diff --git a/attributes/default.rb b/attributes/default.rb
index 0120756..6c3addd 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -8,12 +8,21 @@
 default['unattended-upgrades']['automatic_reboot'] = false
 default['unattended-upgrades']['download_limit'] = nil # Set to Integer representing kb/sec limit
-default['unattended-upgrades']['allowed_origins'] = {
- 'security' => true,
- 'updates' => false,
- 'proposed' => false,
- 'backports' => false
-}
+case node['platform']
+when 'ubuntu'
+ default['unattended-upgrades']['allowed_origins'] = {
+ 'security' => true,
+ 'updates' => false,
+ 'proposed' => false,
+ 'backports' => false
+ }
+ default['unattended-upgrades']['origin_patterns'] = {}
+when 'debian'
+ default['unattended-upgrades']['allowed_origins'] = {}
+ default['unattended-upgrades']['origin_patterns'] = {
+ 'origin=Debian,archive=stable,label=Debian-Security' => true
+ }
+end
 default['unattended-upgrades']['apt_recipe'] = 'default'
diff --git a/metadata.rb b/metadata.rb
index 064ce32..5e361ee 100644
--- a/metadata.rb
+++ b/metadata.rb
@@ -4,9 +4,9 @@
 license "Apache 2.0"
 description "Installs/Configures unattended-upgrades"
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version "0.1.2"
+version "0.2.0"
-# supports "debian" # Untested
+supports "debian"
 supports "ubuntu"
 depends "apt"
diff --git a/recipes/default.rb b/recipes/default.rb
index daa551a..74c6c88 100644
--- a/recipes/default.rb
+++ b/recipes/default.rb
@@ -37,6 +37,7 @@
 mode '0644'
 variables(
 :allowed_origins => node['unattended-upgrades']['allowed_origins'],
+ :origin_patterns => node['unattended-upgrades']['origin_patterns'],
 :package_blacklist => node['unattended-upgrades']['package_blacklist'],
 :autofix_dpkg => node['unattended-upgrades']['autofix_dpkg'],
 :minimal_steps => node['unattended-upgrades']['minimal_steps'],
diff --git a/spec/default_spec.rb b/spec/default_spec.rb
index ba51453..a57208c 100644
--- a/spec/default_spec.rb
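Review bot: The `case node['platform']` block in attributes/default.rb has no `else` branch, so on any platform other than `ubuntu` or `debian` both `allowed_origins` and `origin_patterns` stay unset, and the template changed in this commit then calls `.empty?` on nil. An `else` that sets `default['unattended-upgrades']['allowed_origins'] = {}` and `default['unattended-upgrades']['origin_patterns'] = {}` keeps the render from failing, though such a node would then have no origins enabled. Separately, the Debian default `origin=Debian,archive=stable,label=Debian-Security` selects by suite name, so a host on a release that has since become oldstable would presumably stop matching and silently receive no security upgrades. A comment above the pattern such as `# matches the current stable suite only; override on oldstable hosts` would make that visible to operators.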
+++ b/spec/default_spec.rb
@@ -16,8 +16,16 @@
 end
 it 'should write the config files' do
- expect(chef_run).to render_file('/etc/apt/apt.conf.d/50unattended-upgrades').with_content('Unattended-Upgrade::Mail "root@localhost"')
- expect(chef_run).to render_file('/etc/apt/apt.conf.d/20auto-upgrades').with_content('APT::Periodic::Unattended-Upgrade "1"')
+ expect(chef_run).to render_file('/etc/apt/apt.conf.d/50unattended-upgrades')
+ .with_content('Unattended-Upgrade::Mail "root@localhost"')
+ expect(chef_run).to render_file('/etc/apt/apt.conf.d/50unattended-upgrades')
+ .with_content('Unattended-Upgrade::Allowed-Origins')
+ expect(chef_run).to_not render_file('/etc/apt/apt.conf.d/50unattended-upgrades')
+ .with_content('Unattended-Upgrade::Origins-Pattern')
+ expect(chef_run).to render_file('/etc/apt/apt.conf.d/50unattended-upgrades')
+ .with_content('"${distro_id}:${distro_codename}-security"')
+ expect(chef_run).to render_file('/etc/apt/apt.conf.d/20auto-upgrades')
+ .with_content('APT::Periodic::Unattended-Upgrade "1"')
 end
 it 'should not warn about missing mail package' do
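Review bot: This example asserts that the `-security` origin is rendered but never that a disabled origin is absent, which is the behaviour the template change in this commit alters (disabled entries were written as `//` comment lines and are now omitted). Adding `expect(chef_run).to_not render_file('/etc/apt/apt.conf.d/50unattended-upgrades').with_content('${distro_codename}-updates')` would pin that only the enabled origin reaches the apt configuration. The enclosing describe/context block starts outside the hunk, so the platform under test is inferred from the asserted content.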
@@ -41,8 +49,16 @@
 end
 it 'should write the config files' do
- expect(chef_run).to render_file('/etc/apt/apt.conf.d/50unattended-upgrades').with_content('Unattended-Upgrade::Mail')
- expect(chef_run).to render_file('/etc/apt/apt.conf.d/20auto-upgrades').with_content('APT::Periodic::Unattended-Upgrade "1"')
+ expect(chef_run).to render_file('/etc/apt/apt.conf.d/50unattended-upgrades').
+ with_content('Unattended-Upgrade::Mail')
+ expect(chef_run).to_not render_file('/etc/apt/apt.conf.d/50unattended-upgrades')
+ .with_content('Unattended-Upgrade::Allowed-Origins')
+ expect(chef_run).to render_file('/etc/apt/apt.conf.d/50unattended-upgrades')
+ .with_content('Unattended-Upgrade::Origins-Pattern')
+ expect(chef_run).to render_file('/etc/apt/apt.conf.d/50unattended-upgrades')
+ .with_content('origin=Debian,archive=stable,label=Debian-Security')
+ expect(chef_run).to render_file('/etc/apt/apt.conf.d/20auto-upgrades')
+ .with_content('APT::Periodic::Unattended-Upgrade "1"')
 end
 end
diff --git a/templates/default/unattended-upgrades.conf.erb b/templates/default/unattended-upgrades.conf.erb
index 09ff914..78075b8 100644
--- a/templates/default/unattended-upgrades.conf.erb
+++ b/templates/default/unattended-upgrades.conf.erb
@@ -1,11 +1,24 @@
 // File configured by chef - don't edit manually
+<% unless @allowed_origins.empty? %>
 // Automatically upgrade packages from these (origin:archive) pairs
 Unattended-Upgrade::Allowed-Origins {
 <% @allowed_origins.each do |origin, enabled| %>
-<%= '//' unless enabled %> "${distro_id}:${distro_codename}-<%= origin %>";
+ <%= "\"${distro_id}:${distro_codename}-#{origin}\";" if enabled -%>
 <% end %>
+
 };
+<% end %>
+
+<% unless @origin_patterns.empty? %>
+// Automatically upgrade packages from these origin patterns
+Unattended-Upgrade::Origins-Pattern {
+<% @origin_patterns.each do |pattern, enabled| %>
+ <%= "\"#{pattern}\";" if enabled -%>
+<% end %>
+
+};
+<% end %>
 // List of packages to not update
 Unattended-Upgrade::Package-Blacklist {
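Review bot: The first expectation in this example breaks the call chain with a trailing dot (`render_file(...).` followed by `with_content('Unattended-Upgrade::Mail')`), while every other expectation added in this commit continues with a leading `.with_content`. Writing the continuation as `.with_content('Unattended-Upgrade::Mail')` keeps the spec file in one style. The enclosing context block starts outside the hunk.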
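Review bot: The new `Origins-Pattern` loop writes each attribute key straight into a quoted apt.conf string, `"\"#{pattern}\";"`, with no check on its content, and the rewritten `Allowed-Origins` line does the same with `origin`. A key containing `"` or a newline would produce a 50unattended-upgrades file that apt parses differently or rejects, and a parse failure there would presumably stop automatic security upgrades until someone notices. The values come from node attributes, so this is a robustness guard rather than an injection fix: have the recipe skip or fail on keys matching `/["\n]/` before the template is rendered. The spec hunks in this commit exercise only the default attribute values.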