)
+            elif client == "Company 3":
+                site = random.choice(sites3)
+            elif client == "Company 4":
+                site = random.choice(sites4)
+            elif client == "Company 5":
+                site = random.choice(sites5)
+            elif client == "Company 6":
+                site = random.choice(sites6)
+
+            agent = Agent()
+
+            mode = random.choice(modes)
+            if mode == "server":
+                agent.operating_system = random.choice(op_systems_servers)
+            else:
+                agent.operating_system = random.choice(op_systems_workstations)
+
+            agent.hostname = random.choice(hostnames)
+            agent.version = settings.LATEST_AGENT_VER
+            agent.site = Site.objects.get(name=site)
+            agent.agent_id = self.rand_string(25)
+            agent.description = random.choice(descriptions)
+            agent.monitoring_type = mode
+            agent.public_ip = random.choice(public_ips)
+            agent.last_seen = djangotime.now()
+            agent.plat = "windows"
+            agent.plat_release = "windows-2019Server"
+            agent.total_ram = random.choice(total_rams)
+            agent.boot_time = random.choice(boot_times)
+            agent.logged_in_username = random.choice(user_names)
+            agent.mesh_node_id = (
+                "3UiLhe420@kaVQ0rswzBeonW$WY0xrFFUDBQlcYdXoriLXzvPmBpMrV99vRHXFlb"
+            )
+            agent.overdue_email_alert = random.choice([True, False])
+            agent.overdue_text_alert = random.choice([True, False])
+            agent.needs_reboot = random.choice([True, False])
+            agent.wmi_detail = random.choice(wmi_details)
+            agent.services = services
+            agent.disks = random.choice(disks)
+
+            agent.save()
+
+            InstalledSoftware(agent=agent, software=random.choice(softwares)).save()
+
+            if mode == "workstation":
+                WinUpdatePolicy(agent=agent, run_time_days=[5, 6]).save()
+            else:
+                WinUpdatePolicy(agent=agent).save()
+
+            # windows updates load
+            guids = []
+            for k in windows_updates.keys():
+                guids.append(k)
+
+            for i in guids:
+                WinUpdate(
+                    agent=agent,
+                    guid=i,
+                    kb=windows_updates[i]["KBs"][0],
+                    title=windows_updates[i]["Title"],
+                    installed=windows_updates[i]["Installed"],
+                    downloaded=windows_updates[i]["Downloaded"],
+                    description=windows_updates[i]["Description"],
+                    severity=windows_updates[i]["Severity"],
+                ).save()
+
+            # agent histories
+            hist = AgentHistory()
+            hist.agent = agent
+            hist.type = "cmd_run"
+            hist.command = "ping google.com"
+            hist.username = "demo"
+            hist.results = ping_success_output
+            hist.save()
+
+            hist1 = AgentHistory()
+            hist1.agent = agent
+            hist1.type = "script_run"
+            hist1.script = clear_spool
+            hist1.script_results = {
+                "id": 1,
+                "stderr": "",
+                "stdout": spooler_stdout,
+                "execution_time": 3.5554593,
+                "retcode": 0,
+            }
+            hist1.save()
+
+            # disk space check
+            check1 = Check()
+            check1.agent = agent
+            check1.check_type = "diskspace"
+            check1.status = "passing"
+            check1.last_run = djangotime.now()
+            check1.more_info = "Total: 498.7GB, Free: 287.4GB"
+            check1.warning_threshold = 25
+            check1.error_threshold = 10
+            check1.disk = "C:"
+            check1.email_alert = random.choice([True, False])
+            check1.text_alert = random.choice([True, False])
+            check1.save()
+
+            for i in range(30):
+                check1_history = CheckHistory()
+                check1_history.check_id = check1.id
+                check1_history.x = djangotime.now() - djangotime.timedelta(
+                    minutes=i * 2
+                )
+                check1_history.y = random.randint(13, 40)
+                check1_history.save()
+
+            # ping check
+            check2 = Check()
+            check2.agent = agent
+            check2.check_type = "ping"
+            check2.last_run = djangotime.now()
+            check2.email_alert = random.choice([True, False])
+            check2.text_alert = random.choice([True, False])
+
+            if site in sites5:
+                check2.name = "Synology NAS"
+                check2.status = "failing"
+                check2.ip = "172.17.14.26"
+                check2.more_info = ping_fail_output
+            else:
+                check2.name = "Google"
+                check2.status = "passing"
+                check2.ip = "8.8.8.8"
+                check2.more_info = ping_success_output
+
+            check2.save()
+
+            for i in range(30):
+                check2_history = CheckHistory()
+                check2_history.check_id = check2.id
+                check2_history.x = djangotime.now() - djangotime.timedelta(
+                    minutes=i * 2
+                )
+                if site in sites5:
+                    check2_history.y = 1
+                    check2_history.results = ping_fail_output
+                else:
+                    check2_history.y = 0
+                    check2_history.results = ping_success_output
+                check2_history.save()
+
+            # cpu load check
+            check3 = Check()
+            check3.agent = agent
+            check3.check_type = "cpuload"
+            check3.status = "passing"
+            check3.last_run = djangotime.now()
+            check3.warning_threshold = 70
+            check3.error_threshold = 90
+            check3.history = [15, 23, 16, 22, 22, 27, 15, 23, 23, 20, 10, 10, 13, 34]
+            check3.email_alert = random.choice([True, False])
+            check3.text_alert = random.choice([True, False])
+            check3.save()
+
+            for i in range(30):
+                check3_history = CheckHistory()
+                check3_history.check_id = check3.id
+                check3_history.x = djangotime.now() - djangotime.timedelta(
+                    minutes=i * 2
+                )
+                check3_history.y = random.randint(2, 79)
+                check3_history.save()
+
+            # memory check
+            check4 = Check()
+            check4.agent = agent
+            check4.check_type = "memory"
+            check4.status = "passing"
+            check4.warning_threshold = 70
+            check4.error_threshold = 85
+            check4.history = [34, 34, 35, 36, 34, 34, 34, 34, 34, 34]
+            check4.email_alert = random.choice([True, False])
+            check4.text_alert = random.choice([True, False])
+            check4.save()
+
+            for i in range(30):
+                check4_history = CheckHistory()
+                check4_history.check_id = check4.id
+                check4_history.x = djangotime.now() - djangotime.timedelta(
+                    minutes=i * 2
+                )
+                check4_history.y = random.randint(2, 79)
+                check4_history.save()
+
+            # script check storage pool
+            check5 = Check()
+            check5.agent = agent
+            check5.check_type = "script"
+            check5.status = "passing"
+            check5.last_run = djangotime.now()
+            check5.email_alert = random.choice([True, False])
+            check5.text_alert = random.choice([True, False])
+            check5.timeout = 120
+            check5.retcode = 0
+            check5.execution_time = "4.0000"
+            check5.script = check_pool_health
+            check5.save()
+
+            for i in range(30):
+                check5_history = CheckHistory()
+                check5_history.check_id = check5.id
+                check5_history.x = djangotime.now() - djangotime.timedelta(
+                    minutes=i * 2
+                )
+                if i == 10 or i == 18:
+                    check5_history.y = 1
+                else:
+                    check5_history.y = 0
+                check5_history.save()
+
+            check6 = Check()
+            check6.agent = agent
+            check6.check_type = "script"
+            check6.status = "passing"
+            check6.last_run = djangotime.now()
+            check6.email_alert = random.choice([True, False])
+            check6.text_alert = random.choice([True, False])
+            check6.timeout = 120
+            check6.retcode = 0
+            check6.execution_time = "4.0000"
+            check6.script = check_net_aware
+            check6.save()
+
+            for i in range(30):
+                check6_history = CheckHistory()
+                check6_history.check_id = check6.id
+                check6_history.x = djangotime.now() - djangotime.timedelta(
+                    minutes=i * 2
+                )
+                check6_history.y = 0
+                check6_history.save()
+
+            nla_task = AutomatedTask()
+            nla_task.agent = agent
+            actions = [
+                {
+                    "name": restart_nla.name,
+                    "type": "script",
+                    "script": restart_nla.pk,
+                    "timeout": 90,
+                    "script_args": [],
+                }
+            ]
+            nla_task.actions = actions
+            nla_task.assigned_check = check6
+            nla_task.name = "Restart NLA"
+            nla_task.task_type = "checkfailure"
+            nla_task.win_task_name = "demotask123"
+            nla_task.execution_time = "1.8443"
+            nla_task.last_run = djangotime.now()
+            nla_task.stdout = "no stdout"
+            nla_task.retcode = 0
+            nla_task.sync_status = "synced"
+            nla_task.save()
+
+            spool_task = AutomatedTask()
+            spool_task.agent = agent
+            actions = [
+                {
+                    "name": clear_spool.name,
+                    "type": "script",
+                    "script": clear_spool.pk,
+                    "timeout": 90,
+                    "script_args": [],
+                }
+            ]
+            spool_task.actions = actions
+            spool_task.name = "Clear the print spooler"
+            spool_task.task_type = "daily"
+            spool_task.run_time_date = djangotime.now() + djangotime.timedelta(
+                minutes=10
+            )
+            spool_task.expire_date = djangotime.now() + djangotime.timedelta(days=753)
+            spool_task.daily_interval = 1
+            spool_task.weekly_interval = 1
+            spool_task.task_repetition_duration = "2h"
+            spool_task.task_repetition_interval = "25m"
+            spool_task.random_task_delay = "3m"
+            spool_task.win_task_name = "demospool123"
+            spool_task.last_run = djangotime.now()
+            spool_task.retcode = 0
+            spool_task.stdout = spooler_stdout
+            spool_task.sync_status = "synced"
+            spool_task.save()
+
+            tmp_dir_task = AutomatedTask()
+            tmp_dir_task.agent = agent
+            tmp_dir_task.name = "show temp dir files"
+            actions = [
+                {
+                    "name": show_tmp_dir_script.name,
+                    "type": "script",
+                    "script": show_tmp_dir_script.pk,
+                    "timeout": 90,
+                    "script_args": [],
+                }
+            ]
+            tmp_dir_task.actions = actions
+            tmp_dir_task.task_type = "manual"
+            tmp_dir_task.win_task_name = "demotemp"
+            tmp_dir_task.last_run = djangotime.now()
+            tmp_dir_task.stdout = temp_dir_stdout
+            tmp_dir_task.retcode = 0
+            tmp_dir_task.sync_status = "synced"
+            tmp_dir_task.save()
+
+            check7 = Check()
+            check7.agent = agent
+            check7.check_type = "script"
+            check7.status = "passing"
+            check7.last_run = djangotime.now()
+            check7.email_alert = random.choice([True, False])
+            check7.text_alert = random.choice([True, False])
+            check7.timeout = 120
+            check7.retcode = 0
+            check7.execution_time = "3.1337"
+            check7.script = clear_spool
+            check7.stdout = spooler_stdout
+            check7.save()
+
+            for i in range(30):
+                check7_history = CheckHistory()
+                check7_history.check_id = check7.id
+                check7_history.x = djangotime.now() - djangotime.timedelta(
+                    minutes=i * 2
+                )
+                check7_history.y = 0
+                check7_history.save()
+
+            check8 = Check()
+            check8.agent = agent
+            check8.check_type = "winsvc"
+            check8.status = "passing"
+            check8.last_run = djangotime.now()
+            check8.email_alert = random.choice([True, False])
+            check8.text_alert = random.choice([True, False])
+            check8.more_info = "Status RUNNING"
+            check8.fails_b4_alert = 4
+            check8.svc_name = "Spooler"
+            check8.svc_display_name = "Print Spooler"
+            check8.pass_if_start_pending = False
+            check8.restart_if_stopped = True
+            check8.save()
+
+            for i in range(30):
+                check8_history = CheckHistory()
+                check8_history.check_id = check8.id
+                check8_history.x = djangotime.now() - djangotime.timedelta(
+                    minutes=i * 2
+                )
+                if i == 10 or i == 18:
+                    check8_history.y = 1
+                    check8_history.results = "Status STOPPED"
+                else:
+                    check8_history.y = 0
+                    check8_history.results = "Status RUNNING"
+                check8_history.save()
+
+            check9 = Check()
+            check9.agent = agent
+            check9.check_type = "eventlog"
+            check9.name = "unexpected shutdown"
+
+            check9.last_run = djangotime.now()
+            check9.email_alert = random.choice([True, False])
+            check9.text_alert = random.choice([True, False])
+            check9.fails_b4_alert = 2
+
+            if site in sites5:
+                check9.extra_details = eventlog_check_fail_data
+                check9.status = "failing"
+            else:
+                check9.extra_details = {"log": []}
+                check9.status = "passing"
+
+            check9.log_name = "Application"
+            check9.event_id = 1001
+            check9.event_type = "INFO"
+            check9.fail_when = "contains"
+            check9.search_last_days = 30
+
+            check9.save()
+
+            for i in range(30):
+                check9_history = CheckHistory()
+                check9_history.check_id = check9.id
+                check9_history.x = djangotime.now() - djangotime.timedelta(
+                    minutes=i * 2
+                )
+                if i == 10 or i == 18:
+                    check9_history.y = 1
+                    check9_history.results = "Events Found: 16"
+                else:
+                    check9_history.y = 0
+                    check9_history.results = "Events Found: 0"
+                check9_history.save()
+
+            pick = random.randint(1, 10)
+
+            if pick == 5 or pick == 3:
+
+                reboot_time = djangotime.now() + djangotime.timedelta(
+                    minutes=random.randint(1000, 500000)
+                )
+                date_obj = dt.datetime.strftime(reboot_time, "%Y-%m-%d %H:%M")
+
+                obj = dt.datetime.strptime(date_obj, "%Y-%m-%d %H:%M")
+
+                task_name = "TacticalRMM_SchedReboot_" + "".join(
+                    random.choice(string.ascii_letters) for _ in range(10)
+                )
+
+                sched_reboot = PendingAction()
+                sched_reboot.agent = agent
+                sched_reboot.action_type = "schedreboot"
+                sched_reboot.details = {
+                    "time": str(obj),
+                    "taskname": task_name,
+                }
+                sched_reboot.save()
+
+            self.stdout.write(self.style.SUCCESS(f"Added agent # {count_agents + 1}"))
+
+        call_command("load_demo_scripts")
+        self.stdout.write("done")
--- a/api/tacticalrmm/agents/management/commands/fix_salt_key.py
+++ b/api/tacticalrmm/agents/management/commands/fix_salt_key.py
@@ -1,16 +0,0 @@
-from django.core.management.base import BaseCommand
-
-from agents.models import Agent
-
-
-class Command(BaseCommand):
-    help = "Changes existing agents salt_id from a property to a model field"
-
-    def handle(self, *args, **kwargs):
-        agents = Agent.objects.filter(salt_id=None)
-        for agent in agents:
-            self.stdout.write(
-                self.style.SUCCESS(f"Setting salt_id on {agent.hostname}")
-            )
-            agent.salt_id = f"{agent.hostname}-{agent.pk}"
-            agent.save(update_fields=["salt_id"])
--- a/api/tacticalrmm/agents/management/commands/show_outdated_agents.py
+++ b/api/tacticalrmm/agents/management/commands/show_outdated_agents.py
@@ -1,8 +1,7 @@
+from agents.models import Agent
 from django.conf import settings
 from django.core.management.base import BaseCommand

-from agents.models import Agent
-

 class Command(BaseCommand):
    help = "Shows online agents that are not on the latest version"
--- a/api/tacticalrmm/agents/management/commands/update_agents.py
+++ b/api/tacticalrmm/agents/management/commands/update_agents.py
@@ -0,0 +1,25 @@
+from agents.models import Agent
+from agents.tasks import send_agent_update_task
+from core.models import CoreSettings
+from django.conf import settings
+from django.core.management.base import BaseCommand
+from packaging import version as pyver
+
+from tacticalrmm.constants import AGENT_DEFER
+
+
+class Command(BaseCommand):
+    help = "Triggers an agent update task to run"
+
+    def handle(self, *args, **kwargs):
+        core = CoreSettings.objects.first()
+        if not core.agent_auto_update:  # type: ignore
+            return
+
+        q = Agent.objects.defer(*AGENT_DEFER).exclude(version=settings.LATEST_AGENT_VER)
+        agent_ids: list[str] = [
+            i.agent_id
+            for i in q
+            if pyver.parse(i.version) < pyver.parse(settings.LATEST_AGENT_VER)
+        ]
+        send_agent_update_task.delay(agent_ids=agent_ids)
--- a/api/tacticalrmm/agents/migrations/0038_agenthistory.py
+++ b/api/tacticalrmm/agents/migrations/0038_agenthistory.py
@@ -0,0 +1,27 @@
+# Generated by Django 3.2.1 on 2021-07-06 02:01
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('agents', '0037_auto_20210627_0014'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='AgentHistory',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('time', models.DateTimeField(auto_now_add=True)),
+                ('type', models.CharField(choices=[('task_run', 'Task Run'), ('script_run', 'Script Run'), ('cmd_run', 'CMD Run')], default='cmd_run', max_length=50)),
+                ('command', models.TextField(blank=True, null=True)),
+                ('status', models.CharField(choices=[('success', 'Success'), ('failure', 'Failure')], default='success', max_length=50)),
+                ('username', models.CharField(default='system', max_length=50)),
+                ('results', models.TextField(blank=True, null=True)),
+                ('agent', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='history', to='agents.agent')),
+            ],
+        ),
+    ]
--- a/api/tacticalrmm/agents/migrations/0039_auto_20210714_0738.py
+++ b/api/tacticalrmm/agents/migrations/0039_auto_20210714_0738.py
@@ -0,0 +1,25 @@
+# Generated by Django 3.2.5 on 2021-07-14 07:38
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('scripts', '0008_script_guid'),
+        ('agents', '0038_agenthistory'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='agenthistory',
+            name='script',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='history', to='scripts.script'),
+        ),
+        migrations.AddField(
+            model_name='agenthistory',
+            name='script_results',
+            field=models.JSONField(blank=True, null=True),
+        ),
+    ]
--- a/api/tacticalrmm/agents/migrations/0040_auto_20211010_0249.py
+++ b/api/tacticalrmm/agents/migrations/0040_auto_20211010_0249.py
@@ -0,0 +1,28 @@
+# Generated by Django 3.2.6 on 2021-10-10 02:49
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('agents', '0039_auto_20210714_0738'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='agent',
+            name='agent_id',
+            field=models.CharField(max_length=200, unique=True),
+        ),
+        migrations.AlterField(
+            model_name='agent',
+            name='created_by',
+            field=models.CharField(blank=True, max_length=255, null=True),
+        ),
+        migrations.AlterField(
+            model_name='agent',
+            name='modified_by',
+            field=models.CharField(blank=True, max_length=255, null=True),
+        ),
+    ]
--- a/api/tacticalrmm/agents/migrations/0041_alter_agenthistory_username.py
+++ b/api/tacticalrmm/agents/migrations/0041_alter_agenthistory_username.py
@@ -0,0 +1,18 @@
+# Generated by Django 3.2.6 on 2021-10-18 03:04
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('agents', '0040_auto_20211010_0249'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='agenthistory',
+            name='username',
+            field=models.CharField(default='system', max_length=255),
+        ),
+    ]
--- a/api/tacticalrmm/agents/migrations/0042_alter_agent_time_zone.py
+++ b/api/tacticalrmm/agents/migrations/0042_alter_agent_time_zone.py
--- a/api/tacticalrmm/agents/migrations/0043_auto_20220227_0554.py
+++ b/api/tacticalrmm/agents/migrations/0043_auto_20220227_0554.py
@@ -0,0 +1,25 @@
+# Generated by Django 3.2.12 on 2022-02-27 05:54
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('agents', '0042_alter_agent_time_zone'),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name='agent',
+            name='antivirus',
+        ),
+        migrations.RemoveField(
+            model_name='agent',
+            name='local_ip',
+        ),
+        migrations.RemoveField(
+            model_name='agent',
+            name='used_ram',
+        ),
+    ]
--- a/api/tacticalrmm/agents/migrations/0044_auto_20220227_0717.py
+++ b/api/tacticalrmm/agents/migrations/0044_auto_20220227_0717.py
@@ -0,0 +1,22 @@
+# Generated by Django 3.2.12 on 2022-02-27 07:17
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('agents', '0043_auto_20220227_0554'),
+    ]
+
+    operations = [
+        migrations.RenameField(
+            model_name='agent',
+            old_name='salt_id',
+            new_name='goarch',
+        ),
+        migrations.RemoveField(
+            model_name='agent',
+            name='salt_ver',
+        ),
+    ]
--- a/api/tacticalrmm/agents/migrations/0045_delete_recoveryaction.py
+++ b/api/tacticalrmm/agents/migrations/0045_delete_recoveryaction.py
@@ -0,0 +1,16 @@
+# Generated by Django 3.2.12 on 2022-03-12 02:30
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('agents', '0044_auto_20220227_0717'),
+    ]
+
+    operations = [
+        migrations.DeleteModel(
+            name='RecoveryAction',
+        ),
+    ]
--- a/api/tacticalrmm/agents/migrations/0046_alter_agenthistory_command.py
+++ b/api/tacticalrmm/agents/migrations/0046_alter_agenthistory_command.py
@@ -0,0 +1,18 @@
+# Generated by Django 3.2.12 on 2022-03-17 17:15
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('agents', '0045_delete_recoveryaction'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='agenthistory',
+            name='command',
+            field=models.TextField(blank=True, default='', null=True),
+        ),
+    ]
--- a/api/tacticalrmm/agents/models.py
+++ b/api/tacticalrmm/agents/models.py
@@ -7,7 +7,10 @@ from distutils.version import LooseVersion
 from typing import Any

 import msgpack
+import nats
 import validators
+from asgiref.sync import sync_to_async
+from core.models import TZ_CHOICES, CoreSettings
 from Crypto.Cipher import AES
 from Crypto.Hash import SHA3_384
 from Crypto.Random import get_random_bytes
@@ -16,36 +19,30 @@ from django.conf import settings
 from django.contrib.postgres.fields import ArrayField
 from django.db import models
 from django.utils import timezone as djangotime
-from loguru import logger
-from nats.aio.client import Client as NATS
-from nats.aio.errors import ErrTimeout
+from logs.models import BaseAuditModel, DebugLog
+from nats.errors import TimeoutError

-from core.models import TZ_CHOICES, CoreSettings
-from logs.models import BaseAuditModel
-
-logger.configure(**settings.LOG_CONFIG)
+from tacticalrmm.models import PermissionQuerySet


 class Agent(BaseAuditModel):
+    objects = PermissionQuerySet.as_manager()
+
    version = models.CharField(default="0.1.0", max_length=255)
-    salt_ver = models.CharField(default="1.0.3", max_length=255)
    operating_system = models.CharField(null=True, blank=True, max_length=255)
    plat = models.CharField(max_length=255, null=True, blank=True)
+    goarch = models.CharField(max_length=255, null=True, blank=True)
    plat_release = models.CharField(max_length=255, null=True, blank=True)
    hostname = models.CharField(max_length=255)
-    salt_id = models.CharField(null=True, blank=True, max_length=255)
-    local_ip = models.TextField(null=True, blank=True)  # deprecated
-    agent_id = models.CharField(max_length=200)
+    agent_id = models.CharField(max_length=200, unique=True)
    last_seen = models.DateTimeField(null=True, blank=True)
    services = models.JSONField(null=True, blank=True)
    public_ip = models.CharField(null=True, max_length=255)
    total_ram = models.IntegerField(null=True, blank=True)
-    used_ram = models.IntegerField(null=True, blank=True)  # deprecated
    disks = models.JSONField(null=True, blank=True)
    boot_time = models.FloatField(null=True, blank=True)
    logged_in_username = models.CharField(null=True, blank=True, max_length=255)
    last_logged_in_user = models.CharField(null=True, blank=True, max_length=255)
-    antivirus = models.CharField(default="n/a", max_length=255)  # deprecated
    monitoring_type = models.CharField(max_length=30)
    description = models.CharField(null=True, blank=True, max_length=255)
    mesh_node_id = models.CharField(null=True, blank=True, max_length=255)
@@ -89,14 +86,13 @@ class Agent(BaseAuditModel):
    )

    def save(self, *args, **kwargs):
-
        # get old agent if exists
-        old_agent = type(self).objects.get(pk=self.pk) if self.pk else None
-        super(BaseAuditModel, self).save(*args, **kwargs)
+        old_agent = Agent.objects.get(pk=self.pk) if self.pk else None
+        super(Agent, self).save(old_model=old_agent, *args, **kwargs)

        # check if new agent has been created
        # or check if policy have changed on agent
-        # or if site has changed on agent and if so generate-policies
+        # or if site has changed on agent and if so generate policies
        # or if agent was changed from server or workstation
        if (
            not old_agent
@@ -105,8 +101,9 @@ class Agent(BaseAuditModel):
            or (old_agent.monitoring_type != self.monitoring_type)
            or (old_agent.block_policy_inheritance != self.block_policy_inheritance)
        ):
-            self.generate_checks_from_policies()
-            self.generate_tasks_from_policies()
+            from automation.tasks import generate_agent_checks_task
+
+            generate_agent_checks_task.delay(agents=[self.pk], create_tasks=True)

    def __str__(self):
        return self.hostname
@@ -123,10 +120,17 @@ class Agent(BaseAuditModel):
        else:
            from core.models import CoreSettings

-            return CoreSettings.objects.first().default_time_zone
+            return CoreSettings.objects.first().default_time_zone  # type: ignore
+
+    @property
+    def is_posix(self):
+        return self.plat == "linux" or self.plat == "darwin"

    @property
    def arch(self):
+        if self.is_posix:
+            return self.goarch
+
        if self.operating_system is not None:
            if "64 bit" in self.operating_system or "64bit" in self.operating_system:
                return "64"
@@ -194,6 +198,12 @@ class Agent(BaseAuditModel):

    @property
    def cpu_model(self):
+        if self.is_posix:
+            try:
+                return self.wmi_detail["cpus"]
+            except:
+                return ["unknown cpu model"]
+
        ret = []
        try:
            cpus = self.wmi_detail["cpu"]
@@ -205,6 +215,14 @@ class Agent(BaseAuditModel):

    @property
    def graphics(self):
+        if self.is_posix:
+            try:
+                if not self.wmi_detail["gpus"]:
+                    return "No graphics cards"
+                return self.wmi_detail["gpus"]
+            except:
+                return "Error getting graphics cards"
+
        ret, mrda = [], []
        try:
            graphics = self.wmi_detail["graphics"]
@@ -226,6 +244,12 @@ class Agent(BaseAuditModel):

    @property
    def local_ips(self):
+        if self.is_posix:
+            try:
+                return ", ".join(self.wmi_detail["local_ips"])
+            except:
+                return "error getting local ips"
+
        ret = []
        try:
            ips = self.wmi_detail["network_config"]
@@ -252,6 +276,12 @@ class Agent(BaseAuditModel):

    @property
    def make_model(self):
+        if self.is_posix:
+            try:
+                return self.wmi_detail["make_model"]
+            except:
+                return "error getting make/model"
+
        try:
            comp_sys = self.wmi_detail["comp_sys"][0]
            comp_sys_prod = self.wmi_detail["comp_sys_prod"][0]
@@ -282,6 +312,12 @@ class Agent(BaseAuditModel):

    @property
    def physical_disks(self):
+        if self.is_posix:
+            try:
+                return self.wmi_detail["disks"]
+            except:
+                return ["unknown disk"]
+
        try:
            disks = self.wmi_detail["disk"]
            ret = []
@@ -303,6 +339,37 @@ class Agent(BaseAuditModel):
        except:
            return ["unknown disk"]

+    def is_supported_script(self, platforms: list) -> bool:
+        return self.plat.lower() in platforms if platforms else True
+
+    def get_agent_policies(self):
+        site_policy = getattr(self.site, f"{self.monitoring_type}_policy", None)
+        client_policy = getattr(self.client, f"{self.monitoring_type}_policy", None)
+        default_policy = getattr(
+            CoreSettings.objects.first(), f"{self.monitoring_type}_policy", None
+        )
+
+        return {
+            "agent_policy": self.policy
+            if self.policy and not self.policy.is_agent_excluded(self)
+            else None,
+            "site_policy": site_policy
+            if (site_policy and not site_policy.is_agent_excluded(self))
+            and not self.block_policy_inheritance
+            else None,
+            "client_policy": client_policy
+            if (client_policy and not client_policy.is_agent_excluded(self))
+            and not self.block_policy_inheritance
+            and not self.site.block_policy_inheritance
+            else None,
+            "default_policy": default_policy
+            if (default_policy and not default_policy.is_agent_excluded(self))
+            and not self.block_policy_inheritance
+            and not self.site.block_policy_inheritance
+            and not self.client.block_policy_inheritance
+            else None,
+        }
+
    def check_run_interval(self) -> int:
        interval = self.check_interval
        # determine if any agent checks have a custom interval and set the lowest interval
@@ -325,6 +392,7 @@ class Agent(BaseAuditModel):
        full: bool = False,
        wait: bool = False,
        run_on_any: bool = False,
+        history_pk: int = 0,
    ) -> Any:

        from scripts.models import Script
@@ -343,6 +411,9 @@ class Agent(BaseAuditModel):
            },
        }

+        if history_pk != 0:
+            data["id"] = history_pk
+
        running_agent = self
        if run_on_any:
            nats_ping = {"func": "ping"}
@@ -415,86 +486,20 @@ class Agent(BaseAuditModel):
    def get_patch_policy(self):

        # check if site has a patch policy and if so use it
-        site = self.site
-        core_settings = CoreSettings.objects.first()
        patch_policy = None
-        agent_policy = self.winupdatepolicy.get()  # type: ignore
+        agent_policy = self.winupdatepolicy.first()  # type: ignore

-        if self.monitoring_type == "server":
-            # check agent policy first which should override client or site policy
-            if self.policy and self.policy.winupdatepolicy.exists():
-                patch_policy = self.policy.winupdatepolicy.get()
+        policies = self.get_agent_policies()

-            # check site policy if agent policy doesn't have one
-            elif site.server_policy and site.server_policy.winupdatepolicy.exists():
-                # make sure agent isn;t blocking policy inheritance
-                if not self.block_policy_inheritance:
-                    patch_policy = site.server_policy.winupdatepolicy.get()
-
-            # if site doesn't have a patch policy check the client
-            elif (
-                site.client.server_policy
-                and site.client.server_policy.winupdatepolicy.exists()
+        processed_policies = list()
+        for _, policy in policies.items():
+            if (
+                policy
+                and policy.active
+                and policy.pk not in processed_policies
+                and policy.winupdatepolicy.exists()
            ):
-                # make sure agent and site are not blocking inheritance
-                if (
-                    not self.block_policy_inheritance
-                    and not site.block_policy_inheritance
-                ):
-                    patch_policy = site.client.server_policy.winupdatepolicy.get()
-
-            # if patch policy still doesn't exist check default policy
-            elif (
-                core_settings.server_policy
-                and core_settings.server_policy.winupdatepolicy.exists()
-            ):
-                # make sure agent site and client are not blocking inheritance
-                if (
-                    not self.block_policy_inheritance
-                    and not site.block_policy_inheritance
-                    and not site.client.block_policy_inheritance
-                ):
-                    patch_policy = core_settings.server_policy.winupdatepolicy.get()
-
-        elif self.monitoring_type == "workstation":
-            # check agent policy first which should override client or site policy
-            if self.policy and self.policy.winupdatepolicy.exists():
-                patch_policy = self.policy.winupdatepolicy.get()
-
-            elif (
-                site.workstation_policy
-                and site.workstation_policy.winupdatepolicy.exists()
-            ):
-                # make sure agent isn;t blocking policy inheritance
-                if not self.block_policy_inheritance:
-                    patch_policy = site.workstation_policy.winupdatepolicy.get()
-
-            # if site doesn't have a patch policy check the client
-            elif (
-                site.client.workstation_policy
-                and site.client.workstation_policy.winupdatepolicy.exists()
-            ):
-                # make sure agent and site are not blocking inheritance
-                if (
-                    not self.block_policy_inheritance
-                    and not site.block_policy_inheritance
-                ):
-                    patch_policy = site.client.workstation_policy.winupdatepolicy.get()
-
-            # if patch policy still doesn't exist check default policy
-            elif (
-                core_settings.workstation_policy
-                and core_settings.workstation_policy.winupdatepolicy.exists()
-            ):
-                # make sure agent site and client are not blocking inheritance
-                if (
-                    not self.block_policy_inheritance
-                    and not site.block_policy_inheritance
-                    and not site.client.block_policy_inheritance
-                ):
-                    patch_policy = (
-                        core_settings.workstation_policy.winupdatepolicy.get()
-                    )
+                patch_policy = policy.winupdatepolicy.first()

        # if policy still doesn't exist return the agent patch policy
        if not patch_policy:
@@ -541,137 +546,55 @@ class Agent(BaseAuditModel):
    # sets alert template assigned in the following order: policy, site, client, global
    # sets None if nothing is found
    def set_alert_template(self):
-
-        site = self.site
-        client = self.client
        core = CoreSettings.objects.first()
+        policies = self.get_agent_policies()

