"WANonly":{"type":"boolean","default":false,"description":"When enabled, only MeshCentral WAN features are enabled and agents will connect to the server using a well known DNS name."},
"LANonly":{"type":"boolean","default":false,"description":"When enabled, only MeshCentral LAN features are enabled and agents will find the server using multicast LAN packets."},
"maintenanceMode":{"type":"boolean","default":false,"description":"When enabled the server is in maintenance mode, only administrators can login. Use the maintenance command in server console to change."},
"certificatePrivateKeyPassword":{"type":"array","default":null,"description":"List of passwords used to decrypt PKCK#8 .key files that are in the meshcentral-data folder."},
"sessionTime":{"type":"integer","default":60,"description":"Duration of a session cookie in minutes. Changing this affects how often the session needs to be automatically refreshed."},
"sessionKey":{"type":"string","default":null,"description":"Password used to encrypt the MeshCentral web session cookies. If null, a random one is generated each time the server starts."},
"agentPort":{"type":"integer","minimum":1,"maximum":65535,"description":"When set, enabled a new HTTPS server port that only accepts agent connections."},
"agentPortBind":{"type":"string","description":"When set, binds the agent port to a specific network interface."},
"agentAliasPort":{"type":"integer","minimum":1,"maximum":65535,"description":"When set, indicates the actual publically visible agent-only port. If not set, the AgentPort value is used."},
"agentAliasDNS":{"type":"string","format":"hostname","description":"When set, specified the DNS name used by agents to connect to the agent-only port."},
"agentPortTls":{"type":"boolean","default":true,"description":"Indicates if the agent-only port must perform TLS, this should be set to false if TLS is performed in front of this server."},
"agentLogDump":{"type":"boolean","default":false,"description":"Automatically downloads all agent error logs into meshcentral-data/agenterrorlogs.txt."},
"agentCoreDump":{"type":"boolean","default":false,"description":"Automatically activates and transfers any agent crash dump files to the server in meshcentral-data/coredumps."},
"ignoreAgentHashCheck":{"type":["boolean","string"],"default":false,"description":"When true, the agent no longer checked the TLS certificate of the server. This should be used for debugging only. You can also set this to a comma seperated list of IP addresses to ignore, for example: \"192.168.2.100,192.168.1.0/24\"."},
"StrictTransportSecurity":{"type":["boolean","string"],"default":null,"description":"Controls the Strict-Transport-Security header, default is 1 year. Set to false to remove, true to force enable, or string to set a custom value. If set to null, MeshCentral will enable if a trusted certificate is set."},
"allowFraming":{"type":"boolean","default":false,"description":"When enabled, the MeshCentral web site can be embedded within another website's iframe."},
"cookieEncoding":{"type":"string","enum":["hex","base64"],"default":"base64","description":"Encoding format of cookies in the HTTP headers, this is typically Base64 but some reverse proxies will require HEX."},
"webRTC":{"type":"boolean","default":false,"description":"When enabled, allows use of WebRTC to allow direct network traffic between the agent and browser."},
"nice404":{"type":"boolean","default":true,"description":"By default, a nice looking 404 error page is displayed when needed. Set this to false to disable it."},
"selfUpdate":{"type":"boolean","default":false,"description":"When true, this server will attempt to self-update everyday after midnight."},
"browserPing":{"type":"integer","minimum":1,"description":"When specified, sends data to the browser at x seconds interval and expects a response from the browser."},
"browserPong":{"type":"integer","minimum":1,"description":"When specified, sends data to the browser at x seconds interval."},
"agentPing":{"type":"integer","minimum":1,"description":"When specified, sends data to the agent at x seconds interval and expects a response from the agent."},
"agentPong":{"type":"integer","minimum":1,"description":"When specified, sends data to the agent at x seconds interval."},
"orphanAgentUser":{"type":"string","default":null,"description":"If an agent attempts to connect to a unknown device group, automatically create a new device group and grant access to the specified user. Example: admin"},
"agentIdleTimeout":{"type":"integer","minimum":1,"default":150,"description":"How much time in seconds with no traffic from an agent before dropping the agent connection."},
"agentWsCompression":{"type":"boolean","default":true,"description":"Enables agent-side, websocket per-message deflate compression. wscompression must also be true for this to work."},
