NS8-MeshCentral and TacticalRMM Module

Based on these discussions here for Tactical RMM:

  1. Tact - Howto install Tactical RMM including MeshCentral on Nethserver with docker - Howto - NethServer Community
  2. Mesh - Howto install MeshCentral on NethServer - Howto - NethServer Community

Considering the 2 tools come in handy and help me a lot, I have been looking into implementing an NS8 module for both TacticalRMM as well as MeshCentral, and boy, have I gotten myself into a rabbit hole. I need your help.

Anyone with the time to join the bandwagon of building the module, you’re welcome to do so.
At the moment, I require community suggestions and input on this subject matter.

MeshCentral
We currently have a MeshCentral module for NS7, and since it’s been discussed a number of times already, I won’t dwell on what it is and what it does.

The current MeshCentral module by @mrmarkuz currently makes use of MongoDB for its database.

TacticalRMM
We currently have the installation instructions for NS7.

TacticalRMM makes use of MeshCentral to achieve 3 functionalities:

  1. Take Remote Control
  2. Remote File Browser
  3. RealTime Shell

While a previous deployment and discussions for TacticalRMM pointed at it being Windows only, the current version supports even Mac.

Looking at the Docker Compose file of Tactical RMM here, you will notice that the MeshCentral integration makes use of PostgreSQL as the database instead of MongoDB with the following ENV

Where the Challenge Arises
Tactical RMM has a full permission module, but because of how Tactical RMM integrates with MeshCentral currently there is a permissions bypass atm

This is how TacticalRMM integrates with MeshCentral

With that understanding, when you trigger any function in Tactical RMM that uses a MeshCentral function (Remote Control, or Remote background) the user gets the full admin login Auth token for logging into MeshCentral. If they then go to https://mesh.example.com they will see all agents and have full administrative permissions for everything in MeshCentral.

If you have multiple techs, and need to restrict their computer access permissions, right now you will need to disable auto login and manually manage your meshcentral users and computers. First you will need to:

  1. Check the Disable Auto Login for Remote Control and Remote background: option.
  2. Manually login to MeshCentral, and manually create users and set their permissions/restrictions.
  3. All techs will then have to manually login to https://mesh.example.com daily so they can use Remote Control and the MeshCentral Remote Background features.

So basically, for the TacticalRMM to work, the superadmin user created, which needs to be there to work with MeshCentral, has permissions on all devices.

This is if we are using the integrated TacticalRMM with MeshCentral integrated deployment.

Alternative?
The alternative would be running your own separate instance:

Installation instructions for using your own MeshCentral server:

  1. Run standard installation.
  2. When asked for Mesh URL specify your existing Mesh server URL.
  3. After installation, you will need to run thru manually uploading installers and connecting token with this:
  4. Make sure DNS is pointing to your existing server (you must also remove mesh.yourdomain.com from /etc/hosts on the trmm server).

Similarly, reading these notes from the MeshCentral module for NS7 here:

MeshCentral uses internal authentication by default, you can enable AD/LDAP authentication but there’s no way to use both auth methods so you have to decide. It’s possible to create an internal user, enable AD/LDAP, login with AD/LDAP users, disable AD/LDAP and login with the created internal user. This way you always have an untouched backup admin.

config setprop meshcentral ldap enabled

Meshcentral checks if the used cert on the DC is valid. To use AD you need to either disable strong auth in smb.conf or add the nsdc host to the letsencrypt cert and copy it to the DC.

So going by this, I am not sure, it’s possible, using the integrated deployment, we can have MeshCentral have a pre-configured super admin, and attach the LDAP user; that way, TacticalRMM would continue to use the defined superadmin it has, while the normal user can log in to MeshCentral using the AD user credentials. Maybe @mrmarkuz, you can give more input and detail regarding this subject matter, or anyone who has had some experience with the matter.

My Module Vision(s)/Plan - What would be best

  1. Build a single integrated TacticalRMM and MeshCentral module, and the users can choose to make use of MeshCentral and ignore TacticalRMM if they don’t need it, as is the Docker install of the original MeshCentral
    or

The first option assumes the default TacticalRMM installation, which has MeshCentral with it. I am not sure if we could modify that one and implement LDAP.

  2. Build a separate, dedicated MeshCentral module, then build a Tactical RMM module without MeshCentral; then during configure, a user can choose the MeshCentral installation to be used for TacticalRMM, similar to how LDAP selection works.

The second option looks like the most sane option, but if we need to have LDAP and SSO, then there is a need to figure out if it’s possible to have both LDAP available, as well as the hidden superadmin credentials for TacticalRMM.

If we are unable, for whatever reason, to integrate MeshCentral and TacticalRMM for this second option, then the integration will not be automatic, and the good news is LDAP will be present since MeshCentral is independent, but we might have to make use of the manual agents uploading to TacticalRMM, as was being done with the initial deployments, before it became automatically integrated.

  3. Build a separate MeshCentral module, full featured (w MongoDB & LDAP), and a separate full-featured TacticalRMM module (w PgSQL)

The third option for me, if used by the same organization, seems wasteful. This is because you’ll have a MeshCentral instance running that only serves TacticalRMM, while it can do a lot more. Similarly, the need for a dedicated MeshCentral login, if you have staff and consulting SSH login, would be better than giving access to TacticalRMM, which has a lot of details they may not need to interact with.