-        templates = list()
-        # check if alert template is on a policy assigned to agent
-        if (
-            self.policy
-            and self.policy.alert_template
-            and self.policy.alert_template.is_active
-        ):
-            templates.append(self.policy.alert_template)
-
-        # check if policy with alert template is assigned to the site
-        if (
-            self.monitoring_type == "server"
-            and site.server_policy
-            and site.server_policy.alert_template
-            and site.server_policy.alert_template.is_active
-            and not self.block_policy_inheritance
-        ):
-            templates.append(site.server_policy.alert_template)
-        if (
-            self.monitoring_type == "workstation"
-            and site.workstation_policy
-            and site.workstation_policy.alert_template
-            and site.workstation_policy.alert_template.is_active
-            and not self.block_policy_inheritance
-        ):
-            templates.append(site.workstation_policy.alert_template)
-
-        # check if alert template is assigned to site
-        if site.alert_template and site.alert_template.is_active:
-            templates.append(site.alert_template)
-
-        # check if policy with alert template is assigned to the client
-        if (
-            self.monitoring_type == "server"
-            and client.server_policy
-            and client.server_policy.alert_template
-            and client.server_policy.alert_template.is_active
-            and not self.block_policy_inheritance
-            and not site.block_policy_inheritance
-        ):
-            templates.append(client.server_policy.alert_template)
-        if (
-            self.monitoring_type == "workstation"
-            and client.workstation_policy
-            and client.workstation_policy.alert_template
-            and client.workstation_policy.alert_template.is_active
-            and not self.block_policy_inheritance
-            and not site.block_policy_inheritance
-        ):
-            templates.append(client.workstation_policy.alert_template)
-
-        # check if alert template is on client and return
-        if (
-            client.alert_template
-            and client.alert_template.is_active
-            and not self.block_policy_inheritance
-            and not site.block_policy_inheritance
-        ):
-            templates.append(client.alert_template)
-
-        # check if alert template is applied globally and return
-        if (
-            core.alert_template
-            and core.alert_template.is_active
-            and not self.block_policy_inheritance
-            and not site.block_policy_inheritance
-            and not client.block_policy_inheritance
-        ):
-            templates.append(core.alert_template)
-
-        # if agent is a workstation, check if policy with alert template is assigned to the site, client, or core
-        if (
-            self.monitoring_type == "server"
-            and core.server_policy
-            and core.server_policy.alert_template
-            and core.server_policy.alert_template.is_active
-            and not self.block_policy_inheritance
-            and not site.block_policy_inheritance
-            and not client.block_policy_inheritance
-        ):
-            templates.append(core.server_policy.alert_template)
-        if (
-            self.monitoring_type == "workstation"
-            and core.workstation_policy
-            and core.workstation_policy.alert_template
-            and core.workstation_policy.alert_template.is_active
-            and not self.block_policy_inheritance
-            and not site.block_policy_inheritance
-            and not client.block_policy_inheritance
-        ):
-            templates.append(core.workstation_policy.alert_template)
-
-        # go through the templates and return the first one that isn't excluded
-        for template in templates:
-            # check if client, site, or agent has been excluded from template
+        # loop through all policies applied to agent and return an alert_template if found
+        processed_policies = list()
+        for key, policy in policies.items():
+            # default alert_template will override a default policy with alert template applied
            if (
-                client.pk
-                in template.excluded_clients.all().values_list("pk", flat=True)
-                or site.pk in template.excluded_sites.all().values_list("pk", flat=True)
-                or self.pk
-                in template.excluded_agents.all()
-                .only("pk")
-                .values_list("pk", flat=True)
+                "default" in key
+                and core.alert_template
+                and core.alert_template.is_active
+                and not core.alert_template.is_agent_excluded(self)
            ):
-                continue
-
-            # check if template is excluding desktops
+                self.alert_template = core.alert_template
+                self.save(update_fields=["alert_template"])
+                return core.alert_template
            elif (
-                self.monitoring_type == "workstation" and template.exclude_workstations
+                policy
+                and policy.active
+                and policy.pk not in processed_policies
+                and policy.alert_template
+                and policy.alert_template.is_active
+                and not policy.alert_template.is_agent_excluded(self)
            ):
-                continue
-
-            # check if template is excluding servers
-            elif self.monitoring_type == "server" and template.exclude_servers:
-                continue
-
-            else:
-                # save alert_template to agent cache field
-                self.alert_template = template
-                self.save()
-
-                return template
+                self.alert_template = policy.alert_template
+                self.save(update_fields=["alert_template"])
+                return policy.alert_template
+            elif (
+                "site" in key
+                and self.site.alert_template
+                and self.site.alert_template.is_active
+                and not self.site.alert_template.is_agent_excluded(self)
+            ):
+                self.alert_template = self.site.alert_template
+                self.save(update_fields=["alert_template"])
+                return self.site.alert_template
+            elif (
+                "client" in key
+                and self.site.client.alert_template
+                and self.site.client.alert_template.is_active
+                and not self.site.client.alert_template.is_agent_excluded(self)
+            ):
+                self.alert_template = self.site.client.alert_template
+                self.save(update_fields=["alert_template"])
+                return self.site.client.alert_template

        # no alert templates found or agent has been excluded
        self.alert_template = None
-        self.save()
+        self.save(update_fields=["alert_template"])

        return None

@@ -697,7 +620,7 @@ class Agent(BaseAuditModel):
            key1 = key[0:48]
            key2 = key[48:]
            msg = '{{"a":{}, "u":"{}","time":{}}}'.format(
-                action, user, int(time.time())
+                action, user.lower(), int(time.time())
            )
            iv = get_random_bytes(16)

@@ -714,8 +637,10 @@ class Agent(BaseAuditModel):
        except Exception:
            return "err"

+    def _do_nats_debug(self, agent, message):
+        DebugLog.error(agent=agent, log_type="agent_issues", message=message)
+
    async def nats_cmd(self, data: dict, timeout: int = 30, wait: bool = True):
-        nc = NATS()
        options = {
            "servers": f"tls://{settings.ALLOWED_HOSTS[0]}:4222",
            "user": "tacticalrmm",
@@ -723,8 +648,9 @@ class Agent(BaseAuditModel):
            "connect_timeout": 3,
            "max_reconnect_attempts": 2,
        }
+
        try:
-            await nc.connect(**options)
+            nc = await nats.connect(**options)
        except:
            return "natsdown"

@@ -733,14 +659,16 @@ class Agent(BaseAuditModel):
                msg = await nc.request(
                    self.agent_id, msgpack.dumps(data), timeout=timeout
                )
-            except ErrTimeout:
+            except TimeoutError:
                ret = "timeout"
            else:
                try:
                    ret = msgpack.loads(msg.data)  # type: ignore
                except Exception as e:
-                    logger.error(e)
                    ret = str(e)
+                    await sync_to_async(self._do_nats_debug, thread_sensitive=False)(
+                        agent=self, message=ret
+                    )

            await nc.close()
            return ret
@@ -752,12 +680,9 @@ class Agent(BaseAuditModel):
    @staticmethod
    def serialize(agent):
        # serializes the agent and returns json
-        from .serializers import AgentEditSerializer
+        from .serializers import AgentAuditSerializer

-        ret = AgentEditSerializer(agent).data
-        del ret["all_timezones"]
-        del ret["client"]
-        return ret
+        return AgentAuditSerializer(agent).data

    def delete_superseded_updates(self):
        try:
@@ -772,7 +697,7 @@ class Agent(BaseAuditModel):
                # skip if no version info is available therefore nothing to parse
                try:
                    vers = [
-                        re.search(r"\(Version(.*?)\)", i).group(1).strip()
+                        re.search(r"\(Version(.*?)\)", i).group(1).strip()  # type: ignore
                        for i in titles
                    ]
                    sorted_vers = sorted(vers, key=LooseVersion)
@@ -807,7 +732,7 @@ class Agent(BaseAuditModel):
        from core.models import CoreSettings

        CORE = CoreSettings.objects.first()
-        CORE.send_mail(
+        CORE.send_mail(  # type: ignore
            f"{self.client.name}, {self.site.name}, {self.hostname} - data overdue",
            (
                f"Data has not been received from client {self.client.name}, "
@@ -822,7 +747,7 @@ class Agent(BaseAuditModel):
        from core.models import CoreSettings

        CORE = CoreSettings.objects.first()
-        CORE.send_mail(
+        CORE.send_mail(  # type: ignore
            f"{self.client.name}, {self.site.name}, {self.hostname} - data received",
            (
                f"Data has been received from client {self.client.name}, "
@@ -837,7 +762,7 @@ class Agent(BaseAuditModel):
        from core.models import CoreSettings

        CORE = CoreSettings.objects.first()
-        CORE.send_sms(
+        CORE.send_sms(  # type: ignore
            f"{self.client.name}, {self.site.name}, {self.hostname} - data overdue",
            alert_template=self.alert_template,
        )
@@ -846,36 +771,15 @@ class Agent(BaseAuditModel):
        from core.models import CoreSettings

        CORE = CoreSettings.objects.first()
-        CORE.send_sms(
+        CORE.send_sms(  # type: ignore
            f"{self.client.name}, {self.site.name}, {self.hostname} - data received",
            alert_template=self.alert_template,
        )


-RECOVERY_CHOICES = [
-    ("salt", "Salt"),
-    ("mesh", "Mesh"),
-    ("command", "Command"),
-    ("rpc", "Nats RPC"),
-    ("checkrunner", "Checkrunner"),
-]
-
-
-class RecoveryAction(models.Model):
-    agent = models.ForeignKey(
-        Agent,
-        related_name="recoveryactions",
-        on_delete=models.CASCADE,
-    )
-    mode = models.CharField(max_length=50, choices=RECOVERY_CHOICES, default="mesh")
-    command = models.TextField(null=True, blank=True)
-    last_run = models.DateTimeField(null=True, blank=True)
-
-    def __str__(self):
-        return f"{self.agent.hostname} - {self.mode}"
-
-
 class Note(models.Model):
+    objects = PermissionQuerySet.as_manager()
+
    agent = models.ForeignKey(
        Agent,
        related_name="notes",
@@ -896,6 +800,8 @@ class Note(models.Model):


 class AgentCustomField(models.Model):
+    objects = PermissionQuerySet.as_manager()
+
    agent = models.ForeignKey(
        Agent,
        related_name="custom_fields",
@@ -918,7 +824,7 @@ class AgentCustomField(models.Model):
    )

    def __str__(self):
-        return self.field
+        return self.field.name

    @property
    def value(self):
@@ -928,3 +834,59 @@ class AgentCustomField(models.Model):
            return self.bool_value
        else:
            return self.string_value
+
+    def save_to_field(self, value):
+        if self.field.type in [
+            "text",
+            "number",
+            "single",
+            "datetime",
+        ]:
+            self.string_value = value
+            self.save()
+        elif self.field.type == "multiple":
+            self.multiple_value = value.split(",")
+            self.save()
+        elif self.field.type == "checkbox":
+            self.bool_value = bool(value)
+            self.save()
+
+
+AGENT_HISTORY_TYPES = (
+    ("task_run", "Task Run"),
+    ("script_run", "Script Run"),
+    ("cmd_run", "CMD Run"),
+)
+
+AGENT_HISTORY_STATUS = (("success", "Success"), ("failure", "Failure"))
+
+
+class AgentHistory(models.Model):
+    objects = PermissionQuerySet.as_manager()
+
+    agent = models.ForeignKey(
+        Agent,
+        related_name="history",
+        on_delete=models.CASCADE,
+    )
+    time = models.DateTimeField(auto_now_add=True)
+    type = models.CharField(
+        max_length=50, choices=AGENT_HISTORY_TYPES, default="cmd_run"
+    )
+    command = models.TextField(null=True, blank=True, default="")
+    status = models.CharField(
+        max_length=50, choices=AGENT_HISTORY_STATUS, default="success"
+    )
+    username = models.CharField(max_length=255, default="system")
+    results = models.TextField(null=True, blank=True)
+    script = models.ForeignKey(
+        "scripts.Script",
+        null=True,
+        blank=True,
+        related_name="history",
+        on_delete=models.SET_NULL,
+    )
+    script_results = models.JSONField(null=True, blank=True)
+
+    def __str__(self):
+        return f"{self.agent.hostname} - {self.type}"
--- a/api/tacticalrmm/agents/permissions.py
+++ b/api/tacticalrmm/agents/permissions.py
@@ -1,16 +1,42 @@
 from rest_framework import permissions

-from tacticalrmm.permissions import _has_perm
+from tacticalrmm.permissions import _has_perm, _has_perm_on_agent
+
+
+class AgentPerms(permissions.BasePermission):
+    def has_permission(self, r, view):
+        if r.method == "GET":
+            if "agent_id" in view.kwargs.keys():
+                return _has_perm(r, "can_list_agents") and _has_perm_on_agent(
+                    r.user, view.kwargs["agent_id"]
+                )
+            else:
+                return _has_perm(r, "can_list_agents")
+        elif r.method == "DELETE":
+            return _has_perm(r, "can_uninstall_agents") and _has_perm_on_agent(
+                r.user, view.kwargs["agent_id"]
+            )
+        else:
+            if r.path == "/agents/maintenance/bulk/":
+                return _has_perm(r, "can_edit_agent")
+            else:
+                return _has_perm(r, "can_edit_agent") and _has_perm_on_agent(
+                    r.user, view.kwargs["agent_id"]
+                )
+
+
+class RecoverAgentPerms(permissions.BasePermission):
+    def has_permission(self, r, view):
+        return _has_perm(r, "can_recover_agents") and _has_perm_on_agent(
+            r.user, view.kwargs["agent_id"]
+        )


 class MeshPerms(permissions.BasePermission):
    def has_permission(self, r, view):
-        return _has_perm(r, "can_use_mesh")
-
-
-class UninstallPerms(permissions.BasePermission):
-    def has_permission(self, r, view):
-        return _has_perm(r, "can_uninstall_agents")
+        return _has_perm(r, "can_use_mesh") and _has_perm_on_agent(
+            r.user, view.kwargs["agent_id"]
+        )


 class UpdateAgentPerms(permissions.BasePermission):
@@ -18,29 +44,39 @@ class UpdateAgentPerms(permissions.BasePermission):
        return _has_perm(r, "can_update_agents")


-class EditAgentPerms(permissions.BasePermission):
+class PingAgentPerms(permissions.BasePermission):
    def has_permission(self, r, view):
-        return _has_perm(r, "can_edit_agent")
+        return _has_perm(r, "can_ping_agents") and _has_perm_on_agent(
+            r.user, view.kwargs["agent_id"]
+        )


 class ManageProcPerms(permissions.BasePermission):
    def has_permission(self, r, view):
-        return _has_perm(r, "can_manage_procs")
+        return _has_perm(r, "can_manage_procs") and _has_perm_on_agent(
+            r.user, view.kwargs["agent_id"]
+        )


 class EvtLogPerms(permissions.BasePermission):
    def has_permission(self, r, view):
-        return _has_perm(r, "can_view_eventlogs")
+        return _has_perm(r, "can_view_eventlogs") and _has_perm_on_agent(
+            r.user, view.kwargs["agent_id"]
+        )


 class SendCMDPerms(permissions.BasePermission):
    def has_permission(self, r, view):
-        return _has_perm(r, "can_send_cmd")
+        return _has_perm(r, "can_send_cmd") and _has_perm_on_agent(
+            r.user, view.kwargs["agent_id"]
+        )


 class RebootAgentPerms(permissions.BasePermission):
    def has_permission(self, r, view):
-        return _has_perm(r, "can_reboot_agents")
+        return _has_perm(r, "can_reboot_agents") and _has_perm_on_agent(
+            r.user, view.kwargs["agent_id"]
+        )


 class InstallAgentPerms(permissions.BasePermission):
@@ -50,14 +86,38 @@ class InstallAgentPerms(permissions.BasePermission):

 class RunScriptPerms(permissions.BasePermission):
    def has_permission(self, r, view):
-        return _has_perm(r, "can_run_scripts")
+        return _has_perm(r, "can_run_scripts") and _has_perm_on_agent(
+            r.user, view.kwargs["agent_id"]
+        )


-class ManageNotesPerms(permissions.BasePermission):
+class AgentNotesPerms(permissions.BasePermission):
    def has_permission(self, r, view):
-        return _has_perm(r, "can_manage_notes")
+
+        # permissions for GET /agents/notes/ endpoint
+        if r.method == "GET":
+
+            # permissions for /agents/<agent_id>/notes endpoint
+            if "agent_id" in view.kwargs.keys():
+                return _has_perm(r, "can_list_notes") and _has_perm_on_agent(
+                    r.user, view.kwargs["agent_id"]
+                )
+            else:
+                return _has_perm(r, "can_list_notes")
+        else:
+            return _has_perm(r, "can_manage_notes")


 class RunBulkPerms(permissions.BasePermission):
    def has_permission(self, r, view):
        return _has_perm(r, "can_run_bulk")
+
+
+class AgentHistoryPerms(permissions.BasePermission):
+    def has_permission(self, r, view):
+        if "agent_id" in view.kwargs.keys():
+            return _has_perm(r, "can_list_agent_history") and _has_perm_on_agent(
+                r.user, view.kwargs["agent_id"]
+            )
+        else:
+            return _has_perm(r, "can_list_agent_history")
--- a/api/tacticalrmm/agents/serializers.py
+++ b/api/tacticalrmm/agents/serializers.py
@@ -1,14 +1,30 @@
 import pytz
 from rest_framework import serializers
-
-from clients.serializers import ClientSerializer
 from winupdate.serializers import WinUpdatePolicySerializer

-from .models import Agent, AgentCustomField, Note
+from .models import Agent, AgentCustomField, AgentHistory, Note
+
+
+class AgentCustomFieldSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = AgentCustomField
+        fields = (
+            "id",
+            "field",
+            "agent",
+            "value",
+            "string_value",
+            "bool_value",
+            "multiple_value",
+        )
+        extra_kwargs = {
+            "string_value": {"write_only": True},
+            "bool_value": {"write_only": True},
+            "multiple_value": {"write_only": True},
+        }


 class AgentSerializer(serializers.ModelSerializer):
-    # for vue
    winupdatepolicy = WinUpdatePolicySerializer(many=True, read_only=True)
    status = serializers.ReadOnlyField()
    cpu_model = serializers.ReadOnlyField()
@@ -19,28 +35,45 @@ class AgentSerializer(serializers.ModelSerializer):
    checks = serializers.ReadOnlyField()
    timezone = serializers.ReadOnlyField()
    all_timezones = serializers.SerializerMethodField()
-    client_name = serializers.ReadOnlyField(source="client.name")
+    client = serializers.ReadOnlyField(source="client.name")
    site_name = serializers.ReadOnlyField(source="site.name")
+    custom_fields = AgentCustomFieldSerializer(many=True, read_only=True)
+    patches_last_installed = serializers.ReadOnlyField()
+    last_seen = serializers.ReadOnlyField()
+    applied_policies = serializers.SerializerMethodField()
+    effective_patch_policy = serializers.SerializerMethodField()
+    alert_template = serializers.SerializerMethodField()
+
+    def get_alert_template(self, obj):
+        from alerts.serializers import AlertTemplateSerializer
+
+        return (
+            AlertTemplateSerializer(obj.alert_template).data
+            if obj.alert_template
+            else None
+        )
+
+    def get_effective_patch_policy(self, obj):
+        return WinUpdatePolicySerializer(obj.get_patch_policy()).data
+
+    def get_applied_policies(self, obj):
+        from automation.serializers import PolicySerializer
+
+        policies = obj.get_agent_policies()
+
+        # need to serialize model objects manually
+        for key, policy in policies.items():
+            if policy:
+                policies[key] = PolicySerializer(policy).data
+
+        return policies

    def get_all_timezones(self, obj):
        return pytz.all_timezones

    class Meta:
        model = Agent
-        exclude = [
-            "last_seen",
-        ]
-
-
-class AgentOverdueActionSerializer(serializers.ModelSerializer):
-    class Meta:
-        model = Agent
-        fields = [
-            "pk",
-            "overdue_email_alert",
-            "overdue_text_alert",
-            "overdue_dashboard_alert",
-        ]
+        exclude = ["id"]


 class AgentTableSerializer(serializers.ModelSerializer):
@@ -88,10 +121,9 @@ class AgentTableSerializer(serializers.ModelSerializer):
    class Meta:
        model = Agent
        fields = [
-            "id",
+            "agent_id",
            "alert_template",
            "hostname",
-            "agent_id",
            "site_name",
            "client_name",
            "monitoring_type",
@@ -111,61 +143,12 @@ class AgentTableSerializer(serializers.ModelSerializer):
            "italic",
            "policy",
            "block_policy_inheritance",
+            "plat",
+            "goarch",
        ]
        depth = 2


-class AgentCustomFieldSerializer(serializers.ModelSerializer):
-    class Meta:
-        model = AgentCustomField
-        fields = (
-            "id",
-            "field",
-            "agent",
-            "value",
-            "string_value",
-            "bool_value",
-            "multiple_value",
-        )
-        extra_kwargs = {
-            "string_value": {"write_only": True},
-            "bool_value": {"write_only": True},
-            "multiple_value": {"write_only": True},
-        }
-
-
-class AgentEditSerializer(serializers.ModelSerializer):
-    winupdatepolicy = WinUpdatePolicySerializer(many=True, read_only=True)
-    all_timezones = serializers.SerializerMethodField()
-    client = ClientSerializer(read_only=True)
-    custom_fields = AgentCustomFieldSerializer(many=True, read_only=True)
-
-    def get_all_timezones(self, obj):
-        return pytz.all_timezones
-
-    class Meta:
-        model = Agent
-        fields = [
-            "id",
-            "hostname",
-            "client",
-            "site",
-            "monitoring_type",
-            "description",
-            "time_zone",
-            "timezone",
-            "check_interval",
-            "overdue_time",
-            "offline_time",
-            "overdue_text_alert",
-            "overdue_email_alert",
-            "all_timezones",
-            "winupdatepolicy",
-            "policy",
-            "custom_fields",
-        ]
-
-
 class WinAgentSerializer(serializers.ModelSerializer):
    class Meta:
        model = Agent
@@ -179,24 +162,38 @@ class AgentHostnameSerializer(serializers.ModelSerializer):
    class Meta:
        model = Agent
        fields = (
+            "id",
            "hostname",
-            "pk",
+            "agent_id",
            "client",
            "site",
        )


-class NoteSerializer(serializers.ModelSerializer):
+class AgentNoteSerializer(serializers.ModelSerializer):
    username = serializers.ReadOnlyField(source="user.username")
+    agent_id = serializers.ReadOnlyField(source="agent.agent_id")

    class Meta:
        model = Note
-        fields = "__all__"
+        fields = ("pk", "entry_time", "agent", "user", "note", "username", "agent_id")
+        extra_kwargs = {"agent": {"write_only": True}, "user": {"write_only": True}}


-class NotesSerializer(serializers.ModelSerializer):
-    notes = NoteSerializer(many=True, read_only=True)
+class AgentHistorySerializer(serializers.ModelSerializer):
+    time = serializers.SerializerMethodField(read_only=True)
+    script_name = serializers.ReadOnlyField(source="script.name")

+    class Meta:
+        model = AgentHistory
+        fields = "__all__"
+
+    def get_time(self, history):
+        tz = self.context["default_tz"]
+        return history.time.astimezone(tz).strftime("%m %d %Y %H:%M:%S")
+
+
+class AgentAuditSerializer(serializers.ModelSerializer):
    class Meta:
        model = Agent
-        fields = ["hostname", "pk", "notes"]
+        exclude = ["disks", "services", "wmi_detail"]
--- a/api/tacticalrmm/agents/tasks.py
+++ b/api/tacticalrmm/agents/tasks.py
@@ -1,52 +1,40 @@
 import asyncio
 import datetime as dt
 import random
-import tempfile
-import json
-import subprocess
-import urllib.parse
 from time import sleep
 from typing import Union

+from agents.models import Agent
+from agents.utils import get_agent_url
+from core.models import CoreSettings
 from django.conf import settings
 from django.utils import timezone as djangotime
-from loguru import logger
+from logs.models import DebugLog, PendingAction
 from packaging import version as pyver
-
-from agents.models import Agent
-from core.models import CodeSignToken, CoreSettings
-from logs.models import PendingAction
 from scripts.models import Script
+
 from tacticalrmm.celery import app
-from tacticalrmm.utils import run_nats_api_cmd
-
-logger.configure(**settings.LOG_CONFIG)


-def agent_update(pk: int, codesigntoken: str = None, force: bool = False) -> str:
-    from agents.utils import get_exegen_url
+def agent_update(agent_id: str, force: bool = False) -> str:

-    agent = Agent.objects.get(pk=pk)
+    agent = Agent.objects.get(agent_id=agent_id)

    if pyver.parse(agent.version) <= pyver.parse("1.3.0"):
        return "not supported"

    # skip if we can't determine the arch
    if agent.arch is None:
-        logger.warning(
-            f"Unable to determine arch on {agent.hostname}. Skipping agent update."
+        DebugLog.warning(
+            agent=agent,
+            log_type="agent_issues",
+            message=f"Unable to determine arch on {agent.hostname}({agent.agent_id}). Skipping agent update.",
        )
        return "noarch"

    version = settings.LATEST_AGENT_VER
    inno = agent.win_inno_exe
-
-    if codesigntoken is not None and pyver.parse(version) >= pyver.parse("1.5.0"):
-        base_url = get_exegen_url() + "/api/v1/winagents/?"
-        params = {"version": version, "arch": agent.arch, "token": codesigntoken}
-        url = base_url + urllib.parse.urlencode(params)
-    else:
-        url = agent.winagent_dl
+    url = get_agent_url(agent.arch, agent.plat)

    if not force:
        if agent.pendingactions.filter(
@@ -79,31 +67,21 @@ def agent_update(pk: int, codesigntoken: str = None, force: bool = False) -> str


@app.task
-def force_code_sign(pks: list[int]) -> None:
-    try:
-        token = CodeSignToken.objects.first().token
-    except:
-        return
-
-    chunks = (pks[i : i + 50] for i in range(0, len(pks), 50))
+def force_code_sign(agent_ids: list[str]) -> None:
+    chunks = (agent_ids[i : i + 50] for i in range(0, len(agent_ids), 50))
    for chunk in chunks:
-        for pk in chunk:
-            agent_update(pk=pk, codesigntoken=token, force=True)
+        for agent_id in chunk:
+            agent_update(agent_id=agent_id, force=True)
            sleep(0.05)
        sleep(4)


@app.task
-def send_agent_update_task(pks: list[int]) -> None:
-    try:
-        codesigntoken = CodeSignToken.objects.first().token
-    except:
-        codesigntoken = None
-
-    chunks = (pks[i : i + 30] for i in range(0, len(pks), 30))
+def send_agent_update_task(agent_ids: list[str]) -> None:
+    chunks = (agent_ids[i : i + 50] for i in range(0, len(agent_ids), 50))
    for chunk in chunks:
-        for pk in chunk:
-            agent_update(pk, codesigntoken)
+        for agent_id in chunk:
+            agent_update(agent_id)
            sleep(0.05)
        sleep(4)

@@ -111,25 +89,20 @@ def send_agent_update_task(pks: list[int]) -> None:
@app.task
 def auto_self_agent_update_task() -> None:
    core = CoreSettings.objects.first()
-    if not core.agent_auto_update:
+    if not core.agent_auto_update:  # type:ignore
        return

-    try:
-        codesigntoken = CodeSignToken.objects.first().token
-    except:
-        codesigntoken = None
-
-    q = Agent.objects.only("pk", "version")
-    pks: list[int] = [
-        i.pk
+    q = Agent.objects.only("agent_id", "version")
+    agent_ids: list[str] = [
+        i.agent_id
        for i in q
        if pyver.parse(i.version) < pyver.parse(settings.LATEST_AGENT_VER)
    ]

-    chunks = (pks[i : i + 30] for i in range(0, len(pks), 30))
+    chunks = (agent_ids[i : i + 30] for i in range(0, len(agent_ids), 30))
    for chunk in chunks:
-        for pk in chunk:
-            agent_update(pk, codesigntoken)
+        for agent_id in chunk:
+            agent_update(agent_id)
            sleep(0.05)
        sleep(4)

@@ -235,14 +208,24 @@ def run_script_email_results_task(
    nats_timeout: int,
    emails: list[str],
    args: list[str] = [],
+    history_pk: int = 0,
 ):
    agent = Agent.objects.get(pk=agentpk)
    script = Script.objects.get(pk=scriptpk)
    r = agent.run_script(
-        scriptpk=script.pk, args=args, full=True, timeout=nats_timeout, wait=True
+        scriptpk=script.pk,
+        args=args,
+        full=True,
+        timeout=nats_timeout,
+        wait=True,
+        history_pk=history_pk,
    )
    if r == "timeout":
-        logger.error(f"{agent.hostname} timed out running script.")
+        DebugLog.error(
+            agent=agent,
+            log_type="scripting",
+            message=f"{agent.hostname}({agent.pk}) timed out running script.",
+        )
        return

    CORE = CoreSettings.objects.first()
@@ -258,33 +241,37 @@ def run_script_email_results_task(

    msg = EmailMessage()
    msg["Subject"] = subject
-    msg["From"] = CORE.smtp_from_email
+    msg["From"] = CORE.smtp_from_email  # type:ignore

    if emails:
        msg["To"] = ", ".join(emails)
    else:
-        msg["To"] = ", ".join(CORE.email_alert_recipients)
+        msg["To"] = ", ".join(CORE.email_alert_recipients)  # type:ignore

    msg.set_content(body)

    try:
-        with smtplib.SMTP(CORE.smtp_host, CORE.smtp_port, timeout=20) as server:
-            if CORE.smtp_requires_auth:
+        with smtplib.SMTP(
+            CORE.smtp_host, CORE.smtp_port, timeout=20  # type:ignore
+        ) as server:  # type:ignore
+            if CORE.smtp_requires_auth:  # type:ignore
                server.ehlo()
                server.starttls()
-                server.login(CORE.smtp_host_user, CORE.smtp_host_password)
+                server.login(
+                    CORE.smtp_host_user, CORE.smtp_host_password  # type:ignore
+                )  # type:ignore
                server.send_message(msg)
                server.quit()
            else:
                server.send_message(msg)
                server.quit()
    except Exception as e:
-        logger.error(e)
+        DebugLog.error(message=str(e))


@app.task
 def clear_faults_task(older_than_days: int) -> None:
-    # https://github.com/wh1te909/tacticalrmm/issues/484
+    # https://github.com/amidaware/tacticalrmm/issues/484
    agents = Agent.objects.exclude(last_seen__isnull=True).filter(
        last_seen__lt=djangotime.now() - djangotime.timedelta(days=older_than_days)
    )
@@ -311,37 +298,11 @@ def clear_faults_task(older_than_days: int) -> None:


@app.task
-def monitor_agents_task() -> None:
-    agents = Agent.objects.only(
-        "pk", "agent_id", "last_seen", "overdue_time", "offline_time"
-    )
-    ids = [i.agent_id for i in agents if i.status != "online"]
-    run_nats_api_cmd("monitor", ids)
+def prune_agent_history(older_than_days: int) -> str:
+    from .models import AgentHistory

+    AgentHistory.objects.filter(
+        time__lt=djangotime.now() - djangotime.timedelta(days=older_than_days)
+    ).delete()

