v3.0.0.0
Astaroth
Latest
May 5, 2026We are working hard to become — over time — the best, most transparent, and fairest RMM out there. And yes, this is a massive upgrade. To be honest, the changelog only covers the main adjustments and highlights, but under the hood this has been a massive improvement in terms of performance and scalability. Thank you to everyone walking this journey with us and trusting us with their IT environment.
⚠️
If you are already running a NetLock RMM instance, this update requires you — after the server-side update completed — to go to /automations, open every automation and re-add the desired equal field. This was required to extend how the policy provisioning works. Otherwise upgrade as usual via the standard docker command (https://netlockrmm.com/docs/upgrade). Heads-up: to use the new features, operators have to grant themselves the corresponding permissions in the user management first.
✨ Patch Management for Windows, Linux, macOS & third-party apps (winget, Chocolatey, Flatpak)✨ Integrated AI assistant with OpenAI-compatible LLM connector and feature-scoped permissions✨ Full ticket system with multi-department IMAP/SMTP, time tracking, SLA & CRM✨ Report Manager with builder, 53 pre-built templates, brand customization, PDF export & scheduling✨ Custom Fields, Custom Dashboards & a console-wide audit log✨ Remote Control overhaul: H.264 streaming, registry editor, Wake on LAN, 2FA gate, run-as-user shell
Patch Management
- Patch management for Windows, Linux, macOS & Docker. Patch third-party applications through a winget, Chocolatey and Flatpak integration. Patching is no longer something you bolt on with sensors and scripts — it is now a first-class subsystem that knows about every device's OS, every pending update, and every reboot you owe your users. The goal was simple: turn 'I think we're patched' into 'I know we're patched, and here's the proof'.
- Native handling for Windows, Linux and macOS, each with its own update vocabulary and severity model. Linux understands Security / Bugfix / Enhancement / Newpackage / Other crossed with Critical / Important / Moderate / Low. macOS distinguishes Security / Recommended / Other crossed with RequiresRestart / Recommended / Optional. No more pretending Patch Tuesday semantics map onto every platform.
- Each operating system has its own switch and an 'informational only' mode that lets you collect a complete update inventory without installing anything — perfect for shadow-IT discovery before you flip the lights on.
- An approval workflow on every detected update. Approve, defer, or leave a patch in its default state per device or in bulk; nothing gets pushed unless you said it could.
- Deployment rings configurable per severity and per OS. Ship Critical patches to your pilot ring on day zero, Medium patches a week later, Informational once a month — your call, your cadence.
- Patch Tuesday-relative scheduling. Roll out updates 'Patch Tuesday + 2 days', 'Patch Tuesday + 7 days', or 'the first weekend after'. Stop building this calendar yourself.
- Allowed-weekday rules so you can blacklist days that matter to your customers (no patching on Thursdays for the accounting client, never on Fridays for the law firm).
- Smart maintenance windows that respect reality on the device: don't patch while a user is active, only patch on AC power, never during an active RDP session.
- A free-disk-space precheck so a patch run doesn't wedge a device on a full SSD.
- Catch-up installs for devices that were offline during their slot — they pick up where they left off the moment they come back.
- Separate policy lanes for OS patches and third-party application patches. The OS gets one schedule, winget / Chocolatey / Flatpak get another.
- Reboot handling that an actual user can live with: fully automatic, prompt-with-deferral (with a max-deferral cap so deferrals can't run forever), or never. The Tray Icon talks to the Comm Agent and surfaces escalating reminders before a reboot, plus a live 'installing updates for you' status banner whose text you can customize from policy.
- A pre-warning shown to the end user before a patch run starts at time X, so the workday doesn't get hijacked.
- Patch rollback automation: when the failure rate of a patch crosses a threshold (default 5%), the approval flips so it stops getting deployed. You see it, you fix it, you re-approve.
- Per-patch install duration tracking. Every install records how long it took, so you can spot the patch that turns a 5-minute reboot into a 45-minute coffee break.
- Configurable retry count and retry interval on failed installs.
- Toggle for installing patches over metered or cellular connections — off by default, because nobody wants a 700 MB cumulative update on tethered LTE.
- Wait-until-all-pending-patches-are-installed before requesting or forcing a single reboot. One reboot for the whole patch run, not one per patch.
- The reboot required state of a device is surfaced directly in the device list and on the device detail view, so the operator never has to dig.
- For Windows, the install date pulled from the WUA QueryHistory is recorded in the update history. Real timestamps, not the agent's best guess.