"noAgentUpdate":{"type":"integer","default":0,"description":"Set to 1 to present the server from updating any agent."},
"agentUpdateSystem":{"type":"integer","default":1,"description":"When set to 2, all agents that need to be updated will use the meshcore.js update system. With the default value of 1, the native update system is used."},
"amtScanner":{"type":"boolean","default":true,"description":"Set to false to disable Intel AMT scanning on the local network, this is already disabled in WAN mode."},
"meshScanner":{"type":"boolean","default":true,"description":"Set to false to disable agent multicast scanning on the local network, this is already disabled in WAN mode."},
"allowHighQualityDesktop":{"type":"boolean","default":true,"description":"When false, users will only be able to set remote desktop image quality to 60%, this can reduce server bandwidth usage."},
"description":"When set with a valid email address, enables the MeshCentral web push notification feature. Allows administrators to send browser notifications to users even if they are not looking at the MeshCentral web site.",
"additionalProperties":false,
"properties":{
"email":{"type":"string","description":"Server administrator email given to the FireFox and Chrome push notification services."}
"publicPushNotifications":{"type":"boolean","default":false,"description":"When true, this server uses MeshCentral.com a push notification relay for Android notifications. Push notifications work even if the Android app is not open."},
"desktopMultiplex":{"type":"boolean","default":false,"description":"When true, enabled a server modules that efficiently splits a remote desktop stream to multiple browsers. Also allows slow browsers to not slow down the session for fast ones, this comes at the cost of extra server memory and processing for all remote desktop sessions."},
"ipBlockedUserRedirect":{"type":"string","default":null,"description":"If set, a user from a banned IP address will be redirected to this URL."},
"userAllowedIP":{"type":["string","array"],"default":null,"description":"When set, only users from allowed IP address ranges can connect to the server. Example: \"192.168.2.100,192.168.1.0/24\""},
"userBlockedIP":{"type":["string","array"],"default":null,"description":"When set, users from these denied IP address ranges will not be able to connect to the server. Example: \"192.168.2.100,192.168.1.0/24\""},
"agentAllowedIP":{"type":["string","array"],"default":null,"description":"When set, only agents from allowed IP address ranges can connect to the server. Example: \"192.168.2.100,192.168.1.0/24\""},
"agentBlockedIP":{"type":["string","array"],"default":null,"description":"When set, agents from these denied IP address ranges will not be able to connect to the server. Example: \"192.168.2.100,192.168.1.0/24\""},
"authLog":{"type":"string","default":null,"description":"File path and name of the authentication log to be created. This log can be parsed by Fail2ban."},
"InterUserMessaging":{"type":"array","uniqueItems":true,"items":{"type":"string"},"description":"Users in this list are allowed to send and receive inter-user messages. This can be used to implement bots or other software where MeshCentral is used as data transport. See \"interuser\" websocket command in the code."},
"manageAllDeviceGroups":{"type":"array","uniqueItems":true,"items":{"type":"string"},"description":"Users in this list are allowed to see and manage all device groups within their domain."},
"manageCrossDomain":{"type":"array","uniqueItems":true,"items":{"type":"string"},"description":"Users in this list are allowed to manage all users in all domains."},
"description":"When this server is in LAN mode, you may discover this server using a multicast discovery tool. When discovery happens, the name and info fields are sent back to the discovery tool.",
"key":{"type":"string","description":"When set, encrypts all LAN discovery traffic to agents and tools using this key. This is only useful in LAN/Hybrid mode when agents and tools user multicast to find the server."}
"tlsOffload":{"type":["boolean","string"],"default":false,"description":"When true, indicates that a TLS offloader is in front of the MeshCentral server. More typically, set this to the IP address of the reverse proxy or TLS offloader so that IP forwarding headers will be trusted. For example: \"127.0.0.1,192.168.1.100\"."},
"syslogtcp":{"type":"string","default":null,"description":"Send syslog events over the network (RFC3164) to a target hostname:port. For example: localhost:514"},
"description":"Enabled automated upload of the server backups to a Google Drive account, once enabled you need to go in \"My Server\" tab as administrator to associate the account.",
"description":"This section described a policy for how many times an IP address is allowed to attempt to login incorrectly. By default it's 10 times in 10 minutes, but this can be changed here.",