-@app.task
-def get_wmi_task() -> None:
-    agents = Agent.objects.only(
-        "pk", "agent_id", "last_seen", "overdue_time", "offline_time"
-    )
-    ids = [i.agent_id for i in agents if i.status == "online"]
-    run_nats_api_cmd("wmi", ids, timeout=45)
-
-
-@app.task
-def agent_checkin_task() -> None:
-    db = settings.DATABASES["default"]
-    config = {
-        "key": settings.SECRET_KEY,
-        "natsurl": f"tls://{settings.ALLOWED_HOSTS[0]}:4222",
-        "user": db["USER"],
-        "pass": db["PASSWORD"],
-        "host": db["HOST"],
-        "port": int(db["PORT"]),
-        "dbname": db["NAME"],
-    }
-    with tempfile.NamedTemporaryFile() as fp:
-        with open(fp.name, "w") as f:
-            json.dump(config, f)
-        cmd = ["/usr/local/bin/nats-api", "-c", fp.name, "-m", "checkin"]
-        subprocess.run(cmd, timeout=30)
+    return "ok"
--- a/api/tacticalrmm/agents/tests.py
+++ b/api/tacticalrmm/agents/tests.py
--- a/api/tacticalrmm/agents/urls.py
+++ b/api/tacticalrmm/agents/urls.py
@@ -1,32 +1,43 @@
+from autotasks.views import GetAddAutoTasks
+from checks.views import GetAddChecks
 from django.urls import path
+from logs.views import PendingActions

 from . import views

 urlpatterns = [
-    path("listagents/", views.AgentsTableList.as_view()),
-    path("listagentsnodetail/", views.list_agents_no_detail),
-    path("<int:pk>/agenteditdetails/", views.agent_edit_details),
-    path("overdueaction/", views.overdue_action),
-    path("sendrawcmd/", views.send_raw_cmd),
-    path("<pk>/agentdetail/", views.agent_detail),
-    path("<int:pk>/meshcentral/", views.meshcentral),
-    path("<str:arch>/getmeshexe/", views.get_mesh_exe),
-    path("uninstall/", views.uninstall),
-    path("editagent/", views.edit_agent),
-    path("<pk>/geteventlog/<logtype>/<days>/", views.get_event_log),
-    path("getagentversions/", views.get_agent_versions),
-    path("updateagents/", views.update_agents),
-    path("<pk>/getprocs/", views.get_processes),
-    path("<pk>/<pid>/killproc/", views.kill_proc),
-    path("reboot/", views.Reboot.as_view()),
-    path("installagent/", views.install_agent),
-    path("<int:pk>/ping/", views.ping),
-    path("recover/", views.recover),
-    path("runscript/", views.run_script),
-    path("<int:pk>/recovermesh/", views.recover_mesh),
-    path("<int:pk>/notes/", views.GetAddNotes.as_view()),
-    path("<int:pk>/note/", views.GetEditDeleteNote.as_view()),
-    path("bulk/", views.bulk),
-    path("maintenance/", views.agent_maintenance),
-    path("<int:pk>/wmi/", views.WMI.as_view()),
+    # agent views
+    path("", views.GetAgents.as_view()),
+    path("<agent:agent_id>/", views.GetUpdateDeleteAgent.as_view()),
+    path("<agent:agent_id>/cmd/", views.send_raw_cmd),
+    path("<agent:agent_id>/runscript/", views.run_script),
+    path("<agent:agent_id>/wmi/", views.WMI.as_view()),
+    path("<agent:agent_id>/recover/", views.recover),
+    path("<agent:agent_id>/reboot/", views.Reboot.as_view()),
+    path("<agent:agent_id>/ping/", views.ping),
+    # alias for checks get view
+    path("<agent:agent_id>/checks/", GetAddChecks.as_view()),
+    # alias for autotasks get view
+    path("<agent:agent_id>/tasks/", GetAddAutoTasks.as_view()),
+    # alias for pending actions get view
+    path("<agent:agent_id>/pendingactions/", PendingActions.as_view()),
+    # agent remote background
+    path("<agent:agent_id>/meshcentral/", views.AgentMeshCentral.as_view()),
+    path("<agent:agent_id>/meshcentral/recover/", views.AgentMeshCentral.as_view()),
+    path("<agent:agent_id>/processes/", views.AgentProcesses.as_view()),
+    path("<agent:agent_id>/processes/<int:pid>/", views.AgentProcesses.as_view()),
+    path("<agent:agent_id>/eventlog/<str:logtype>/<int:days>/", views.get_event_log),
+    # agent history
+    path("history/", views.AgentHistoryView.as_view()),
+    path("<agent:agent_id>/history/", views.AgentHistoryView.as_view()),
+    # agent notes
+    path("notes/", views.GetAddNotes.as_view()),
+    path("notes/<int:pk>/", views.GetEditDeleteNote.as_view()),
+    path("<agent:agent_id>/notes/", views.GetAddNotes.as_view()),
+    # bulk actions
+    path("maintenance/bulk/", views.agent_maintenance),
+    path("actions/bulk/", views.bulk),
+    path("versions/", views.get_agent_versions),
+    path("update/", views.update_agents),
+    path("installer/", views.install_agent),
 ]
--- a/api/tacticalrmm/agents/utils.py
+++ b/api/tacticalrmm/agents/utils.py
@@ -1,37 +1,88 @@
-import random
+import asyncio
+import tempfile
 import urllib.parse

-import requests
+from core.models import CodeSignToken, CoreSettings
+from core.utils import get_mesh_device_id, get_mesh_ws_url
 from django.conf import settings
+from django.http import FileResponse
+
+from tacticalrmm.constants import MeshAgentIdent


-def get_exegen_url() -> str:
-    urls: list[str] = settings.EXE_GEN_URLS
-    for url in urls:
-        try:
-            r = requests.get(url, timeout=10)
-        except:
-            continue
+def get_agent_url(arch: str, plat: str) -> str:

-        if r.status_code == 200:
-            return url
-
-    return random.choice(urls)
-
-
-def get_winagent_url(arch: str) -> str:
-    from core.models import CodeSignToken
+    if plat == "windows":
+        endpoint = "winagents"
+        dl_url = settings.DL_32 if arch == "32" else settings.DL_64
+    else:
+        endpoint = "linuxagents"
+        dl_url = ""

    try:
-        codetoken = CodeSignToken.objects.first().token
-        base_url = get_exegen_url() + "/api/v1/winagents/?"
-        params = {
-            "version": settings.LATEST_AGENT_VER,
-            "arch": arch,
-            "token": codetoken,
-        }
-        dl_url = base_url + urllib.parse.urlencode(params)
+        t: CodeSignToken = CodeSignToken.objects.first()  # type: ignore
+        if t.is_valid:
+            base_url = settings.EXE_GEN_URL + f"/api/v1/{endpoint}/?"
+            params = {
+                "version": settings.LATEST_AGENT_VER,
+                "arch": arch,
+                "token": t.token,
+            }
+            dl_url = base_url + urllib.parse.urlencode(params)
    except:
-        dl_url = settings.DL_64 if arch == "64" else settings.DL_32
+        pass

    return dl_url
+
+
+def generate_linux_install(
+    client: str,
+    site: str,
+    agent_type: str,
+    arch: str,
+    token: str,
+    api: str,
+    download_url: str,
+) -> FileResponse:
+
+    match arch:
+        case "amd64":
+            arch_id = MeshAgentIdent.LINUX64
+        case "386":
+            arch_id = MeshAgentIdent.LINUX32
+        case "arm64":
+            arch_id = MeshAgentIdent.LINUX_ARM_64
+        case "arm":
+            arch_id = MeshAgentIdent.LINUX_ARM_HF
+
+    core: CoreSettings = CoreSettings.objects.first()  # type: ignore
+
+    uri = get_mesh_ws_url()
+    mesh_id = asyncio.run(get_mesh_device_id(uri, core.mesh_device_group))
+    mesh_dl = f"{core.mesh_site}/meshagents?id={mesh_id}&installflags=0&meshinstall={arch_id}"  # type: ignore
+
+    sh = settings.LINUX_AGENT_SCRIPT
+    with open(sh, "r") as f:
+        text = f.read()
+
+    replace = {
+        "agentDLChange": download_url,
+        "meshDLChange": mesh_dl,
+        "clientIDChange": client,
+        "siteIDChange": site,
+        "agentTypeChange": agent_type,
+        "tokenChange": token,
+        "apiURLChange": api,
+    }
+
+    for i, j in replace.items():
+        text = text.replace(i, j)
+
+    with tempfile.NamedTemporaryFile() as fp:
+        with open(fp.name, "w") as f:
+            f.write(text)
+            f.write("\n")
+
+        return FileResponse(
+            open(fp.name, "rb"), as_attachment=True, filename="linux_agent_install.sh"
+        )
--- a/api/tacticalrmm/agents/views.py
+++ b/api/tacticalrmm/agents/views.py
--- a/api/tacticalrmm/alerts/migrations/0007_auto_20210721_0423.py
+++ b/api/tacticalrmm/alerts/migrations/0007_auto_20210721_0423.py
@@ -0,0 +1,33 @@
+# Generated by Django 3.2.1 on 2021-07-21 04:23
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('alerts', '0006_auto_20210217_1736'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='alerttemplate',
+            name='created_by',
+            field=models.CharField(blank=True, max_length=100, null=True),
+        ),
+        migrations.AddField(
+            model_name='alerttemplate',
+            name='created_time',
+            field=models.DateTimeField(auto_now_add=True, null=True),
+        ),
+        migrations.AddField(
+            model_name='alerttemplate',
+            name='modified_by',
+            field=models.CharField(blank=True, max_length=100, null=True),
+        ),
+        migrations.AddField(
+            model_name='alerttemplate',
+            name='modified_time',
+            field=models.DateTimeField(auto_now=True, null=True),
+        ),
+    ]
--- a/api/tacticalrmm/alerts/migrations/0008_auto_20210721_1757.py
+++ b/api/tacticalrmm/alerts/migrations/0008_auto_20210721_1757.py
@@ -0,0 +1,28 @@
+# Generated by Django 3.2.1 on 2021-07-21 17:57
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('alerts', '0007_auto_20210721_0423'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='alerttemplate',
+            name='agent_script_actions',
+            field=models.BooleanField(blank=True, default=None, null=True),
+        ),
+        migrations.AddField(
+            model_name='alerttemplate',
+            name='check_script_actions',
+            field=models.BooleanField(blank=True, default=None, null=True),
+        ),
+        migrations.AddField(
+            model_name='alerttemplate',
+            name='task_script_actions',
+            field=models.BooleanField(blank=True, default=None, null=True),
+        ),
+    ]
--- a/api/tacticalrmm/alerts/migrations/0009_auto_20210721_1810.py
+++ b/api/tacticalrmm/alerts/migrations/0009_auto_20210721_1810.py
@@ -0,0 +1,28 @@
+# Generated by Django 3.2.1 on 2021-07-21 18:10
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('alerts', '0008_auto_20210721_1757'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='alerttemplate',
+            name='agent_script_actions',
+            field=models.BooleanField(blank=True, default=True, null=True),
+        ),
+        migrations.AlterField(
+            model_name='alerttemplate',
+            name='check_script_actions',
+            field=models.BooleanField(blank=True, default=True, null=True),
+        ),
+        migrations.AlterField(
+            model_name='alerttemplate',
+            name='task_script_actions',
+            field=models.BooleanField(blank=True, default=True, null=True),
+        ),
+    ]
--- a/api/tacticalrmm/alerts/migrations/0010_auto_20210917_1954.py
+++ b/api/tacticalrmm/alerts/migrations/0010_auto_20210917_1954.py
@@ -0,0 +1,23 @@
+# Generated by Django 3.2.6 on 2021-09-17 19:54
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("alerts", "0009_auto_20210721_1810"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="alerttemplate",
+            name="created_by",
+            field=models.CharField(blank=True, max_length=255, null=True),
+        ),
+        migrations.AlterField(
+            model_name="alerttemplate",
+            name="modified_by",
+            field=models.CharField(blank=True, max_length=255, null=True),
+        ),
+    ]
--- a/api/tacticalrmm/alerts/models.py
+++ b/api/tacticalrmm/alerts/models.py
@@ -3,19 +3,19 @@ from __future__ import annotations
 import re
 from typing import TYPE_CHECKING, Union

-from django.conf import settings
 from django.contrib.postgres.fields import ArrayField
 from django.db import models
 from django.db.models.fields import BooleanField, PositiveIntegerField
 from django.utils import timezone as djangotime
-from loguru import logger
+from logs.models import BaseAuditModel, DebugLog
+
+from tacticalrmm.models import PermissionQuerySet

 if TYPE_CHECKING:
    from agents.models import Agent
    from autotasks.models import AutomatedTask
    from checks.models import Check

-logger.configure(**settings.LOG_CONFIG)

 SEVERITY_CHOICES = [
    ("info", "Informational"),
@@ -32,6 +32,8 @@ ALERT_TYPE_CHOICES = [


 class Alert(models.Model):
+    objects = PermissionQuerySet.as_manager()
+
    agent = models.ForeignKey(
        "agents.Agent",
        related_name="agent",
@@ -173,6 +175,7 @@ class Alert(models.Model):
                always_email = alert_template.agent_always_email
                always_text = alert_template.agent_always_text
                alert_interval = alert_template.agent_periodic_alert_days
+                run_script_action = alert_template.agent_script_actions

            if instance.should_create_alert(alert_template):
                alert = cls.create_or_return_availability_alert(instance)
@@ -209,6 +212,7 @@ class Alert(models.Model):
                always_email = alert_template.check_always_email
                always_text = alert_template.check_always_text
                alert_interval = alert_template.check_periodic_alert_days
+                run_script_action = alert_template.check_script_actions

            if instance.should_create_alert(alert_template):
                alert = cls.create_or_return_check_alert(instance)
@@ -242,6 +246,7 @@ class Alert(models.Model):
                always_email = alert_template.task_always_email
                always_text = alert_template.task_always_text
                alert_interval = alert_template.task_periodic_alert_days
+                run_script_action = alert_template.task_script_actions

            if instance.should_create_alert(alert_template):
                alert = cls.create_or_return_task_alert(instance)
@@ -295,7 +300,7 @@ class Alert(models.Model):
                text_task.delay(pk=alert.pk, alert_interval=alert_interval)

        # check if any scripts should be run
-        if alert_template and alert_template.action and not alert.action_run:
+        if alert_template and alert_template.action and run_script_action and not alert.action_run:  # type: ignore
            r = agent.run_script(
                scriptpk=alert_template.action.pk,
                args=alert.parse_script_args(alert_template.action_args),
@@ -314,8 +319,10 @@ class Alert(models.Model):
                alert.action_run = djangotime.now()
                alert.save()
            else:
-                logger.error(
-                    f"Failure action: {alert_template.action.name} failed to run on any agent for {agent.hostname} failure alert"
+                DebugLog.error(
+                    agent=agent,
+                    log_type="scripting",
+                    message=f"Failure action: {alert_template.action.name} failed to run on any agent for {agent.hostname}({agent.pk}) failure alert",
                )

    @classmethod
@@ -345,6 +352,7 @@ class Alert(models.Model):
            if alert_template:
                email_on_resolved = alert_template.agent_email_on_resolved
                text_on_resolved = alert_template.agent_text_on_resolved
+                run_script_action = alert_template.agent_script_actions

        elif isinstance(instance, Check):
            from checks.tasks import (
@@ -363,6 +371,7 @@ class Alert(models.Model):
            if alert_template:
                email_on_resolved = alert_template.check_email_on_resolved
                text_on_resolved = alert_template.check_text_on_resolved
+                run_script_action = alert_template.check_script_actions

        elif isinstance(instance, AutomatedTask):
            from autotasks.tasks import (
@@ -381,6 +390,7 @@ class Alert(models.Model):
            if alert_template:
                email_on_resolved = alert_template.task_email_on_resolved
                text_on_resolved = alert_template.task_text_on_resolved
+                run_script_action = alert_template.task_script_actions

        else:
            return
@@ -403,6 +413,7 @@ class Alert(models.Model):
        if (
            alert_template
            and alert_template.resolved_action
+            and run_script_action  # type: ignore
            and not alert.resolved_action_run
        ):
            r = agent.run_script(
@@ -425,8 +436,10 @@ class Alert(models.Model):
                alert.resolved_action_run = djangotime.now()
                alert.save()
            else:
-                logger.error(
-                    f"Resolved action: {alert_template.action.name} failed to run on any agent for {agent.hostname} resolved alert"
+                DebugLog.error(
+                    agent=agent,
+                    log_type="scripting",
+                    message=f"Resolved action: {alert_template.action.name} failed to run on any agent for {agent.hostname}({agent.pk}) resolved alert",
                )

    def parse_script_args(self, args: list[str]):
@@ -443,7 +456,8 @@ class Alert(models.Model):
            if match:
                name = match.group(1)

-                if hasattr(self, name):
+                # check if attr exists and isn't a function
+                if hasattr(self, name) and not callable(getattr(self, name)):
                    value = f"'{getattr(self, name)}'"
                else:
                    continue
@@ -451,7 +465,7 @@ class Alert(models.Model):
                try:
                    temp_args.append(re.sub("\\{\\{.*\\}\\}", value, arg))  # type: ignore
                except Exception as e:
-                    logger.error(e)
+                    DebugLog.error(log_type="scripting", message=str(e))
                    continue

            else:
@@ -460,7 +474,7 @@ class Alert(models.Model):
        return temp_args


-class AlertTemplate(models.Model):
+class AlertTemplate(BaseAuditModel):
    name = models.CharField(max_length=100)
    is_active = models.BooleanField(default=True)

@@ -517,6 +531,7 @@ class AlertTemplate(models.Model):
    agent_always_text = BooleanField(null=True, blank=True, default=None)
    agent_always_alert = BooleanField(null=True, blank=True, default=None)
    agent_periodic_alert_days = PositiveIntegerField(blank=True, null=True, default=0)
+    agent_script_actions = BooleanField(null=True, blank=True, default=True)

    # check alert settings
    check_email_alert_severity = ArrayField(
@@ -540,6 +555,7 @@ class AlertTemplate(models.Model):
    check_always_text = BooleanField(null=True, blank=True, default=None)
    check_always_alert = BooleanField(null=True, blank=True, default=None)
    check_periodic_alert_days = PositiveIntegerField(blank=True, null=True, default=0)
+    check_script_actions = BooleanField(null=True, blank=True, default=True)

    # task alert settings
    task_email_alert_severity = ArrayField(
@@ -563,6 +579,7 @@ class AlertTemplate(models.Model):
    task_always_text = BooleanField(null=True, blank=True, default=None)
    task_always_alert = BooleanField(null=True, blank=True, default=None)
    task_periodic_alert_days = PositiveIntegerField(blank=True, null=True, default=0)
+    task_script_actions = BooleanField(null=True, blank=True, default=True)

    # exclusion settings
    exclude_workstations = BooleanField(null=True, blank=True, default=False)
@@ -581,6 +598,24 @@ class AlertTemplate(models.Model):
    def __str__(self):
        return self.name

+    def is_agent_excluded(self, agent):
+        return (
+            agent in self.excluded_agents.all()
+            or agent.site in self.excluded_sites.all()
+            or agent.client in self.excluded_clients.all()
+            or agent.monitoring_type == "workstation"
+            and self.exclude_workstations
+            or agent.monitoring_type == "server"
+            and self.exclude_servers
+        )
+
+    @staticmethod
+    def serialize(alert_template):
+        # serializes the agent and returns json
+        from .serializers import AlertTemplateAuditSerializer
+
+        return AlertTemplateAuditSerializer(alert_template).data
+
    @property
    def has_agent_settings(self) -> bool:
        return (
--- a/api/tacticalrmm/alerts/permissions.py
+++ b/api/tacticalrmm/alerts/permissions.py
@@ -1,11 +1,55 @@
+from django.shortcuts import get_object_or_404
 from rest_framework import permissions

-from tacticalrmm.permissions import _has_perm
+from tacticalrmm.permissions import _has_perm, _has_perm_on_agent


-class ManageAlertsPerms(permissions.BasePermission):
+def _has_perm_on_alert(user, id: int):
+    from alerts.models import Alert
+
+    role = user.role
+    if user.is_superuser or (role and getattr(role, "is_superuser")):
+        return True
+
+    # make sure non-superusers with empty roles aren't permitted
+    elif not role:
+        return False
+
+    alert = get_object_or_404(Alert, id=id)
+
+    if alert.agent:
+        agent_id = alert.agent.agent_id
+    elif alert.assigned_check:
+        agent_id = alert.assigned_check.agent.agent_id
+    elif alert.assigned_task:
+        agent_id = alert.assigned_task.agent.agent_id
+    else:
+        return True
+
+    return _has_perm_on_agent(user, agent_id)
+
+
+class AlertPerms(permissions.BasePermission):
    def has_permission(self, r, view):
        if r.method == "GET" or r.method == "PATCH":
-            return True
+            if "pk" in view.kwargs.keys():
+                return _has_perm(r, "can_list_alerts") and _has_perm_on_alert(
+                    r.user, view.kwargs["pk"]
+                )
+            else:
+                return _has_perm(r, "can_list_alerts")
+        else:
+            if "pk" in view.kwargs.keys():
+                return _has_perm(r, "can_manage_alerts") and _has_perm_on_alert(
+                    r.user, view.kwargs["pk"]
+                )
+            else:
+                return _has_perm(r, "can_manage_alerts")

-        return _has_perm(r, "can_manage_alerts")
+
+class AlertTemplatePerms(permissions.BasePermission):
+    def has_permission(self, r, view):
+        if r.method == "GET":
+            return _has_perm(r, "can_list_alerttemplates")
+        else:
+            return _has_perm(r, "can_manage_alerttemplates")
--- a/api/tacticalrmm/alerts/serializers.py
+++ b/api/tacticalrmm/alerts/serializers.py
@@ -1,8 +1,8 @@
+from automation.serializers import PolicySerializer
+from clients.serializers import ClientMinimumSerializer, SiteMinimumSerializer
 from rest_framework.fields import SerializerMethodField
 from rest_framework.serializers import ModelSerializer, ReadOnlyField

-from automation.serializers import PolicySerializer
-from clients.serializers import ClientSerializer, SiteSerializer
 from tacticalrmm.utils import get_default_timezone

 from .models import Alert, AlertTemplate
@@ -10,12 +10,29 @@ from .models import Alert, AlertTemplate

 class AlertSerializer(ModelSerializer):

-    hostname = SerializerMethodField(read_only=True)
-    client = SerializerMethodField(read_only=True)
-    site = SerializerMethodField(read_only=True)
-    alert_time = SerializerMethodField(read_only=True)
-    resolve_on = SerializerMethodField(read_only=True)
-    snoozed_until = SerializerMethodField(read_only=True)
+    hostname = SerializerMethodField()
+    agent_id = SerializerMethodField()
+    client = SerializerMethodField()
+    site = SerializerMethodField()
+    alert_time = SerializerMethodField()
+    resolve_on = SerializerMethodField()
+    snoozed_until = SerializerMethodField()
+
+    def get_agent_id(self, instance):
+        if instance.alert_type == "availability":
+            return instance.agent.agent_id if instance.agent else ""
+        elif instance.alert_type == "check":
+            return (
+                instance.assigned_check.agent.agent_id
+                if instance.assigned_check
+                else ""
+            )
+        elif instance.alert_type == "task":
+            return (
+                instance.assigned_task.agent.agent_id if instance.assigned_task else ""
+            )
+        else:
+            return ""

    def get_hostname(self, instance):
        if instance.alert_type == "availability":
@@ -113,9 +130,15 @@ class AlertTemplateSerializer(ModelSerializer):

 class AlertTemplateRelationSerializer(ModelSerializer):
    policies = PolicySerializer(read_only=True, many=True)
-    clients = ClientSerializer(read_only=True, many=True)
-    sites = SiteSerializer(read_only=True, many=True)
+    clients = ClientMinimumSerializer(read_only=True, many=True)
+    sites = SiteMinimumSerializer(read_only=True, many=True)

    class Meta:
        model = AlertTemplate
        fields = "__all__"
+
+
+class AlertTemplateAuditSerializer(ModelSerializer):
+    class Meta:
+        model = AlertTemplate
+        fields = "__all__"
--- a/api/tacticalrmm/alerts/tasks.py
+++ b/api/tacticalrmm/alerts/tasks.py
@@ -1,11 +1,11 @@
 from django.utils import timezone as djangotime

-from alerts.models import Alert
 from tacticalrmm.celery import app


@app.task
 def unsnooze_alerts() -> str:
+    from .models import Alert

    Alert.objects.filter(snoozed=True, snooze_until__lte=djangotime.now()).update(
        snoozed=False, snooze_until=None
@@ -22,3 +22,14 @@ def cache_agents_alert_template():
        agent.set_alert_template()

    return "ok"
+
+
+@app.task
+def prune_resolved_alerts(older_than_days: int) -> str:
+    from .models import Alert
+
+    Alert.objects.filter(resolved=True).filter(
+        alert_time__lt=djangotime.now() - djangotime.timedelta(days=older_than_days)
+    ).delete()
+
+    return "ok"
--- a/api/tacticalrmm/alerts/tests.py
+++ b/api/tacticalrmm/alerts/tests.py
@@ -1,13 +1,14 @@
 from datetime import datetime, timedelta
+from itertools import cycle
 from unittest.mock import patch

+from alerts.tasks import cache_agents_alert_template
+from core.models import CoreSettings
+from core.tasks import cache_db_fields_task
 from django.conf import settings
 from django.utils import timezone as djangotime
 from model_bakery import baker, seq

-from alerts.tasks import cache_agents_alert_template
-from autotasks.models import AutomatedTask
-from core.models import CoreSettings
 from tacticalrmm.test import TacticalTestCase

 from .models import Alert, AlertTemplate
@@ -17,6 +18,8 @@ from .serializers import (
    AlertTemplateSerializer,
 )

+base_url = "/alerts"
+

 class TestAlertsViews(TacticalTestCase):
    def setUp(self):
@@ -24,7 +27,7 @@ class TestAlertsViews(TacticalTestCase):
        self.setup_coresettings()

    def test_get_alerts(self):
-        url = "/alerts/alerts/"
+        url = "/alerts/"

        # create check, task, and agent to test each serializer function
        check = baker.make_recipe("checks.diskspace_check")
@@ -117,7 +120,7 @@ class TestAlertsViews(TacticalTestCase):
        self.check_not_authenticated("patch", url)

    def test_add_alert(self):
-        url = "/alerts/alerts/"
+        url = "/alerts/"

        agent = baker.make_recipe("agents.agent")
        data = {
@@ -134,11 +137,11 @@ class TestAlertsViews(TacticalTestCase):

    def test_get_alert(self):
        # returns 404 for invalid alert pk
-        resp = self.client.get("/alerts/alerts/500/", format="json")
+        resp = self.client.get("/alerts/500/", format="json")
        self.assertEqual(resp.status_code, 404)

        alert = baker.make("alerts.Alert")
-        url = f"/alerts/alerts/{alert.pk}/"  # type: ignore
+        url = f"/alerts/{alert.pk}/"  # type: ignore

        resp = self.client.get(url, format="json")
        serializer = AlertSerializer(alert)
@@ -150,16 +153,15 @@ class TestAlertsViews(TacticalTestCase):

    def test_update_alert(self):
        # returns 404 for invalid alert pk
-        resp = self.client.put("/alerts/alerts/500/", format="json")
+        resp = self.client.put("/alerts/500/", format="json")
        self.assertEqual(resp.status_code, 404)

        alert = baker.make("alerts.Alert", resolved=False, snoozed=False)

-        url = f"/alerts/alerts/{alert.pk}/"  # type: ignore
+        url = f"/alerts/{alert.pk}/"  # type: ignore

        # test resolving alert
        data = {
-            "id": alert.pk,  # type: ignore
            "type": "resolve",
        }
        resp = self.client.put(url, data, format="json")
@@ -168,26 +170,26 @@ class TestAlertsViews(TacticalTestCase):
        self.assertTrue(Alert.objects.get(pk=alert.pk).resolved_on)  # type: ignore

        # test snoozing alert
-        data = {"id": alert.pk, "type": "snooze", "snooze_days": "30"}  # type: ignore
+        data = {"type": "snooze", "snooze_days": "30"}  # type: ignore
        resp = self.client.put(url, data, format="json")
        self.assertEqual(resp.status_code, 200)
        self.assertTrue(Alert.objects.get(pk=alert.pk).snoozed)  # type: ignore
        self.assertTrue(Alert.objects.get(pk=alert.pk).snooze_until)  # type: ignore

        # test snoozing alert without snooze_days
-        data = {"id": alert.pk, "type": "snooze"}  # type: ignore
+        data = {"type": "snooze"}  # type: ignore
        resp = self.client.put(url, data, format="json")
        self.assertEqual(resp.status_code, 400)

        # test unsnoozing alert
-        data = {"id": alert.pk, "type": "unsnooze"}  # type: ignore
+        data = {"type": "unsnooze"}  # type: ignore
        resp = self.client.put(url, data, format="json")
        self.assertEqual(resp.status_code, 200)
        self.assertFalse(Alert.objects.get(pk=alert.pk).snoozed)  # type: ignore
        self.assertFalse(Alert.objects.get(pk=alert.pk).snooze_until)  # type: ignore

        # test invalid type
-        data = {"id": alert.pk, "type": "invalid"}  # type: ignore
+        data = {"type": "invalid"}  # type: ignore
        resp = self.client.put(url, data, format="json")
        self.assertEqual(resp.status_code, 400)

@@ -195,13 +197,13 @@ class TestAlertsViews(TacticalTestCase):

    def test_delete_alert(self):
        # returns 404 for invalid alert pk
-        resp = self.client.put("/alerts/alerts/500/", format="json")
+        resp = self.client.put("/alerts/500/", format="json")
        self.assertEqual(resp.status_code, 404)

        alert = baker.make("alerts.Alert")

        # test delete alert
-        url = f"/alerts/alerts/{alert.pk}/"  # type: ignore
+        url = f"/alerts/{alert.pk}/"  # type: ignore
        resp = self.client.delete(url, format="json")
        self.assertEqual(resp.status_code, 200)

@@ -243,7 +245,7 @@ class TestAlertsViews(TacticalTestCase):
        self.assertTrue(Alert.objects.filter(snoozed=False).exists())

    def test_get_alert_templates(self):
-        url = "/alerts/alerttemplates/"
+        url = "/alerts/templates/"

        alert_templates = baker.make("alerts.AlertTemplate", _quantity=3)
        resp = self.client.get(url, format="json")
@@ -255,7 +257,7 @@ class TestAlertsViews(TacticalTestCase):
        self.check_not_authenticated("get", url)

    def test_add_alert_template(self):
-        url = "/alerts/alerttemplates/"
+        url = "/alerts/templates/"

        data = {
            "name": "Test Template",
@@ -268,11 +270,11 @@ class TestAlertsViews(TacticalTestCase):

    def test_get_alert_template(self):
        # returns 404 for invalid alert template pk
-        resp = self.client.get("/alerts/alerttemplates/500/", format="json")
+        resp = self.client.get("/alerts/templates/500/", format="json")
        self.assertEqual(resp.status_code, 404)

        alert_template = baker.make("alerts.AlertTemplate")
-        url = f"/alerts/alerttemplates/{alert_template.pk}/"  # type: ignore
+        url = f"/alerts/templates/{alert_template.pk}/"  # type: ignore

        resp = self.client.get(url, format="json")
        serializer = AlertTemplateSerializer(alert_template)
@@ -284,16 +286,15 @@ class TestAlertsViews(TacticalTestCase):

    def test_update_alert_template(self):
        # returns 404 for invalid alert pk
-        resp = self.client.put("/alerts/alerttemplates/500/", format="json")
+        resp = self.client.put("/alerts/templates/500/", format="json")
        self.assertEqual(resp.status_code, 404)

        alert_template = baker.make("alerts.AlertTemplate")

-        url = f"/alerts/alerttemplates/{alert_template.pk}/"  # type: ignore
+        url = f"/alerts/templates/{alert_template.pk}/"  # type: ignore

        # test data
        data = {
-            "id": alert_template.pk,  # type: ignore
            "agent_email_on_resolved": True,
            "agent_text_on_resolved": True,
            "agent_include_desktops": True,
@@ -309,13 +310,13 @@ class TestAlertsViews(TacticalTestCase):

    def test_delete_alert_template(self):
        # returns 404 for invalid alert pk
-        resp = self.client.put("/alerts/alerttemplates/500/", format="json")
+        resp = self.client.put("/alerts/templates/500/", format="json")
        self.assertEqual(resp.status_code, 404)

        alert_template = baker.make("alerts.AlertTemplate")

        # test delete alert
-        url = f"/alerts/alerttemplates/{alert_template.pk}/"  # type: ignore
+        url = f"/alerts/templates/{alert_template.pk}/"  # type: ignore
        resp = self.client.delete(url, format="json")
        self.assertEqual(resp.status_code, 200)

@@ -330,10 +331,10 @@ class TestAlertsViews(TacticalTestCase):
        baker.make("clients.Site", alert_template=alert_template, _quantity=3)
        baker.make("automation.Policy", alert_template=alert_template)
        core = CoreSettings.objects.first()
-        core.alert_template = alert_template
-        core.save()
+        core.alert_template = alert_template  # type: ignore
+        core.save()  # type: ignore

-        url = f"/alerts/alerttemplates/{alert_template.pk}/related/"  # type: ignore
+        url = f"/alerts/templates/{alert_template.pk}/related/"  # type: ignore

        resp = self.client.get(url, format="json")
        serializer = AlertTemplateRelationSerializer(alert_template)
@@ -403,16 +404,16 @@ class TestAlertTasks(TacticalTestCase):
        # assign first Alert Template as to a policy and apply it as default
        policy.alert_template = alert_templates[0]  # type: ignore
        policy.save()  # type: ignore
-        core.workstation_policy = policy
-        core.server_policy = policy
-        core.save()
+        core.workstation_policy = policy  # type: ignore
+        core.server_policy = policy  # type: ignore
+        core.save()  # type: ignore

        self.assertEquals(server.set_alert_template().pk, alert_templates[0].pk)  # type: ignore
        self.assertEquals(workstation.set_alert_template().pk, alert_templates[0].pk)  # type: ignore

        # assign second Alert Template to as default alert template
        core.alert_template = alert_templates[1]  # type: ignore
-        core.save()
+        core.save()  # type: ignore

        self.assertEquals(workstation.set_alert_template().pk, alert_templates[1].pk)  # type: ignore
        self.assertEquals(server.set_alert_template().pk, alert_templates[1].pk)  # type: ignore
@@ -675,25 +676,14 @@ class TestAlertTasks(TacticalTestCase):
        url = "/api/v3/checkin/"

        agent_template_text.version = settings.LATEST_AGENT_VER
+        agent_template_text.last_seen = djangotime.now()
        agent_template_text.save()
+
        agent_template_email.version = settings.LATEST_AGENT_VER
+        agent_template_email.last_seen = djangotime.now()
        agent_template_email.save()