AI & MCP
- A pluggable LLM connector now sits inside the web console. It speaks the OpenAI API dialect, so you can point it at OpenAI itself, at Claude, or at a self-hosted open-source model — your choice, your keys, your data path. There is no vendor lock-in here.
- The active LLM, its base URL, model name, and API key are configured in settings and changeable on the fly.
- Streaming responses are supported end to end, so longer answers render token-by-token rather than waiting for a full payload — feels like a real terminal, not a 30-second spinner.
- A persistent chat, scoped per operator account. Conversation history is stored in the database with proper retention controls — there is a configurable cleanup that purges old chats after N days.
- Per-feature permission toggles are wired up so you can decide exactly where the assistant is allowed to operate.
- Where the assistant actually plugs into the product:
- Scripts page. The assistant can read a script and propose edits, surfaced as a Monaco-style diff you accept or reject. No silent rewrites.
- Real-Time Remote Shell, classic Remote Shell, and bulk Remote Shell. Run a command, drop the output into the assistant, get back an analysis or a refined follow-up command.
- Ticket System. Three concrete actions: summarize a ticket as an internal note, polish your reply before you send it, and chat about the ticket with full access to its thread and any text or log file attached. The polish-the-reply path alone has saved me hours.
- Windows Event Log Viewer. Load up a log and ask your AI if it detects a specific issue or pattern.
- Auditing. Let the AI crawl through your audit logs.
- A short note on terminology: the section title says 'MCP' because that is what people are calling this category of feature this year, but to be precise — what shipped is a clean, OpenAI-compatible LLM connector with streaming, conversation persistence, and feature-scoped permissions. There is no separate Model Context Protocol server process. If you were expecting MCP-the-protocol, this is not that. If you were expecting 'AI assistant integrated into the parts of the product where it actually helps', this is that.
Ticket System
- There is now a full helpdesk built into NetLock RMM. Multi-department, IMAP-driven, time-tracked, AI-assisted. If you run an MSP, you can stop juggling a separate ticket tool — the same console that fixes the device opens the ticket about it.
- Multi-department ticketing. Each department is admin-assignable through the permission system, so the right operators see the right queues.
- Per-department IMAP and SMTP configuration.
- Email and ticket templates, scoped globally or per department, gated by permissions. Build your 'first response' template once, reuse it everywhere.
- Time tracking on every ticket. Automatic mode (open the ticket, the timer starts) or manual start/stop. Idle detection raises a browser notification with a grace window before the timer auto-stops, so you don't bill 3 hours because you got pulled into another fire.
- Billable time rounding rules — minute-accurate, or round up to N minutes — for clean invoicing.
- A prominent ticket-summary field that every operator sees on first open. The 'what is this ticket actually about' lives at the top, not buried.
- Auto-assign-on-first-open behavior, configurable globally. A warning banner shows when multiple operators have the same ticket open, so two people don't reply at once.
- A full audit trail of every ticket change — who, what, when. This piggybacks on the new audit log, so it's centrally searchable.
- Reminder-at-date-X. Park a ticket as 'Waiting for reply' with a reminder date and it flips back to 'Open' automatically when the date arrives.
- Ticket labels and ticket types (service request, incident, maintenance, ...) — global presets plus per-department additions.
- Outbound webhook notifications on ticket open / close / update for CRM integration. Fire your existing automations from ticket events.
- A NetLock-native customer / CRM database with tenant linkage and SLA definitions. When a known customer emails in, the ticket is auto-routed and an SLA timer starts. Tickets can be linked to both tenants and devices, so the device that opened the ticket is one click away.
- Customer-specific ticket prefixes and numbers. Real ticket IDs your customers can quote on the phone.
- Email notifications on ticket events to configurable recipients.
- Inline viewer for text and log attachments, with the AI assistant available right there to analyze them. Drop a 4 MB log file in, ask the assistant what stands out, get a summary.
- Per-user conversation view preference: chat-bubble or CRM-style list. Some operators want Slack, some want Outlook — pick yours.
- Per-user email signature, appended automatically to outbound replies.
- Per-department IMAP polling result log, surfaced in the department editor, so when polling silently breaks you can see why.
Report Manager
- Reports went from 'we have a couple of static dashboards' to a full report-building subsystem with templates, brand customization, scheduling, and export. If a customer ever asked you for a monthly compliance summary in PDF form, the answer used to involve screenshots — that's over.
- A Report Builder with live preview in the console. Lay out your sections, drop in widgets, see what it looks like before you ship.
