
MeshCentral2 - Now with WebRTC support


MeshCentral is an open source web based remote computer management web site. MeshCentral offers web based remote desktop, terminal and file transfer allowing administrators to access and remotely manage computers on the local network or over the Internet. So far, we had to relay the traffic from the user’s browser thru the server to the mesh agent on the remote computer creating a lot of traffic on the server which slows down the connections and adds to server workload and hosting costs.

To go a long way toward solving the problem of relaying traffic thru the server, last week the latest version of MeshCentral2 was published with WebRTC support turned on by default. This feature is in large part due to many long days and late night coding sessions by Bryan Roe who worked on fixing and updating BCP’s WebRTC data stack for this usage. With this new version, the Browser and Mesh Agent will attempt to communicate directly with each other using WebRTC, bypassing the server entirely. If successful, the remote desktop and terminal sessions are faster and lower-latency, and the server becomes more scalable than ever before.

Some more technical details: The browser and mesh agent always start by communicating over web sockets thru the server. We use binary data on the web socket to get the session going, but use text data to send the WebRTC negotiation. So both session data and WebRTC setup flow over the same server relay with minimal overhead. If WebRTC is successful, we then send a set of control messages to cleanly switch over from the web socket to the WebRTC channel. All this happens in the blink of an eye and allows us to never have to use dreaded TURN servers (which are difficult to set up).

The result of all this is fully automatic traffic optimization, better session quality and improved server scaling. Users don’t need to do anything new except update to the latest MeshCentral2 server. Everything is completely automatic. Our own WebRTC stack is built into all variants of Windows and Linux agents, and works with Chrome and Firefox.

Enjoy!
Ylian
Blog: http://www.intel.com/software/ylian
MeshCentral2: http://www.meshcommander.com/meshcentral2

With the latest MeshCentral2, browsers and agents can communicate both over web socket
relayed thru the server or, when possible, using WebRTC directly – without server relay.

MeshCentral2 uses a unique connection setup: starting up with Web Socket thru the server, then
switching over to WebRTC when possible, using Web Socket text data for WebRTC control & setup.
No need for a WebRTC TURN server, simplifying server installation.


CORS policy error at MeshCentral2


Hi,

I have deployed Mesh Central 2 on our server and tried to log in through our application. We got the following exception:

"Failed to load https://mesh.ersetrics.com/login: Redirect from 'https://mesh.ersetrics.com/login' to 'https://mesh.ersetrics.com/
has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://access.ersetrics.com' is therefore not allowed access."

Both servers are deployed on the same domain *.ersetrics.com. Please suggest what needs to change to resolve the CORS policy error.

Thanks in advance.

Waiting for your response.

Regards

Deepak

 

MeshCentral2 - Windows Installer, Server Aliasing & Wide Mode Support


MeshCentral is an open source web based remote computer management web site. We release new versions many times a week and this week we added a bunch of more interesting features & improvements:

  • New MeshCentral installer for Windows. MeshCentral2 is pretty amazing in that you can install and run a new server easily and within minutes on both Windows and Linux. However, for Windows users we just made the process of getting your own MeshCentral2 server up and running even simpler with the all new MeshCentral2 installer for Windows. This installer will automatically detect, download and install NodeJS if needed along with installing the very latest version of MeshCentral. It can also be used for limited configuration of the server to get you started and to perform server updates. The new installer is fast, interactive and super simple. Anyone can launch a remote management service in minutes.
  • Wide screen toggle. You can now toggle the web page to use the full width of your browser window. This is really useful as increasingly there are really wide monitors. As the number of computers you manage increases, being able to use the entire browser window is a big plus. All of the MeshCentral2 screens have been modified to support the new mode toggle. Since this is a new feature, the toggle button will be somewhat hidden for now.
  • Server name and port aliasing. In some cases, you need to install the server in such a way that the internal private ports are not the same as the external ports. This is important where you are co-locating many services on a single server behind a firewall or have odd port mappings you have to deal with. When using port aliasing, the server will bind to ports on the local computer but assume that externally, the server is accessible on a different set of ports, so when getting a URL from the server, the external alias port is used. The server can also alias the name of the Intel® AMT MPS, making it possible to get HTTPS and CIRA connections on the same port using two different IP addresses.

In addition to these features, MeshCentral2 and the latest MeshAgent have gotten a lot more bug fixes and upgrades. An updated MeshCentral2 User’s Guide 0.1.5 was put online reflecting the latest changes and updates.

Enjoy!
Ylian
Blog: http://www.intel.com/software/ylian
MeshCentral2: http://www.meshcommander.com/meshcentral2

 

The all new Windows installer for MeshCentral allows you to quickly get it up and running.
NodeJS is automatically installed if needed, just a few steps and the server is set up.

MeshCentral2’s latest web pages are not only all real time, you can
now toggle to use the full width of the browser window.
(During testing, the button is not highly visible)

MeshCentral2 now supports MPS server aliasing and port aliasing.
You can set up MeshCentral2 with different internal and external ports.

 

MeshCmd - New Intel AMT command line tool


Just posted on the MeshCommander.com web site a new do-it-all command line tool for Intel® AMT that runs on both Windows and Linux. The new tool is called “MeshCmd” also called “MeshCommand”. It makes it easy to do all sorts of things with Intel AMT including: get Intel AMT state, perform basic activation, LMS services, configuration and remote management of other Intel AMT computers on the network and much more. If you are in the Intel AMT space, take a look at the new MeshCmd tutorial video on YouTube, it’s really worth a watch.

MeshCmd is a single executable file available for download on MeshCommander.com along with a full user’s guide (pdf). Here is a quick list of what MeshCmd can do in the context of Intel AMT:

  • Get the local state of Intel AMT, including version, activation state and more.
  • Show the Intel AMT audit log of your local computer (even without any credentials) or of a remote computer.
  • Startup LMS services along with local hosting of MeshCommander for LMS, a special version of the console specially built for local Intel AMT management.
  • Launch a locally hosted version of MeshCommander and start managing computers on your local network.
  • Push or clear MeshCommander from Intel AMT 11.6+ firmware, replacing the default WebUI with a fully featured web console.
  • Perform Intel AMT client control mode activation and deactivation.

MeshCmd is built on technology used to build MeshCentral2 and of course, MeshCmd integrates well with the MeshCentral2 server. Bryan Roe has been instrumental in making this tool possible, he has authored many components of it but especially of value is the lightweight JavaScript runtime engine this tool is built on top of. The scope of this tool is quite spectacular in that it has full MEI access, an Intel AMT LMS, a full WSMAN stack and no less than 3 versions of MeshCommander built-in. It will auto-detect if LMS is already running and use its own built-in LMS if one is not present and all this while running on both Windows and Linux.

Enjoy,
Ylian
Blog: http://www.intel.com/software/ylian
MeshCommander: http://www.meshcommander.com/meshcommander
MeshCentral2: http://www.meshcommander.com/meshcentral2

 

No less than 3 different versions of MeshCommander are built-into MeshCmd
supporting a wide array of Intel AMT configuration and usages.

Take a look at the demonstration & tutorial video on MeshCmd.

 

MeshCentral2 - Multi-computer desktop viewer


MeshCentral is an open source web based remote computer management web site. This week is spring break in Oregon and we are going to celebrate with a smaller and more fun MeshCentral2 update. We just released support for viewing multiple computers’ desktops at the same time. This is very useful for digital signage usages where you want to monitor the screens of many computers in real time. In MeshCentral2 v0.1.5-p, you can now select “Desktops” in the view drop-down on the top right of the devices view. You will see all your currently connected computers and you can click on the screens to toggle connection to that device.

On the multi-desktop screen, you click “Connect all” or “Disconnect all” to connect/disconnect all screens at once. Check “AutoConnect” to connect to all desktops and automatically connect to any new computer that comes online. Like all of the other screens on MeshCentral2, the multi-desktop screen is fully real time, with computer names, icons and status being updated on the web page without user interaction.

If you are looking at managing many unattended computers at once, this new feature will help a lot. As always, if you have a MeshCentral2 server, perform an update of the server, try it and feel free to send me feedback.

Enjoy!
Ylian
Blog: http://www.intel.com/software/ylian
MeshCentral2: http://www.meshcommander.com/meshcentral2

MeshCentral2 - MeshCmd + User Notifications


MeshCentral is an open source web based remote computer management web site. This week, Bryan Roe significantly improved the MeshCmd tool that is included in MeshCentral2 and available as a standalone download. Bryan added the capability to run MicroLMS and MeshCommander in the background and this on both Linux and Windows. Starting today, you can download MeshCmd and run:

                meshcmd microlms install/start/stop/uninstall
                meshcmd meshcommander install/start/stop/uninstall

This will install and start in the background MicroLMS with LMS MeshCommander for local management, or MeshCommander for remote management. On Windows, it’s installed as a standard Windows Service. On Linux, the installation will work correctly on both newer systemd and older initd Linux computers, with the installation adapting correctly to each.

In addition, MeshCentral2 got many bug fixes, security hardening and a few new features this week. Notably, you can now switch between the multi-desktop view and taking control of a computer’s desktop without the connection having to be re-established. There is a new user notification feature shown below, improved access control and much more. In the last week alone, we released more than 10 different versions of MeshCentral2 on NPM as we keep improving this software at a very fast pace.

Enjoy!
Ylian
Blog: http://www.intel.com/software/ylian
MeshCentral2: http://www.meshcommander.com/meshcentral2

MeshCentral2 - Frame rate, Temporary agent, Processes


MeshCentral is an open source web based remote computer management web site. The pace of releases is accelerating as the core components of MeshCentral2 are maturing and it’s getting easier to build new features. The “all JavaScript” nature of MeshCentral2 with the browser, server, database and agent all being JavaScript makes things easy for developers. This week, we have 3 major new features to announce:

  • New process control panel. When in the “Desktop” tab, you can now hit the “Tools” button to toggle the new tools view. In that panel, you will see the list of processes the remote computer is running both on Linux and Windows. In addition, you can sort the processes by ID or names and terminate a process remotely using the small garbage icon. One more way MeshCentral2 makes remote management of computers easy.
  • Temporary Agent support. The MeshCentral server supports having the agent running in temporary mode. You can now download the agent executable and run it directly from the dialog box. The agent will keep running as long as the dialog box is open. In addition, the server will clean up this device when it disconnects. This mode is great for remote assistance scenarios when you want to run the mesh agent only for the duration of a support session.
  • Remote desktop frame rate. You can now control the frame rate of the remote desktop using the “Settings” dialog. This has been a requested feature to lower the bandwidth of sessions where you are passively monitoring a device. In addition, we fixed the JPEG quality selector on Linux, enabling much more flexibility in how you configure the remote desktop feature. The frame rate and other settings can be set differently between the full screen desktop and the multi-desktop modes, so you can lower bandwidth further when monitoring many computers at once.

In addition to this, many more bug fixes have been implemented making this a must-have update if you run a MeshCentral2 server. Updating a server is easy, just log in with a server administrator account and in “My Account” click on “Check server version”. Once approved, the update will generally take seconds and at most a minute. Many thanks to Bryan Roe who is coding long nights on MeshAgent improvements.

Enjoy!
Ylian
Blog: http://www.intel.com/software/ylian
MeshCentral2: http://www.meshcommander.com/meshcentral2
Twitter: https://twitter.com/meshcentral

 

MeshCentral2 - Notes, Account Management & Locking


MeshCentral is an open source web based remote computer management web site. This week is the last feature release for a little while because of traveling and vacations coming up and a bit more focus on bug fixes. This said, we have a bunch of really good features released this week that improve MeshCentral2. The focus was on making administration of a MeshCentral2 server and users a lot better. New this week:

  • Improved user management. For server administrators, the “My Users” tab is much better. Administrators will immediately see the difference. Users are now listed with online users on the top, with improved indications of validated emails, and for each user there is now a full sub-section with user information, configuration and events. You can now edit the email address, validation status, server rights and update the password in a single screen. The user management look and feel has also been improved. The user login timeline is not yet implemented, a placeholder is currently displayed.
  • Account locking. Administrators can now lock out users. In the server permissions dialog for each user, you now find a new “Lock Account” option. When set, active sessions from the user are dropped in real time and the user is locked out immediately.
  • Notes. We now added server notes for devices, meshes and users. This allows administrators of these various entities to write down details about these objects in the web site. The notes are global for each object, so other administrators will see the same notes for a given user, device or mesh. This feature has been requested as a way to help with device and user support.

The latest release is MeshCentral2 v0.1.6-r, and is available now for update. Lots more bug fixing has occurred in addition to more ground work for new features coming out in the coming months.

Enjoy!
Ylian
Blog: http://www.intel.com/software/ylian
MeshCentral2: http://www.meshcommander.com/meshcentral2
Twitter: https://twitter.com/meshcentral


WLAN SSID 32 character - not allowed in MeshCommander 0.6.0


I have confirmed that entering a new wireless profile where the SSID is 32 characters long (this is the maximum allowed length) is still not working with MeshCommander 0.6.0.

I have tested this with NUC7i5DNH with latest BIOS DNKBLi5v.86A.0039.2018.0222.1752 dated 2/22/2018.

Chris.

Mesh - Remote Toast, Agent Presence, Device Groups


As people following the Mesh work would know, there are currently three open source tools for remote management of computers being worked on: MeshCentral, MeshCommander and MeshCmd. MeshCentral is a remote management web site, MeshCommander is a web based Intel® AMT management console and MeshCmd is a Linux & Windows command line tool that performs many Intel® AMT tasks. This week, I released new versions of all three tools. Let’s take a look at the improvements made to each of them:

  • MeshCentral2. We keep fixing bugs in the web site and improving performance, most changes will not be noticed by users except for the new toast button that is now available on the “Desktop” tab when remoting a Windows computer. The toast button allows the administrator to send a short text message that will be displayed on the remote computer. It’s a nice and quick way to make a message show up on remote computers.
  • MeshCommander. In addition to many bug fixes and improved input validation on dialog boxes, we finally enabled computer grouping. When adding or changing a computer’s profile, you can type in a group name. All computers with the same group name will be displayed together under the same header. This makes it easy to organize your managed computers in a way that makes sense to you. This and other features are part of the v0.6.2 release.
  • MeshCmd. MeshCmd is a very useful command line tool that works both on Linux and Windows and performs many management operations on Intel AMT computers. In the new release, agent presence heartbeat was added. You can now create a new Intel AMT watchdog using MeshCommander, and use MeshCmd to assert presence to the watchdog.

It may be a bit confusing, but these three tools are combined into each other. MeshCommander is part of MeshCmd and MeshCentral. MeshCommander and MeshCmd are included in MeshCentral. The result is a combination of software that is really good at unlocking the value of Intel® AMT. Many thanks to Bryan Roe for excellent work on MeshAgent and the toast feature, and Joko Sastriawan for additional features and bug fixes on MeshCentral. These tools are continuing to get a record number of downloads.

Enjoy!
Ylian
Blog: http://www.intel.com/software/ylian
MeshCentral2: http://www.meshcommander.com/meshcentral2
Twitter: https://twitter.com/meshcentral

 

 

MeshCommander 0.6.2 - loading of MeshCommander-large fails with NUC7I5DNH


Hi,

Starting with MeshCommander 0.6.2 it is no longer possible to load meshcommander-large into amt local storage. Meshcommander-large is 110k and AMT documentation states that maximum size of file loaded is about 170k.

Is this normal?

Tested against NUC7i5DNH with latest BIOS (BIOS Version 0040 - DNKBLi30.86A.0040.2018.0315.1529) which includes ME Firmware: 11.8.50.3425

Chris

MeshCentral2 - New Mobile Web Application


It’s been a while since the last announcement but I have been hard at work on MeshCentral, the web-based open source remote management software. This week we got a big new feature with release of MeshCentral v0.1.8-c on NPM, we now have a new web application for mobile devices. When you install your own MeshCentral server and access it using a mobile device (like a phone or tablet), you will see a new web page tailored for small devices. This is the first version of it, but already it offers many of the main usages that are offered on the main web site in a more compact form. Some of the features offered in the mobile application:

  • New card stack UI. Unlike the main web site, the mobile site uses a card stack UI model, where you can select screens and hit “back” at any time to return. This is quite a different model from the tabs on the main site, but allows the UI to be significantly more compact.
  • Real time user interface. Like the main web site, the mobile site is fully real time. You never need to hit “refresh” to get the latest state of a device. The state of all devices and groups will be updated in real time on the screen.
  • Login and account management. Like the main web site, you can use the mobile web site to create a new account, login, logout, recover a lost password or perform various account management functions. All important things to get started.
  • Mesh Management. You can create or remove groups of computers, assign and remove permissions to various users.
  • Computer management. In addition to monitoring the real time state of all your computers, you can remotely see the desktop of any computer you have access to and access and manage files remotely.
  • Intel® AMT support. You can update the Intel AMT credentials, see Intel AMT state and perform a hardware KVM session directly from your phone. Because MeshCentral2 supports Intel® AMT Client Initiated Remote Access (CIRA) you can be anywhere in the world and perform a hardware remote session to any computer over the Internet.

This is the first version of the mobile application, many more bug fixes and features still need to be added. However, the application should be quite usable and feedback is appreciated. The latest release is MeshCentral v0.1.8-c and is available now for update. Much more to come in the coming months.

Enjoy!
Ylian
Blog: http://www.intel.com/software/ylian
MeshCentral2: http://www.meshcommander.com/meshcentral2
Twitter: https://twitter.com/meshcentral

 

 

MeshCentral2 - Installer's Guide, Windows7 and more.


MeshCentral is an open source web based remote computer management web site. In the last few weeks we got the code a lot more stable and started working on testing installation of MeshCentral in many more environments. The current version of MeshCentral is v0.1.9-f. One of the interesting design decisions was to build the entire server in NodeJS, this allows MeshCentral to quickly be installed and run on many different platforms including Windows and Linux. Last week, in addition to the existing MeshCentral User’s Guide, we published an all new MeshCentral Installer’s Guide that allows administrators to install MeshCentral on many different operating systems, on your own computers or major cloud providers. In other news, we added support for the MeshAgent on Windows7 which is probably one of the leading requests. Here is a look at everything in detail:

  • Published MeshCentral Installer’s Guide. In this new guide, we walk thru how to install MeshCentral on Ubuntu Linux, the Raspberry Pi and on Amazon AWS, Microsoft Azure and Google Cloud. Many Linux administrators will not need this guide at all, but for people less familiar with Linux, it’s very useful. For Ubuntu and Raspberry Pi, we walk thru how to install NodeJS and get the full server instance installed. We also included installation instructions for MongoDB so that you can scale the server. Once installed, use the User’s Guide for server configuration.
    • During testing of MeshCentral on each cloud provider, the smallest possible server instance size was used. For example the T1.Micro on AWS and a shared CPU with 0.6G of RAM for Google Cloud. In all cases, the server worked well and was perfectly usable. So the cost of hosting a small instance is very low or free in some cases.
    • The Raspberry Pi installation of MeshCentral is perfect for LAN management of computers. Plug it on any LAN and manage computers even if the server has no fixed IP address.
  • Windows7 Support. One of the biggest feature requests for MeshCentral2 was MeshAgent support on Windows7. We got that done and it works great. We will not be supporting any earlier Windows operating system (notably WindowsXP) since the agent does use operating system services that are only available on Windows7 and beyond.
  • Intel AMT Scanner fix. In this latest version of MeshCentral, the local network Intel AMT RMCP scanner has been fixed. When managing Intel AMT computers on a local network, MeshCentral will periodically poll Intel AMT computers to see if they are still present on the network. If so, they will show up in real time on the web page and you can manage them.
  • Latest MeshCommander. MeshCentral has built-in support for MeshCommander so that you can manage Intel AMT systems either on your local network or over the Internet. The latest version of MeshCentral includes the latest version of MeshCommander with many more fixes.

You can install your own instance of MeshCentral2 by using the guides, tutorial videos and source code at: http://www.meshcommander.com/meshcentral2. Many thanks to Bryan Roe for the improved MeshAgent2 and Windows7 support. Feedback very much appreciated.

Enjoy!
Ylian
Blog: http://www.intel.com/software/ylian
MeshCentral2: http://www.meshcommander.com/meshcentral2
Twitter: https://twitter.com/meshcentral

 

The new MeshCentral Installer’s Guide describes in detail how to install on:
Ubuntu, Raspberry Pi, Amazon AWS, Microsoft Azure and Google Cloud.

 

MeshCommander 0.6.8 Uncaught TypeError : Cannot read property 'getPeerCertificate' of null


Hello!

My usage scenario is as follows: I have vPro machine NUC7i5DNH on the internal network. Via router port forwarding the 16993 port is exposed on the internet (IPv4). Now, connecting to the external ip:16993 with MeshCommander v 0.6.8.

All seems to work except for Remote Desktop and SOL. First click to open Remote Desktop Connection gives the following in debug (yes, I am running MeshCommander.exe -debug)

  1. commander.htm:18 - Uncaught TypeError: Cannot read property 'getPeerCertificate' of null
  2. commander.htm:18 - g.getPeerCertificateFingerprint
  3. commander.htm:1251 - connectDesktop
  4. commander.htm:1 - onclick

The result is that connection is not possible.

Can you re-create the issue? Can this be fixed in MeshCommander?

 

MeshCentral2 - Design Document, TPM support, Speed & IoT


This holiday break was no break for MeshCentral as it continued to progress. Big thanks to the people that post issues on GitHub. Because of the community, MeshCentral is getting a lot better and issues that would be difficult to find are being fixed. Over the past month a lot of things have changed and here is a small rundown of some of them:

  • Published the first version of the Design and Architecture document. This new document comes on top of the existing Install Guide and User’s Guide documents. It covers the internal workings of MeshCentral including the programming languages used, the dependencies, certificate generation, connection authentication, security and much more. The goal here is for anyone to be able to get a good grasp of how MeshCentral2 was designed, the trade-offs and how the security works. This is the first published version. Obviously, this document will grow in size as time permits. One possible use of this document is so that anyone can conduct a security review of MeshCentral.
  • Windows Mesh Agent now supports TPM modules for extra security. Each mesh agent connecting to the server uses a self-generated certificate to uniquely authenticate to the server. The hash of the public key of the agent certificate becomes the device identifier and this is not an identifier that can be easily spoofed by other agents on the network. In order to improve security and harden the agent certificate, the Windows Mesh Agent will now automatically detect that a TPM module is present on the platform and make use of it by generating its certificate using the TPM backed cryptographic provider. This means that the device identifier on the server is now backed by hardware on the agent if available. Also, if you delete the “meshagent.db” file and start the agent again, it will come back to the server with the same device identifier, which is pretty cool.
  • Mesh Agent setup and start speed improvement. On smaller, less capable IoT devices the mesh agent was very slow to start. Especially the first time you ran it. This is because the agent was generating no less than 5 certificates the first time it ran and generating 2 certificates each time after that. This was very inefficient, caused CPU and power waste and very slow starts. The new agent on Linux/OSX as of 2 weeks ago only generates 1 certificate on first run and no certificates after that making it super-fast. On Windows, the agent will generate 2 certificates on first run (with one possibly in TPM) and no certificate generation on subsequent runs.
  • Improved MeshCentral IoT testing. As the picture shows below, the MeshCentral lab has gotten a bunch of small IoT devices permanently connected for ongoing testing. The 4 devices (2 Raspberry Pi, 1 Tinker Board, 1 LattePanda) are used to run both the MeshAgent and the MeshCentral server. It’s pretty amazing that the entire server can run on such small devices and manage quite a large network of computers. As time goes on, more will likely be added to the test bench.

These are just a few of the changes, you can see a list of the MeshCentral commits on GitHub here. Many thanks to Bryan Roe who tirelessly keeps improving the MeshAgent. Many of these new features have not made it into the server yet, so that is a backlog of fun things to come.

Enjoy!
Ylian
Blog: https://meshcentral2.blogspot.com/
MeshCentral2: http://www.meshcommander.com/meshcentral2
Twitter: https://twitter.com/meshcentral

Published the new MeshCentral2 Design & Architecture Guide
http://info.meshcentral.com/downloads/MeshCentral2/MeshCentral2DesignArchitecture.pdf

 

The MeshCentral2 agent on Windows now supports TPM modules for improved security.
It will automatically use the Windows TPM cryptographic provider when available.

 

There is a set of small computers being used for MeshCentral2 testing.
These computers run both the agent and the entire server.
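The device identity scheme described in this post (identifier = hash of the agent's public key, proven by the agent's private key) can be illustrated as follows. This is an added example, not MeshCentral's own code: the function names, the nonce challenge, the P-384 key type and the choice of SHA-384 over the DER-encoded public key are assumptions, since the post only says "hash of the public key".

```javascript
const crypto = require('crypto');

// Device identifier: hash of the agent's public key.
// Assumption: SHA-384 over the DER SubjectPublicKeyInfo encoding.
function deviceId(publicKey) {
  const spki = publicKey.export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha384').update(spki).digest('hex');
}

// Agent side: answer the server's nonce with the public key and a signature.
// With a TPM-backed key, the private key never leaves the hardware.
function agentRespond(privateKey, nonce) {
  return {
    publicKeyDer: crypto.createPublicKey(privateKey).export({ type: 'spki', format: 'der' }),
    signature: crypto.sign('sha384', nonce, privateKey),
  };
}

// Server side: the identifier is accepted only if the signature over the
// server's own fresh nonce verifies under the presented public key.
function serverAuthenticate(nonce, response, enrolledIds) {
  let publicKey;
  try {
    publicKey = crypto.createPublicKey({ key: response.publicKeyDer, format: 'der', type: 'spki' });
  } catch (e) {
    return null; // malformed key material
  }
  if (!crypto.verify('sha384', nonce, publicKey, response.signature)) return null;
  const id = deviceId(publicKey);
  return enrolledIds.has(id) ? id : null;
}

// Constructed scenario: one enrolled agent and one other agent on the network.
function demo() {
  const agent = crypto.generateKeyPairSync('ec', { namedCurve: 'P-384' });
  const other = crypto.generateKeyPairSync('ec', { namedCurve: 'P-384' });
  const expected = deviceId(agent.publicKey);
  const enrolled = new Set([expected]);
  const nonce = crypto.randomBytes(32);

  // Genuine agent proves possession of its private key.
  const genuine = serverAuthenticate(nonce, agentRespond(agent.privateKey, nonce), enrolled);

  // Other agent with its own key: signature is valid, identifier is not enrolled.
  const stranger = serverAuthenticate(nonce, agentRespond(other.privateKey, nonce), enrolled);

  // Other agent presenting the enrolled public key without its private key.
  const forged = agentRespond(other.privateKey, nonce);
  forged.publicKeyDer = agent.publicKey.export({ type: 'spki', format: 'der' });
  const spoofed = serverAuthenticate(nonce, forged, enrolled);

  // A captured response does not verify against a new nonce.
  const replayed = serverAuthenticate(crypto.randomBytes(32),
    agentRespond(agent.privateKey, nonce), enrolled);

  // If the private key survives (as with a TPM), the identifier is the same
  // even when everything else about the agent is recreated.
  const rederived = deviceId(crypto.createPublicKey(agent.privateKey));

  return { expected, genuine, stranger, spoofed, replayed, rederived };
}

console.log(demo());
```

The identifier is only as strong as the protection of the private key, which is why moving key generation into the TPM hardens it.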


MeshCentral2 - Two-step authentication support


MeshCentral is an open source web based remote computer management web site. MeshCentral is being deployed at an ever increasing rate, and with more computers being managed it’s important that it be done as securely as possible. Last week, the MeshAgent got TPM support for hardening of device identity, this week it’s the user’s turn to have improved authentication with support for Google Authenticator and compatible applications.

When logging into a web site, users are normally prompted for a username and password. This however can be a weak form of authentication. Especially for sites like MeshCentral that manage many computers, it’s important to authenticate users in the most secure way possible. One solution is RFC4226 and RFC6238 that standardize a way to transfer a pre-shared key to a user and compute a time limited token that is a second login factor. Google has a quick guide on 2 step authentication here which can be helpful.

Starting with MeshCentral v0.2.6-j there is now full support for 2-step login. This is an optional process and to get it setup, users will get a link or QR code that they scan into Google Authenticator. They then enter the current login token to make sure everything is ok and the account will have double protection. Each time a user logs into the web site after that, they are prompted for the username, password and login token. A new token is generated every 30 seconds, so it can’t be used for a long time.

Improving user authentication is an essential part of building and operating a secure web site on the Internet. Enabling 2 step login should be an essential requirement of all Internet facing web sites and obviously, all users and system administrators should make use of it.

Enjoy!

Ylian
Blog: https://meshcentral2.blogspot.com
MeshCentral2: http://www.meshcommander.com/meshcentral2
Twitter: https://twitter.com/meshcentral

 

MeshCentral2 - OS support, Browser Tabs, Location & Security



MeshCentral is an open source web based remote computer management web site. The last 2 weeks have been packed with an average of more than two releases a day. This rapid rate has been necessary in order to support the online feedback from everyone installing MeshCentral and giving it a try.

This week, Bryan Roe really shined as he installed more Linux distributions on virtual machines than I have ever seen before. Bryan is testing the MeshAgent on as many Linux variants as he can get his hands on. The remote desktop feature is especially difficult to implement correctly on different Linux distros. We now have the remote desktop working on Windows, MacOS, Ubuntu, Peppermint, Zorin, SUSE, Linaro, Fedora, CentOS and Raspbian. A very impressive task. More debugging is being done on all these operating systems, but it’s looking good so far, screenshots below.

In addition this week:

  • You can now Shift-Click on a device in MeshCentral to open it in a different tab. This has been an often requested feature in order to manage many computers at once.
  • MeshCentral now records the last IP address used by the agent when connecting to it. It’s displayed in the “Interfaces” link in the device page. If the IP address is not a private LAN address, it will link to the “iplocation.com” site to get a quick approximate location of the device.
  • Started looking into database encryption with the goal to support “encrypted at rest” for all data in MeshCentral. This week the “DbEncryptKey” setting was added to the config.json file to encrypt the MeshCentral.db file using AES256-CBC when NeDB is used. For MongoDB, one can use MongoDB Enterprise that supports full DB encryption.
  • Also added this week in the config.json file is the ability to filter both users and agents by IP address. This is useful if you want to only allow users or agents from some IP addresses, or block some IP address ranges.
  • The MeshCentral web application user interface was fixed to support scaling to many more devices. The browser will now “redraw” the page much less frequently when changes occur, improving usability and lowering power use on the browser.
  • The MeshCentral server now has a task queue and task limiter. This smooths out the server task flow. Before implementing this, the server would try to update 100’s of mesh agents at the same time. Now, it will only update 20 at a time, continuing to the next one each time one is done. This makes the server a lot more responsive even in an agent “connection storm”.

This is just some of the updates made this week. Thanks to everyone that sent bug reports and feedback. We are keeping up with them as quickly as possible, so please keep sending them in.

Enjoy!
Ylian
Blog: https://meshcentral2.blogspot.com
MeshCentral2: http://www.meshcommander.com/meshcentral2
Twitter: https://twitter.com/meshcentral

MeshCentral supports a wide array of operating systems. The remote desktop
feature is the most difficult to get right across operating systems.

You can now shift-click a device to open it in a new browser tab.


Click a device “interfaces” link and the “Last agent address” to get an idea of the location of this device.
The IP address must not be a private LAN address.

New NeDB encryption and IP address filtering now added

MeshCentral2 - Hardware Key Support, One-time Passwords, Running Stateless


MeshCentral is an open source web based remote computer management web site. Because administrators can use MeshCentral to manage hundreds to thousands of computers remotely, the server is a security target. It’s important to support the best industry practices to try to minimize security risk. This week, we added three new security features into MeshCentral.

  • Support for hardware authentication keys. A few weeks back, work got started on adding 2-factor authentication to MeshCentral. First, with support for Google Authenticator. This week, we improve on this with support for hardware keys. You can get a YubiKey starting at 15$ that acts as a hardware based second authentication factor. Users first have to register their key with the web site. Then when logging in and after entering the username and password, users will be prompted for a login token. At this point, press the button on the USB key and you’re automatically logged in. It’s super simple and can be used alongside Google Authenticator. Two hardware key modes are supported:
    • U2F mode. This mode requires browser support. Chrome supports it fully and Firefox can support it when the option is enabled. In this mode, the hardware key performs a signature of a challenge request. Details here.
    • OTP mode. In this mode, the key acts as a USB keyboard and enters a long one-time string when activated by the user. This mode will work on any browser but MeshCentral needs setup and will query the YubiKey server for validation. Details here.
  • Support for one-time written down keys. To complete the 2-factor authentication offerings of MeshCentral, if you don’t have your phone or hardware key, there is now an alternative that is often used as a backup. MeshCentral can generate a set of one-time-only numbers that can be used as a second authentication factor. Users generally print and keep these numbers in a safe place. When presented with the 2nd factor login screen, users can enter one of the single-use 8 digit tokens.
  • Running the server stateless. MeshCentral got a new set of features to allow administrators to load the configuration files of the server into the database. When doing so, an encryption key is mandatory and AES256-CBC is used to encrypt the configuration files before adding them to the database. Once done, a MeshCentral server can launch correctly with only the connection string to the database and the decryption key. Why would this be interesting? With increased security regulations that require “encryption at rest”, the server can store everything in a security compliant database. Also, there is an expectation that Docker containers run stateless. This new mode makes the server run perfectly in this model and MeshCentral containers can be started and stopped without having to worry about container state.
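The one-time written-down tokens from the list above, as an added example in Node.js that is not MeshCentral's own code: it issues a set of random 8 digit tokens, stores only keyed digests, and deletes a digest when its token is redeemed so it works exactly once. The function names, the server-side HMAC key, the `record` layout and the failure limit are assumptions made for the example.

```javascript
// Added example: single-use 8 digit backup tokens, not MeshCentral's code.
const crypto = require('crypto');

// Keyed digest, so a copy of the database alone does not reveal usable tokens.
// serverKey is an assumed server-side secret kept outside the database.
function tokenDigest(serverKey, userId, token) {
  return crypto.createHmac('sha256', serverKey).update(userId + ':' + token).digest();
}

// Returns the tokens to show the user once, plus the record to store for the account.
function issueBackupTokens(serverKey, userId, count = 10) {
  const unique = new Set();
  while (unique.size < count) {
    // crypto.randomInt draws from the CSPRNG without modulo bias.
    unique.add(String(crypto.randomInt(0, 100000000)).padStart(8, '0'));
  }
  const tokens = [...unique];
  const digests = tokens.map((t) => tokenDigest(serverKey, userId, t));
  return { tokens, record: { digests, failures: 0 } };
}

// Accepts each token once; repeated bad guesses lock the backup factor.
function redeemBackupToken(serverKey, userId, record, token, maxFailures = 5) {
  if (record.failures >= maxFailures) return false;   // locked until reissued
  if (typeof token !== 'string' || !/^\d{8}$/.test(token)) {
    record.failures++;
    return false;
  }
  const candidate = tokenDigest(serverKey, userId, token);
  let hit = -1;
  record.digests.forEach((d, i) => {
    if (crypto.timingSafeEqual(d, candidate)) hit = i;
  });
  if (hit < 0) { record.failures++; return false; }
  record.digests.splice(hit, 1);                      // single use: remove on success
  record.failures = 0;
  return true;
}
```

An 8 digit token has only 10^8 possible values, which is why the example limits failed attempts.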

This is just some of the changes and improvements done to MeshCentral this week. There are more items like performance improvements on remote desktop and agent stability fixes. As usual, feedback is appreciated. As of writing this, MeshCentral version is v0.2.7-p.

Enjoy!

Ylian
Blog: https://meshcentral2.blogspot.com
MeshCentral2: http://www.meshcommander.com/meshcentral2
Twitter: https://twitter.com/meshcentral

 

 

MeshCentral now supports U2F and OTP Hardware Authentication Keys.
OTP works on all browsers, U2F on select browsers that support it.

In addition to supporting time limited tokens with Google Authenticator and hardware keys,
MeshCentral now supports written down, one-time login tokens.

MeshCentral can now run “stateless”. That is, all of the server configuration is located in the database.
This improves deployments of MeshCentral in Docker containers and improves security.

MeshCentral2 - Group Move, MongoDB performance, Quick Install


This week, we got a bunch more interesting updates to the code base. Along with many more bug fixes, one feature request that was made on GitHub was to allow devices to be switched between device groups. In addition, MeshCentral is getting deployed a bunch more and so, work has been put in to optimize the MongoDB queries and indexes. Started testing many 1000’s of connections to MeshCentral on relatively small cloud instances. So far, it seems an instance at 30$/month plus traffic costs will host a MeshCentral instance that will handle 10000+ agents. Lastly, started writing MeshCentral install scripts for various cloud provider instances so you can install MeshCentral easily in a few minutes. In detail:

  • Move devices between groups. Device groups are built to apply the same policy or set of user permissions to a group of devices. In the past a device would join a group at install time and this group could not be changed. This caused issues because administrators did not have the flexibility to grant or remove user access to various devices or to move a device to a different group if the role of this device changes. This is now solved. Administrators can switch a device to a different group, one at a time or by selecting many and doing a batch move.
  • MongoDB performance tuning. At the start of last week, MeshCentral was very poorly tuned for MongoDB. No scale testing had been done and so, as the database grew in size, the query response time would get worse very rapidly. After 3 new improvements, new collections and indexes have been created and use of expiration indexes and query changes have been made to ensure high server performance on even small server instances.
  • MeshCentral instance cost. In the last few weeks MeshCentral has been tested on a few Amazon AWS EC2 instances. As it happens, even very modest 30$/month + traffic cost Amazon Linux 2 instances using MongoDB can handle 10000+ connected devices easily. The MongoDB performance improvements have done a lot to make this happen. As a result, MeshCentral instance installation cost is really low. You can even start as low as 3.75$/mo and manage 100 devices. This makes it very affordable.
  • MeshCentral quick install scripts. To get started with MeshCentral, there is an installer’s guide and a user’s guide. In the latest version of the installer’s guide v0.0.6 there is now a quick start section where you can download an install script, run it and have a MeshCentral instance running in a few minutes in the cloud. The scripts will install NodeJS, MongoDB (optionally), MeshCentral and set up permissions and configuration files. Right now, there are three scripts: Amazon Linux 2 with MongoDB (100+ devices), Amazon Linux 2 with NeDB (for less than 100 devices) and Microsoft Azure B1s instance (100+ devices).

This is just some of the changes and improvements done to MeshCentral this week. As usual, feedback is appreciated.

Enjoy,
Ylian
Blog: https://meshcentral2.blogspot.com/
MeshCentral2: http://www.meshcommander.com/meshcentral2
Twitter: https://twitter.com/meshcentral

 

You can now move devices between device groups. Move one at a time or select a bunch and do a batch move. This allows administrators to arrange devices as they see fit. This may also change which devices each of the web site’s users will see.


 
A lot has been done to improve MongoDB performance. Last week, MeshCentral had terrible indexes and response performance. After 3 updates, performance is many orders of magnitude better. MongoDB 4.x has a free website for performance tracking that helped a lot.


 
MeshCentral is being tested on Amazon AWS t3.nano to t3.medium instances. These range from 3.75$/mo to 30$/mo + traffic cost. So far, the server can handle between 100 and over 10000 agent connections on these instances.

MeshCentral2 - Clipboard Support, Device List & Filters, Memory Management


It’s been a while since the last report and lots of progress has been made. Probably most notable is the increase in GitHub traffic where more people than ever are submitting bug reports and feature requests. Only a month ago there were about 20 open issues, now it’s up to 36 open issues with 93 having been closed so far. Many thanks to everyone that takes the time to write up reports on GitHub, it’s much appreciated. This week, we got a bunch more improvements with notable thanks to Bryan Roe who is working nights, days and on his vacations to get issues closed. These last few weeks’ highlights:

  • Clipboard management support on Windows and Linux. One of the frequently asked feature requests on GitHub was for the addition of remote clipboard support. With the latest version of MeshCentral, you can now transfer text to and from a remote device’s clipboard on Windows and Linux. This is an amazingly useful feature, but a very difficult one to implement as the agent needs to figure out what user context to use to get and set the clipboard into. Linux is especially difficult. Again big appreciation to Bryan Roe who did the work on this.
  • Improved list view and filtering. When selecting the device list view on MeshCentral, the latest version displays more information on this screen including the current logged in user or users, the IP address of the device as seen by the server and the type of connectivity the server has to the remote device. All this information is in real time, no need to refresh the web page. In addition, there is improved search filtering. So you can just start typing a device name, or type “ip:192.168.” to filter for devices with a given IP address or “user:bob” to search for devices that have a given user logged in. Makes managing lots of devices a lot easier.
  • New memory monitoring support. When running a big server with 1000’s of connected devices for a long time, it’s important to track server memory use and make sure the code does not leak any memory. In this latest version of MeshCentral, there is a new memory tracking system that logs the server’s memory use at regular intervals. This feature can be turned on during testing or in production to make sure everything is going well. In the graph below we can see how a server with 11 thousand connected devices performs after the latest updates. New server versions have improved memory management considerably.
  • YouTube video on 2 factor authentication. MeshCentral has great two-factor authentication support. To show it off, I recorded a YouTube video demonstrating how it works. The combination of the Google Authenticator application, one time codes and U2F hardware keys make user authentication a lot more robust. Check it out.

This is just some of the changes and improvements done to MeshCentral since the last update, I am skipping over a lot of bug fixes and new features. As usual, feedback is appreciated.

Enjoy,
Ylian
Blog: https://meshcentral2.blogspot.com/
MeshCentral2: http://www.meshcommander.com/meshcentral2
Twitter: https://twitter.com/meshcentral

 

All new MeshCentral remote clipboard support. An amazing feature that was often requested.

New MeshCentral device list view and improved device filtering.

New MeshCentral memory tracking. Useful for debug and production servers.

YouTube video on MeshCentral’s 2 factor authentication support.