-        data = {
-            "agent_id": agent_template_text.agent_id,
-            "version": settings.LATEST_AGENT_VER,
-        }
-
-        resp = self.client.patch(url, data, format="json")
-        self.assertEqual(resp.status_code, 200)
-
-        data = {
-            "agent_id": agent_template_email.agent_id,
-            "version": settings.LATEST_AGENT_VER,
-        }
-
-        resp = self.client.patch(url, data, format="json")
-        self.assertEqual(resp.status_code, 200)
+        cache_db_fields_task()

        recovery_sms.assert_called_with(
            pk=Alert.objects.get(agent=agent_template_text).pk
@@ -1272,17 +1262,17 @@ class TestAlertTasks(TacticalTestCase):
        )

        core = CoreSettings.objects.first()
-        core.smtp_host = "test.test.com"
-        core.smtp_port = 587
-        core.smtp_recipients = ["recipient@test.com"]
-        core.twilio_account_sid = "test"
-        core.twilio_auth_token = "1234123412341234"
-        core.sms_alert_recipients = ["+1234567890"]
+        core.smtp_host = "test.test.com"  # type: ignore
+        core.smtp_port = 587  # type: ignore
+        core.smtp_recipients = ["recipient@test.com"]  # type: ignore
+        core.twilio_account_sid = "test"  # type: ignore
+        core.twilio_auth_token = "1234123412341234"  # type: ignore
+        core.sms_alert_recipients = ["+1234567890"]  # type: ignore

        # test sending email with alert template settings
-        core.send_mail("Test", "Test", alert_template=alert_template)
+        core.send_mail("Test", "Test", alert_template=alert_template)  # type: ignore

-        core.send_sms("Test", alert_template=alert_template)
+        core.send_sms("Test", alert_template=alert_template)  # type: ignore

    @patch("agents.models.Agent.nats_cmd")
    @patch("agents.tasks.agent_outage_sms_task.delay")
@@ -1315,6 +1305,7 @@ class TestAlertTasks(TacticalTestCase):
            "alerts.AlertTemplate",
            is_active=True,
            agent_always_alert=True,
+            agent_script_actions=False,
            action=failure_action,
            action_timeout=30,
            resolved_action=resolved_action,
@@ -1328,6 +1319,14 @@ class TestAlertTasks(TacticalTestCase):

        agent_outages_task()

+        # should not have been called since agent_script_actions is set to False
+        nats_cmd.assert_not_called()
+
+        alert_template.agent_script_actions = True  # type: ignore
+        alert_template.save()  # type: ignore
+
+        agent_outages_task()
+
        # this is what data should be
        data = {
            "func": "runscriptfull",
@@ -1340,14 +1339,6 @@ class TestAlertTasks(TacticalTestCase):

        nats_cmd.reset_mock()

-        # Setup cmd mock
-        success = {
-            "retcode": 0,
-            "stdout": "success!",
-            "stderr": "",
-            "execution_time": 5.0000,
-        }
-
        nats_cmd.side_effect = ["pong", success]

        # make sure script run results were stored
@@ -1361,15 +1352,7 @@ class TestAlertTasks(TacticalTestCase):
        agent.last_seen = djangotime.now()
        agent.save()

-        url = "/api/v3/checkin/"
-
-        data = {
-            "agent_id": agent.agent_id,
-            "version": settings.LATEST_AGENT_VER,
-        }
-
-        resp = self.client.patch(url, data, format="json")
-        self.assertEqual(resp.status_code, 200)
+        cache_db_fields_task()

        # this is what data should be
        data = {
@@ -1398,3 +1381,188 @@ class TestAlertTasks(TacticalTestCase):
            ["-Parameter", f"-Another '{alert.id}'"],  # type: ignore
            alert.parse_script_args(args=args),  # type: ignore
        )
+
+    def test_prune_resolved_alerts(self):
+        from .tasks import prune_resolved_alerts
+
+        # setup data
+        resolved_alerts = baker.make(
+            "alerts.Alert",
+            resolved=True,
+            _quantity=25,
+        )
+
+        alerts = baker.make(
+            "alerts.Alert",
+            resolved=False,
+            _quantity=25,
+        )
+
+        days = 0
+        for alert in resolved_alerts:  # type: ignore
+            alert.alert_time = djangotime.now() - djangotime.timedelta(days=days)
+            alert.save()
+            days = days + 5
+
+        days = 0
+        for alert in alerts:  # type: ignore
+            alert.alert_time = djangotime.now() - djangotime.timedelta(days=days)
+            alert.save()
+            days = days + 5
+
+        # delete AgentHistory older than 30 days
+        prune_resolved_alerts(30)
+
+        self.assertEqual(Alert.objects.count(), 31)
+
+
+class TestAlertPermissions(TacticalTestCase):
+    def setUp(self):
+        self.setup_coresettings()
+        self.client_setup()
+
+    def test_get_alerts_permissions(self):
+        agent = baker.make_recipe("agents.agent")
+        agent1 = baker.make_recipe("agents.agent")
+        agent2 = baker.make_recipe("agents.agent")
+        agents = [agent, agent1, agent2]
+        checks = baker.make("checks.Check", agent=cycle(agents), _quantity=3)
+        tasks = baker.make("autotasks.AutomatedTask", agent=cycle(agents), _quantity=3)
+        baker.make(
+            "alerts.Alert", alert_type="task", assigned_task=cycle(tasks), _quantity=3
+        )
+        baker.make(
+            "alerts.Alert",
+            alert_type="check",
+            assigned_check=cycle(checks),
+            _quantity=3,
+        )
+        baker.make(
+            "alerts.Alert", alert_type="availability", agent=cycle(agents), _quantity=3
+        )
+        baker.make("alerts.Alert", alert_type="custom", _quantity=4)
+
+        # test super user access
+        r = self.check_authorized_superuser("patch", f"{base_url}/")
+        self.assertEqual(len(r.data), 13)  # type: ignore
+
+        user = self.create_user_with_roles([])
+        self.client.force_authenticate(user=user)  # type: ignore
+
+        self.check_not_authorized("patch", f"{base_url}/")
+
+        # add list software role to user
+        user.role.can_list_alerts = True
+        user.role.save()
+
+        r = self.check_authorized("patch", f"{base_url}/")
+        self.assertEqual(len(r.data), 13)  # type: ignore
+
+        # test limiting to client
+        user.role.can_view_clients.set([agent.client])
+        r = self.check_authorized("patch", f"{base_url}/")
+        self.assertEqual(len(r.data), 7)  # type: ignore
+
+        # test limiting to site
+        user.role.can_view_clients.clear()
+        user.role.can_view_sites.set([agent1.site])
+        r = self.client.patch(f"{base_url}/")
+        self.assertEqual(len(r.data), 7)  # type: ignore
+
+        # test limiting to site and client
+        user.role.can_view_clients.set([agent2.client])
+        r = self.client.patch(f"{base_url}/")
+        self.assertEqual(len(r.data), 10)  # type: ignore
+
+    @patch("alerts.models.Alert.delete", return_value=1)
+    def test_edit_delete_get_alert_permissions(self, delete):
+        agent = baker.make_recipe("agents.agent")
+        agent1 = baker.make_recipe("agents.agent")
+        agent2 = baker.make_recipe("agents.agent")
+        agents = [agent, agent1, agent2]
+        checks = baker.make("checks.Check", agent=cycle(agents), _quantity=3)
+        tasks = baker.make("autotasks.AutomatedTask", agent=cycle(agents), _quantity=3)
+        alert_tasks = baker.make(
+            "alerts.Alert", alert_type="task", assigned_task=cycle(tasks), _quantity=3
+        )
+        alert_checks = baker.make(
+            "alerts.Alert",
+            alert_type="check",
+            assigned_check=cycle(checks),
+            _quantity=3,
+        )
+        alert_agents = baker.make(
+            "alerts.Alert", alert_type="availability", agent=cycle(agents), _quantity=3
+        )
+        alert_custom = baker.make("alerts.Alert", alert_type="custom", _quantity=4)
+
+        # alert task url
+        task_url = f"{base_url}/{alert_tasks[0].id}/"  # for agent
+        unauthorized_task_url = f"{base_url}/{alert_tasks[1].id}/"  # for agent1
+        # alert check url
+        check_url = f"{base_url}/{alert_checks[0].id}/"  # for agent
+        unauthorized_check_url = f"{base_url}/{alert_checks[1].id}/"  # for agent1
+        # alert agent url
+        agent_url = f"{base_url}/{alert_agents[0].id}/"  # for agent
+        unauthorized_agent_url = f"{base_url}/{alert_agents[1].id}/"  # for agent1
+        # custom alert url
+        custom_url = f"{base_url}/{alert_custom[0].id}/"  # no agent associated
+
+        authorized_urls = [task_url, check_url, agent_url, custom_url]
+        unauthorized_urls = [
+            unauthorized_agent_url,
+            unauthorized_check_url,
+            unauthorized_task_url,
+        ]
+
+        for method in ["get", "put", "delete"]:
+
+            # test superuser access
+            for url in authorized_urls:
+                self.check_authorized_superuser(method, url)
+
+            for url in unauthorized_urls:
+                self.check_authorized_superuser(method, url)
+
+            user = self.create_user_with_roles([])
+            self.client.force_authenticate(user=user)  # type: ignore
+
+            # test user without role
+            for url in authorized_urls:
+                self.check_not_authorized(method, url)
+
+            for url in unauthorized_urls:
+                self.check_not_authorized(method, url)
+
+            # add user to role and test
+            setattr(
+                user.role,
+                "can_list_alerts" if method == "get" else "can_manage_alerts",
+                True,
+            )
+            user.role.save()
+
+            # test user with role
+            for url in authorized_urls:
+                self.check_authorized(method, url)
+
+            for url in unauthorized_urls:
+                self.check_authorized(method, url)
+
+            # limit user to client if agent check
+            user.role.can_view_clients.set([agent.client])
+
+            for url in authorized_urls:
+                self.check_authorized(method, url)
+
+            for url in unauthorized_urls:
+                self.check_not_authorized(method, url)
+
+            # limit user to client if agent check
+            user.role.can_view_sites.set([agent1.site])
+
+            for url in authorized_urls:
+                self.check_authorized(method, url)
+
+            for url in unauthorized_urls:
+                self.check_authorized(method, url)
--- a/api/tacticalrmm/alerts/urls.py
+++ b/api/tacticalrmm/alerts/urls.py
@@ -3,10 +3,10 @@ from django.urls import path
 from . import views

 urlpatterns = [
-    path("alerts/", views.GetAddAlerts.as_view()),
+    path("", views.GetAddAlerts.as_view()),
+    path("<int:pk>/", views.GetUpdateDeleteAlert.as_view()),
    path("bulk/", views.BulkAlerts.as_view()),
-    path("alerts/<int:pk>/", views.GetUpdateDeleteAlert.as_view()),
-    path("alerttemplates/", views.GetAddAlertTemplates.as_view()),
-    path("alerttemplates/<int:pk>/", views.GetUpdateDeleteAlertTemplate.as_view()),
-    path("alerttemplates/<int:pk>/related/", views.RelatedAlertTemplate.as_view()),
+    path("templates/", views.GetAddAlertTemplates.as_view()),
+    path("templates/<int:pk>/", views.GetUpdateDeleteAlertTemplate.as_view()),
+    path("templates/<int:pk>/related/", views.RelatedAlertTemplate.as_view()),
 ]
--- a/api/tacticalrmm/alerts/views.py
+++ b/api/tacticalrmm/alerts/views.py
@@ -10,7 +10,7 @@ from rest_framework.views import APIView
 from tacticalrmm.utils import notify_error

 from .models import Alert, AlertTemplate
-from .permissions import ManageAlertsPerms
+from .permissions import AlertPerms, AlertTemplatePerms
 from .serializers import (
    AlertSerializer,
    AlertTemplateRelationSerializer,
@@ -20,7 +20,7 @@ from .tasks import cache_agents_alert_template


 class GetAddAlerts(APIView):
-    permission_classes = [IsAuthenticated, ManageAlertsPerms]
+    permission_classes = [IsAuthenticated, AlertPerms]

    def patch(self, request):

@@ -92,7 +92,8 @@ class GetAddAlerts(APIView):
                )

            alerts = (
-                Alert.objects.filter(clientFilter)
+                Alert.objects.filter_by_role(request.user)
+                .filter(clientFilter)
                .filter(severityFilter)
                .filter(resolvedFilter)
                .filter(snoozedFilter)
@@ -101,7 +102,7 @@ class GetAddAlerts(APIView):
            return Response(AlertSerializer(alerts, many=True).data)

        else:
-            alerts = Alert.objects.all()
+            alerts = Alert.objects.filter_by_role(request.user)
            return Response(AlertSerializer(alerts, many=True).data)

    def post(self, request):
@@ -113,11 +114,10 @@ class GetAddAlerts(APIView):


 class GetUpdateDeleteAlert(APIView):
-    permission_classes = [IsAuthenticated, ManageAlertsPerms]
+    permission_classes = [IsAuthenticated, AlertPerms]

    def get(self, request, pk):
        alert = get_object_or_404(Alert, pk=pk)
-
        return Response(AlertSerializer(alert).data)

    def put(self, request, pk):
@@ -169,7 +169,7 @@ class GetUpdateDeleteAlert(APIView):


 class BulkAlerts(APIView):
-    permission_classes = [IsAuthenticated, ManageAlertsPerms]
+    permission_classes = [IsAuthenticated, AlertPerms]

    def post(self, request):
        if request.data["bulk_action"] == "resolve":
@@ -193,11 +193,10 @@ class BulkAlerts(APIView):


 class GetAddAlertTemplates(APIView):
-    permission_classes = [IsAuthenticated, ManageAlertsPerms]
+    permission_classes = [IsAuthenticated, AlertTemplatePerms]

    def get(self, request):
        alert_templates = AlertTemplate.objects.all()
-
        return Response(AlertTemplateSerializer(alert_templates, many=True).data)

    def post(self, request):
@@ -212,7 +211,7 @@ class GetAddAlertTemplates(APIView):


 class GetUpdateDeleteAlertTemplate(APIView):
-    permission_classes = [IsAuthenticated, ManageAlertsPerms]
+    permission_classes = [IsAuthenticated, AlertTemplatePerms]

    def get(self, request, pk):
        alert_template = get_object_or_404(AlertTemplate, pk=pk)
@@ -243,6 +242,8 @@ class GetUpdateDeleteAlertTemplate(APIView):


 class RelatedAlertTemplate(APIView):
+    permission_classes = [IsAuthenticated, AlertTemplatePerms]
+
    def get(self, request, pk):
        alert_template = get_object_or_404(AlertTemplate, pk=pk)
        return Response(AlertTemplateRelationSerializer(alert_template).data)
--- a/api/tacticalrmm/apiv3/tests.py
+++ b/api/tacticalrmm/apiv3/tests.py
@@ -1,12 +1,11 @@
 import json
 import os
-from unittest.mock import patch

+from autotasks.models import AutomatedTask
 from django.conf import settings
 from django.utils import timezone as djangotime
 from model_bakery import baker

-from autotasks.models import AutomatedTask
 from tacticalrmm.test import TacticalTestCase


@@ -130,81 +129,6 @@ class TestAPIv3(TacticalTestCase):
        self.assertIsInstance(r.json()["check_interval"], int)
        self.assertEqual(len(r.json()["checks"]), 15)

-    def test_checkin_patch(self):
-        from logs.models import PendingAction
-
-        url = "/api/v3/checkin/"
-        agent_updated = baker.make_recipe("agents.agent", version="1.3.0")
-        PendingAction.objects.create(
-            agent=agent_updated,
-            action_type="agentupdate",
-            details={
-                "url": agent_updated.winagent_dl,
-                "version": agent_updated.version,
-                "inno": agent_updated.win_inno_exe,
-            },
-        )
-        action = agent_updated.pendingactions.filter(action_type="agentupdate").first()
-        self.assertEqual(action.status, "pending")
-
-        # test agent failed to update and still on same version
-        payload = {
-            "func": "hello",
-            "agent_id": agent_updated.agent_id,
-            "version": "1.3.0",
-        }
-        r = self.client.patch(url, payload, format="json")
-        self.assertEqual(r.status_code, 200)
-        action = agent_updated.pendingactions.filter(action_type="agentupdate").first()
-        self.assertEqual(action.status, "pending")
-
-        # test agent successful update
-        payload["version"] = settings.LATEST_AGENT_VER
-        r = self.client.patch(url, payload, format="json")
-        self.assertEqual(r.status_code, 200)
-        action = agent_updated.pendingactions.filter(action_type="agentupdate").first()
-        self.assertEqual(action.status, "completed")
-        action.delete()
-
-    @patch("apiv3.views.reload_nats")
-    def test_agent_recovery(self, reload_nats):
-        reload_nats.return_value = "ok"
-        r = self.client.get("/api/v3/34jahsdkjasncASDjhg2b3j4r/recover/")
-        self.assertEqual(r.status_code, 404)
-
-        agent = baker.make_recipe("agents.online_agent")
-        url = f"/api/v3/{agent.agent_id}/recovery/"
-
-        r = self.client.get(url)
-        self.assertEqual(r.status_code, 200)
-        self.assertEqual(r.json(), {"mode": "pass", "shellcmd": ""})
-        reload_nats.assert_not_called()
-
-        baker.make("agents.RecoveryAction", agent=agent, mode="mesh")
-        r = self.client.get(url)
-        self.assertEqual(r.status_code, 200)
-        self.assertEqual(r.json(), {"mode": "mesh", "shellcmd": ""})
-        reload_nats.assert_not_called()
-
-        baker.make(
-            "agents.RecoveryAction",
-            agent=agent,
-            mode="command",
-            command="shutdown /r /t 5 /f",
-        )
-        r = self.client.get(url)
-        self.assertEqual(r.status_code, 200)
-        self.assertEqual(
-            r.json(), {"mode": "command", "shellcmd": "shutdown /r /t 5 /f"}
-        )
-        reload_nats.assert_not_called()
-
-        baker.make("agents.RecoveryAction", agent=agent, mode="rpc")
-        r = self.client.get(url)
-        self.assertEqual(r.status_code, 200)
-        self.assertEqual(r.json(), {"mode": "rpc", "shellcmd": ""})
-        reload_nats.assert_called_once()
-
    def test_task_runner_get(self):
        from autotasks.serializers import TaskGOGetSerializer

--- a/api/tacticalrmm/apiv3/urls.py
+++ b/api/tacticalrmm/apiv3/urls.py
@@ -19,5 +19,5 @@ urlpatterns = [
    path("winupdates/", views.WinUpdates.as_view()),
    path("superseded/", views.SupersededWinUpdate.as_view()),
    path("<int:pk>/chocoresult/", views.ChocoResult.as_view()),
-    path("<str:agentid>/recovery/", views.AgentRecovery.as_view()),
+    path("<int:pk>/<str:agentid>/histresult/", views.AgentHistoryResult.as_view()),
 ]
--- a/api/tacticalrmm/apiv3/views.py
+++ b/api/tacticalrmm/apiv3/views.py
@@ -1,33 +1,30 @@
 import asyncio
-import os
 import time

+from accounts.models import User
+from agents.models import Agent, AgentHistory
+from agents.serializers import AgentHistorySerializer
+from autotasks.models import AutomatedTask
+from autotasks.serializers import TaskGOGetSerializer, TaskRunnerPatchSerializer
+from checks.models import Check
+from checks.serializers import CheckRunnerGetSerializer
+from core.models import CoreSettings
+from core.utils import download_mesh_agent, get_mesh_device_id, get_mesh_ws_url
 from django.conf import settings
-from django.http import HttpResponse
 from django.shortcuts import get_object_or_404
 from django.utils import timezone as djangotime
-from loguru import logger
+from logs.models import DebugLog, PendingAction
 from packaging import version as pyver
 from rest_framework.authentication import TokenAuthentication
 from rest_framework.authtoken.models import Token
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.response import Response
 from rest_framework.views import APIView
-
-from accounts.models import User
-from agents.models import Agent, AgentCustomField
-from agents.serializers import WinAgentSerializer
-from autotasks.models import AutomatedTask
-from autotasks.serializers import TaskGOGetSerializer, TaskRunnerPatchSerializer
-from checks.models import Check
-from checks.serializers import CheckRunnerGetSerializer
-from checks.utils import bytes2human
-from logs.models import PendingAction
 from software.models import InstalledSoftware
-from tacticalrmm.utils import SoftwareList, filter_software, notify_error, reload_nats
 from winupdate.models import WinUpdate, WinUpdatePolicy

-logger.configure(**settings.LOG_CONFIG)
+from tacticalrmm.constants import MeshAgentIdent
+from tacticalrmm.utils import notify_error, reload_nats


 class CheckIn(APIView):
@@ -35,97 +32,6 @@ class CheckIn(APIView):
    authentication_classes = [TokenAuthentication]
    permission_classes = [IsAuthenticated]

-    def patch(self, request):
-        from alerts.models import Alert
-
-        updated = False
-        agent = get_object_or_404(Agent, agent_id=request.data["agent_id"])
-        if pyver.parse(request.data["version"]) > pyver.parse(
-            agent.version
-        ) or pyver.parse(request.data["version"]) == pyver.parse(
-            settings.LATEST_AGENT_VER
-        ):
-            updated = True
-        agent.version = request.data["version"]
-        agent.last_seen = djangotime.now()
-        agent.save(update_fields=["version", "last_seen"])
-
-        # change agent update pending status to completed if agent has just updated
-        if (
-            updated
-            and agent.pendingactions.filter(  # type: ignore
-                action_type="agentupdate", status="pending"
-            ).exists()
-        ):
-            agent.pendingactions.filter(  # type: ignore
-                action_type="agentupdate", status="pending"
-            ).update(status="completed")
-
-        # handles any alerting actions
-        if Alert.objects.filter(agent=agent, resolved=False).exists():
-            Alert.handle_alert_resolve(agent)
-
-        # sync scheduled tasks
-        if agent.autotasks.exclude(sync_status="synced").exists():  # type: ignore
-            tasks = agent.autotasks.exclude(sync_status="synced")  # type: ignore
-
-            for task in tasks:
-                if task.sync_status == "pendingdeletion":
-                    task.delete_task_on_agent()
-                elif task.sync_status == "initial":
-                    task.modify_task_on_agent()
-                elif task.sync_status == "notsynced":
-                    task.create_task_on_agent()
-
-        return Response("ok")
-
-    def put(self, request):
-        agent = get_object_or_404(Agent, agent_id=request.data["agent_id"])
-        serializer = WinAgentSerializer(instance=agent, data=request.data, partial=True)
-
-        if request.data["func"] == "disks":
-            disks = request.data["disks"]
-            new = []
-            for disk in disks:
-                tmp = {}
-                for _, _ in disk.items():
-                    tmp["device"] = disk["device"]
-                    tmp["fstype"] = disk["fstype"]
-                    tmp["total"] = bytes2human(disk["total"])
-                    tmp["used"] = bytes2human(disk["used"])
-                    tmp["free"] = bytes2human(disk["free"])
-                    tmp["percent"] = int(disk["percent"])
-                new.append(tmp)
-
-            serializer.is_valid(raise_exception=True)
-            serializer.save(disks=new)
-            return Response("ok")
-
-        if request.data["func"] == "loggedonuser":
-            if request.data["logged_in_username"] != "None":
-                serializer.is_valid(raise_exception=True)
-                serializer.save(last_logged_in_user=request.data["logged_in_username"])
-                return Response("ok")
-
-        if request.data["func"] == "software":
-            raw: SoftwareList = request.data["software"]
-            if not isinstance(raw, list):
-                return notify_error("err")
-
-            sw = filter_software(raw)
-            if not InstalledSoftware.objects.filter(agent=agent).exists():
-                InstalledSoftware(agent=agent, software=sw).save()
-            else:
-                s = agent.installedsoftware_set.first()  # type: ignore
-                s.software = sw
-                s.save(update_fields=["software"])
-
-            return Response("ok")
-
-        serializer.is_valid(raise_exception=True)
-        serializer.save()
-        return Response("ok")
-
    # called once during tacticalagent windows service startup
    def post(self, request):
        agent = get_object_or_404(Agent, agent_id=request.data["agent_id"])
@@ -167,22 +73,26 @@ class WinUpdates(APIView):

    def put(self, request):
        agent = get_object_or_404(Agent, agent_id=request.data["agent_id"])
+
+        needs_reboot: bool = request.data["needs_reboot"]
+        agent.needs_reboot = needs_reboot
+        agent.save(update_fields=["needs_reboot"])
+
        reboot_policy: str = agent.get_patch_policy().reboot_after_install
        reboot = False

        if reboot_policy == "always":
            reboot = True
-
-        if request.data["needs_reboot"]:
-            if reboot_policy == "required":
-                reboot = True
-            elif reboot_policy == "never":
-                agent.needs_reboot = True
-                agent.save(update_fields=["needs_reboot"])
+        elif needs_reboot and reboot_policy == "required":
+            reboot = True

        if reboot:
            asyncio.run(agent.nats_cmd({"func": "rebootnow"}, wait=False))
-            logger.info(f"{agent.hostname} is rebooting after updates were installed.")
+            DebugLog.info(
+                agent=agent,
+                log_type="windows_updates",
+                message=f"{agent.hostname} is rebooting after updates were installed.",
+            )

        agent.delete_superseded_updates()
        return Response("ok")
@@ -244,14 +154,6 @@ class WinUpdates(APIView):
                ).save()

        agent.delete_superseded_updates()
-
-        # more superseded updates cleanup
-        if pyver.parse(agent.version) <= pyver.parse("1.4.2"):
-            for u in agent.winupdates.filter(  # type: ignore
-                date_installed__isnull=True, result="failed"
-            ).exclude(installed=True):
-                u.delete()
-
        return Response("ok")


@@ -321,8 +223,6 @@ class CheckRunner(APIView):

    def patch(self, request):
        check = get_object_or_404(Check, pk=request.data["id"])
-        if pyver.parse(check.agent.version) < pyver.parse("1.5.7"):
-            return notify_error("unsupported")

        check.last_run = djangotime.now()
        check.save(update_fields=["last_run"])
@@ -350,13 +250,12 @@ class TaskRunner(APIView):
    permission_classes = [IsAuthenticated]

    def get(self, request, pk, agentid):
-        agent = get_object_or_404(Agent, agent_id=agentid)
+        _ = get_object_or_404(Agent, agent_id=agentid)
        task = get_object_or_404(AutomatedTask, pk=pk)
        return Response(TaskGOGetSerializer(task).data)

    def patch(self, request, pk, agentid):
        from alerts.models import Alert
-        from logs.models import AuditLog

        agent = get_object_or_404(Agent, agent_id=agentid)
        task = get_object_or_404(AutomatedTask, pk=pk)
@@ -367,42 +266,18 @@ class TaskRunner(APIView):
        serializer.is_valid(raise_exception=True)
        new_task = serializer.save(last_run=djangotime.now())

+        AgentHistory.objects.create(
+            agent=agent,
+            type="task_run",
+            script=task.script,
+            script_results=request.data,
+        )
+
        # check if task is a collector and update the custom field
        if task.custom_field:
            if not task.stderr:

-                if AgentCustomField.objects.filter(
-                    field=task.custom_field, agent=task.agent
-                ).exists():
-                    agent_field = AgentCustomField.objects.get(
-                        field=task.custom_field, agent=task.agent
-                    )
-                else:
-                    agent_field = AgentCustomField.objects.create(
-                        field=task.custom_field, agent=task.agent
-                    )
-
-                # get last line of stdout
-                value = (
-                    new_task.stdout
-                    if task.collector_all_output
-                    else new_task.stdout.split("\n")[-1].strip()
-                )
-
-                if task.custom_field.type in [
-                    "text",
-                    "number",
-                    "single",
-                    "datetime",
-                ]:
-                    agent_field.string_value = value
-                    agent_field.save()
-                elif task.custom_field.type == "multiple":
-                    agent_field.multiple_value = value.split(",")
-                    agent_field.save()
-                elif task.custom_field.type == "checkbox":
-                    agent_field.bool_value = bool(value)
-                    agent_field.save()
+                task.save_collector_results()

                status = "passing"
            else:
@@ -419,15 +294,6 @@ class TaskRunner(APIView):
        else:
            Alert.handle_alert_failure(new_task)

-        AuditLog.objects.create(
-            username=agent.hostname,
-            agent=agent.hostname,
-            object_type="agent",
-            action="task_run",
-            message=f"Scheduled Task {task.name} was run on {agent.hostname}",
-            after_value=AutomatedTask.serialize(new_task),
-        )
-
        return Response("ok")


@@ -450,25 +316,33 @@ class MeshExe(APIView):
    """Sends the mesh exe to the installer"""

    def post(self, request):
-        exe = "meshagent.exe" if request.data["arch"] == "64" else "meshagent-x86.exe"
-        mesh_exe = os.path.join(settings.EXE_DIR, exe)
+        match request.data:
+            case {"arch": "64", "plat": "windows"}:
+                arch = MeshAgentIdent.WIN64
+            case {"arch": "32", "plat": "windows"}:
+                arch = MeshAgentIdent.WIN32
+            case _:
+                return notify_error("Arch not specified")

-        if not os.path.exists(mesh_exe):
-            return notify_error("Mesh Agent executable not found")
+        core: CoreSettings = CoreSettings.objects.first()  # type: ignore

-        if settings.DEBUG:
-            with open(mesh_exe, "rb") as f:
-                response = HttpResponse(
-                    f.read(),
-                    content_type="application/vnd.microsoft.portable-executable",
-                )
-                response["Content-Disposition"] = f"inline; filename={exe}"
-                return response
+        try:
+            uri = get_mesh_ws_url()
+            mesh_id = asyncio.run(get_mesh_device_id(uri, core.mesh_device_group))
+        except:
+            return notify_error("Unable to connect to mesh to get group id information")
+
+        if settings.DOCKER_BUILD:
+            dl_url = f"{settings.MESH_WS_URL.replace('ws://', 'http://')}/meshagents?id={arch}&meshid={mesh_id}&installflags=0"
        else:
-            response = HttpResponse()
-            response["Content-Disposition"] = f"attachment; filename={exe}"
-            response["X-Accel-Redirect"] = f"/private/exe/{exe}"
-            return response
+            dl_url = (
+                f"{core.mesh_site}/meshagents?id={arch}&meshid={mesh_id}&installflags=0"
+            )
+
+        try:
+            return download_mesh_agent(dl_url)
+        except:
+            return notify_error("Unable to download mesh agent exe")


 class NewAgent(APIView):
@@ -489,11 +363,11 @@ class NewAgent(APIView):
            monitoring_type=request.data["monitoring_type"],
            description=request.data["description"],
            mesh_node_id=request.data["mesh_node_id"],
+            goarch=request.data["goarch"],
+            plat=request.data["plat"],
            last_seen=djangotime.now(),
        )
        agent.save()
-        agent.salt_id = f"{agent.hostname}-{agent.pk}"
-        agent.save(update_fields=["salt_id"])

        user = User.objects.create_user(  # type: ignore
            username=request.data["agent_id"],
@@ -518,15 +392,11 @@ class NewAgent(APIView):
            action="agent_install",
            message=f"{request.user} installed new agent {agent.hostname}",
            after_value=Agent.serialize(agent),
+            debug_info={"ip": request._client_ip},
        )

-        return Response(
-            {
-                "pk": agent.pk,
-                "saltid": f"{agent.hostname}-{agent.pk}",
-                "token": token.key,
-            }
-        )
+        ret = {"pk": agent.pk, "token": token.key}
+        return Response(ret)


 class Software(APIView):
@@ -535,11 +405,7 @@ class Software(APIView):

    def post(self, request):
        agent = get_object_or_404(Agent, agent_id=request.data["agent_id"])
-        raw: SoftwareList = request.data["software"]
-        if not isinstance(raw, list):
-            return notify_error("err")
-
-        sw = filter_software(raw)
+        sw = request.data["software"]
        if not InstalledSoftware.objects.filter(agent=agent).exists():
            InstalledSoftware(agent=agent, software=sw).save()
        else:
@@ -600,25 +466,14 @@ class ChocoResult(APIView):
        return Response("ok")


-class AgentRecovery(APIView):
+class AgentHistoryResult(APIView):
    authentication_classes = [TokenAuthentication]
    permission_classes = [IsAuthenticated]

-    def get(self, request, agentid):
-        agent = get_object_or_404(Agent, agent_id=agentid)
-        recovery = agent.recoveryactions.filter(last_run=None).last()  # type: ignore
-        ret = {"mode": "pass", "shellcmd": ""}
-        if recovery is None:
-            return Response(ret)
-
-        recovery.last_run = djangotime.now()
-        recovery.save(update_fields=["last_run"])
-
-        ret["mode"] = recovery.mode
-
-        if recovery.mode == "command":
-            ret["shellcmd"] = recovery.command
-        elif recovery.mode == "rpc":
-            reload_nats()
-
-        return Response(ret)
+    def patch(self, request, agentid, pk):
+        _ = get_object_or_404(Agent, agent_id=agentid)
+        hist = get_object_or_404(AgentHistory, pk=pk)
+        s = AgentHistorySerializer(instance=hist, data=request.data, partial=True)
+        s.is_valid(raise_exception=True)
+        s.save()
+        return Response("ok")
--- a/api/tacticalrmm/automation/migrations/0009_auto_20210917_1954.py
+++ b/api/tacticalrmm/automation/migrations/0009_auto_20210917_1954.py
@@ -0,0 +1,23 @@
+# Generated by Django 3.2.6 on 2021-09-17 19:54
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("automation", "0008_auto_20210302_0415"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="policy",
+            name="created_by",
+            field=models.CharField(blank=True, max_length=255, null=True),
+        ),
+        migrations.AlterField(
+            model_name="policy",
+            name="modified_by",
+            field=models.CharField(blank=True, max_length=255, null=True),
+        ),
+    ]
--- a/api/tacticalrmm/automation/models.py
+++ b/api/tacticalrmm/automation/models.py
@@ -1,7 +1,6 @@
-from django.db import models
-
 from agents.models import Agent
 from core.models import CoreSettings
+from django.db import models
 from logs.models import BaseAuditModel