- Template-driven: every report is a template that defines sections and the widgets within them.
- A widget library covering sortable / paginated tables, metric tiles (Total Devices, Online Devices, Patch Compliance, and many more), pie / bar / line / trend charts, and free-text blocks for narrative copy.
- Brand templates apply your logo (with positioning), name, address, contact details, and custom fields to every page of a generated PDF. White-label your reports to match your customer.
- The Report Manager uses the same SQL Query Builder shared with Custom Fields and Custom Dashboards, so any source you can query for a dashboard you can put in a report.
- Exports to PDF (rendered with QuestPDF), HTML, CSV, and JSON.
- Scheduling covers Hourly, Daily, Weekly, Monthly, Quarterly, and Annually.
- Distribution per scheduled report: download, email (with per-report subject, body and the report attached), or webhook for tooling integration.
- 53 pre-built report templates ship in the box — patch compliance, security posture, ticket throughput, asset inventories, license overviews, and more. Open them, run them, edit them, or use them as a starting point.
- Per-template visibility: keep a report private to its author, share it to specific users, or publish it to everyone in the console.
- Report templates can be exported and imported as files for backup or sharing.
- Server-side generation runs through the NetLock RMM Server itself — no extra API surface, no headless browser. Generated reports land in a per-report folder under the File Server.
Community Reports & Branding
- The Community Scripts pattern that worked for shared scripts now extends to reporting and branding.
- Share and import Report Templates through the Members Portal API. Anonymous or attributed, your choice.
- Share and import full Whitelabel themes — console title, effects, color palette, logo, background image — packaged with up to three preview screenshots and stored as signed JSON. Pick a theme that another MSP built, apply it, done.
Custom Fields & Custom Dashboards
- The console is no longer a fixed UI — it's a UI you build for your team. Custom Fields lets you extend the device view with whatever data and actions matter to you. Custom Dashboards lets you stop staring at the same three charts.
- A Custom Fields builder for the Devices page. Drop in tabs, panels, text blocks, tables — laid out with a live preview as you build.
- Two data sources per field: a SELECT-only SQL query you define, or the latest result of a Job (parsed automatically from event data). Run a Job that returns a CPU spec sheet once a day, render it as a Custom Field, never look at the script's raw output again.
- Action buttons that fire SQL queries or browser URL handlers (e.g. rustdesk://..., ssh://...) using values from the row as parameters. One click on the device, you're connected.
- A 'Hidden Job' flag for jobs that should run quietly. Their results don't pollute /events or the per-device event view — they exist only to feed Custom Fields.
- Custom Dashboards on /dashboard with a dropdown selector. Build one dashboard for the helpdesk, one for management, one for yourself; switch with one click.
- The legacy three charts on /dashboard have been replaced with a fresh widget set. Roughly twenty chart templates ship as starting points so you have somewhere to begin.
- The chart catalog includes bar, line, pie, doughnut, multi-series pie, radar, area, and scaled charts.
- Tables and charts live inside drag-and-resize panels. Lay out a dashboard the way you want it, your layout persists.
- A shared SQL Query Builder class powers Custom Fields, Custom Dashboards, and the Report Manager — learn it once, use it everywhere.
- New per-section settings tabs for Dashboards and Custom Fields with a 'godmode' flag and an allowed-tables config, so you can tune how powerful the builders are in your environment.
Auditing
- Every meaningful action an operator takes in the console is now recorded in a tamper-evident audit log. This was the single biggest gap when talking to compliance-minded customers and it's now closed.
- A new /audit page under the System navigation.
- Captures CRUD operations, login and logout, failed logins, executes (running scripts, jobs, sensors), exports, authorize / deauthorize actions, permission changes, and view actions.
- Standardized vocabularies for actions and entity types. The same verbs and nouns everywhere — 'create user', 'execute script', 'delete policy', 'authorize device' — so log search actually works.
- Three severity levels (Info / Warning / Critical) with sensible default rules: deletes and permission changes raise Warning, failed logins raise Critical.
- Tenant-scoped logging on every entry, so multi-tenant deployments can slice the log per customer.
- Filters for date range, severity, action, entity type, user, and free-text search.
- Export to JSON and CSV — and the export is itself audited. You can audit the auditor.
- Auto-cleanup with configurable retention (default 365 days). Set it to whatever your compliance regime says.
Remote Control Suite
- A whole cluster of remote-control upgrades landed this cycle. Some are brand-new tools, some are deep rebuilds of existing ones. The common thread: do more from the console, do it faster, do it safer.
