There is no one 'best' way. McAfee does a significant amount of testing on DAT releases to ensure there isn't a problem with the DAT, but every environment is unique. Some organisations will test the DATs with their proprietary internal systems before deployment, and some organisations deploy DATs as soon as possible to ensure they are getting the latest signatures out as quickly as possible. Typically I would not suggest a delay in deploying new DATs for more than maybe half a day unless there is a compelling reason (testing, regulations, etc.) The longer you wait, the longer you are unprotected from the new and updated signatures in that DAT release.
As to a branch, that would depend on what your goal is. If you plan on doing pre-deployment testing, that is a good place to stage. If you are simply adding a delay in deployment, you could always simply modify your DAT pull task to run until just before you want to deploy. Obviously there is timing involved here (time to download, time to replicate to repositories, etc.)
Hope that helps.
i am planning to dealy the update of 50% of our computers including servers one day behind, what do you think?