@@ -33,7 +32,7 @@ class Policy(BaseAuditModel):

        # get old policy if exists
        old_policy = type(self).objects.get(pk=self.pk) if self.pk else None
-        super(BaseAuditModel, self).save(*args, **kwargs)
+        super(Policy, self).save(old_model=old_policy, *args, **kwargs)

        # generate agent checks only if active and enforced were changed
        if old_policy:
@@ -50,7 +49,7 @@ class Policy(BaseAuditModel):
        from automation.tasks import generate_agent_checks_task

        agents = list(self.related_agents().only("pk").values_list("pk", flat=True))
-        super(BaseAuditModel, self).delete(*args, **kwargs)
+        super(Policy, self).delete(*args, **kwargs)

        generate_agent_checks_task.delay(agents=agents, create_tasks=True)

@@ -126,95 +125,37 @@ class Policy(BaseAuditModel):
    @staticmethod
    def serialize(policy):
        # serializes the policy and returns json
-        from .serializers import PolicySerializer
+        from .serializers import PolicyAuditSerializer

-        return PolicySerializer(policy).data
+        return PolicyAuditSerializer(policy).data

    @staticmethod
    def cascade_policy_tasks(agent):

        # List of all tasks to be applied
        tasks = list()
-        added_task_pks = list()

        agent_tasks_parent_pks = [
            task.parent_task for task in agent.autotasks.filter(managed_by_policy=True)
        ]

        # Get policies applied to agent and agent site and client
-        client = agent.client
-        site = agent.site
+        policies = agent.get_agent_policies()

-        default_policy = None
-        client_policy = None
-        site_policy = None
-        agent_policy = agent.policy
+        processed_policies = list()

-        # Get the Client/Site policy based on if the agent is server or workstation
-        if agent.monitoring_type == "server":
-            default_policy = CoreSettings.objects.first().server_policy
-            client_policy = client.server_policy
-            site_policy = site.server_policy
-        elif agent.monitoring_type == "workstation":
-            default_policy = CoreSettings.objects.first().workstation_policy
-            client_policy = client.workstation_policy
-            site_policy = site.workstation_policy
-
-        # check if client/site/agent is blocking inheritance and blank out policies
-        if agent.block_policy_inheritance:
-            site_policy = None
-            client_policy = None
-            default_policy = None
-        elif site.block_policy_inheritance:
-            client_policy = None
-            default_policy = None
-        elif client.block_policy_inheritance:
-            default_policy = None
-
-        if (
-            agent_policy
-            and agent_policy.active
-            and not agent_policy.is_agent_excluded(agent)
-        ):
-            for task in agent_policy.autotasks.all():
-                if task.pk not in added_task_pks:
+        for _, policy in policies.items():
+            if policy and policy.active and policy.pk not in processed_policies:
+                processed_policies.append(policy.pk)
+                for task in policy.autotasks.all():
                    tasks.append(task)
-                    added_task_pks.append(task.pk)
-        if (
-            site_policy
-            and site_policy.active
-            and not site_policy.is_agent_excluded(agent)
-        ):
-            for task in site_policy.autotasks.all():
-                if task.pk not in added_task_pks:
-                    tasks.append(task)
-                    added_task_pks.append(task.pk)
-        if (
-            client_policy
-            and client_policy.active
-            and not client_policy.is_agent_excluded(agent)
-        ):
-            for task in client_policy.autotasks.all():
-                if task.pk not in added_task_pks:
-                    tasks.append(task)
-                    added_task_pks.append(task.pk)
-
-        if (
-            default_policy
-            and default_policy.active
-            and not default_policy.is_agent_excluded(agent)
-        ):
-            for task in default_policy.autotasks.all():
-                if task.pk not in added_task_pks:
-                    tasks.append(task)
-                    added_task_pks.append(task.pk)

        # remove policy tasks from agent not included in policy
        for task in agent.autotasks.filter(
            parent_task__in=[
                taskpk
                for taskpk in agent_tasks_parent_pks
-                if taskpk not in added_task_pks
+                if taskpk not in [task.pk for task in tasks]
            ]
        ):
            if task.sync_status == "initial":
@@ -225,7 +166,7 @@ class Policy(BaseAuditModel):

        # change tasks from pendingdeletion to notsynced if policy was added or changed
        agent.autotasks.filter(sync_status="pendingdeletion").filter(
-            parent_task__in=[taskpk for taskpk in added_task_pks]
+            parent_task__in=[taskpk for taskpk in [task.pk for task in tasks]]
        ).update(sync_status="notsynced")

        return [task for task in tasks if task.pk not in agent_tasks_parent_pks]
@@ -241,86 +182,24 @@ class Policy(BaseAuditModel):
        ]

        # Get policies applied to agent and agent site and client
-        client = agent.client
-        site = agent.site
-
-        default_policy = None
-        client_policy = None
-        site_policy = None
-        agent_policy = agent.policy
-
-        if agent.monitoring_type == "server":
-            default_policy = CoreSettings.objects.first().server_policy
-            client_policy = client.server_policy
-            site_policy = site.server_policy
-        elif agent.monitoring_type == "workstation":
-            default_policy = CoreSettings.objects.first().workstation_policy
-            client_policy = client.workstation_policy
-            site_policy = site.workstation_policy
-
-        # check if client/site/agent is blocking inheritance and blank out policies
-        if agent.block_policy_inheritance:
-            site_policy = None
-            client_policy = None
-            default_policy = None
-        elif site.block_policy_inheritance:
-            client_policy = None
-            default_policy = None
-        elif client.block_policy_inheritance:
-            default_policy = None
+        policies = agent.get_agent_policies()

        # Used to hold the policies that will be applied and the order in which they are applied
        # Enforced policies are applied first
        enforced_checks = list()
        policy_checks = list()

-        if (
-            agent_policy
-            and agent_policy.active
-            and not agent_policy.is_agent_excluded(agent)
-        ):
-            if agent_policy.enforced:
-                for check in agent_policy.policychecks.all():
-                    enforced_checks.append(check)
-            else:
-                for check in agent_policy.policychecks.all():
-                    policy_checks.append(check)
+        processed_policies = list()

-        if (
-            site_policy
-            and site_policy.active
-            and not site_policy.is_agent_excluded(agent)
-        ):
-            if site_policy.enforced:
-                for check in site_policy.policychecks.all():
-                    enforced_checks.append(check)
-            else:
-                for check in site_policy.policychecks.all():
-                    policy_checks.append(check)
-
-        if (
-            client_policy
-            and client_policy.active
-            and not client_policy.is_agent_excluded(agent)
-        ):
-            if client_policy.enforced:
-                for check in client_policy.policychecks.all():
-                    enforced_checks.append(check)
-            else:
-                for check in client_policy.policychecks.all():
-                    policy_checks.append(check)
-
-        if (
-            default_policy
-            and default_policy.active
-            and not default_policy.is_agent_excluded(agent)
-        ):
-            if default_policy.enforced:
-                for check in default_policy.policychecks.all():
-                    enforced_checks.append(check)
-            else:
-                for check in default_policy.policychecks.all():
-                    policy_checks.append(check)
+        for _, policy in policies.items():
+            if policy and policy.active and policy.pk not in processed_policies:
+                processed_policies.append(policy.pk)
+                if policy.enforced:
+                    for check in policy.policychecks.all():
+                        enforced_checks.append(check)
+                else:
+                    for check in policy.policychecks.all():
+                        policy_checks.append(check)

        # Sorted Checks already added
        added_diskspace_checks = list()
@@ -342,7 +221,7 @@ class Policy(BaseAuditModel):

        # Loop over checks in with enforced policies first, then non-enforced policies
        for check in enforced_checks + agent_checks + policy_checks:
-            if check.check_type == "diskspace":
+            if check.check_type == "diskspace" and agent.plat == "windows":
                # Check if drive letter was already added
                if check.disk not in added_diskspace_checks:
                    added_diskspace_checks.append(check.disk)
@@ -364,7 +243,7 @@ class Policy(BaseAuditModel):
                    check.overriden_by_policy = True
                    check.save()

-            if check.check_type == "cpuload":
+            if check.check_type == "cpuload" and agent.plat == "windows":
                # Check if cpuload list is empty
                if not added_cpuload_checks:
                    added_cpuload_checks.append(check)
@@ -375,7 +254,7 @@ class Policy(BaseAuditModel):
                    check.overriden_by_policy = True
                    check.save()

-            if check.check_type == "memory":
+            if check.check_type == "memory" and agent.plat == "windows":
                # Check if memory check list is empty
                if not added_memory_checks:
                    added_memory_checks.append(check)
@@ -386,7 +265,7 @@ class Policy(BaseAuditModel):
                    check.overriden_by_policy = True
                    check.save()

-            if check.check_type == "winsvc":
+            if check.check_type == "winsvc" and agent.plat == "windows":
                # Check if service name was already added
                if check.svc_name not in added_winsvc_checks:
                    added_winsvc_checks.append(check.svc_name)
@@ -397,7 +276,9 @@ class Policy(BaseAuditModel):
                    check.overriden_by_policy = True
                    check.save()

-            if check.check_type == "script":
+            if check.check_type == "script" and agent.is_supported_script(
+                check.script.supported_platforms
+            ):
                # Check if script id was already added
                if check.script.id not in added_script_checks:
                    added_script_checks.append(check.script.id)
@@ -408,7 +289,7 @@ class Policy(BaseAuditModel):
                    check.overriden_by_policy = True
                    check.save()

-            if check.check_type == "eventlog":
+            if check.check_type == "eventlog" and agent.plat == "windows":
                # Check if events were already added
                if [check.log_name, check.event_id] not in added_eventlog_checks:
                    added_eventlog_checks.append([check.log_name, check.event_id])
--- a/api/tacticalrmm/automation/permissions.py
+++ b/api/tacticalrmm/automation/permissions.py
@@ -6,6 +6,6 @@ from tacticalrmm.permissions import _has_perm
 class AutomationPolicyPerms(permissions.BasePermission):
    def has_permission(self, r, view):
        if r.method == "GET":
-            return True
-
-        return _has_perm(r, "can_manage_automation_policies")
+            return _has_perm(r, "can_list_automation_policies")
+        else:
+            return _has_perm(r, "can_manage_automation_policies")
--- a/api/tacticalrmm/automation/serializers.py
+++ b/api/tacticalrmm/automation/serializers.py
@@ -1,14 +1,13 @@
+from agents.serializers import AgentHostnameSerializer
+from autotasks.models import AutomatedTask
+from checks.models import Check
+from clients.models import Client
+from clients.serializers import ClientMinimumSerializer, SiteMinimumSerializer
 from rest_framework.serializers import (
    ModelSerializer,
    ReadOnlyField,
    SerializerMethodField,
 )
-
-from agents.serializers import AgentHostnameSerializer
-from autotasks.models import AutomatedTask
-from checks.models import Check
-from clients.models import Client
-from clients.serializers import ClientSerializer, SiteSerializer
 from winupdate.serializers import WinUpdatePolicySerializer

 from .models import Policy
@@ -21,25 +20,70 @@ class PolicySerializer(ModelSerializer):


 class PolicyTableSerializer(ModelSerializer):
-
    default_server_policy = ReadOnlyField(source="is_default_server_policy")
    default_workstation_policy = ReadOnlyField(source="is_default_workstation_policy")
    agents_count = SerializerMethodField(read_only=True)
    winupdatepolicy = WinUpdatePolicySerializer(many=True, read_only=True)
    alert_template = ReadOnlyField(source="alert_template.id")
-    excluded_clients = ClientSerializer(many=True)
-    excluded_sites = SiteSerializer(many=True)
-    excluded_agents = AgentHostnameSerializer(many=True)

    class Meta:
        model = Policy
        fields = "__all__"
-        depth = 1

    def get_agents_count(self, policy):
        return policy.related_agents().count()


+class PolicyRelatedSerializer(ModelSerializer):
+    workstation_clients = SerializerMethodField()
+    server_clients = SerializerMethodField()
+    workstation_sites = SerializerMethodField()
+    server_sites = SerializerMethodField()
+    agents = SerializerMethodField()
+
+    def get_agents(self, policy):
+        return AgentHostnameSerializer(
+            policy.agents.filter_by_role(self.context["user"]).only(
+                "agent_id", "hostname"
+            ),
+            many=True,
+        ).data
+
+    def get_workstation_clients(self, policy):
+        return ClientMinimumSerializer(
+            policy.workstation_clients.filter_by_role(self.context["user"]), many=True
+        ).data
+
+    def get_server_clients(self, policy):
+        return ClientMinimumSerializer(
+            policy.server_clients.filter_by_role(self.context["user"]), many=True
+        ).data
+
+    def get_workstation_sites(self, policy):
+        return SiteMinimumSerializer(
+            policy.workstation_sites.filter_by_role(self.context["user"]), many=True
+        ).data
+
+    def get_server_sites(self, policy):
+        return SiteMinimumSerializer(
+            policy.server_sites.filter_by_role(self.context["user"]), many=True
+        ).data
+
+    class Meta:
+        model = Policy
+        fields = (
+            "pk",
+            "name",
+            "workstation_clients",
+            "workstation_sites",
+            "server_clients",
+            "server_sites",
+            "agents",
+            "is_default_server_policy",
+            "is_default_workstation_policy",
+        )
+
+
 class PolicyOverviewSerializer(ModelSerializer):
    class Meta:
        model = Client
@@ -48,7 +92,6 @@ class PolicyOverviewSerializer(ModelSerializer):


 class PolicyCheckStatusSerializer(ModelSerializer):
-
    hostname = ReadOnlyField(source="agent.hostname")

    class Meta:
@@ -57,7 +100,6 @@ class PolicyCheckStatusSerializer(ModelSerializer):


 class PolicyTaskStatusSerializer(ModelSerializer):
-
    hostname = ReadOnlyField(source="agent.hostname")

    class Meta:
@@ -65,27 +107,7 @@ class PolicyTaskStatusSerializer(ModelSerializer):
        fields = "__all__"


-class PolicyCheckSerializer(ModelSerializer):
+class PolicyAuditSerializer(ModelSerializer):
    class Meta:
-        model = Check
-        fields = (
-            "id",
-            "check_type",
-            "readable_desc",
-            "assignedtask",
-            "text_alert",
-            "email_alert",
-            "dashboard_alert",
-        )
-        depth = 1
-
-
-class AutoTasksFieldSerializer(ModelSerializer):
-    assigned_check = PolicyCheckSerializer(read_only=True)
-    script = ReadOnlyField(source="script.id")
-    custom_field = ReadOnlyField(source="custom_field.id")
-
-    class Meta:
-        model = AutomatedTask
+        model = Policy
        fields = "__all__"
-        depth = 1
--- a/api/tacticalrmm/automation/tasks.py
+++ b/api/tacticalrmm/automation/tasks.py
@@ -54,6 +54,8 @@ def generate_agent_checks_task(
        if create_tasks:
            agent.generate_tasks_from_policies()

+        agent.set_alert_template()
+
    return "ok"


--- a/api/tacticalrmm/automation/tests.py
+++ b/api/tacticalrmm/automation/tests.py
@@ -4,16 +4,14 @@ from unittest.mock import patch
 from agents.models import Agent
 from core.models import CoreSettings
 from model_bakery import baker, seq
-from tacticalrmm.test import TacticalTestCase
 from winupdate.models import WinUpdatePolicy

+from tacticalrmm.test import TacticalTestCase
+
 from .serializers import (
-    AutoTasksFieldSerializer,
-    PolicyCheckSerializer,
    PolicyCheckStatusSerializer,
    PolicyOverviewSerializer,
    PolicySerializer,
-    PolicyTableSerializer,
    PolicyTaskStatusSerializer,
 )

@@ -26,12 +24,10 @@ class TestPolicyViews(TacticalTestCase):
    def test_get_all_policies(self):
        url = "/automation/policies/"

-        policies = baker.make("automation.Policy", _quantity=3)
+        baker.make("automation.Policy", _quantity=3)
        resp = self.client.get(url, format="json")
-        serializer = PolicyTableSerializer(policies, many=True)
-
        self.assertEqual(resp.status_code, 200)
-        self.assertEqual(resp.data, serializer.data)  # type: ignore
+        self.assertEqual(len(resp.data), 3)

        self.check_not_authenticated("get", url)

@@ -74,7 +70,7 @@ class TestPolicyViews(TacticalTestCase):
        # create policy with tasks and checks
        policy = baker.make("automation.Policy")
        checks = self.create_checks(policy=policy)
-        tasks = baker.make("autotasks.AutomatedTask", policy=policy, _quantity=3)
+        tasks = baker.make_recipe("autotasks.task", policy=policy, _quantity=3)

        # assign a task to a check
        tasks[0].assigned_check = checks[0]  # type: ignore
@@ -181,38 +177,6 @@ class TestPolicyViews(TacticalTestCase):

        self.check_not_authenticated("delete", url)

-    def test_get_all_policy_tasks(self):
-        # create policy with tasks
-        policy = baker.make("automation.Policy")
-        tasks = baker.make("autotasks.AutomatedTask", policy=policy, _quantity=3)
-        url = f"/automation/{policy.pk}/policyautomatedtasks/"  # type: ignore
-
-        resp = self.client.get(url, format="json")
-        serializer = AutoTasksFieldSerializer(tasks, many=True)
-
-        self.assertEqual(resp.status_code, 200)
-        self.assertEqual(resp.data, serializer.data)  # type: ignore
-        self.assertEqual(len(resp.data), 3)  # type: ignore
-
-        self.check_not_authenticated("get", url)
-
-    def test_get_all_policy_checks(self):
-
-        # setup data
-        policy = baker.make("automation.Policy")
-        checks = self.create_checks(policy=policy)
-
-        url = f"/automation/{policy.pk}/policychecks/"  # type: ignore
-
-        resp = self.client.get(url, format="json")
-        serializer = PolicyCheckSerializer(checks, many=True)
-
-        self.assertEqual(resp.status_code, 200)
-        self.assertEqual(resp.data, serializer.data)  # type: ignore
-        self.assertEqual(len(resp.data), 7)  # type: ignore
-
-        self.check_not_authenticated("get", url)
-
    def test_get_policy_check_status(self):
        # setup data
        site = baker.make("clients.Site")
@@ -225,14 +189,14 @@ class TestPolicyViews(TacticalTestCase):
            managed_by_policy=True,
            parent_check=policy_diskcheck.pk,
        )
-        url = f"/automation/policycheckstatus/{policy_diskcheck.pk}/check/"
+        url = f"/automation/checks/{policy_diskcheck.pk}/status/"

-        resp = self.client.patch(url, format="json")
+        resp = self.client.get(url, format="json")
        serializer = PolicyCheckStatusSerializer([managed_check], many=True)

        self.assertEqual(resp.status_code, 200)
        self.assertEqual(resp.data, serializer.data)  # type: ignore
-        self.check_not_authenticated("patch", url)
+        self.check_not_authenticated("get", url)

    def test_policy_overview(self):
        from clients.models import Client
@@ -285,44 +249,44 @@ class TestPolicyViews(TacticalTestCase):

        # policy with a task
        policy = baker.make("automation.Policy")
-        task = baker.make("autotasks.AutomatedTask", policy=policy)
+        task = baker.make_recipe("autotasks.task", policy=policy)

        # create policy managed tasks
-        policy_tasks = baker.make(
-            "autotasks.AutomatedTask", parent_task=task.id, _quantity=5  # type: ignore
+        policy_tasks = baker.make_recipe(
+            "autotasks.task", parent_task=task.id, _quantity=5  # type: ignore
        )

-        url = f"/automation/policyautomatedtaskstatus/{task.id}/task/"  # type: ignore
+        url = f"/automation/tasks/{task.id}/status/"  # type: ignore

        serializer = PolicyTaskStatusSerializer(policy_tasks, many=True)
-        resp = self.client.patch(url, format="json")
+        resp = self.client.get(url, format="json")
        self.assertEqual(resp.status_code, 200)
        self.assertEqual(resp.data, serializer.data)  # type: ignore
        self.assertEqual(len(resp.data), 5)  # type: ignore

-        self.check_not_authenticated("patch", url)
+        self.check_not_authenticated("get", url)

    @patch("automation.tasks.run_win_policy_autotasks_task.delay")
    def test_run_win_task(self, mock_task):

        # create managed policy tasks
-        tasks = baker.make(
-            "autotasks.AutomatedTask",
+        tasks = baker.make_recipe(
+            "autotasks.task",
            managed_by_policy=True,
            parent_task=1,
            _quantity=6,
        )

-        url = "/automation/runwintask/1/"
-        resp = self.client.put(url, format="json")
+        url = "/automation/tasks/1/run/"
+        resp = self.client.post(url, format="json")
        self.assertEqual(resp.status_code, 200)

        mock_task.assert_called()  # type: ignore

-        self.check_not_authenticated("put", url)
+        self.check_not_authenticated("post", url)

    def test_create_new_patch_policy(self):
-        url = "/automation/winupdatepolicy/"
+        url = "/automation/patchpolicy/"

        # test policy doesn't exist
        data = {"policy": 500}
@@ -353,15 +317,14 @@ class TestPolicyViews(TacticalTestCase):
    def test_update_patch_policy(self):

        # test policy doesn't exist
-        resp = self.client.put("/automation/winupdatepolicy/500/", format="json")
+        resp = self.client.put("/automation/patchpolicy/500/", format="json")
        self.assertEqual(resp.status_code, 404)

        policy = baker.make("automation.Policy")
        patch_policy = baker.make("winupdate.WinUpdatePolicy", policy=policy)
-        url = f"/automation/winupdatepolicy/{patch_policy.pk}/"  # type: ignore
+        url = f"/automation/patchpolicy/{patch_policy.pk}/"  # type: ignore

        data = {
-            "id": patch_policy.pk,  # type: ignore
            "policy": policy.pk,  # type: ignore
            "critical": "approve",
            "important": "approve",
@@ -377,7 +340,7 @@ class TestPolicyViews(TacticalTestCase):
        self.check_not_authenticated("put", url)

    def test_reset_patch_policy(self):
-        url = "/automation/winupdatepolicy/reset/"
+        url = "/automation/patchpolicy/reset/"

        inherit_fields = {
            "critical": "inherit",
@@ -406,7 +369,7 @@ class TestPolicyViews(TacticalTestCase):
        # test reset agents in site
        data = {"site": sites[0].id}  # type: ignore

-        resp = self.client.patch(url, data, format="json")
+        resp = self.client.post(url, data, format="json")
        self.assertEqual(resp.status_code, 200)

        agents = Agent.objects.filter(site=sites[0])  # type: ignore
@@ -418,7 +381,7 @@ class TestPolicyViews(TacticalTestCase):
        # test reset agents in client
        data = {"client": clients[1].id}  # type: ignore

-        resp = self.client.patch(url, data, format="json")
+        resp = self.client.post(url, data, format="json")
        self.assertEqual(resp.status_code, 200)

        agents = Agent.objects.filter(site__client=clients[1])  # type: ignore
@@ -430,7 +393,7 @@ class TestPolicyViews(TacticalTestCase):
        # test reset all agents
        data = {}

-        resp = self.client.patch(url, data, format="json")
+        resp = self.client.post(url, data, format="json")
        self.assertEqual(resp.status_code, 200)

        agents = Agent.objects.all()
@@ -438,17 +401,17 @@ class TestPolicyViews(TacticalTestCase):
            for k, v in inherit_fields.items():
                self.assertEqual(getattr(agent.winupdatepolicy.get(), k), v)

-        self.check_not_authenticated("patch", url)
+        self.check_not_authenticated("post", url)

    def test_delete_patch_policy(self):
        # test patch policy doesn't exist
-        resp = self.client.delete("/automation/winupdatepolicy/500/", format="json")
+        resp = self.client.delete("/automation/patchpolicy/500/", format="json")
        self.assertEqual(resp.status_code, 404)

        winupdate_policy = baker.make_recipe(
            "winupdate.winupdate_policy", policy__name="Test Policy"
        )
-        url = f"/automation/winupdatepolicy/{winupdate_policy.pk}/"
+        url = f"/automation/patchpolicy/{winupdate_policy.pk}/"

        resp = self.client.delete(url, format="json")
        self.assertEqual(resp.status_code, 200)
@@ -503,7 +466,7 @@ class TestPolicyTasks(TacticalTestCase):

        # Add Client to Policy
        policy.server_clients.add(server_agents[13].client)  # type: ignore
-        policy.workstation_clients.add(workstation_agents[15].client)  # type: ignore
+        policy.workstation_clients.add(workstation_agents[13].client)  # type: ignore

        resp = self.client.get(
            f"/automation/policies/{policy.pk}/related/", format="json"  # type: ignore
@@ -511,22 +474,28 @@ class TestPolicyTasks(TacticalTestCase):

        self.assertEqual(resp.status_code, 200)
        self.assertEquals(len(resp.data["server_clients"]), 1)  # type: ignore
-        self.assertEquals(len(resp.data["server_sites"]), 5)  # type: ignore
+        self.assertEquals(len(resp.data["server_sites"]), 0)  # type: ignore
        self.assertEquals(len(resp.data["workstation_clients"]), 1)  # type: ignore
-        self.assertEquals(len(resp.data["workstation_sites"]), 5)  # type: ignore
-        self.assertEquals(len(resp.data["agents"]), 10)  # type: ignore
+        self.assertEquals(len(resp.data["workstation_sites"]), 0)  # type: ignore
+        self.assertEquals(len(resp.data["agents"]), 0)  # type: ignore

-        # Add Site to Policy and the agents and sites length shouldn't change
-        policy.server_sites.add(server_agents[13].site)  # type: ignore
-        policy.workstation_sites.add(workstation_agents[15].site)  # type: ignore
-        self.assertEquals(len(resp.data["server_sites"]), 5)  # type: ignore
-        self.assertEquals(len(resp.data["workstation_sites"]), 5)  # type: ignore
-        self.assertEquals(len(resp.data["agents"]), 10)  # type: ignore
+        # Add Site to Policy
+        policy.server_sites.add(server_agents[10].site)  # type: ignore
+        policy.workstation_sites.add(workstation_agents[10].site)  # type: ignore
+        resp = self.client.get(
+            f"/automation/policies/{policy.pk}/related/", format="json"  # type: ignore
+        )
+        self.assertEquals(len(resp.data["server_sites"]), 1)  # type: ignore
+        self.assertEquals(len(resp.data["workstation_sites"]), 1)  # type: ignore
+        self.assertEquals(len(resp.data["agents"]), 0)  # type: ignore

-        # Add Agent to Policy and the agents length shouldn't change
-        policy.agents.add(server_agents[13])  # type: ignore
-        policy.agents.add(workstation_agents[15])  # type: ignore
-        self.assertEquals(len(resp.data["agents"]), 10)  # type: ignore
+        # Add Agent to Policy
+        policy.agents.add(server_agents[2])  # type: ignore
+        policy.agents.add(workstation_agents[2])  # type: ignore
+        resp = self.client.get(
+            f"/automation/policies/{policy.pk}/related/", format="json"  # type: ignore
+        )
+        self.assertEquals(len(resp.data["agents"]), 2)  # type: ignore

    def test_generating_agent_policy_checks(self):
        from .tasks import generate_agent_checks_task
@@ -609,8 +578,8 @@ class TestPolicyTasks(TacticalTestCase):
        policy = baker.make("automation.Policy", active=True)
        self.create_checks(policy=policy)

-        baker.make(
-            "autotasks.AutomatedTask", policy=policy, name=seq("Task"), _quantity=3
+        baker.make_recipe(
+            "autotasks.task", policy=policy, name=seq("Task"), _quantity=3
        )

        server_agent = baker.make_recipe("agents.server_agent")
@@ -891,8 +860,8 @@ class TestPolicyTasks(TacticalTestCase):

        # create test data
        policy = baker.make("automation.Policy", active=True)
-        tasks = baker.make(
-            "autotasks.AutomatedTask", policy=policy, name=seq("Task"), _quantity=3
+        tasks = baker.make_recipe(
+            "autotasks.task", policy=policy, name=seq("Task"), _quantity=3
        )
        agent = baker.make_recipe("agents.server_agent", policy=policy)

@@ -918,11 +887,13 @@ class TestPolicyTasks(TacticalTestCase):
    @patch("autotasks.models.AutomatedTask.create_task_on_agent")
    @patch("autotasks.models.AutomatedTask.delete_task_on_agent")
    def test_delete_policy_tasks(self, delete_task_on_agent, create_task):
-        from .tasks import delete_policy_autotasks_task
+        from .tasks import delete_policy_autotasks_task, generate_agent_checks_task

        policy = baker.make("automation.Policy", active=True)
-        tasks = baker.make("autotasks.AutomatedTask", policy=policy, _quantity=3)
-        baker.make_recipe("agents.server_agent", policy=policy)
+        tasks = baker.make_recipe("autotasks.task", policy=policy, _quantity=3)
+        agent = baker.make_recipe("agents.server_agent", policy=policy)
+
+        generate_agent_checks_task(agents=[agent.pk], create_tasks=True)

        delete_policy_autotasks_task(task=tasks[0].id)  # type: ignore

@@ -931,11 +902,13 @@ class TestPolicyTasks(TacticalTestCase):
    @patch("autotasks.models.AutomatedTask.create_task_on_agent")
    @patch("autotasks.models.AutomatedTask.run_win_task")
    def test_run_policy_task(self, run_win_task, create_task):
-        from .tasks import run_win_policy_autotasks_task
+        from .tasks import generate_agent_checks_task, run_win_policy_autotasks_task

        policy = baker.make("automation.Policy", active=True)
-        tasks = baker.make("autotasks.AutomatedTask", policy=policy, _quantity=3)
-        baker.make_recipe("agents.server_agent", policy=policy)
+        tasks = baker.make_recipe("autotasks.task", policy=policy, _quantity=3)
+        agent = baker.make_recipe("agents.server_agent", policy=policy)
+
+        generate_agent_checks_task(agents=[agent.pk], create_tasks=True)

        run_win_policy_autotasks_task(task=tasks[0].id)  # type: ignore

@@ -944,18 +917,23 @@ class TestPolicyTasks(TacticalTestCase):
    @patch("autotasks.models.AutomatedTask.create_task_on_agent")
    @patch("autotasks.models.AutomatedTask.modify_task_on_agent")
    def test_update_policy_tasks(self, modify_task_on_agent, create_task):
-        from .tasks import update_policy_autotasks_fields_task
+        from .tasks import (
+            generate_agent_checks_task,
+            update_policy_autotasks_fields_task,
+        )

        # setup data
        policy = baker.make("automation.Policy", active=True)
-        tasks = baker.make(
-            "autotasks.AutomatedTask",
+        tasks = baker.make_recipe(
+            "autotasks.task",
            enabled=True,
            policy=policy,
            _quantity=3,
        )
        agent = baker.make_recipe("agents.server_agent", policy=policy)

+        generate_agent_checks_task(agents=[agent.pk], create_tasks=True)
+
        tasks[0].enabled = False  # type: ignore
        tasks[0].save()  # type: ignore

@@ -995,14 +973,18 @@ class TestPolicyTasks(TacticalTestCase):

    @patch("autotasks.models.AutomatedTask.create_task_on_agent")
    def test_policy_exclusions(self, create_task):
+        from .tasks import generate_agent_checks_task
+
        # setup data
        policy = baker.make("automation.Policy", active=True)
        baker.make_recipe("checks.memory_check", policy=policy)
-        task = baker.make("autotasks.AutomatedTask", policy=policy)
+        task = baker.make_recipe("autotasks.task", policy=policy)
        agent = baker.make_recipe(
            "agents.agent", policy=policy, monitoring_type="server"
        )