- Remote Registry Editor (Windows): a real registry editor in your browser. Browse the keys, view values or edit them. No more 'open a remote shell, run reg query, parse the output, hope for the best'.
- File Browser overhaul: rebuilt visually. Navigation is faster and the UI is consistent with the rest of the new web console design.
- Relay App & Web Console with H.264 video streaming: the upgrade I'm most proud of in the remote-control area. The Relay App now streams remote-control video using H.264 with FFmpeg-backed decoding and an adaptive bitrate controller that scales quality to the available bandwidth. The legacy image-frame protocol is still there as a fallback, but the new path is dramatically smoother and dramatically smaller on the wire.
- The Relay App ships as a standalone client for your operators — Remote Control without going through the web console.
- Tenant-scoped device list with search, so a multi-tenant operator only sees what they're cleared for.
- Uninstall Application from the device view: right-click an installed application on /devices → Applications → Installed and hit Uninstall. The agent handles the rest.
- Windows: dispatches uninstall executables, MsiExec /X, or vendor-specific uninstallers as appropriate.
- Linux: apt remove and the equivalents.
- macOS: removes the .app bundle.
- Status comes back over SignalR with a waiting-dialog UX so you actually see what's happening.
- Wake on LAN via the Remote Agent: WoL that works, finally. A WoL button sits next to Reboot and Shell on /devices. The console picks an already-online device on the same LAN as the target — automatically, uses it as the jumphost, sends the magic packet, then pings the target until it answers.
- Jumphost selection is automatic. The first authorized online device on the same internal subnet is used; the operator does not have to pick.
- A status dialog shows the whole flow: jumphost found, packet sent, target responding.
- A clean error path when no online jumphost exists on that subnet, so you're never left wondering.
- 2FA gate on remote actions: a new optional setting on the operator account requires a TOTP code before any remote-control action can run.
- Real-Time Remote Shell + Run-As-User: Remote Shell got both an interactive mode and a context mode this release.
- A real-time terminal mode runs alongside the existing fire-and-forget classic mode. Full VT100 / ANSI emulation. It feels like a real shell because it is one.
- A mode selector at the top of the Remote Shell dialog lets you pick Classic or Real-Time before each session.
- The mode is recorded on every shell history entry so you can audit which mode was used.
- 'Run as User' lands in classic Remote Shell. Pick a logged-in user session (from the same enumeration the Remote Control dialog uses) and the command runs through the User Process — Windows PowerShell, Linux Bash, macOS Zsh — in that user's context. Per-user environment variables, per-user paths, per-user permissions. Finally.
- The chosen run_as_user is recorded on the history entry too, so it's clear at audit time which session executed which command.
Application Control & USB Device Control
- Two features I had been working on around 2021 for a NetLock SaaS prototype, migrated from the old prototype and brought to the new version.
- Application Control (Windows): a new ruleset management page under Collections → Application Control. Build allowlists once, apply them with policy.
- Per-policy filter behavior under /policy_settings.
- Comm Agent enforcement migrated from the legacy agent and hardened against the failure modes of the old implementation. If a ruleset payload is missing or corrupt, the agent logs a warning and skips enforcement instead of going nuclear and blocking everything. No more 'empty ruleset bricks the customer's PC' calls.
- USB Device Control (Windows): per-policy enforcement, plus a new Hardware → USB Devices tab on /devices for visibility and per-device intervention.
- Whitelisting can be scoped per device, per tenant, per location, or per group.
- An aggregate overview shows, across the estate, which USB devices are whitelisted where, with drill-down to the specific devices.
- Both features are Windows-only by design — same as the legacy implementations they replaced.
Linux UFW Firewall Manager
- Linux fleets get a proper firewall management surface, driven from policy.
- Enable / disable UFW on a device through policy. Basic and advanced rules, all expressed as policy data.
- The agent enforces the policy ruleset over any locally-set rules. If somebody opens a port by hand, the policy puts it back.
- Two non-removable default rules are always preserved to keep agent connectivity to the Comm and Remote backends alive — you cannot accidentally lock the agent out of the server.
- An encrypted hash of the enforced ruleset is stored on the agent. On every cycle the agent compares current rules to the hash; drift triggers a re-apply. No more 'I don't know who changed the firewall, but it's wrong now'.
- The Comm Agent reports current UFW status back to the console, surfaced as a new tab on the Linux device view.
SNMP Monitoring
- Full SNMP monitoring is now part of the platform. It is integrated into the Sensors / Collections world rather than living as a separate top-level item, which means SNMP data flows through the same alerting and history pipeline as every other sensor result.
