- Tactical RMM: Open Source remote monitoring and management for Windows - Thu, Jan 27 2022
During the pandemic, remote work became the norm, and system administrators needed remote management tools more than ever. Products that were once mainly designed for the MSP space are now required for traditional sysadmins.
So, I was looking for a simple RMM tool to manage my small fleet of workstations and laptops (approx. 100 hosts), and I noticed that a new, Open Source software tool had cropped up and was competing with commercial RMMs in terms of performance and feature lists. Its name is Tactical RMM.
Tactical RMM features
Currently, the Tactical RMM agent supports only Windows operating systems (from Windows 7 to Windows Server 2019). Linux and macOS agents are in the planning stage.
The feature list, which grows with every release, comprises the following:
- Remote desktop control, leveraged by MeshCentral
- Real-time remote background (shell, file browser with download/upload)
- Remote command and script execution (batch, PowerShell, and Python scripts)
- Event log viewer
- Service management
- Windows patch management
- Automated checks with alerting (CPU, disk, memory, services, scripts, event logs)
- Automated task runner (run scripts on a schedule)
- Remote software installation via Chocolatey
- Software and hardware inventory
Installation requires some Linux skills. It is recommended to install Tactical RMM on a dedicated server. The process is straightforward. Updating the server is also as easy as downloading and launching a bash script.
To keep the installation and upgrade process easy, it is recommended that a public IP address be assigned to the Tactical RMM installation.
The user interface is clean, modern, and fast. Under a single pane of glass, you can manage the entire life cycle of your client machines.
Once you have defined your client and site structure, you can create a deployment. Select the agent type, expiration date, whether you want to enable agent ping and RDP support, and the OS architecture.
When your deployment is created, you can download the installer using the link provided.
Now, you can install the agent on your client machines using your method of choice: GPO, PowerShell, or manually. A minute after your agent is installed, it will magically appear in your managed client section. Agent updates are automatically managed by the Tactical RMM Server.
From a management perspective, you can do everything you need to perform periodic maintenance routines and provide remote support to users:
- Check machine and asset information.
- Check installed software and install new software, pulled directly from the Chocolatey library.
- Run scripts, pulled from the Tactical RMM script library.
- Schedule checks and receive alerts (by email or SMS).
- Schedule tasks, which are basically scripts (PowerShell or batch files). You can also execute a task in "Collector Mode," in which the output can be used to update a field on the host inventory. Tasks can also be triggered by a scheduled check failure.
Scheduled checks and scheduled tasks can be assigned at the client/site level using the Automation Manager. In the Automation Manager, you can also define patch management policies. You can decide by patch severity (critical, important, moderate, low, or other) if the patch will be automatically installed, manually installed, or ignored. You can also select which schedule to apply. If automatically applied, you can reboot machines when required by updates.
When it comes to endpoint management, Tactical RMM reveals its full power. When you right-click on an endpoint item, a very rich context menu appears.
My favorite feature is the "Take Control" action, which instantly opens a MeshCentral window and instantiates a blazing fast remote desktop connection.
Another interesting feature is the Remote Background action, which can be used for troubleshooting a machine without interrupting user activity. You can open a command prompt, manage files, and check services, processes, and Windows events.
Tactical RMM provides a simple yet effective way to manage users and permissions, using a granular permission scheme. Every significant action is logged and can be further audited. Currently, only local authentication is supported with 2FA enforced, but it looks like a SAML/LDAP integration is planned.
From a software security perspective, Tactical RMM developers ensure that API endpoints used for agent management are decoupled from user interface endpoints.
At the time of writing this article, the Open Source RMM Agent executable is not digitally signed. However, the developers offer a subscription service in the form of a GitHub sponsorship to provide digitally signed agent files if a user needs them. This means that if you want to use the Open Source agent, you need to add the agent folder/executables to the exclusion list of your endpoint protection software.
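Because an unsigned agent placed on an exclusion list loses two trust signals at once, a hash check before rollout is a useful compensating control. The following PowerShell is an added example, not code from the article or from the Tactical RMM project; the function name, the installer path, and the pinned hash are hypothetical placeholders.

```powershell
# Added example: approve an agent installer for deployment only if its SHA-256
# matches a value recorded out of band when it was downloaded from your own server.
# Function name, path and hash below are assumptions, not Tactical RMM values.
function Test-AgentInstaller {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,

        # Pinned SHA-256 (64 hex characters) kept outside the deployment share
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9A-Fa-f]{64}$')]
        [string]$ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found: $Path"
    }

    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $status = [string]$sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
    $hash   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $hashOk = $hash -eq $ExpectedSha256    # string -eq is case-insensitive

    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Sha256          = $hash
        HashMatches     = $hashOk
        # NotSigned is expected for the open source agent, so the pinned hash decides.
        # A signature that is present but broken or untrusted is never approved.
        Approved        = $hashOk -and ($status -in 'Valid', 'NotSigned')
    }
}

# Usage (placeholder path and hash, replace with your own values):
# $check = Test-AgentInstaller -Path 'C:\Deploy\agent-installer.exe' `
#              -ExpectedSha256 '<64-hex-character SHA-256 recorded at download>'
# if (-not $check.Approved) { throw "Agent installer failed verification: $($check | Out-String)" }
```

Running the check from the same GPO or PowerShell deployment step that installs the agent keeps a modified installer from reaching endpoints where the agent folder is excluded from scanning.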
Tactical RMM is developed in Django, so under the hood almost every function provided is callable via the API. Thus, integration with other products (for example, your favorite ticketing system) is fairly easy.
Although Tactical RMM is a young product, the energy and community orientation that the developers demonstrate give me hope that the project will continue to grow in the right direction. We now have an RMM that is fast, stable, and functional. In the future, I expect an even more reliable multiplatform product enriched with even more enterprise features.
Great review of TRMM. I am using TRMM in a closed environment and want to bring it to production. Do you know of any companies using this in production?
Hi Daren! My company is using it and we’re pretty satisfied.
Quick question: can you use this safely over the internet, with the client being anywhere (behind NAT, firewall)?
The only requirement would be to have a public IP on the RMM server and agents connect over HTTPS?
Yes, at the time I wrote the article you needed to open outbound 443 and 4222 (NATS) from agent to RMM to work. In the latest releases, only 443 is needed.
Agents also need to communicate with https://icanhazip.tacticalrmm.io/ to get public IP info. Unsigned agents need to access https://github.com/amidaware/rmmagent/releases/*.
Signed agents need to access https://agents.tacticalrmm.com.
Thanks, already installed and testing. Looks promising!
Quick question: is this suitable for approx. 500 hosts?
500 or 5000, it can handle it as long as you give it the hardware needed to process what tasks you want. More concurrent tasks, give it more hardware.