+        generate_agent_checks_task(agents=[agent.pk], create_tasks=True)
+
        # make sure related agents on policy returns correctly
        self.assertEqual(policy.related_agents().count(), 1)  # type: ignore
        self.assertEqual(agent.agentchecks.count(), 1)  # type: ignore
@@ -1091,7 +1073,7 @@ class TestPolicyTasks(TacticalTestCase):
        # setup data
        policy = baker.make("automation.Policy", active=True)
        baker.make_recipe("checks.memory_check", policy=policy)
-        baker.make("autotasks.AutomatedTask", policy=policy)
+        baker.make_recipe("autotasks.task", policy=policy)
        agent = baker.make_recipe("agents.agent", monitoring_type="server")

        core = CoreSettings.objects.first()
@@ -1164,3 +1146,9 @@ class TestPolicyTasks(TacticalTestCase):
        # should get policies from agent policy
        self.assertTrue(agent.autotasks.all())
        self.assertTrue(agent.agentchecks.all())
+
+
+class TestAutomationPermission(TacticalTestCase):
+    def setUp(self):
+        self.client_setup()
+        self.setup_coresettings()
--- a/api/tacticalrmm/automation/urls.py
+++ b/api/tacticalrmm/automation/urls.py
@@ -1,3 +1,5 @@
+from autotasks.views import GetAddAutoTasks
+from checks.views import GetAddChecks
 from django.urls import path

 from . import views
@@ -8,12 +10,14 @@ urlpatterns = [
    path("policies/overview/", views.OverviewPolicy.as_view()),
    path("policies/<int:pk>/", views.GetUpdateDeletePolicy.as_view()),
    path("sync/", views.PolicySync.as_view()),
-    path("<int:pk>/policychecks/", views.PolicyCheck.as_view()),
-    path("<int:pk>/policyautomatedtasks/", views.PolicyAutoTask.as_view()),
-    path("policycheckstatus/<int:check>/check/", views.PolicyCheck.as_view()),
-    path("policyautomatedtaskstatus/<int:task>/task/", views.PolicyAutoTask.as_view()),
-    path("runwintask/<int:task>/", views.PolicyAutoTask.as_view()),
-    path("winupdatepolicy/", views.UpdatePatchPolicy.as_view()),
-    path("winupdatepolicy/<int:patchpolicy>/", views.UpdatePatchPolicy.as_view()),
-    path("winupdatepolicy/reset/", views.UpdatePatchPolicy.as_view()),
+    # alias to get policy checks
+    path("policies/<int:policy>/checks/", GetAddChecks.as_view()),
+    # alias to get policy tasks
+    path("policies/<int:policy>/tasks/", GetAddAutoTasks.as_view()),
+    path("checks/<int:check>/status/", views.PolicyCheck.as_view()),
+    path("tasks/<int:task>/status/", views.PolicyAutoTask.as_view()),
+    path("tasks/<int:task>/run/", views.PolicyAutoTask.as_view()),
+    path("patchpolicy/", views.UpdatePatchPolicy.as_view()),
+    path("patchpolicy/<int:pk>/", views.UpdatePatchPolicy.as_view()),
+    path("patchpolicy/reset/", views.ResetPatchPolicy.as_view()),
 ]
--- a/api/tacticalrmm/automation/views.py
+++ b/api/tacticalrmm/automation/views.py
@@ -1,24 +1,24 @@
 from agents.models import Agent
-from agents.serializers import AgentHostnameSerializer
 from autotasks.models import AutomatedTask
 from checks.models import Check
 from clients.models import Client
-from clients.serializers import ClientSerializer, SiteSerializer
 from django.shortcuts import get_object_or_404
+from rest_framework.exceptions import PermissionDenied
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.response import Response
 from rest_framework.views import APIView
-from tacticalrmm.utils import notify_error
 from winupdate.models import WinUpdatePolicy
 from winupdate.serializers import WinUpdatePolicySerializer

+from tacticalrmm.permissions import _has_perm_on_client, _has_perm_on_site
+from tacticalrmm.utils import notify_error
+
 from .models import Policy
 from .permissions import AutomationPolicyPerms
 from .serializers import (
-    AutoTasksFieldSerializer,
-    PolicyCheckSerializer,
    PolicyCheckStatusSerializer,
    PolicyOverviewSerializer,
+    PolicyRelatedSerializer,
    PolicySerializer,
    PolicyTableSerializer,
    PolicyTaskStatusSerializer,
@@ -31,7 +31,11 @@ class GetAddPolicies(APIView):
    def get(self, request):
        policies = Policy.objects.all()

-        return Response(PolicyTableSerializer(policies, many=True).data)
+        return Response(
+            PolicyTableSerializer(
+                policies, context={"user": request.user}, many=True
+            ).data
+        )

    def post(self, request):
        serializer = PolicySerializer(data=request.data, partial=True)
@@ -102,19 +106,14 @@ class PolicySync(APIView):


 class PolicyAutoTask(APIView):
-    permission_classes = [IsAuthenticated, AutomationPolicyPerms]
-    # tasks associated with policy
-    def get(self, request, pk):
-        tasks = AutomatedTask.objects.filter(policy=pk)
-        return Response(AutoTasksFieldSerializer(tasks, many=True).data)

    # get status of all tasks
-    def patch(self, request, task):
+    def get(self, request, task):
        tasks = AutomatedTask.objects.filter(parent_task=task)
        return Response(PolicyTaskStatusSerializer(tasks, many=True).data)

    # bulk run win tasks associated with policy
-    def put(self, request, task):
+    def post(self, request, task):
        from .tasks import run_win_policy_autotasks_task

        run_win_policy_autotasks_task.delay(task=task)
@@ -124,11 +123,7 @@ class PolicyAutoTask(APIView):
 class PolicyCheck(APIView):
    permission_classes = [IsAuthenticated, AutomationPolicyPerms]

-    def get(self, request, pk):
-        checks = Check.objects.filter(policy__pk=pk, agent=None)
-        return Response(PolicyCheckSerializer(checks, many=True).data)
-
-    def patch(self, request, check):
+    def get(self, request, check):
        checks = Check.objects.filter(parent_check=check)
        return Response(PolicyCheckStatusSerializer(checks, many=True).data)

@@ -143,8 +138,6 @@ class OverviewPolicy(APIView):
 class GetRelated(APIView):
    def get(self, request, pk):

-        response = {}
-
        policy = (
            Policy.objects.filter(pk=pk)
            .prefetch_related(
@@ -156,43 +149,9 @@ class GetRelated(APIView):
            .first()
        )

-        response["default_server_policy"] = policy.is_default_server_policy
-        response["default_workstation_policy"] = policy.is_default_workstation_policy
-
-        response["server_clients"] = ClientSerializer(
-            policy.server_clients.all(), many=True
-        ).data
-        response["workstation_clients"] = ClientSerializer(
-            policy.workstation_clients.all(), many=True
-        ).data
-
-        filtered_server_sites = list()
-        filtered_workstation_sites = list()
-
-        for client in policy.server_clients.all():
-            for site in client.sites.all():
-                if site not in policy.server_sites.all():
-                    filtered_server_sites.append(site)
-
-        response["server_sites"] = SiteSerializer(
-            filtered_server_sites + list(policy.server_sites.all()), many=True
-        ).data
-
-        for client in policy.workstation_clients.all():
-            for site in client.sites.all():
-                if site not in policy.workstation_sites.all():
-                    filtered_workstation_sites.append(site)
-
-        response["workstation_sites"] = SiteSerializer(
-            filtered_workstation_sites + list(policy.workstation_sites.all()), many=True
-        ).data
-
-        response["agents"] = AgentHostnameSerializer(
-            policy.related_agents().only("pk", "hostname"),
-            many=True,
-        ).data
-
-        return Response(response)
+        return Response(
+            PolicyRelatedSerializer(policy, context={"user": request.user}).data
+        )


 class UpdatePatchPolicy(APIView):
@@ -209,8 +168,8 @@ class UpdatePatchPolicy(APIView):
        return Response("ok")

    # update patch policy
-    def put(self, request, patchpolicy):
-        policy = get_object_or_404(WinUpdatePolicy, pk=patchpolicy)
+    def put(self, request, pk):
+        policy = get_object_or_404(WinUpdatePolicy, pk=pk)

        serializer = WinUpdatePolicySerializer(
            instance=policy, data=request.data, partial=True
@@ -220,20 +179,41 @@ class UpdatePatchPolicy(APIView):

        return Response("ok")

-    # bulk reset agent patch policy
-    def patch(self, request):
+    # delete patch policy
+    def delete(self, request, pk):
+        get_object_or_404(WinUpdatePolicy, pk=pk).delete()
+
+        return Response("ok")
+
+
+class ResetPatchPolicy(APIView):
+    # bulk reset agent patch policy
+    def post(self, request):

-        agents = None
        if "client" in request.data:
-            agents = Agent.objects.prefetch_related("winupdatepolicy").filter(
-                site__client_id=request.data["client"]
+            if not _has_perm_on_client(request.user, request.data["client"]):
+                raise PermissionDenied()
+
+            agents = (
+                Agent.objects.filter_by_role(request.user)
+                .prefetch_related("winupdatepolicy")
+                .filter(site__client_id=request.data["client"])
            )
        elif "site" in request.data:
-            agents = Agent.objects.prefetch_related("winupdatepolicy").filter(
-                site_id=request.data["site"]
+            if not _has_perm_on_site(request.user, request.data["site"]):
+                raise PermissionDenied()
+
+            agents = (
+                Agent.objects.filter_by_role(request.user)
+                .prefetch_related("winupdatepolicy")
+                .filter(site_id=request.data["site"])
            )
        else:
-            agents = Agent.objects.prefetch_related("winupdatepolicy").only("pk")
+            agents = (
+                Agent.objects.filter_by_role(request.user)
+                .prefetch_related("winupdatepolicy")
+                .only("pk")
+            )

        for agent in agents:
            winupdatepolicy = agent.winupdatepolicy.get()
@@ -258,10 +238,4 @@ class UpdatePatchPolicy(APIView):
                ]
            )

-        return Response("ok")
-
-    # delete patch policy
-    def delete(self, request, patchpolicy):
-        get_object_or_404(WinUpdatePolicy, pk=patchpolicy).delete()
-
-        return Response("ok")
+        return Response("The patch policy on the affected agents has been reset.")
--- a/api/tacticalrmm/autotasks/baker_recipes.py
+++ b/api/tacticalrmm/autotasks/baker_recipes.py
@@ -0,0 +1,10 @@
+from itertools import cycle
+
+from model_bakery.recipe import Recipe, foreign_key, seq
+
+script = Recipe("scripts.script")
+
+task = Recipe(
+    "autotasks.AutomatedTask",
+    script=foreign_key(script),
+)
--- a/api/tacticalrmm/autotasks/management/commands/remove_orphaned_tasks.py
+++ b/api/tacticalrmm/autotasks/management/commands/remove_orphaned_tasks.py
@@ -1,7 +1,6 @@
-from django.core.management.base import BaseCommand
-
 from agents.models import Agent
 from autotasks.tasks import remove_orphaned_win_tasks
+from django.core.management.base import BaseCommand


 class Command(BaseCommand):
--- a/api/tacticalrmm/autotasks/migrations/0023_auto_20210917_1954.py
+++ b/api/tacticalrmm/autotasks/migrations/0023_auto_20210917_1954.py
@@ -0,0 +1,23 @@
+# Generated by Django 3.2.6 on 2021-09-17 19:54
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("autotasks", "0022_automatedtask_collector_all_output"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="automatedtask",
+            name="created_by",
+            field=models.CharField(blank=True, max_length=255, null=True),
+        ),
+        migrations.AlterField(
+            model_name="automatedtask",
+            name="modified_by",
+            field=models.CharField(blank=True, max_length=255, null=True),
+        ),
+    ]
--- a/api/tacticalrmm/autotasks/migrations/0024_auto_20211214_0040.py
+++ b/api/tacticalrmm/autotasks/migrations/0024_auto_20211214_0040.py
@@ -0,0 +1,87 @@
+# Generated by Django 3.2.9 on 2021-12-14 00:40
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('autotasks', '0023_auto_20210917_1954'),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name='automatedtask',
+            name='run_time_days',
+        ),
+        migrations.AddField(
+            model_name='automatedtask',
+            name='actions',
+            field=models.JSONField(default=dict),
+        ),
+        migrations.AddField(
+            model_name='automatedtask',
+            name='daily_interval',
+            field=models.PositiveSmallIntegerField(blank=True, null=True),
+        ),
+        migrations.AddField(
+            model_name='automatedtask',
+            name='expire_date',
+            field=models.DateTimeField(blank=True, null=True),
+        ),
+        migrations.AddField(
+            model_name='automatedtask',
+            name='monthly_days_of_month',
+            field=models.PositiveIntegerField(blank=True, null=True),
+        ),
+        migrations.AddField(
+            model_name='automatedtask',
+            name='monthly_months_of_year',
+            field=models.PositiveIntegerField(blank=True, null=True),
+        ),
+        migrations.AddField(
+            model_name='automatedtask',
+            name='monthly_weeks_of_month',
+            field=models.PositiveSmallIntegerField(blank=True, null=True),
+        ),
+        migrations.AddField(
+            model_name='automatedtask',
+            name='random_task_delay',
+            field=models.CharField(blank=True, max_length=10, null=True),
+        ),
+        migrations.AddField(
+            model_name='automatedtask',
+            name='stop_task_at_duration_end',
+            field=models.BooleanField(blank=True, default=False),
+        ),
+        migrations.AddField(
+            model_name='automatedtask',
+            name='task_instance_policy',
+            field=models.PositiveSmallIntegerField(blank=True, default=1),
+        ),
+        migrations.AddField(
+            model_name='automatedtask',
+            name='task_repetition_duration',
+            field=models.CharField(blank=True, max_length=10, null=True),
+        ),
+        migrations.AddField(
+            model_name='automatedtask',
+            name='task_repetition_interval',
+            field=models.CharField(blank=True, max_length=10, null=True),
+        ),
+        migrations.AddField(
+            model_name='automatedtask',
+            name='weekly_interval',
+            field=models.PositiveSmallIntegerField(blank=True, null=True),
+        ),
+        migrations.AlterField(
+            model_name='automatedtask',
+            name='task_type',
+            field=models.CharField(choices=[('daily', 'Daily'), ('weekly', 'Weekly'), ('monthly', 'Monthly'), ('monthlydow', 'Monthly Day of Week'), ('checkfailure', 'On Check Failure'), ('manual', 'Manual'), ('runonce', 'Run Once')], default='manual', max_length=100),
+        ),
+        migrations.AlterField(
+            model_name='automatedtask',
+            name='timeout',
+            field=models.PositiveIntegerField(blank=True, default=120),
+        ),
+    ]
--- a/api/tacticalrmm/autotasks/migrations/0025_automatedtask_continue_on_error.py
+++ b/api/tacticalrmm/autotasks/migrations/0025_automatedtask_continue_on_error.py
@@ -0,0 +1,18 @@
+# Generated by Django 3.2.10 on 2021-12-29 14:57
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('autotasks', '0024_auto_20211214_0040'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='automatedtask',
+            name='continue_on_error',
+            field=models.BooleanField(default=True),
+        ),
+    ]
--- a/api/tacticalrmm/autotasks/migrations/0026_alter_automatedtask_monthly_days_of_month.py
+++ b/api/tacticalrmm/autotasks/migrations/0026_alter_automatedtask_monthly_days_of_month.py
@@ -0,0 +1,18 @@
+# Generated by Django 3.2.10 on 2021-12-30 14:46
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('autotasks', '0025_automatedtask_continue_on_error'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='automatedtask',
+            name='monthly_days_of_month',
+            field=models.PositiveBigIntegerField(blank=True, null=True),
+        ),
+    ]
--- a/api/tacticalrmm/autotasks/migrations/0027_auto_20220107_0643.py
+++ b/api/tacticalrmm/autotasks/migrations/0027_auto_20220107_0643.py
@@ -0,0 +1,24 @@
+# Generated by Django 3.2.11 on 2022-01-07 06:43
+
+import django.core.validators
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('autotasks', '0026_alter_automatedtask_monthly_days_of_month'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='automatedtask',
+            name='daily_interval',
+            field=models.PositiveSmallIntegerField(blank=True, null=True, validators=[django.core.validators.MinValueValidator(1), django.core.validators.MaxValueValidator(255)]),
+        ),
+        migrations.AlterField(
+            model_name='automatedtask',
+            name='weekly_interval',
+            field=models.PositiveSmallIntegerField(blank=True, null=True, validators=[django.core.validators.MinValueValidator(1), django.core.validators.MaxValueValidator(52)]),
+        ),
+    ]
--- a/api/tacticalrmm/autotasks/migrations/0028_alter_automatedtask_actions.py
+++ b/api/tacticalrmm/autotasks/migrations/0028_alter_automatedtask_actions.py
@@ -0,0 +1,18 @@
+# Generated by Django 3.2.11 on 2022-01-09 21:27
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('autotasks', '0027_auto_20220107_0643'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='automatedtask',
+            name='actions',
+            field=models.JSONField(default=list),
+        ),
+    ]
--- a/api/tacticalrmm/autotasks/migrations/0029_alter_automatedtask_task_type.py
+++ b/api/tacticalrmm/autotasks/migrations/0029_alter_automatedtask_task_type.py
@@ -0,0 +1,18 @@
+# Generated by Django 3.2.10 on 2022-01-10 01:48
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('autotasks', '0028_alter_automatedtask_actions'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='automatedtask',
+            name='task_type',
+            field=models.CharField(choices=[('daily', 'Daily'), ('weekly', 'Weekly'), ('monthly', 'Monthly'), ('monthlydow', 'Monthly Day of Week'), ('checkfailure', 'On Check Failure'), ('manual', 'Manual'), ('runonce', 'Run Once'), ('scheduled', 'Scheduled')], default='manual', max_length=100),
+        ),
+    ]
--- a/api/tacticalrmm/autotasks/models.py
+++ b/api/tacticalrmm/autotasks/models.py
@@ -6,34 +6,34 @@ from typing import List

 import pytz
 from alerts.models import SEVERITY_CHOICES
-from django.conf import settings
 from django.contrib.postgres.fields import ArrayField
+from django.core.validators import MaxValueValidator, MinValueValidator
 from django.db import models
 from django.db.models.fields import DateTimeField
+from django.db.models.fields.json import JSONField
 from django.db.utils import DatabaseError
 from django.utils import timezone as djangotime
-from logs.models import BaseAuditModel
-from loguru import logger
+from logs.models import BaseAuditModel, DebugLog
 from packaging import version as pyver
-from tacticalrmm.utils import bitdays_to_string

-logger.configure(**settings.LOG_CONFIG)
-
-RUN_TIME_DAY_CHOICES = [
-    (0, "Monday"),
-    (1, "Tuesday"),
-    (2, "Wednesday"),
-    (3, "Thursday"),
-    (4, "Friday"),
-    (5, "Saturday"),
-    (6, "Sunday"),
-]
+from tacticalrmm.models import PermissionQuerySet
+from tacticalrmm.utils import (
+    bitdays_to_string,
+    bitmonthdays_to_string,
+    bitmonths_to_string,
+    bitweeks_to_string,
+    convert_to_iso_duration,
+)

 TASK_TYPE_CHOICES = [
-    ("scheduled", "Scheduled"),
+    ("daily", "Daily"),
+    ("weekly", "Weekly"),
+    ("monthly", "Monthly"),
+    ("monthlydow", "Monthly Day of Week"),
    ("checkfailure", "On Check Failure"),
    ("manual", "Manual"),
    ("runonce", "Run Once"),
+    ("scheduled", "Scheduled"),  # deprecated
 ]

 SYNC_STATUS_CHOICES = [
@@ -51,6 +51,8 @@ TASK_STATUS_CHOICES = [


 class AutomatedTask(BaseAuditModel):
+    objects = PermissionQuerySet.as_manager()
+
    agent = models.ForeignKey(
        "agents.Agent",
        related_name="autotasks",
@@ -72,6 +74,8 @@ class AutomatedTask(BaseAuditModel):
        blank=True,
        on_delete=models.SET_NULL,
    )
+
+    # deprecated
    script = models.ForeignKey(
        "scripts.Script",
        null=True,
@@ -79,12 +83,18 @@ class AutomatedTask(BaseAuditModel):
        related_name="autoscript",
        on_delete=models.SET_NULL,
    )
+    # deprecated
    script_args = ArrayField(
        models.CharField(max_length=255, null=True, blank=True),
        null=True,
        blank=True,
        default=list,
    )
+    # deprecated
+    timeout = models.PositiveIntegerField(blank=True, default=120)
+
+    # format -> {"actions": [{"type": "script", "script": 1, "name": "Script Name", "timeout": 90, "script_args": []}, {"type": "cmd", "command": "whoami", "timeout": 90}]}
+    actions = JSONField(default=list)
    assigned_check = models.ForeignKey(
        "checks.Check",
        null=True,
@@ -93,26 +103,9 @@ class AutomatedTask(BaseAuditModel):
        on_delete=models.SET_NULL,
    )
    name = models.CharField(max_length=255)
-    run_time_bit_weekdays = models.IntegerField(null=True, blank=True)
-    # run_time_days is deprecated, use bit weekdays
-    run_time_days = ArrayField(
-        models.IntegerField(choices=RUN_TIME_DAY_CHOICES, null=True, blank=True),
-        null=True,
-        blank=True,
-        default=list,
-    )
-    run_time_minute = models.CharField(max_length=5, null=True, blank=True)
-    task_type = models.CharField(
-        max_length=100, choices=TASK_TYPE_CHOICES, default="manual"
-    )
    collector_all_output = models.BooleanField(default=False)
-    run_time_date = DateTimeField(null=True, blank=True)
-    remove_if_not_scheduled = models.BooleanField(default=False)
-    run_asap_after_missed = models.BooleanField(default=False)  # added in agent v1.4.7
    managed_by_policy = models.BooleanField(default=False)
    parent_task = models.PositiveIntegerField(null=True, blank=True)
-    win_task_name = models.CharField(max_length=255, null=True, blank=True)
-    timeout = models.PositiveIntegerField(default=120)
    retvalue = models.TextField(null=True, blank=True)
    retcode = models.IntegerField(null=True, blank=True)
    stdout = models.TextField(null=True, blank=True)
@@ -120,6 +113,7 @@ class AutomatedTask(BaseAuditModel):
    execution_time = models.CharField(max_length=100, default="0.0000")
    last_run = models.DateTimeField(null=True, blank=True)
    enabled = models.BooleanField(default=True)
+    continue_on_error = models.BooleanField(default=True)
    status = models.CharField(
        max_length=30, choices=TASK_STATUS_CHOICES, default="pending"
    )
@@ -133,9 +127,80 @@ class AutomatedTask(BaseAuditModel):
    text_alert = models.BooleanField(default=False)
    dashboard_alert = models.BooleanField(default=False)

+    # options sent to agent for task creation
+    # general task settings
+    task_type = models.CharField(
+        max_length=100, choices=TASK_TYPE_CHOICES, default="manual"
+    )
+    win_task_name = models.CharField(max_length=255, null=True, blank=True)
+    run_time_date = DateTimeField(null=True, blank=True)
+    expire_date = DateTimeField(null=True, blank=True)
+
+    # daily
+    daily_interval = models.PositiveSmallIntegerField(
+        blank=True, null=True, validators=[MinValueValidator(1), MaxValueValidator(255)]
+    )
+
+    # weekly
+    run_time_bit_weekdays = models.IntegerField(null=True, blank=True)
+    weekly_interval = models.PositiveSmallIntegerField(
+        blank=True, null=True, validators=[MinValueValidator(1), MaxValueValidator(52)]
+    )
+    run_time_minute = models.CharField(
+        max_length=5, null=True, blank=True
+    )  # deprecated
+
+    # monthly
+    monthly_days_of_month = models.PositiveBigIntegerField(blank=True, null=True)
+    monthly_months_of_year = models.PositiveIntegerField(blank=True, null=True)
+
+    # monthly days of week
+    monthly_weeks_of_month = models.PositiveSmallIntegerField(blank=True, null=True)
+
+    # additional task settings
+    task_repetition_duration = models.CharField(max_length=10, null=True, blank=True)
+    task_repetition_interval = models.CharField(max_length=10, null=True, blank=True)
+    stop_task_at_duration_end = models.BooleanField(blank=True, default=False)
+    random_task_delay = models.CharField(max_length=10, null=True, blank=True)
+    remove_if_not_scheduled = models.BooleanField(default=False)
+    run_asap_after_missed = models.BooleanField(default=False)  # added in agent v1.4.7
+    task_instance_policy = models.PositiveSmallIntegerField(blank=True, default=1)
+
    def __str__(self):
        return self.name

+    def save(self, *args, **kwargs):
+        from automation.tasks import update_policy_autotasks_fields_task
+        from autotasks.tasks import modify_win_task
+
+        # get old agent if exists
+        old_task = AutomatedTask.objects.get(pk=self.pk) if self.pk else None
+        super(AutomatedTask, self).save(old_model=old_task, *args, **kwargs)
+
+        # check if fields were updated that require a sync to the agent
+        update_agent = False
+        if old_task:
+            for field in self.fields_that_trigger_task_update_on_agent:
+                if getattr(self, field) != getattr(old_task, field):
+                    update_agent = True
+                    break
+
+        # check if automated task was enabled/disabled and send celery task
+        if old_task and old_task.agent and update_agent:
+            modify_win_task.delay(pk=self.pk)
+
+        # check if policy task was edited and then check if it was a field worth copying to rest of agent tasks
+        elif old_task and old_task.policy:
+            if update_agent:
+                update_policy_autotasks_fields_task.delay(
+                    task=self.pk, update_agent=update_agent
+                )
+            else:
+                for field in self.policy_fields_to_copy:
+                    if getattr(self, field) != getattr(old_task, field):
+                        update_policy_autotasks_fields_task.delay(task=self.pk)
+                        break
+
    @property
    def schedule(self):
        if self.task_type == "manual":
@@ -144,13 +209,30 @@ class AutomatedTask(BaseAuditModel):
            return "Every time check fails"
        elif self.task_type == "runonce":
            return f'Run once on {self.run_time_date.strftime("%m/%d/%Y %I:%M%p")}'
-        elif self.task_type == "scheduled":
-            run_time_nice = dt.datetime.strptime(
-                self.run_time_minute, "%H:%M"
-            ).strftime("%I:%M %p")
-
+        elif self.task_type == "daily":
+            run_time_nice = self.run_time_date.strftime("%I:%M%p")
+            if self.daily_interval == 1:
+                return f"Daily at {run_time_nice}"
+            else:
+                return f"Every {self.daily_interval} days at {run_time_nice}"
+        elif self.task_type == "weekly":
+            run_time_nice = self.run_time_date.strftime("%I:%M%p")
            days = bitdays_to_string(self.run_time_bit_weekdays)
-            return f"{days} at {run_time_nice}"
+            if self.weekly_interval != 1:
+                return f"{days} at {run_time_nice}"
+            else:
+                return f"{days} at {run_time_nice} every {self.weekly_interval} weeks"
+        elif self.task_type == "monthly":
+            run_time_nice = self.run_time_date.strftime("%I:%M%p")
+            months = bitmonths_to_string(self.monthly_months_of_year)
+            days = bitmonthdays_to_string(self.monthly_days_of_month)
+            return f"Runs on {months} on days {days} at {run_time_nice}"
+        elif self.task_type == "monthlydow":
+            run_time_nice = self.run_time_date.strftime("%I:%M%p")
+            months = bitmonths_to_string(self.monthly_months_of_year)
+            weeks = bitweeks_to_string(self.monthly_weeks_of_month)
+            days = bitdays_to_string(self.run_time_bit_weekdays)
+            return f"Runs on {months} on {weeks} on {days} at {run_time_nice}"

    @property
    def last_run_as_timezone(self):
@@ -169,22 +251,53 @@ class AutomatedTask(BaseAuditModel):
            "email_alert",
            "text_alert",
            "dashboard_alert",
-            "script",
-            "script_args",
            "assigned_check",
            "name",
-            "run_time_days",
-            "run_time_minute",
+            "actions",
            "run_time_bit_weekdays",
            "run_time_date",
+            "expire_date",
+            "daily_interval",
+            "weekly_interval",
            "task_type",
            "win_task_name",
-            "timeout",
            "enabled",
            "remove_if_not_scheduled",
            "run_asap_after_missed",
            "custom_field",
            "collector_all_output",
+            "monthly_days_of_month",
+            "monthly_months_of_year",
+            "monthly_weeks_of_month",
+            "task_repetition_duration",
+            "task_repetition_interval",
+            "stop_task_at_duration_end",
+            "random_task_delay",
+            "run_asap_after_missed",
+            "task_instance_policy",
+            "continue_on_error",
+        ]
+
+    @property
+    def fields_that_trigger_task_update_on_agent(self) -> List[str]:
+        return [
+            "run_time_bit_weekdays",
+            "run_time_date",
+            "expire_date",
+            "daily_interval",
+            "weekly_interval",
+            "enabled",
+            "remove_if_not_scheduled",
+            "run_asap_after_missed",
+            "monthly_days_of_month",
+            "monthly_months_of_year",
+            "monthly_weeks_of_month",
+            "task_repetition_duration",
+            "task_repetition_interval",
+            "stop_task_at_duration_end",
+            "random_task_delay",
+            "run_asap_after_missed",
+            "task_instance_policy",
        ]

    @staticmethod
@@ -195,12 +308,20 @@ class AutomatedTask(BaseAuditModel):
    @staticmethod
    def serialize(task):
        # serializes the task and returns json
-        from .serializers import TaskSerializer
+        from .serializers import TaskAuditSerializer

-        return TaskSerializer(task).data
+        return TaskAuditSerializer(task).data

    def create_policy_task(self, agent=None, policy=None, assigned_check=None):

+        # added to allow new policy tasks to be assigned to check only when the agent check exists already
+        if (
+            self.assigned_check
+            and agent
+            and agent.agentchecks.filter(parent_check=self.assigned_check.id).exists()
+        ):
+            assigned_check = agent.agentchecks.get(parent_check=self.assigned_check.id)
+
        # if policy is present, then this task is being copied to another policy
        # if agent is present, then this task is being created on an agent from a policy
        # exit if neither are set or if both are set
@@ -229,91 +350,179 @@ class AutomatedTask(BaseAuditModel):
        if agent:
            task.create_task_on_agent()

+    # agent version >= 1.8.0
+    def generate_nats_task_payload(self, editing=False):
+        task = {
+            "pk": self.pk,
+            "type": "rmm",
+            "name": self.win_task_name,
+            "overwrite_task": editing,
+            "enabled": self.enabled,
+            "trigger": self.task_type if self.task_type != "checkfailure" else "manual",
+            "multiple_instances": self.task_instance_policy
+            if self.task_instance_policy
+            else 0,
+            "delete_expired_task_after": self.remove_if_not_scheduled
+            if self.expire_date
+            else False,
+            "start_when_available": self.run_asap_after_missed
+            if self.task_type != "runonce"
+            else True,
+        }
+
+        if self.task_type in ["runonce", "daily", "weekly", "monthly", "monthlydow"]:
+
+            task["start_year"] = int(self.run_time_date.strftime("%Y"))
+            task["start_month"] = int(self.run_time_date.strftime("%-m"))
+            task["start_day"] = int(self.run_time_date.strftime("%-d"))
+            task["start_hour"] = int(self.run_time_date.strftime("%-H"))
+            task["start_min"] = int(self.run_time_date.strftime("%-M"))
+
+            if self.expire_date:
+                task["expire_year"] = int(self.expire_date.strftime("%Y"))
+                task["expire_month"] = int(self.expire_date.strftime("%-m"))
+                task["expire_day"] = int(self.expire_date.strftime("%-d"))
+                task["expire_hour"] = int(self.expire_date.strftime("%-H"))
+                task["expire_min"] = int(self.expire_date.strftime("%-M"))
+
+            if self.random_task_delay:
+                task["random_delay"] = convert_to_iso_duration(self.random_task_delay)
+
+            if self.task_repetition_interval:
+                task["repetition_interval"] = convert_to_iso_duration(
+                    self.task_repetition_interval
+                )
+                task["repetition_duration"] = convert_to_iso_duration(
+                    self.task_repetition_duration
+                )
+                task["stop_at_duration_end"] = self.stop_task_at_duration_end
+
+            if self.task_type == "daily":
+                task["day_interval"] = self.daily_interval
+
+            elif self.task_type == "weekly":
+                task["week_interval"] = self.weekly_interval
+                task["days_of_week"] = self.run_time_bit_weekdays
+
+            elif self.task_type == "monthly":
+
+                # check if "last day is configured"
+                if self.monthly_days_of_month >= 0x80000000:
+                    task["days_of_month"] = self.monthly_days_of_month - 0x80000000
+                    task["run_on_last_day_of_month"] = True
+                else:
+                    task["days_of_month"] = self.monthly_days_of_month
+                    task["run_on_last_day_of_month"] = False
+
+                task["months_of_year"] = self.monthly_months_of_year
+
+            elif self.task_type == "monthlydow":
+                task["days_of_week"] = self.run_time_bit_weekdays
+                task["months_of_year"] = self.monthly_months_of_year
+                task["weeks_of_month"] = self.monthly_weeks_of_month
+
+        return task
+
    def create_task_on_agent(self):
        from agents.models import Agent

        agent = (
            Agent.objects.filter(pk=self.agent.pk)
            .only("pk", "version", "hostname", "agent_id")
-            .first()
+            .get()
        )