- SNMP v1, v2c, and v3 — including v3 auth (MD5 / SHA) and priv (DES / AES).
- SNMP devices are managed under Collections / Sensors with tenant and location scoping for parity with /devices filtering.
- Each SNMP target is polled by an assigned NetLock agent. This gives you distributed polling for free — your branch-office switch is polled by the branch-office agent, not from the central console.
- Sensor results record both a status (ok / warning / critical / error / timeout) and a value type (Integer / String / Counter / Gauge / TimeTicks) for clean dashboards.
- A per-device SNMP Tools dialog gives operators a quick way to test a target without building a full sensor first.
Software Deployment & App Hub
- A real software-deployment lane, with a curated catalog behind it.
- App Hub: a curated software catalog with publisher, license, icon, tags, target OS, and a 'requires elevation' flag — the metadata you actually need to make deployment decisions.
- Three source types: winget, Flatpak / Flathub, and custom scripts. Chocolatey was added on top of these.
- Background sync services for the winget and Flathub catalogs keep the catalog fresh without manual intervention. Manual triggers exist for when you want it now.
- Apps in the catalog carry an available_for_deployment flag, so you can curate which entries your operators are actually allowed to push.
- App Hub is wired into /policy_settings → app hub for policy-side configuration.
- Software Deployment: a Collections page for deployment jobs.
- Deployment jobs are created and tracked in the web console, then pulled by the Agent on its normal sync cycle.
- The Comm Agent installs as SYSTEM by default. For installers that need to run in the user context, the work is handed off to the Tray Icon's user-process path — no more 'this MSI silently fails because it wanted HKCU'.
- Per-target result tracking on every deployment job so a single failed device doesn't hide inside an '85% successful' rollup.
Port Scanner
- The legacy port scanner from the NetLock prototype did automatic scanning of agent devices' external IPs, which turned out to be a compliance hand grenade for home-office and BYOD scenarios. The recode strips that behavior out and replaces it with the right model: operators define the targets, the scanner scans those.
- Operator-curated targets only. Nothing scanned without an explicit entry.
- Per-port enabled flag, so admins can disable a port without losing its history or having to delete and re-add it.
- The legacy UI shape was preserved; the underlying scanning code was optimized and modernized. Results emit events through the standard sender pipeline so they land alongside everything else in /events.
Website Uptime Monitoring
- A proper external monitoring product, built into the same console you already log into. HTTP / HTTPS, SSL, DNS, content, the works.
- HTTP and HTTPS checks: status code, timeout, redirect handling, SSL validity.
- Retry logic before alerting, so you don't get paged because somebody sneezed on a load balancer.
- Response-time monitoring with average, peak, and trend, broken down into TTFB, full load time, and DNS lookup time.
- Performance alerts on configurable thresholds. Get paged when the site is slow, not just when it's down.
- Performance history at 24h / 7d / 30d resolution.
- Content monitoring: keyword check, missing-string alert, CSS-selector check, and defacement detection via HTML hash comparison.
- SSL monitoring with configurable expiry thresholds (30 / 14 / 7 / 3 days). Certificate-change alerts catch issuer or cert swaps as a security signal — somebody re-issued the cert, you should know.
- DNS monitoring: A, CNAME, MX, and TXT record checks with change and failure alerts.
- An incident system that tracks the full timeline (down → retry → confirmed → notified → up) and computes MTTR and SLA metrics.
- Smart Root Cause Detection: when a monitor goes down, the system automatically runs a layered diagnostic — DNS resolution, then TCP reachability, then HTTP, then content / SSL — and surfaces the failing layer in the incident. You don't have to start from scratch on every alert.
- SSL alert deduplication so a single ongoing certificate-expiry doesn't spam your events table every cycle until the renewal lands.
- Cleanup retention controls for uptime check results, DNS snapshots, and incidents so the database doesn't grow forever.
Maintenance Mode
- The 'server reboot fired 3,000 disconnect alerts' problem is solved. There is now a proper maintenance mode in /settings → Maintenance.
- Manual on / off toggle for ad-hoc maintenance windows.
- Scheduled weekly windows: define a name, weekdays, time-from, and time-to, and the schedule is honored automatically.
- Notifications are suppressed while a window is active. Note that events themselves are still written to the database — the suppression is at the notification layer only, so your audit and history stay intact.
Automations Overhaul
- The matching engine for automations has been rewritten. The old engine compared on string fields, which broke the moment a tenant got renamed or a group got shuffled. The new engine matches on IDs.