For MeshCentral with PgSQL
So far, all the Docker Compose files as well as ENV variables for deploying MeshCentral with Docker only have MongoDB, and not one for PgSQL is available. If someone has come across one, or has notes on how to implement MeshCentral with/for MongoDB, please let me know.

As for the PgSQL version used in TacticalRMM Docker, I am not sure what mods were made to work it with PgSQL instead of MongoDB. I also guess they chose that route because TacticalRMM uses PgSQL.

As for the versions where TacticalRMM would be integrated, the credentials for the superuser could be system generated, then stored and retrieved by the env, making sure no one can have access to them.

Finally, since we have a Grafana module on NS8, we can have this Grafana integration for TacticalRMM: dinger1986/TRMM-Grafana: Grafana Dashboards setup and preconfigured to work with Tactical RMM (github.com)

After sharing, and again for me, consolidating all the things I have been researching in the past few days on the best possible way to have this module implemented into NS8, I would like your feedback and suggestions, as well as links and notes to what I am missing and couldn’t find on my own.

I am sorry this became a long post.

3 Likes

Hi

Sad to hear, but MeshCentral is more or less sidetracked, since the developer is no longer employed by Intel. Intel has removed its support for it too, which means the dev won’t have access to inside info about Intel’s AMT.

I like MeshCentral, and so far it has worked extremely well.

But MS probably waved so much paper - wads and wads of it - in front of his nose that he couldn’t resist… :(
Ylian Saint-Hilaire, the creator of MeshCentral, works for Microsoft…

More or less another good, usable OpenSource Project “bought” off the market.

It’s still mostly there - on a different hosting, but a lot of dead links now… :(

Sure the existing code can be forked, but will it be developed any further?
Can any forker be trusted?
(The name and employer were in this case a very good “trust” feature / endorsement of the project!).

Intel endorsed MeshCentral formally, Microsoft does not.
Now, there is no well known endorsement for MeshCentral.

My 2 cents
Andy

The good thing is that TacticalRMM, which is a huge benefactor of MeshCentral, has promised to maintain their own fork if, for whatever reason, MeshCentral stops being maintained.

MeshCentral Integration - Tactical RMM Documentation

Also, the development will not stop as seen here: MeshCentral - Windows ARM64, NodeJS v11, NPM Packages (meshcentral2.blogspot.com)

And it’s a widely used project, so other maintainers might take up the mantle.

A LOT of wishful thinking.
This guy had such specific know-how that MS paid MUCH more than Intel.
→ These shoes are probably far too big for any average good coder and systems freak.

I doubt Tactical has the know-how to continue the MeshCentral project further, let alone enough to keep it alive!

I like MeshCentral, but that’s reality.
It will work now, maybe for a while under Win11, but Win12?
Maybe the same or similar fates for Mac / Linux as they move on.

I may be wrong, maybe my crystal ball needs a BIOS Upgrade or whatever…

:)

My 2 cents
Andy

@Andy_Wismer Release 1.1.20 · Ylianst/MeshCentral (github.com)

Hi @oneitonitram

I don’t need you to act as a Parrot for releases…
And Ylian had a lot of bugs to fix in this release.

However, the question is, will he continue to commit? 6 Months? 1 Year? More?
And what, just cosmetics or also some meat on the bone?

Remember Sysinternals, eg BGInfo?
Good tools, at the time. Still works, still updated.
But no more new stuff directly… :(
Mark Russinovich, the creator, was hired by MS a few years ago, still works there…

My 2 cents
Andy

@Andy_Wismer I understand what you are saying and I definitely have seen my share of the big techs quickly and quietly taking down these great programs/apps/projects. At the same time, I think there is always a healthy portion to allow for ideas, goals, visions and review of programs, apps, and projects. I don’t think that @oneitonitram is out of place by still keeping an eye on MeshCentral and having a plan to still keep MeshCentral available and usable till we know for sure what the true direction of MeshCentral is. Tomorrow is the great unknown to most people. Very few have most or all the pieces to the puzzle of what happens next even though most people would say they know for sure what’s next. Until then, we need to keep a level head and stable steering on the ship as NethServer moves forward.

@oneitonitram I believe it is always a good thing to keep goals and visions on what is possible. So there is nothing wrong with your planning and watching MeshCentral and trying to make sure it is available in NethServer, until it is not supported.

Have a good evening -
-SF-

1 Like

One of the biggest challenges for me in figuring out the best possible implementation of the TacticalRMM App for NS8 was in relation to permissions. This for me was a bit of a security nightmare.

Basically, any TacticalRMM user would be able to access the MeshCentral UI, and would be able to see all the agents as well as all machines and permissions of the superuser.

This is part of the reason why I was looking at a different implementation of the same.
I have had a bit of a chat with the core developer since this post was originally posted, and he worked on prioritising the integration.

I am happy to report that with the new TacticalRMM update
Release v0.18.0 · amidaware/tacticalrmm (github.com)

This video below explains the permissions better.

Tactical RMM Integration with MeshCentral (youtube.com)

The permissions issue has been resolved, and now TacticalRMM supports sync of permissions with MeshCentral.

I can now proceed to implement an integrated TacticalRMM App for NethServer without too many worries on my side and doing mathemagics.

It’s going to be a complex App; I am hoping to have it completed over the weekend. Wish me luck.

Anyone willing to join in the dev, if available on the weekend, can ping me.

1 Like