-        if self.task_type == "scheduled":
+        if pyver.parse(agent.version) >= pyver.parse("1.8.0"):
            nats_data = {
                "func": "schedtask",
-                "schedtaskpayload": {
-                    "type": "rmm",
-                    "trigger": "weekly",
-                    "weekdays": self.run_time_bit_weekdays,
-                    "pk": self.pk,
-                    "name": self.win_task_name,
-                    "hour": dt.datetime.strptime(self.run_time_minute, "%H:%M").hour,
-                    "min": dt.datetime.strptime(self.run_time_minute, "%H:%M").minute,
-                },
-            }
-
-        elif self.task_type == "runonce":
-            # check if scheduled time is in the past
-            agent_tz = pytz.timezone(agent.timezone)
-            task_time_utc = self.run_time_date.replace(tzinfo=agent_tz).astimezone(
-                pytz.utc
-            )
-            now = djangotime.now()
-            if task_time_utc < now:
-                self.run_time_date = now.astimezone(agent_tz).replace(
-                    tzinfo=pytz.utc
-                ) + djangotime.timedelta(minutes=5)
-                self.save(update_fields=["run_time_date"])
-
-            nats_data = {
-                "func": "schedtask",
-                "schedtaskpayload": {
-                    "type": "rmm",
-                    "trigger": "once",
-                    "pk": self.pk,
-                    "name": self.win_task_name,
-                    "year": int(dt.datetime.strftime(self.run_time_date, "%Y")),
-                    "month": dt.datetime.strftime(self.run_time_date, "%B"),
-                    "day": int(dt.datetime.strftime(self.run_time_date, "%d")),
-                    "hour": int(dt.datetime.strftime(self.run_time_date, "%H")),
-                    "min": int(dt.datetime.strftime(self.run_time_date, "%M")),
-                },
-            }
-
-            if self.run_asap_after_missed and pyver.parse(agent.version) >= pyver.parse(
-                "1.4.7"
-            ):
-                nats_data["schedtaskpayload"]["run_asap_after_missed"] = True
-
-            if self.remove_if_not_scheduled:
-                nats_data["schedtaskpayload"]["deleteafter"] = True
-
-        elif self.task_type == "checkfailure" or self.task_type == "manual":
-            nats_data = {
-                "func": "schedtask",
-                "schedtaskpayload": {
-                    "type": "rmm",
-                    "trigger": "manual",
-                    "pk": self.pk,
-                    "name": self.win_task_name,
-                },
+                "schedtaskpayload": self.generate_nats_task_payload(),
            }
        else:
-            return "error"
+
+            if self.task_type == "scheduled":
+                nats_data = {
+                    "func": "schedtask",
+                    "schedtaskpayload": {
+                        "type": "rmm",
+                        "trigger": "weekly",
+                        "weekdays": self.run_time_bit_weekdays,
+                        "pk": self.pk,
+                        "name": self.win_task_name,
+                        "hour": dt.datetime.strptime(
+                            self.run_time_minute, "%H:%M"
+                        ).hour,
+                        "min": dt.datetime.strptime(
+                            self.run_time_minute, "%H:%M"
+                        ).minute,
+                    },
+                }
+
+            elif self.task_type == "runonce":
+                # check if scheduled time is in the past
+                agent_tz = pytz.timezone(agent.timezone)
+                task_time_utc = self.run_time_date.replace(tzinfo=agent_tz).astimezone(
+                    pytz.utc
+                )
+                now = djangotime.now()
+                if task_time_utc < now:
+                    self.run_time_date = now.astimezone(agent_tz).replace(
+                        tzinfo=pytz.utc
+                    ) + djangotime.timedelta(minutes=5)
+                    self.save(update_fields=["run_time_date"])
+
+                nats_data = {
+                    "func": "schedtask",
+                    "schedtaskpayload": {
+                        "type": "rmm",
+                        "trigger": "once",
+                        "pk": self.pk,
+                        "name": self.win_task_name,
+                        "year": int(dt.datetime.strftime(self.run_time_date, "%Y")),
+                        "month": dt.datetime.strftime(self.run_time_date, "%B"),
+                        "day": int(dt.datetime.strftime(self.run_time_date, "%d")),
+                        "hour": int(dt.datetime.strftime(self.run_time_date, "%H")),
+                        "min": int(dt.datetime.strftime(self.run_time_date, "%M")),
+                    },
+                }
+
+                if self.run_asap_after_missed:
+                    nats_data["schedtaskpayload"]["run_asap_after_missed"] = True
+
+                if self.remove_if_not_scheduled:
+                    nats_data["schedtaskpayload"]["deleteafter"] = True
+
+            elif self.task_type == "checkfailure" or self.task_type == "manual":
+                nats_data = {
+                    "func": "schedtask",
+                    "schedtaskpayload": {
+                        "type": "rmm",
+                        "trigger": "manual",
+                        "pk": self.pk,
+                        "name": self.win_task_name,
+                    },
+                }
+            else:
+                return "error"

        r = asyncio.run(agent.nats_cmd(nats_data, timeout=5))

        if r != "ok":
            self.sync_status = "initial"
            self.save(update_fields=["sync_status"])
-            logger.warning(
-                f"Unable to create scheduled task {self.name} on {agent.hostname}. It will be created when the agent checks in."
+            DebugLog.warning(
+                agent=agent,
+                log_type="agent_issues",
+                message=f"Unable to create scheduled task {self.name} on {agent.hostname}. It will be created when the agent checks in.",
            )
            return "timeout"
        else:
            self.sync_status = "synced"
            self.save(update_fields=["sync_status"])
-            logger.info(f"{agent.hostname} task {self.name} was successfully created")
+            DebugLog.info(
+                agent=agent,
+                log_type="agent_issues",
+                message=f"{agent.hostname} task {self.name} was successfully created",
+            )

        return "ok"

@@ -323,29 +532,41 @@ class AutomatedTask(BaseAuditModel):
        agent = (
            Agent.objects.filter(pk=self.agent.pk)
            .only("pk", "version", "hostname", "agent_id")
-            .first()
+            .get()
        )

-        nats_data = {
-            "func": "enableschedtask",
-            "schedtaskpayload": {
-                "name": self.win_task_name,
-                "enabled": self.enabled,
-            },
-        }
+        if pyver.parse(agent.version) >= pyver.parse("1.8.0"):
+            nats_data = {
+                "func": "schedtask",
+                "schedtaskpayload": self.generate_nats_task_payload(editing=True),
+            }
+        else:
+            nats_data = {
+                "func": "enableschedtask",
+                "schedtaskpayload": {
+                    "name": self.win_task_name,
+                    "enabled": self.enabled,
+                },
+            }
        r = asyncio.run(agent.nats_cmd(nats_data, timeout=5))

        if r != "ok":
            self.sync_status = "notsynced"
            self.save(update_fields=["sync_status"])
-            logger.warning(
-                f"Unable to modify scheduled task {self.name} on {agent.hostname}. It will try again on next agent checkin"
+            DebugLog.warning(
+                agent=agent,
+                log_type="agent_issues",
+                message=f"Unable to modify scheduled task {self.name} on {agent.hostname}({agent.pk}). It will try again on next agent checkin",
            )
            return "timeout"
        else:
            self.sync_status = "synced"
            self.save(update_fields=["sync_status"])
-            logger.info(f"{agent.hostname} task {self.name} was successfully modified")
+            DebugLog.info(
+                agent=agent,
+                log_type="agent_issues",
+                message=f"{agent.hostname} task {self.name} was successfully modified",
+            )

        return "ok"

@@ -355,7 +576,7 @@ class AutomatedTask(BaseAuditModel):
        agent = (
            Agent.objects.filter(pk=self.agent.pk)
            .only("pk", "version", "hostname", "agent_id")
-            .first()
+            .get()
        )

        nats_data = {
@@ -372,13 +593,19 @@ class AutomatedTask(BaseAuditModel):
            except DatabaseError:
                pass

-            logger.warning(
-                f"{agent.hostname} task {self.name} will be deleted on next checkin"
+            DebugLog.warning(
+                agent=agent,
+                log_type="agent_issues",
+                message=f"{agent.hostname} task {self.name} will be deleted on next checkin",
            )
            return "timeout"
        else:
            self.delete()
-            logger.info(f"{agent.hostname} task {self.name} was deleted")
+            DebugLog.info(
+                agent=agent,
+                log_type="agent_issues",
+                message=f"{agent.hostname}({agent.pk}) task {self.name} was deleted",
+            )

        return "ok"

@@ -388,12 +615,23 @@ class AutomatedTask(BaseAuditModel):
        agent = (
            Agent.objects.filter(pk=self.agent.pk)
            .only("pk", "version", "hostname", "agent_id")
-            .first()
+            .get()
        )

        asyncio.run(agent.nats_cmd({"func": "runtask", "taskpk": self.pk}, wait=False))
        return "ok"

+    def save_collector_results(self):
+
+        agent_field = self.custom_field.get_or_create_field_value(self.agent)
+
+        value = (
+            self.stdout.strip()
+            if self.collector_all_output
+            else self.stdout.strip().split("\n")[-1].strip()
+        )
+        agent_field.save_to_field(value)
+
    def should_create_alert(self, alert_template=None):
        return (
            self.dashboard_alert
@@ -413,7 +651,7 @@ class AutomatedTask(BaseAuditModel):
        from core.models import CoreSettings

        CORE = CoreSettings.objects.first()
-
+        # Format of Email sent when Task has email alert
        if self.agent:
            subject = f"{self.agent.client.name}, {self.agent.site.name}, {self.agent.hostname} - {self} Failed"
        else:
@@ -424,14 +662,13 @@ class AutomatedTask(BaseAuditModel):
            + f" - Return code: {self.retcode}\nStdout:{self.stdout}\nStderr: {self.stderr}"
        )

-        CORE.send_mail(subject, body, self.agent.alert_template)
+        CORE.send_mail(subject, body, self.agent.alert_template)  # type: ignore

    def send_sms(self):
-
        from core.models import CoreSettings

        CORE = CoreSettings.objects.first()
-
+        # Format of SMS sent when Task has SMS alert
        if self.agent:
            subject = f"{self.agent.client.name}, {self.agent.site.name}, {self.agent.hostname} - {self} Failed"
        else:
@@ -442,7 +679,7 @@ class AutomatedTask(BaseAuditModel):
            + f" - Return code: {self.retcode}\nStdout:{self.stdout}\nStderr: {self.stderr}"
        )

-        CORE.send_sms(body, alert_template=self.agent.alert_template)
+        CORE.send_sms(body, alert_template=self.agent.alert_template)  # type: ignore

    def send_resolved_email(self):
        from core.models import CoreSettings
@@ -454,7 +691,7 @@ class AutomatedTask(BaseAuditModel):
            + f" - Return code: {self.retcode}\nStdout:{self.stdout}\nStderr: {self.stderr}"
        )

-        CORE.send_mail(subject, body, alert_template=self.agent.alert_template)
+        CORE.send_mail(subject, body, alert_template=self.agent.alert_template)  # type: ignore

    def send_resolved_sms(self):
        from core.models import CoreSettings
@@ -465,4 +702,4 @@ class AutomatedTask(BaseAuditModel):
            subject
            + f" - Return code: {self.retcode}\nStdout:{self.stdout}\nStderr: {self.stderr}"
        )
-        CORE.send_sms(body, alert_template=self.agent.alert_template)
+        CORE.send_sms(body, alert_template=self.agent.alert_template)  # type: ignore
--- a/api/tacticalrmm/autotasks/permissions.py
+++ b/api/tacticalrmm/autotasks/permissions.py
@@ -1,14 +1,19 @@
 from rest_framework import permissions

-from tacticalrmm.permissions import _has_perm
+from tacticalrmm.permissions import _has_perm, _has_perm_on_agent


-class ManageAutoTaskPerms(permissions.BasePermission):
+class AutoTaskPerms(permissions.BasePermission):
    def has_permission(self, r, view):
        if r.method == "GET":
-            return True
-
-        return _has_perm(r, "can_manage_autotasks")
+            if "agent_id" in view.kwargs.keys():
+                return _has_perm(r, "can_list_autotasks") and _has_perm_on_agent(
+                    r.user, view.kwargs["agent_id"]
+                )
+            else:
+                return _has_perm(r, "can_list_autotasks")
+        else:
+            return _has_perm(r, "can_manage_autotasks")


 class RunAutoTaskPerms(permissions.BasePermission):
--- a/api/tacticalrmm/autotasks/serializers.py
+++ b/api/tacticalrmm/autotasks/serializers.py
@@ -1,19 +1,163 @@
 from rest_framework import serializers
-
-from agents.models import Agent
-from checks.serializers import CheckSerializer
 from scripts.models import Script
-from scripts.serializers import ScriptCheckSerializer
+from django.core.exceptions import ObjectDoesNotExist

 from .models import AutomatedTask


 class TaskSerializer(serializers.ModelSerializer):

-    assigned_check = CheckSerializer(read_only=True)
+    check_name = serializers.ReadOnlyField(source="assigned_check.readable_desc")
    schedule = serializers.ReadOnlyField()
    last_run = serializers.ReadOnlyField(source="last_run_as_timezone")
    alert_template = serializers.SerializerMethodField()
+    run_time_date = serializers.DateTimeField(format="iso-8601", required=False)
+    expire_date = serializers.DateTimeField(
+        format="iso-8601", allow_null=True, required=False
+    )
+
+    def validate_actions(self, value):
+
+        if not value:
+            raise serializers.ValidationError(
+                f"There must be at least one action configured"
+            )
+
+        for action in value:
+            if "type" not in action:
+                raise serializers.ValidationError(
+                    f"Each action must have a type field of either 'script' or 'cmd'"
+                )
+
+            if action["type"] == "script":
+                if "script" not in action:
+                    raise serializers.ValidationError(
+                        f"A script action type must have a 'script' field with primary key of script"
+                    )
+
+                if "script_args" not in action:
+                    raise serializers.ValidationError(
+                        f"A script action type must have a 'script_args' field with an array of arguments"
+                    )
+
+                if "timeout" not in action:
+                    raise serializers.ValidationError(
+                        f"A script action type must have a 'timeout' field"
+                    )
+
+            if action["type"] == "cmd":
+                if "command" not in action:
+                    raise serializers.ValidationError(
+                        f"A command action type must have a 'command' field"
+                    )
+
+                if "timeout" not in action:
+                    raise serializers.ValidationError(
+                        f"A command action type must have a 'timeout' field"
+                    )
+
+        return value
+
+    def validate(self, data):
+
+        # allow editing with task_type not specified
+        if self.instance and "task_type" not in data:
+
+            # remove schedule related fields from data
+            if "run_time_date" in data:
+                del data["run_time_date"]
+            if "expire_date" in data:
+                del data["expire_date"]
+            if "daily_interval" in data:
+                del data["daily_interval"]
+            if "weekly_interval" in data:
+                del data["weekly_interval"]
+            if "run_time_bit_weekdays" in data:
+                del data["run_time_bit_weekdays"]
+            if "monthly_months_of_year" in data:
+                del data["monthly_months_of_year"]
+            if "monthly_days_of_month" in data:
+                del data["monthly_days_of_month"]
+            if "monthly_weeks_of_month" in data:
+                del data["monthly_weeks_of_month"]
+            if "assigned_check" in data:
+                del data["assigned_check"]
+            return data
+
+        # run_time_date required
+        if (
+            data["task_type"] in ["runonce", "daily", "weekly", "monthly", "monthlydow"]
+            and not data["run_time_date"]
+        ):
+            raise serializers.ValidationError(
+                f"run_time_date is required for task_type '{data['task_type']}'"
+            )
+
+        # daily task type validation
+        if data["task_type"] == "daily":
+            if "daily_interval" not in data or not data["daily_interval"]:
+                raise serializers.ValidationError(
+                    f"daily_interval is required for task_type '{data['task_type']}'"
+                )
+
+        # weekly task type validation
+        elif data["task_type"] == "weekly":
+            if "weekly_interval" not in data or not data["weekly_interval"]:
+                raise serializers.ValidationError(
+                    f"weekly_interval is required for task_type '{data['task_type']}'"
+                )
+
+            if "run_time_bit_weekdays" not in data or not data["run_time_bit_weekdays"]:
+                raise serializers.ValidationError(
+                    f"run_time_bit_weekdays is required for task_type '{data['task_type']}'"
+                )
+
+        # monthly task type validation
+        elif data["task_type"] == "monthly":
+            if (
+                "monthly_months_of_year" not in data
+                or not data["monthly_months_of_year"]
+            ):
+                raise serializers.ValidationError(
+                    f"monthly_months_of_year is required for task_type '{data['task_type']}'"
+                )
+
+            if "monthly_days_of_month" not in data or not data["monthly_days_of_month"]:
+                raise serializers.ValidationError(
+                    f"monthly_days_of_month is required for task_type '{data['task_type']}'"
+                )
+
+        # monthly day of week task type validation
+        elif data["task_type"] == "monthlydow":
+            if (
+                "monthly_months_of_year" not in data
+                or not data["monthly_months_of_year"]
+            ):
+                raise serializers.ValidationError(
+                    f"monthly_months_of_year is required for task_type '{data['task_type']}'"
+                )
+
+            if (
+                "monthly_weeks_of_month" not in data
+                or not data["monthly_weeks_of_month"]
+            ):
+                raise serializers.ValidationError(
+                    f"monthly_weeks_of_month is required for task_type '{data['task_type']}'"
+                )
+
+            if "run_time_bit_weekdays" not in data or not data["run_time_bit_weekdays"]:
+                raise serializers.ValidationError(
+                    f"run_time_bit_weekdays is required for task_type '{data['task_type']}'"
+                )
+
+        # check failure task type validation
+        elif data["task_type"] == "checkfailure":
+            if "assigned_check" not in data or not data["assigned_check"]:
+                raise serializers.ValidationError(
+                    f"assigned_check is required for task_type '{data['task_type']}'"
+                )
+
+        return data

    def get_alert_template(self, obj):

@@ -37,50 +181,73 @@ class TaskSerializer(serializers.ModelSerializer):
        fields = "__all__"


-class AutoTaskSerializer(serializers.ModelSerializer):
-
-    autotasks = TaskSerializer(many=True, read_only=True)
-
-    class Meta:
-        model = Agent
-        fields = (
-            "pk",
-            "hostname",
-            "autotasks",
-        )
-
-
-# below is for the windows agent
-class TaskRunnerScriptField(serializers.ModelSerializer):
-    class Meta:
-        model = Script
-        fields = ["id", "filepath", "filename", "shell", "script_type"]
-
-
-class TaskRunnerGetSerializer(serializers.ModelSerializer):
-
-    script = TaskRunnerScriptField(read_only=True)
-
-    class Meta:
-        model = AutomatedTask
-        fields = ["id", "script", "timeout", "enabled", "script_args"]
-
-
 class TaskGOGetSerializer(serializers.ModelSerializer):
-    script = ScriptCheckSerializer(read_only=True)
-    script_args = serializers.SerializerMethodField()
+    task_actions = serializers.SerializerMethodField()

-    def get_script_args(self, obj):
-        return Script.parse_script_args(
-            agent=obj.agent, shell=obj.script.shell, args=obj.script_args
-        )
+    def get_task_actions(self, obj):
+        tmp = []
+        actions_to_remove = []
+        for action in obj.actions:
+            if action["type"] == "cmd":
+                tmp.append(
+                    {
+                        "type": "cmd",
+                        "command": Script.parse_script_args(
+                            agent=obj.agent,
+                            shell=action["shell"],
+                            args=[action["command"]],
+                        )[0],
+                        "shell": action["shell"],
+                        "timeout": action["timeout"],
+                    }
+                )
+            elif action["type"] == "script":
+                try:
+                    script = Script.objects.get(pk=action["script"])
+                except ObjectDoesNotExist:
+                    # script doesn't exist so remove it
+                    actions_to_remove.append(action["script"])
+                    continue
+                tmp.append(
+                    {
+                        "type": "script",
+                        "script_name": script.name,
+                        "code": script.code,
+                        "script_args": Script.parse_script_args(
+                            agent=obj.agent,
+                            shell=script.shell,
+                            args=action["script_args"],
+                        ),
+                        "shell": script.shell,
+                        "timeout": action["timeout"],
+                    }
+                )
+        if actions_to_remove:
+            task = AutomatedTask.objects.get(pk=obj.pk)
+            task.actions = [
+                action
+                for action in task.actions
+                if action["type"] == "cmd"
+                or (
+                    "script" in action.keys()
+                    and action["script"] not in actions_to_remove
+                )
+            ]
+            task.save(update_fields=["actions"])
+        return tmp

    class Meta:
        model = AutomatedTask
-        fields = ["id", "script", "timeout", "enabled", "script_args"]
+        fields = ["id", "continue_on_error", "enabled", "task_actions"]


 class TaskRunnerPatchSerializer(serializers.ModelSerializer):
    class Meta:
        model = AutomatedTask
        fields = "__all__"
+
+
+class TaskAuditSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = AutomatedTask
+        fields = "__all__"
--- a/api/tacticalrmm/autotasks/tasks.py
+++ b/api/tacticalrmm/autotasks/tasks.py
@@ -4,14 +4,11 @@ import random
 from time import sleep
 from typing import Union

-from django.conf import settings
-from django.utils import timezone as djangotime
-from loguru import logger
-
 from autotasks.models import AutomatedTask
-from tacticalrmm.celery import app
+from django.utils import timezone as djangotime
+from logs.models import DebugLog

-logger.configure(**settings.LOG_CONFIG)
+from tacticalrmm.celery import app


@app.task
@@ -24,7 +21,7 @@ def create_win_task_schedule(pk):


@app.task
-def enable_or_disable_win_task(pk):
+def modify_win_task(pk):
    task = AutomatedTask.objects.get(pk=pk)

    task.modify_task_on_agent()
@@ -53,12 +50,20 @@ def remove_orphaned_win_tasks(agentpk):

    agent = Agent.objects.get(pk=agentpk)

-    logger.info(f"Orphaned task cleanup initiated on {agent.hostname}.")
+    DebugLog.info(
+        agent=agent,
+        log_type="agent_issues",
+        message=f"Orphaned task cleanup initiated on {agent.hostname}.",
+    )

    r = asyncio.run(agent.nats_cmd({"func": "listschedtasks"}, timeout=10))

    if not isinstance(r, list) and not r:  # empty list
-        logger.error(f"Unable to clean up scheduled tasks on {agent.hostname}: {r}")
+        DebugLog.error(
+            agent=agent,
+            log_type="agent_issues",
+            message=f"Unable to clean up scheduled tasks on {agent.hostname}: {r}",
+        )
        return "notlist"

    agent_task_names = list(agent.autotasks.values_list("win_task_name", flat=True))
@@ -83,13 +88,23 @@ def remove_orphaned_win_tasks(agentpk):
            }
            ret = asyncio.run(agent.nats_cmd(nats_data, timeout=10))
            if ret != "ok":
-                logger.error(
-                    f"Unable to clean up orphaned task {task} on {agent.hostname}: {ret}"
+                DebugLog.error(
+                    agent=agent,
+                    log_type="agent_issues",
+                    message=f"Unable to clean up orphaned task {task} on {agent.hostname}: {ret}",
                )
            else:
-                logger.info(f"Removed orphaned task {task} from {agent.hostname}")
+                DebugLog.info(
+                    agent=agent,
+                    log_type="agent_issues",
+                    message=f"Removed orphaned task {task} from {agent.hostname}",
+                )

-    logger.info(f"Orphaned task cleanup finished on {agent.hostname}")
+    DebugLog.info(
+        agent=agent,
+        log_type="agent_issues",
+        message=f"Orphaned task cleanup finished on {agent.hostname}",
+    )


@app.task
--- a/api/tacticalrmm/autotasks/tests.py
+++ b/api/tacticalrmm/autotasks/tests.py
@@ -7,83 +7,244 @@ from model_bakery import baker
 from tacticalrmm.test import TacticalTestCase

 from .models import AutomatedTask
-from .serializers import AutoTaskSerializer
+from .serializers import TaskSerializer
 from .tasks import create_win_task_schedule, remove_orphaned_win_tasks, run_win_task

+base_url = "/tasks"
+

 class TestAutotaskViews(TacticalTestCase):
    def setUp(self):
        self.authenticate()
        self.setup_coresettings()

+    def test_get_autotasks(self):
+        # setup data
+        agent = baker.make_recipe("agents.agent")
+        baker.make("autotasks.AutomatedTask", agent=agent, _quantity=3)
+        policy = baker.make("automation.Policy")
+        baker.make("autotasks.AutomatedTask", policy=policy, _quantity=4)
+        baker.make("autotasks.AutomatedTask", _quantity=7)
+
+        # test returning all tasks
+        url = f"{base_url}/"
+        resp = self.client.get(url, format="json")
+        self.assertEqual(resp.status_code, 200)
+        self.assertEqual(len(resp.data), 14)
+
+        # test returning tasks for a specific agent
+        url = f"/agents/{agent.agent_id}/tasks/"
+        resp = self.client.get(url, format="json")
+        self.assertEqual(resp.status_code, 200)
+        self.assertEqual(len(resp.data), 3)
+
+        # test returning tasks for a specific policy
+        url = f"/automation/policies/{policy.id}/tasks/"
+        resp = self.client.get(url, format="json")
+        self.assertEqual(resp.status_code, 200)
+        self.assertEqual(len(resp.data), 4)
+
    @patch("automation.tasks.generate_agent_autotasks_task.delay")
    @patch("autotasks.tasks.create_win_task_schedule.delay")
    def test_add_autotask(
        self, create_win_task_schedule, generate_agent_autotasks_task
    ):
-        url = "/tasks/automatedtasks/"
+        url = f"{base_url}/"

        # setup data
        script = baker.make_recipe("scripts.script")
        agent = baker.make_recipe("agents.agent")
        policy = baker.make("automation.Policy")
        check = baker.make_recipe("checks.diskspace_check", agent=agent)
+        custom_field = baker.make("core.CustomField")

-        # test script set to invalid pk
-        data = {"autotask": {"script": 500}}
-
-        resp = self.client.post(url, data, format="json")
-        self.assertEqual(resp.status_code, 404)
-
-        # test invalid policy
-        data = {"autotask": {"script": script.id}, "policy": 500}
-
-        resp = self.client.post(url, data, format="json")
-        self.assertEqual(resp.status_code, 404)
+        actions = [
+            {"type": "cmd", "command": "command", "timeout": 30},
+            {"type": "script", "script": script.id, "script_args": [], "timeout": 90},
+        ]

        # test invalid agent
        data = {
-            "autotask": {"script": script.id},
-            "agent": 500,
+            "agent": "13kfs89as9d89asd8f98df8df8dfhdf",
        }

        resp = self.client.post(url, data, format="json")
        self.assertEqual(resp.status_code, 404)

-        # test add task to agent
+        # test add task without actions
        data = {
-            "autotask": {
-                "name": "Test Task Scheduled with Assigned Check",
-                "run_time_days": ["Sunday", "Monday", "Friday"],
-                "run_time_minute": "10:00",
-                "timeout": 120,
-                "enabled": True,
-                "script": script.id,
-                "script_args": None,
-                "task_type": "scheduled",
-                "assigned_check": check.id,
-            },
-            "agent": agent.id,
+            "agent": agent.agent_id,
+            "name": "Test Task Scheduled with Assigned Check",
+            "run_time_days": 56,
+            "enabled": True,
+            "actions": [],
+            "task_type": "manual",
+        }
+
+        resp = self.client.post(url, data, format="json")
+        self.assertEqual(resp.status_code, 400)
+
+        # test add checkfailure task_type to agent without check
+        data = {
+            "agent": agent.agent_id,
+            "name": "Check Failure",
+            "enabled": True,
+            "actions": actions,
+            "task_type": "checkfailure",
+        }
+
+        resp = self.client.post(url, data, format="json")
+        self.assertEqual(resp.status_code, 400)
+
+        create_win_task_schedule.not_assert_called()
+
+        # test add manual task_type to agent
+        data = {
+            "agent": agent.agent_id,
+            "name": "Manual",
+            "enabled": True,
+            "actions": actions,
+            "task_type": "manual",
        }

        resp = self.client.post(url, data, format="json")
        self.assertEqual(resp.status_code, 200)

        create_win_task_schedule.assert_called()
+        create_win_task_schedule.reset_mock()
+
+        # test add daily task_type to agent
+        data = {
+            "agent": agent.agent_id,
+            "name": "Daily",
+            "enabled": True,
+            "actions": actions,
+            "task_type": "daily",
+            "daily_interval": 1,
+            "run_time_date": djangotime.now(),
+            "repetition_interval": "30M",
+            "repetition_duration": "1D",
+            "random_task_delay": "5M",
+        }
+
+        resp = self.client.post(url, data, format="json")
+        self.assertEqual(resp.status_code, 200)
+
+        # test add weekly task_type to agent
+        data = {
+            "agent": agent.agent_id,
+            "name": "Weekly",
+            "enabled": True,
+            "actions": actions,
+            "task_type": "weekly",
+            "weekly_interval": 2,
+            "run_time_bit_weekdays": 26,
+            "run_time_date": djangotime.now(),
+            "expire_date": djangotime.now(),
+            "repetition_interval": "30S",
+            "repetition_duration": "1H",
+            "random_task_delay": "5M",
+            "task_instance_policy": 2,
+        }
+
+        resp = self.client.post(url, data, format="json")
+        self.assertEqual(resp.status_code, 200)
+
+        create_win_task_schedule.assert_called()
+        create_win_task_schedule.reset_mock()
+
+        # test add monthly task_type to agent
+        data = {
+            "agent": agent.agent_id,
+            "name": "Monthly",
+            "enabled": True,
+            "actions": actions,
+            "task_type": "monthly",
+            "monthly_months_of_year": 56,
+            "monthly_days_of_month": 350,
+            "run_time_date": djangotime.now(),
+            "expire_date": djangotime.now(),
+            "repetition_interval": "30S",
+            "repetition_duration": "1H",
+            "random_task_delay": "5M",
+        }
+
+        resp = self.client.post(url, data, format="json")
+        self.assertEqual(resp.status_code, 200)
+
+        create_win_task_schedule.assert_called()
+        create_win_task_schedule.reset_mock()
+
+        # test add monthly day-of-week task_type to agent
+        data = {
+            "agent": agent.agent_id,
+            "name": "Monthly",
+            "enabled": True,
+            "actions": actions,
+            "task_type": "monthlydow",
+            "monthly_months_of_year": 500,
+            "monthly_weeks_of_month": 4,
+            "run_time_bit_weekdays": 15,
+            "run_time_date": djangotime.now(),
+            "expire_date": djangotime.now(),
+            "repetition_interval": "30S",
+            "repetition_duration": "1H",
+            "random_task_delay": "5M",
+        }
+
+        resp = self.client.post(url, data, format="json")
+        self.assertEqual(resp.status_code, 200)
+
+        create_win_task_schedule.assert_called()
+        create_win_task_schedule.reset_mock()
+
+        # test add monthly day-of-week task_type to agent with custom field
+        data = {
+            "agent": agent.agent_id,
+            "name": "Monthly",
+            "enabled": True,
+            "actions": actions,
+            "task_type": "monthlydow",
+            "monthly_months_of_year": 500,
+            "monthly_weeks_of_month": 4,
+            "run_time_bit_weekdays": 15,
+            "run_time_date": djangotime.now(),
+            "expire_date": djangotime.now(),
+            "repetition_interval": "30S",
+            "repetition_duration": "1H",
+            "random_task_delay": "5M",
+            "custom_field": custom_field.id,
+        }
+
+        resp = self.client.post(url, data, format="json")
+        self.assertEqual(resp.status_code, 200)
+
+        create_win_task_schedule.assert_called()
+        create_win_task_schedule.reset_mock()
+
+        # test add checkfailure task_type to agent
+        data = {
+            "agent": agent.agent_id,
+            "name": "Check Failure",
+            "enabled": True,
+            "actions": actions,
+            "task_type": "checkfailure",
+            "assigned_check": check.id,
+        }
+
+        resp = self.client.post(url, data, format="json")
+        self.assertEqual(resp.status_code, 200)
+
+        create_win_task_schedule.assert_called()
+        create_win_task_schedule.reset_mock()

        # test add task to policy
        data = {
-            "autotask": {
-                "name": "Test Task Manual",
-                "run_time_days": [],
-                "timeout": 120,
-                "enabled": True,
-                "script": script.id,
-                "script_args": None,
-                "task_type": "manual",
-                "assigned_check": None,
-            },
            "policy": policy.id,  # type: ignore
+            "name": "Test Task Manual",
+            "enabled": True,
+            "task_type": "manual",
+            "actions": actions,
        }

        resp = self.client.post(url, data, format="json")
@@ -97,54 +258,120 @@ class TestAutotaskViews(TacticalTestCase):

        # setup data
        agent = baker.make_recipe("agents.agent")
-        baker.make("autotasks.AutomatedTask", agent=agent, _quantity=3)
+        task = baker.make("autotasks.AutomatedTask", agent=agent)

-        url = f"/tasks/{agent.id}/automatedtasks/"
+        url = f"{base_url}/{task.id}/"

        resp = self.client.get(url, format="json")
-        serializer = AutoTaskSerializer(agent)
+        serializer = TaskSerializer(task)

        self.assertEqual(resp.status_code, 200)
        self.assertEqual(resp.data, serializer.data)  # type: ignore

        self.check_not_authenticated("get", url)

