Explaining the Patch Cycles
What is a patch cycle?
When are Application patches added to each cycle?
What happens when a patch is released mid cycle?
Any update released mid cycle is added to the next patching cycle automatically.
All Application updates released mid cycle will be enforced at the END of the NEXT cycle.
What happens if there's a critical security patch released?
If a critical patch is released, e.g. for a zero-day vulnerability, you can create a "Critical Patch Policy" to expedite its deployment to your Macs. Once configured, the patch will be enforced on all devices checking into Orchard within 24 hours.
Scenario
Qualys or Tenable has flagged a critical vulnerability in Google Chrome across the macOS estate. All Macs need to update to version xxx.
1 - InfoSec flags the requirement to the IT team.
2 - IT checks the expected enforcement date for the release of the Chrome update (which at the latest will be the completion date of the NEXT patching cycle).
3 - InfoSec confirms whether this date is acceptable; if not, an expedited "Critical Patch Policy" is required.
4 - The IT team takes the appropriate action, either leaving the patch to complete under its default configuration or creating a "Critical Patch Policy".
*Link to Critical patch policy KB article*