1. No programmatic access
The AI can only talk about your fleet from training data. Every answer is stale, and every "action" is a human copying instructions from a chat window into a console.
MCP RMM · Evaluating MCP support
Breeze was the first RMM to ship an MCP server. This page explains what MCP support in an RMM actually unlocks, the five things to demand from any vendor claiming it, and how Breeze implements each one.
Definition
The Model Context Protocol is the open standard that connects AI clients — Claude Desktop, Claude Code, Cursor, ChatGPT — to live systems. Without it, an AI can only talk about your fleet from training data: stale answers, and a human doing all the clicking.
An RMM with an MCP server turns that around: your AI client works the actual fleet — pulling device state, triaging alerts, kicking off patch jobs — through tools the platform exposes and governs. The question that separates a real MCP RMM from a checkbox is not "is there an MCP server?" but "what happens when the AI asks to do something dangerous?" The rest of this page is how to answer that question for any vendor.
The spectrum
"Supports AI" covers wildly different realities. These are categories, not specific products — know which one you're actually evaluating.
The AI can only talk about your fleet from training data. Every answer is stale, and every "action" is a human copying instructions from a chat window into a console.
The fleet is reachable, but you write and maintain the glue code — auth, retries, rate limits, and safety are your problem, per integration, forever. Most AI clients cannot use it directly at all.
An MCP server exists, but governance is whatever the model decides in the moment. Tool access without risk classification is a service account with opinions — the scariest thing you can attach to a client fleet.
Every call passes through the platform's risk tiers, scoped credentials, tenant isolation, and audit log before anything touches a device. The AI gets exactly the access your governance allows. This is Breeze.
The buyer's checklist
Whatever vendor you're evaluating, these five things are non-negotiable. If a vendor can't show you all five, the MCP server is a liability you'd be wiring into your fleet — regardless of what the announcement said.
Governance enforced at the platform level
Every MCP call should pass through the same risk engine that governs the vendor's own UI: reads execute freely, low-risk actions are logged, impactful actions wait for human approval, destructive actions are blocked. If the governance lives in a system prompt instead of the platform, it is a suggestion, not a control.
Scoped credentials with real revocation
The credential should decide which risk tiers an assistant can even attempt — a read-only key must not be able to escalate to script execution, regardless of which client is asking. Enrollment should support OAuth 2.1 so revoking one assistant's access is one click, not a key rotation across your team.
Audit parity with the UI
An action taken from Claude Desktop should log identically to the same action taken in the vendor's console: same tool name, parameters, identity, tenant, and outcome. If MCP actions log differently — or less — the MCP server is a side channel around your audit trail, not an interface into it.
The full toolset, not a demo sandbox
The MCP server should expose the same tools the vendor's own built-in AI uses. If external clients get a reduced read-only subset, every AI workflow you build will dead-end the moment it needs to act, and you are back to a human clicking buttons.
Tenant isolation on every call
A key issued for one customer must not be able to see or touch another, enforced per call rather than trusted per session. For an MSP, this is the difference between an MCP server you can put in front of client fleets and one you cannot.
How Breeze implements it
Breeze is our answer to the checklist above. Full disclosure: we built it — so take the specifics, and hold every vendor claiming MCP support to the same standard.
MCP calls route through the same risk engine as the Breeze UI. Tier 1 reads run free. Tier 2 low-risk actions auto-execute and are logged. Tier 3 impactful actions — script runs, patch deploys — stop and wait for human approval. Tier 4 is blocked outright, whatever the model asks for.
How the risk engine works →Modern clients like Claude.ai and ChatGPT enroll over OAuth 2.1, so revoking an assistant's access is one click. Scoped API keys decide which risk tiers a connection can attempt — a read-only key cannot escalate to execution, regardless of the client behind it.
The setup guide →Device management, alert handling, patch deployment, script execution, reporting, documentation, and fleet intelligence: the same toolset the built-in Breeze operator uses, over both MCP transports (SSE and Streamable HTTP). External AI clients are not second-class.
The MCP Server feature →A patch deployed from Claude Desktop logs identically to one deployed from the Breeze console — same tool name, parameters, identity, tenant, and outcome. The audit trail is enforced at the platform level, so no client, prompt, or model choice can route around it.
Every tool, with chaining patterns →Every MCP call is checked against the tenant the credential was issued for. A key scoped to one customer cannot read, list, or act on another — which is what makes it safe to hand governed AI access to techs working across many client fleets.
Breeze for MSPs →The direct answer
The honest answer: Breeze shipped MCP first, and it's the platform where MCP is a governed execution surface rather than a press release — the checklist above is a description of how it works today. But you shouldn't take a vendor's word for it, ours included. Ask any RMM vendor claiming MCP support to show you three things live: the approval flow when the AI requests a high-risk action, the audit log entry an MCP call produces, and how you revoke a single assistant's access.
With Breeze you can verify it yourself in a minute — connecting a client is one line:
claude mcp add breeze-rmm --transport sse \
--url https://your-api/api/v1/mcp/sse \
--header "X-API-Key: brz_..." Answers to the questions people ask most often about MCP in an RMM.
Breeze was the first RMM to ship one — in production, with 17 tools over both MCP transports, governed by the platform's risk engine. The landscape moves fast, so whatever vendor you evaluate, verify three things live: the approval flow on a high-risk action, the audit log entry for an MCP call, and how you revoke one assistant's access. A vendor that cannot demo those has an announcement, not an MCP server.
It is safe when the governance is enforced by the platform, not the model: risk tiers decide what executes, scoped credentials cap what a connection can attempt, tenant isolation is checked on every call, and everything is logged. It is not safe when the model's own judgment is the only gate. In Breeze, a destructive action is blocked at the platform level no matter what the AI asks for.
Through Breeze's MCP server, an AI client can query device state, triage and acknowledge alerts, deploy patches, run scripts, pull reports, and search documentation — each call classified by risk tier. Reads execute freely, low-risk actions are logged, impactful actions wait for human approval, and destructive operations are blocked outright.
There is no separate MCP add-on. The MCP server is part of the Breeze platform — self-host the open source deployment free or run cloud, and the same governed toolset is exposed either way, under the same risk engine.
A REST API is a set of endpoints you script against: you build and maintain the auth, glue code, and safety checks for every integration. MCP is an open standard that AI clients already speak — tools describe themselves, so Claude Desktop, Claude Code, Cursor, or ChatGPT can connect without custom code. In Breeze, MCP calls also arrive pre-governed: risk tiers, scoping, and audit are applied by the platform, not left to your integration code.
One command in a modern MCP client — point it at your Breeze tenant's MCP endpoint with a scoped API key, or enroll over OAuth 2.1 from clients that support it. Both MCP transports (SSE and Streamable HTTP) are supported. The step-by-step walkthrough is in our setup guide: How to Use Your RMM From Claude Desktop (or Cursor).
The MCP server ships in every Breeze deployment — self-hosted or cloud — governed by the same four-tier risk engine described above. Book a call to see the approval flow live, or deploy it yourself today.
Related reading