-    @patch("autotasks.tasks.enable_or_disable_win_task.delay")
+    @patch("autotasks.tasks.modify_win_task.delay")
    @patch("automation.tasks.update_policy_autotasks_fields_task.delay")
    def test_update_autotask(
-        self, update_policy_autotasks_fields_task, enable_or_disable_win_task
+        self, update_policy_autotasks_fields_task, modify_win_task
    ):
        # setup data
        agent = baker.make_recipe("agents.agent")
        agent_task = baker.make("autotasks.AutomatedTask", agent=agent)
        policy = baker.make("automation.Policy")
-        policy_task = baker.make("autotasks.AutomatedTask", policy=policy)
+        policy_task = baker.make("autotasks.AutomatedTask", enabled=True, policy=policy)
+        custom_field = baker.make("core.CustomField")
+        script = baker.make("scripts.Script")
+
+        actions = [
+            {"type": "cmd", "command": "command", "timeout": 30},
+            {"type": "script", "script": script.id, "script_args": [], "timeout": 90},
+        ]

        # test invalid url
-        resp = self.client.patch("/tasks/500/automatedtasks/", format="json")
+        resp = self.client.put(f"{base_url}/500/", format="json")
        self.assertEqual(resp.status_code, 404)

-        url = f"/tasks/{agent_task.id}/automatedtasks/"  # type: ignore
+        url = f"{base_url}/{agent_task.id}/"  # type: ignore

-        # test editing agent task
-        data = {"enableordisable": False}
+        # test editing agent task with no task update
+        data = {"name": "New Name"}

-        resp = self.client.patch(url, data, format="json")
+        resp = self.client.put(url, data, format="json")
        self.assertEqual(resp.status_code, 200)
-        enable_or_disable_win_task.assert_called_with(pk=agent_task.id)  # type: ignore
+        modify_win_task.not_called()  # type: ignore

-        url = f"/tasks/{policy_task.id}/automatedtasks/"  # type: ignore
+        # test editing agent task with agent task update
+        data = {"enabled": False}
+
+        resp = self.client.put(url, data, format="json")
+        self.assertEqual(resp.status_code, 200)
+        modify_win_task.assert_called_with(pk=agent_task.id)  # type: ignore
+        modify_win_task.reset_mock()
+
+        # test editing agent task with task_type
+        data = {
+            "name": "Monthly",
+            "actions": actions,
+            "task_type": "monthlydow",
+            "monthly_months_of_year": 500,
+            "monthly_weeks_of_month": 4,
+            "run_time_bit_weekdays": 15,
+            "run_time_date": djangotime.now(),
+            "expire_date": djangotime.now(),
+            "repetition_interval": "30S",
+            "repetition_duration": "1H",
+            "random_task_delay": "5M",
+            "custom_field": custom_field.id,
+            "run_asap_afteR_missed": False,
+        }
+
+        resp = self.client.put(url, data, format="json")
+        self.assertEqual(resp.status_code, 200)
+        modify_win_task.assert_called_with(pk=agent_task.id)  # type: ignore
+        modify_win_task.reset_mock()
+
+        # test trying to edit with empty actions
+        data = {
+            "name": "Monthly",
+            "actions": [],
+            "task_type": "monthlydow",
+            "monthly_months_of_year": 500,
+            "monthly_weeks_of_month": 4,
+            "run_time_bit_weekdays": 15,
+            "run_time_date": djangotime.now(),
+            "expire_date": djangotime.now(),
+            "repetition_interval": "30S",
+            "repetition_duration": "1H",
+            "random_task_delay": "5M",
+            "run_asap_afteR_missed": False,
+        }
+
+        resp = self.client.put(url, data, format="json")
+        self.assertEqual(resp.status_code, 400)
+        modify_win_task.assert_not_called  # type: ignore
+
+        # test editing policy tasks
+        url = f"{base_url}/{policy_task.id}/"  # type: ignore

        # test editing policy task
-        data = {"enableordisable": True}
+        data = {"enabled": False}

-        resp = self.client.patch(url, data, format="json")
+        resp = self.client.put(url, data, format="json")
        self.assertEqual(resp.status_code, 200)
        update_policy_autotasks_fields_task.assert_called_with(
            task=policy_task.id, update_agent=True  # type: ignore
        )
+        update_policy_autotasks_fields_task.reset_mock()

-        self.check_not_authenticated("patch", url)
+        # test editing policy task with no agent update
+        data = {"name": "New Name"}
+
+        resp = self.client.put(url, data, format="json")
+        self.assertEqual(resp.status_code, 200)
+        update_policy_autotasks_fields_task.assert_called_with(task=policy_task.id)
+
+        self.check_not_authenticated("put", url)

    @patch("autotasks.tasks.delete_win_task_schedule.delay")
    @patch("automation.tasks.delete_policy_autotasks_task.delay")
@@ -158,17 +385,17 @@ class TestAutotaskViews(TacticalTestCase):
        policy_task = baker.make("autotasks.AutomatedTask", policy=policy)

        # test invalid url
-        resp = self.client.delete("/tasks/500/automatedtasks/", format="json")
+        resp = self.client.delete(f"{base_url}/500/", format="json")
        self.assertEqual(resp.status_code, 404)

        # test delete agent task
-        url = f"/tasks/{agent_task.id}/automatedtasks/"  # type: ignore
+        url = f"{base_url}/{agent_task.id}/"  # type: ignore
        resp = self.client.delete(url, format="json")
        self.assertEqual(resp.status_code, 200)
        delete_win_task_schedule.assert_called_with(pk=agent_task.id)  # type: ignore

        # test delete policy task
-        url = f"/tasks/{policy_task.id}/automatedtasks/"  # type: ignore
+        url = f"{base_url}/{policy_task.id}/"  # type: ignore
        resp = self.client.delete(url, format="json")
        self.assertEqual(resp.status_code, 200)
        self.assertFalse(AutomatedTask.objects.filter(pk=policy_task.id))  # type: ignore
@@ -183,16 +410,16 @@ class TestAutotaskViews(TacticalTestCase):
        task = baker.make("autotasks.AutomatedTask", agent=agent)

        # test invalid url
-        resp = self.client.get("/tasks/runwintask/500/", format="json")
+        resp = self.client.post(f"{base_url}/500/run/", format="json")
        self.assertEqual(resp.status_code, 404)

        # test run agent task
-        url = f"/tasks/runwintask/{task.id}/"  # type: ignore
-        resp = self.client.get(url, format="json")
+        url = f"{base_url}/{task.id}/run/"  # type: ignore
+        resp = self.client.post(url, format="json")
        self.assertEqual(resp.status_code, 200)
        run_win_task.assert_called()

-        self.check_not_authenticated("get", url)
+        self.check_not_authenticated("post", url)


 class TestAutoTaskCeleryTasks(TacticalTestCase):
@@ -269,144 +496,368 @@ class TestAutoTaskCeleryTasks(TacticalTestCase):
        ret = run_win_task.s(self.task1.pk).apply()
        self.assertEqual(ret.status, "SUCCESS")

-    @patch("agents.models.Agent.nats_cmd")
-    def test_create_win_task_schedule(self, nats_cmd):
-        self.agent = baker.make_recipe("agents.agent")
+    # @patch("agents.models.Agent.nats_cmd")
+    # def test_create_win_task_schedule(self, nats_cmd):
+    #     self.agent = baker.make_recipe("agents.agent")

-        task_name = AutomatedTask.generate_task_name()
-        # test scheduled task
-        self.task1 = AutomatedTask.objects.create(
-            agent=self.agent,
-            name="test task 1",
-            win_task_name=task_name,
-            task_type="scheduled",
-            run_time_bit_weekdays=127,
-            run_time_minute="21:55",
-        )
-        self.assertEqual(self.task1.sync_status, "initial")
-        nats_cmd.return_value = "ok"
-        ret = create_win_task_schedule.s(pk=self.task1.pk).apply()
-        self.assertEqual(nats_cmd.call_count, 1)
-        nats_cmd.assert_called_with(
-            {
-                "func": "schedtask",
-                "schedtaskpayload": {
-                    "type": "rmm",
-                    "trigger": "weekly",
-                    "weekdays": 127,
-                    "pk": self.task1.pk,
-                    "name": task_name,
-                    "hour": 21,
-                    "min": 55,
-                },
-            },
-            timeout=5,
-        )
-        self.task1 = AutomatedTask.objects.get(pk=self.task1.pk)
-        self.assertEqual(self.task1.sync_status, "synced")
+    #     task_name = AutomatedTask.generate_task_name()
+    #     # test scheduled task
+    #     self.task1 = AutomatedTask.objects.create(
+    #         agent=self.agent,
+    #         name="test task 1",
+    #         win_task_name=task_name,
+    #         task_type="scheduled",
+    #         run_time_bit_weekdays=127,
+    #         run_time_minute="21:55",
+    #     )
+    #     self.assertEqual(self.task1.sync_status, "initial")
+    #     nats_cmd.return_value = "ok"
+    #     ret = create_win_task_schedule.s(pk=self.task1.pk).apply()
+    #     self.assertEqual(nats_cmd.call_count, 1)
+    #     nats_cmd.assert_called_with(
+    #         {
+    #             "func": "schedtask",
+    #             "schedtaskpayload": {
+    #                 "type": "rmm",
+    #                 "trigger": "weekly",
+    #                 "weekdays": 127,
+    #                 "pk": self.task1.pk,
+    #                 "name": task_name,
+    #                 "hour": 21,
+    #                 "min": 55,
+    #             },
+    #         },
+    #         timeout=5,
+    #     )
+    #     self.task1 = AutomatedTask.objects.get(pk=self.task1.pk)
+    #     self.assertEqual(self.task1.sync_status, "synced")

-        nats_cmd.return_value = "timeout"
-        ret = create_win_task_schedule.s(pk=self.task1.pk).apply()
-        self.assertEqual(ret.status, "SUCCESS")
-        self.task1 = AutomatedTask.objects.get(pk=self.task1.pk)
-        self.assertEqual(self.task1.sync_status, "initial")
+    #     nats_cmd.return_value = "timeout"
+    #     ret = create_win_task_schedule.s(pk=self.task1.pk).apply()
+    #     self.assertEqual(ret.status, "SUCCESS")
+    #     self.task1 = AutomatedTask.objects.get(pk=self.task1.pk)
+    #     self.assertEqual(self.task1.sync_status, "initial")

-        # test runonce with future date
-        nats_cmd.reset_mock()
-        task_name = AutomatedTask.generate_task_name()
-        run_time_date = djangotime.now() + djangotime.timedelta(hours=22)
-        self.task2 = AutomatedTask.objects.create(
-            agent=self.agent,
-            name="test task 2",
-            win_task_name=task_name,
-            task_type="runonce",
-            run_time_date=run_time_date,
-        )
-        nats_cmd.return_value = "ok"
-        ret = create_win_task_schedule.s(pk=self.task2.pk).apply()
-        nats_cmd.assert_called_with(
-            {
-                "func": "schedtask",
-                "schedtaskpayload": {
-                    "type": "rmm",
-                    "trigger": "once",
-                    "pk": self.task2.pk,
-                    "name": task_name,
-                    "year": int(dt.datetime.strftime(self.task2.run_time_date, "%Y")),
-                    "month": dt.datetime.strftime(self.task2.run_time_date, "%B"),
-                    "day": int(dt.datetime.strftime(self.task2.run_time_date, "%d")),
-                    "hour": int(dt.datetime.strftime(self.task2.run_time_date, "%H")),
-                    "min": int(dt.datetime.strftime(self.task2.run_time_date, "%M")),
-                },
-            },
-            timeout=5,
-        )
-        self.assertEqual(ret.status, "SUCCESS")
+    #     # test runonce with future date
+    #     nats_cmd.reset_mock()
+    #     task_name = AutomatedTask.generate_task_name()
+    #     run_time_date = djangotime.now() + djangotime.timedelta(hours=22)
+    #     self.task2 = AutomatedTask.objects.create(
+    #         agent=self.agent,
+    #         name="test task 2",
+    #         win_task_name=task_name,
+    #         task_type="runonce",
+    #         run_time_date=run_time_date,
+    #     )
+    #     nats_cmd.return_value = "ok"
+    #     ret = create_win_task_schedule.s(pk=self.task2.pk).apply()
+    #     nats_cmd.assert_called_with(
+    #         {
+    #             "func": "schedtask",
+    #             "schedtaskpayload": {
+    #                 "type": "rmm",
+    #                 "trigger": "once",
+    #                 "pk": self.task2.pk,
+    #                 "name": task_name,
+    #                 "year": int(dt.datetime.strftime(self.task2.run_time_date, "%Y")),
+    #                 "month": dt.datetime.strftime(self.task2.run_time_date, "%B"),
+    #                 "day": int(dt.datetime.strftime(self.task2.run_time_date, "%d")),
+    #                 "hour": int(dt.datetime.strftime(self.task2.run_time_date, "%H")),
+    #                 "min": int(dt.datetime.strftime(self.task2.run_time_date, "%M")),
+    #             },
+    #         },
+    #         timeout=5,
+    #     )
+    #     self.assertEqual(ret.status, "SUCCESS")

-        # test runonce with date in the past
-        nats_cmd.reset_mock()
-        task_name = AutomatedTask.generate_task_name()
-        run_time_date = djangotime.now() - djangotime.timedelta(days=13)
-        self.task3 = AutomatedTask.objects.create(
-            agent=self.agent,
-            name="test task 3",
-            win_task_name=task_name,
-            task_type="runonce",
-            run_time_date=run_time_date,
-        )
-        nats_cmd.return_value = "ok"
-        ret = create_win_task_schedule.s(pk=self.task3.pk).apply()
-        self.task3 = AutomatedTask.objects.get(pk=self.task3.pk)
-        self.assertEqual(ret.status, "SUCCESS")
+    #     # test runonce with date in the past
+    #     nats_cmd.reset_mock()
+    #     task_name = AutomatedTask.generate_task_name()
+    #     run_time_date = djangotime.now() - djangotime.timedelta(days=13)
+    #     self.task3 = AutomatedTask.objects.create(
+    #         agent=self.agent,
+    #         name="test task 3",
+    #         win_task_name=task_name,
+    #         task_type="runonce",
+    #         run_time_date=run_time_date,
+    #     )
+    #     nats_cmd.return_value = "ok"
+    #     ret = create_win_task_schedule.s(pk=self.task3.pk).apply()
+    #     self.task3 = AutomatedTask.objects.get(pk=self.task3.pk)
+    #     self.assertEqual(ret.status, "SUCCESS")

-        # test checkfailure
-        nats_cmd.reset_mock()
-        self.check = baker.make_recipe("checks.diskspace_check", agent=self.agent)
-        task_name = AutomatedTask.generate_task_name()
-        self.task4 = AutomatedTask.objects.create(
-            agent=self.agent,
-            name="test task 4",
-            win_task_name=task_name,
-            task_type="checkfailure",
-            assigned_check=self.check,
-        )
-        nats_cmd.return_value = "ok"
-        ret = create_win_task_schedule.s(pk=self.task4.pk).apply()
-        nats_cmd.assert_called_with(
-            {
-                "func": "schedtask",
-                "schedtaskpayload": {
-                    "type": "rmm",
-                    "trigger": "manual",
-                    "pk": self.task4.pk,
-                    "name": task_name,
-                },
-            },
-            timeout=5,
-        )
-        self.assertEqual(ret.status, "SUCCESS")
+    #     # test checkfailure
+    #     nats_cmd.reset_mock()
+    #     self.check = baker.make_recipe("checks.diskspace_check", agent=self.agent)
+    #     task_name = AutomatedTask.generate_task_name()
+    #     self.task4 = AutomatedTask.objects.create(
+    #         agent=self.agent,
+    #         name="test task 4",
+    #         win_task_name=task_name,
+    #         task_type="checkfailure",
+    #         assigned_check=self.check,
+    #     )
+    #     nats_cmd.return_value = "ok"
+    #     ret = create_win_task_schedule.s(pk=self.task4.pk).apply()
+    #     nats_cmd.assert_called_with(
+    #         {
+    #             "func": "schedtask",
+    #             "schedtaskpayload": {
+    #                 "type": "rmm",
+    #                 "trigger": "manual",
+    #                 "pk": self.task4.pk,
+    #                 "name": task_name,
+    #             },
+    #         },
+    #         timeout=5,
+    #     )
+    #     self.assertEqual(ret.status, "SUCCESS")

-        # test manual
-        nats_cmd.reset_mock()
-        task_name = AutomatedTask.generate_task_name()
-        self.task5 = AutomatedTask.objects.create(
-            agent=self.agent,
-            name="test task 5",
-            win_task_name=task_name,
-            task_type="manual",
+    #     # test manual
+    #     nats_cmd.reset_mock()
+    #     task_name = AutomatedTask.generate_task_name()
+    #     self.task5 = AutomatedTask.objects.create(
+    #         agent=self.agent,
+    #         name="test task 5",
+    #         win_task_name=task_name,
+    #         task_type="manual",
+    #     )
+    #     nats_cmd.return_value = "ok"
+    #     ret = create_win_task_schedule.s(pk=self.task5.pk).apply()
+    #     nats_cmd.assert_called_with(
+    #         {
+    #             "func": "schedtask",
+    #             "schedtaskpayload": {
+    #                 "type": "rmm",
+    #                 "trigger": "manual",
+    #                 "pk": self.task5.pk,
+    #                 "name": task_name,
+    #             },
+    #         },
+    #         timeout=5,
+    #     )
+    #     self.assertEqual(ret.status, "SUCCESS")
+
+
+class TestTaskPermissions(TacticalTestCase):
+    def setUp(self):
+        self.setup_coresettings()
+        self.client_setup()
+
+    def test_get_tasks_permissions(self):
+        agent = baker.make_recipe("agents.agent")
+        policy = baker.make("automation.Policy")
+        unauthorized_agent = baker.make_recipe("agents.agent")
+        task = baker.make("autotasks.AutomatedTask", agent=agent, _quantity=5)
+        unauthorized_task = baker.make(
+            "autotasks.AutomatedTask", agent=unauthorized_agent, _quantity=7
        )
-        nats_cmd.return_value = "ok"
-        ret = create_win_task_schedule.s(pk=self.task5.pk).apply()
-        nats_cmd.assert_called_with(
-            {
-                "func": "schedtask",
-                "schedtaskpayload": {
-                    "type": "rmm",
-                    "trigger": "manual",
-                    "pk": self.task5.pk,
-                    "name": task_name,
-                },
-            },
-            timeout=5,
+
+        policy_tasks = baker.make("autotasks.AutomatedTask", policy=policy, _quantity=2)
+
+        # test super user access
+        self.check_authorized_superuser("get", f"{base_url}/")
+        self.check_authorized_superuser("get", f"/agents/{agent.agent_id}/tasks/")
+        self.check_authorized_superuser(
+            "get", f"/agents/{unauthorized_agent.agent_id}/tasks/"
        )
-        self.assertEqual(ret.status, "SUCCESS")
+        self.check_authorized_superuser(
+            "get", f"/automation/policies/{policy.id}/tasks/"
+        )
+
+        user = self.create_user_with_roles([])
+        self.client.force_authenticate(user=user)
+
+        self.check_not_authorized("get", f"{base_url}/")
+        self.check_not_authorized("get", f"/agents/{agent.agent_id}/tasks/")
+        self.check_not_authorized(
+            "get", f"/agents/{unauthorized_agent.agent_id}/tasks/"
+        )
+        self.check_not_authorized("get", f"/automation/policies/{policy.id}/tasks/")
+
+        # add list software role to user
+        user.role.can_list_autotasks = True
+        user.role.save()
+
+        r = self.check_authorized("get", f"{base_url}/")
+        self.assertEqual(len(r.data), 14)
+        r = self.check_authorized("get", f"/agents/{agent.agent_id}/tasks/")
+        self.assertEqual(len(r.data), 5)
+        r = self.check_authorized(
+            "get", f"/agents/{unauthorized_agent.agent_id}/tasks/"
+        )
+        self.assertEqual(len(r.data), 7)
+        r = self.check_authorized("get", f"/automation/policies/{policy.id}/tasks/")
+        self.assertEqual(len(r.data), 2)
+
+        # test limiting to client
+        user.role.can_view_clients.set([agent.client])
+        self.check_not_authorized(
+            "get", f"/agents/{unauthorized_agent.agent_id}/tasks/"
+        )
+        self.check_authorized("get", f"/agents/{agent.agent_id}/tasks/")
+        self.check_authorized("get", f"/automation/policies/{policy.id}/tasks/")
+
+        # make sure queryset is limited too
+        r = self.client.get(f"{base_url}/")
+        self.assertEqual(len(r.data), 7)
+
+    def test_add_task_permissions(self):
+        agent = baker.make_recipe("agents.agent")
+        unauthorized_agent = baker.make_recipe("agents.agent")
+        policy = baker.make("automation.Policy")
+        script = baker.make("scripts.Script")
+
+        policy_data = {
+            "policy": policy.id,  # type: ignore
+            "name": "Test Task Manual",
+            "run_time_days": [],
+            "timeout": 120,
+            "enabled": True,
+            "script": script.id,
+            "script_args": [],
+            "task_type": "manual",
+            "assigned_check": None,
+        }
+
+        agent_data = {
+            "agent": agent.agent_id,
+            "name": "Test Task Manual",
+            "run_time_days": [],
+            "timeout": 120,
+            "enabled": True,
+            "script": script.id,
+            "script_args": [],
+            "task_type": "manual",
+            "assigned_check": None,
+        }
+
+        unauthorized_agent_data = {
+            "agent": unauthorized_agent.agent_id,
+            "name": "Test Task Manual",
+            "run_time_days": [],
+            "timeout": 120,
+            "enabled": True,
+            "script": script.id,
+            "script_args": [],
+            "task_type": "manual",
+            "assigned_check": None,
+        }
+
+        url = f"{base_url}/"
+
+        for data in [policy_data, agent_data]:
+            # test superuser access
+            self.check_authorized_superuser("post", url, data)
+
+            user = self.create_user_with_roles([])
+            self.client.force_authenticate(user=user)
+
+            # test user without role
+            self.check_not_authorized("post", url, data)
+
+            # add user to role and test
+            setattr(user.role, "can_manage_autotasks", True)
+            user.role.save()
+
+            self.check_authorized("post", url, data)
+
+            # limit user to client
+            user.role.can_view_clients.set([agent.client])
+            if "agent" in data.keys():
+                self.check_authorized("post", url, data)
+                self.check_not_authorized("post", url, unauthorized_agent_data)
+            else:
+                self.check_authorized("post", url, data)
+
+    # mock the task delete method so it actually isn't deleted
+    @patch("autotasks.models.AutomatedTask.delete")
+    def test_task_get_edit_delete_permissions(self, delete_task):
+        agent = baker.make_recipe("agents.agent")
+        unauthorized_agent = baker.make_recipe("agents.agent")
+        policy = baker.make("automation.Policy")
+        task = baker.make("autotasks.AutomatedTask", agent=agent)
+        unauthorized_task = baker.make(
+            "autotasks.AutomatedTask", agent=unauthorized_agent
+        )
+        policy_task = baker.make("autotasks.AutomatedTask", policy=policy)
+
+        for method in ["get", "put", "delete"]:
+
+            url = f"{base_url}/{task.id}/"
+            unauthorized_url = f"{base_url}/{unauthorized_task.id}/"
+            policy_url = f"{base_url}/{policy_task.id}/"
+
+            # test superuser access
+            self.check_authorized_superuser(method, url)
+            self.check_authorized_superuser(method, unauthorized_url)
+            self.check_authorized_superuser(method, policy_url)
+
+            user = self.create_user_with_roles([])
+            self.client.force_authenticate(user=user)
+
+            # test user without role
+            self.check_not_authorized(method, url)
+            self.check_not_authorized(method, unauthorized_url)
+            self.check_not_authorized(method, policy_url)
+
+            # add user to role and test
+            setattr(
+                user.role,
+                "can_list_autotasks" if method == "get" else "can_manage_autotasks",
+                True,
+            )
+            user.role.save()
+
+            self.check_authorized(method, url)
+            self.check_authorized(method, unauthorized_url)
+            self.check_authorized(method, policy_url)
+
+            # limit user to client if agent task
+            user.role.can_view_clients.set([agent.client])
+
+            self.check_authorized(method, url)
+            self.check_not_authorized(method, unauthorized_url)
+            self.check_authorized(method, policy_url)
+
+    def test_task_action_permissions(self):
+
+        agent = baker.make_recipe("agents.agent")
+        unauthorized_agent = baker.make_recipe("agents.agent")
+        task = baker.make("autotasks.AutomatedTask", agent=agent)
+        unauthorized_task = baker.make(
+            "autotasks.AutomatedTask", agent=unauthorized_agent
+        )
+
+        url = f"{base_url}/{task.id}/run/"
+        unauthorized_url = f"{base_url}/{unauthorized_task.id}/run/"
+
+        # test superuser access
+        self.check_authorized_superuser("post", url)
+        self.check_authorized_superuser("post", unauthorized_url)
+
+        user = self.create_user_with_roles([])
+        self.client.force_authenticate(user=user)
+
+        # test user without role
+        self.check_not_authorized("post", url)
+        self.check_not_authorized("post", unauthorized_url)
+
+        # add user to role and test
+        user.role.can_run_autotasks = True
+        user.role.save()
+
+        self.check_authorized("post", url)
+        self.check_authorized("post", unauthorized_url)
+
+        # limit user to client if agent task
+        user.role.can_view_sites.set([agent.site])
+
+        self.check_authorized("post", url)
+        self.check_not_authorized("post", unauthorized_url)
+
+    def test_policy_fields_to_copy_exists(self):
+        fields = [i.name for i in AutomatedTask._meta.get_fields()]
+        task = baker.make("autotasks.AutomatedTask")
+        for i in task.policy_fields_to_copy:  # type: ignore
+            self.assertIn(i, fields)
--- a/api/tacticalrmm/autotasks/urls.py
+++ b/api/tacticalrmm/autotasks/urls.py
@@ -3,7 +3,7 @@ from django.urls import path
 from . import views

 urlpatterns = [
-    path("<int:pk>/automatedtasks/", views.AutoTask.as_view()),
-    path("automatedtasks/", views.AddAutoTask.as_view()),
-    path("runwintask/<int:pk>/", views.run_task),
+    path("", views.GetAddAutoTasks.as_view()),
+    path("<int:pk>/", views.GetEditDeleteAutoTask.as_view()),
+    path("<int:pk>/run/", views.RunAutoTask.as_view()),
 ]
--- a/api/tacticalrmm/autotasks/views.py
+++ b/api/tacticalrmm/autotasks/views.py
@@ -1,56 +1,52 @@
+from agents.models import Agent
+from automation.models import Policy
 from django.shortcuts import get_object_or_404
-from rest_framework.decorators import api_view, permission_classes
+from rest_framework.exceptions import PermissionDenied
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.response import Response
 from rest_framework.views import APIView

-from agents.models import Agent
-from checks.models import Check
-from scripts.models import Script
-from tacticalrmm.utils import get_bit_days, get_default_timezone, notify_error
+from tacticalrmm.permissions import _has_perm_on_agent

 from .models import AutomatedTask
-from .permissions import ManageAutoTaskPerms, RunAutoTaskPerms
-from .serializers import AutoTaskSerializer, TaskSerializer
+from .permissions import AutoTaskPerms, RunAutoTaskPerms
+from .serializers import TaskSerializer


-class AddAutoTask(APIView):
-    permission_classes = [IsAuthenticated, ManageAutoTaskPerms]
+class GetAddAutoTasks(APIView):
+    permission_classes = [IsAuthenticated, AutoTaskPerms]
+
+    def get(self, request, agent_id=None, policy=None):
+
+        if agent_id:
+            agent = get_object_or_404(Agent, agent_id=agent_id)
+            tasks = AutomatedTask.objects.filter(agent=agent)
+        elif policy:
+            policy = get_object_or_404(Policy, id=policy)
+            tasks = AutomatedTask.objects.filter(policy=policy)
+        else:
+            tasks = AutomatedTask.objects.filter_by_role(request.user)
+        return Response(TaskSerializer(tasks, many=True).data)

    def post(self, request):
-        from automation.models import Policy
        from automation.tasks import generate_agent_autotasks_task
        from autotasks.tasks import create_win_task_schedule

-        data = request.data
-        script = get_object_or_404(Script, pk=data["autotask"]["script"])
+        data = request.data.copy()

-        # Determine if adding check to Policy or Agent
-        if "policy" in data:
-            policy = get_object_or_404(Policy, id=data["policy"])
-            # Object used for filter and save
-            parent = {"policy": policy}
-        else:
-            agent = get_object_or_404(Agent, pk=data["agent"])
-            parent = {"agent": agent}
+        # Determine if adding to an agent and replace agent_id with pk
+        if "agent" in data.keys():
+            agent = get_object_or_404(Agent, agent_id=data["agent"])

-        check = None
-        if data["autotask"]["assigned_check"]:
-            check = get_object_or_404(Check, pk=data["autotask"]["assigned_check"])
+            if not _has_perm_on_agent(request.user, agent.agent_id):
+                raise PermissionDenied()

-        bit_weekdays = None
-        if data["autotask"]["run_time_days"]:
-            bit_weekdays = get_bit_days(data["autotask"]["run_time_days"])
+            data["agent"] = agent.pk

-        del data["autotask"]["run_time_days"]
-        serializer = TaskSerializer(data=data["autotask"], partial=True, context=parent)
+        serializer = TaskSerializer(data=data)
        serializer.is_valid(raise_exception=True)
        task = serializer.save(
-            **parent,
-            script=script,
            win_task_name=AutomatedTask.generate_task_name(),
-            assigned_check=check,
-            run_time_bit_weekdays=bit_weekdays,
        )

        if task.agent:
@@ -59,58 +55,35 @@ class AddAutoTask(APIView):
        elif task.policy:
            generate_agent_autotasks_task.delay(policy=task.policy.pk)

-        return Response("Task will be created shortly!")
+        return Response(
+            "The task has been created. It will show up on the agent on next checkin"
+        )


-class AutoTask(APIView):
-    permission_classes = [IsAuthenticated, ManageAutoTaskPerms]
+class GetEditDeleteAutoTask(APIView):
+    permission_classes = [IsAuthenticated, AutoTaskPerms]

    def get(self, request, pk):

-        agent = get_object_or_404(Agent, pk=pk)
-        ctx = {
-            "default_tz": get_default_timezone(),
-            "agent_tz": agent.time_zone,
-        }
-        return Response(AutoTaskSerializer(agent, context=ctx).data)
+        task = get_object_or_404(AutomatedTask, pk=pk)
+
+        if task.agent and not _has_perm_on_agent(request.user, task.agent.agent_id):
+            raise PermissionDenied()
+
+        return Response(TaskSerializer(task).data)

    def put(self, request, pk):
-        from automation.tasks import update_policy_autotasks_fields_task

        task = get_object_or_404(AutomatedTask, pk=pk)

+        if task.agent and not _has_perm_on_agent(request.user, task.agent.agent_id):
+            raise PermissionDenied()
+
        serializer = TaskSerializer(instance=task, data=request.data, partial=True)
        serializer.is_valid(raise_exception=True)
        serializer.save()

-        if task.policy:
-            update_policy_autotasks_fields_task.delay(task=task.pk)
-
-        return Response("ok")
-
-    def patch(self, request, pk):
-        from automation.tasks import update_policy_autotasks_fields_task
-        from autotasks.tasks import enable_or_disable_win_task
-
-        task = get_object_or_404(AutomatedTask, pk=pk)
-
-        if "enableordisable" in request.data:
-            action = request.data["enableordisable"]
-            task.enabled = action
-            task.save(update_fields=["enabled"])
-            action = "enabled" if action else "disabled"
-
-            if task.policy:
-                update_policy_autotasks_fields_task.delay(
-                    task=task.pk, update_agent=True
-                )
-            elif task.agent:
-                enable_or_disable_win_task.delay(pk=task.pk)
-
-            return Response(f"Task will be {action} shortly")
-
-        else:
-            return notify_error("The request was invalid")
+        return Response("The task was updated")

    def delete(self, request, pk):
        from automation.tasks import delete_policy_autotasks_task
@@ -118,6 +91,9 @@ class AutoTask(APIView):

        task = get_object_or_404(AutomatedTask, pk=pk)

+        if task.agent and not _has_perm_on_agent(request.user, task.agent.agent_id):
+            raise PermissionDenied()
+
        if task.agent:
            delete_win_task_schedule.delay(pk=task.pk)
        elif task.policy:
@@ -127,11 +103,16 @@ class AutoTask(APIView):
        return Response(f"{task.name} will be deleted shortly")


-@api_view()
-@permission_classes([IsAuthenticated, RunAutoTaskPerms])
-def run_task(request, pk):
-    from autotasks.tasks import run_win_task
+class RunAutoTask(APIView):
+    permission_classes = [IsAuthenticated, RunAutoTaskPerms]

-    task = get_object_or_404(AutomatedTask, pk=pk)
-    run_win_task.delay(pk=pk)
-    return Response(f"{task.name} will now be run on {task.agent.hostname}")
+    def post(self, request, pk):
+        from autotasks.tasks import run_win_task
+
+        task = get_object_or_404(AutomatedTask, pk=pk)
+
+        if task.agent and not _has_perm_on_agent(request.user, task.agent.agent_id):
+            raise PermissionDenied()
+
+        run_win_task.delay(pk=pk)
+        return Response(f"{task.name} will now be run on {task.agent.hostname}")
--- a/Show More
+++ b/Show More