- Tenant, Location, Group, and Device matching are now ID-based. Rename your tenant, the automation still matches.
- IP and Domain conditions stay on a strict string match — those are the cases where strings are actually the right primary key.
- Priority weighting was reordered so the most specific match wins: Device → Internal IP → External IP → Domain → Group → Location → Tenant.
- A new picker UI in the policy / automation editor mirrors the picker layout you already know from the Relay configuration. One vocabulary across the console.
- Database indexes were added so policy resolution stays fast even with large automation counts.
- This is also why there is a one-time required customer action after the upgrade — open every automation and re-pick the equal field — flagged at the top of this document. The backfill script does its best on existing automations (matching on the old name strings, with the lowest ID winning ties) but a manual re-save is the only guaranteed-correct migration. After you do it, you do not have to do it again.
Onboarding, GUI Installer, Code-Signed Installers
- The first hour with a new NetLock RMM install was the part of the product I thought can be hard for some. It is now the part I like most.
- First-run onboarding wizard: on a fresh install, /dashboard runs a setup wizard.
- A backend reachability check kicks things off, with a friendly note that on a fresh install this can take a few minutes — so you don't think it's broken.
- Steps cover date / time format, update settings, optional 2FA setup, contact info (first name, last name, email, phone), and an agent-download CTA.
- A watchdog waits for the first device to actually appear in /devices and offers to redirect you there, so the first-device-online moment is a real moment.
- Graphical agent installer for Windows: a clean install experience for end users with a real progress UI.
- Per-deployment branding — window title, welcome description, completed description, error description — is configured per agent package, so the installer your customer sees can be themed to match the customer.
- Code-signed installers (paid): a Members Portal API endpoint builds Windows x64 and Windows ARM64 installers just for you, signs them and ships them to you. No more SmartScreen warnings for your end users (hopefully, in most cases — depends on Microsoft's metrics).
- ARM64 is fully supported alongside x64 — agent, installer, and GUI installer all ship signed for both architectures.
Device World Map
- The new device world map renders every device on a real map, using GeoIP data.
- The GeoIP database is shipped bundled with the console — no runtime download, no third-party API call per device. Resolution is local, fast, and offline-friendly.
- Filters and detail views let you slice by tenant, location, status, and so on, and click through to a specific device from the map.
Quality of Life & Platform Improvements
- A long tail of smaller upgrades that, taken together, make a noticeable difference to the day-to-day feel of the console.
- Real-time CPU and RAM: a new live mode on the device view streams CPU and RAM directly from the Remote Agent over SignalR instead of stitching together the Comm Agent's history. Toggle a checkbox to switch between Live and History.
- RAM percentage is now actually plotted in the history view — a long-standing bug where the field was being collected but not charted is fixed.
- Visual refresh: a console-wide pass on button styling and color usage to align with modern standards. Less noise, more hierarchy.
- A new 'Active Design' selector — Classic vs. New — with full backwards compatibility. Existing installs that have a custom theme_palette stay on Classic on upgrade so nothing surprises you the day after the update.
- Login page polish: the login background can now be an image or video (WEBP, PNG, JPEG, GIF, MP4). White-label your sign-in screen properly.
- A particles.js effect with presets and an advanced editor for the people who want to get fancy.
- An optional particles effect on the appbar too, if you want it everywhere.
- A new login_layout_style setting for layout variants.
- AppBar settings cover icon visibility and seasonal effects (turn the snow on or off, your call).
- A global date / time format setting (yyyy-MM-dd HH:mm:ss by default) so the console renders timestamps the way your team reads them.
- Per-user navmenu ordering: each operator can now reorder their own nav menu. Tickets-first for the helpdesk team, devices-first for the on-call engineer.
- Settings section overhaul: the single old settings_system_enabled permission has been split into a row of granular per-section flags: overview, licensing, updates, database, remote screen, IP whitelist, SSO, whitelabeling, custom fields, dashboards, AI / LLM. RBAC actually works at the settings level now.
- Python3 support, end to end: Python3 is a first-class shell for scripts, jobs, and sensors. Write a sensor in Python3 on Windows, Linux, or macOS — there are dedicated sensor categories for each.
- The agent reports python_version and python_path during preflight, so the console knows which devices have Python ready to go and which don't, before you try to run a Python sensor on them.
- Relay Server reliability: the connection-establishment path the Relay App uses to reach the Remote Agent has been stabilized. Fewer flaky first-connections, faster retries when something does go wrong.