"exclude":{"type":"string","default":null,"description":"Ranges of IP addresses that are not subject to invalid login limitations. For example: 192.168.1.0/24,172.16.0.1"},
"time":{"type":"integer","default":10,"description":"Time in minutes over which the a maximum number of invalid login attempts is allowed from an IP address."},
"count":{"type":"integer","default":10,"description":"Maximum number of invalid login attempts from an IP address in the time period."},
"coolofftime":{"type":"integer","default":null,"description":"Additional time in minute that login attempts will be denied once the invalid login limit is reached."}
"description":"This section described a policy for how many times an IP address is allowed to attempt to perform two-factor authenticaiton (2FA) incorrectly. By default it's 10 times in 10 minutes, but this can be changed here.",
"properties":{
"exclude":{"type":"string","default":null,"description":"Ranges of IP addresses that are not subject to invalid 2FA limitations. For example: 192.168.1.0/24,172.16.0.1"},
"time":{"type":"integer","default":10,"description":"Time in minutes over which the a maximum number of invalid 2FA attempts is allowed from an IP address."},
"count":{"type":"integer","default":10,"description":"Maximum number of invalid 2FA attempts from an IP address in the time period."},
"coolofftime":{"type":"integer","default":null,"description":"Additional time in minute that 2FA attempts will be denied once the invalid 2FA limit is reached."}
"description":"When present, this section will enable the Intel AMT provisioning server on the local network. This is used for Intel AMT bare-metal ACM activation.",
"properties":{
"port":{
"type":"number",
"default":9971,
"description":"Port number that provisioning server will listen to."
},
"deviceGroup":{
"type":"string",
"description":"The agent-less device group to add Intel AMT devices to once they are activated. Must be of format: mesh/domain/id"
},
"newMebxPassword":{
"type":"string",
"description":"The MEBX password to set during activation. This password must be at least 8 characters long and have 1 lower, 1 upper, 1 alpha-numeric and 1 non-alpha numeric character."
},
"trustedFqdn":{
"type":"string",
"description":"The trusted FQDN or provisioning server value the remote device will have. This can be set in MEBx or using the DHCP server option 15 on the local network."
},
"ip":{
"type":"string",
"description":"The IP address of this server. This address will be used when creating the USB setup.bin file to indicate what IP address to send the hello data to."
"title":{"type":"string","default":"MeshCentral","description":"The title of this web site. All web pages will have this title."},
"title2":{"type":"string","default":null,"description":"Secondary title text that is placed on the upper right on the title on many web pages."},
"titlePicture":{"type":"string","default":null,"description":"Web site .png logo file that is 450x66 in size placed in meshcentral-data that is used on the top of many pages."},
"loginPicture":{"type":"string","default":null,"description":"Web site .png logo file placed in meshcentral-data that used on the login page when sitestyle is 2."},
"rootRedirect":{"type":"string","default":null,"description":"Redirects HTTP root requests to this URL. When in use, direct users to /login to see the normal login page."},
"unknownUserRootRedirect":{"type":"string","default":null,"description":"Redirects HTTP root requests to this URL only where user is not already logged in. When in use, direct users to /login to see the normal login page."},
"loginKey":{"type":["string","array"],"items":{"type":"string"},"default":null,"description":"Requires that users add the value ?key=xxx in the URL in order to see the web site."},
"agentKey":{"type":["string","array"],"items":{"type":"string"},"default":null,"description":"Requires that agents add the value ?key=xxx in the URL in order to connect. This is not automatic and needs to be manually added in the meshagent.msh file."},
"userNameIsEmail":{"type":"boolean","default":false,"description":"When enabled, the username of each account is also the email address of the account."},
"welcomePicture":{"type":"string","description":"Name of the PNG or JPEG file that will be shown on the login screen. Put this file in the meshcentral-data folder and place the file name here."},
"welcomePictureFullScreen":{"type":"boolean","default":false,"description":"When enabled, the welcomePicture will show as a fullscreen background on the login screen."},
"meshMessengerTitle":{"type":"string","default":"MeshMessenger","description":"Text that will be displayed on the top of the messenger window when no username or device name is displayed."},
"meshMessengerPicture":{"type":"string","default":null,"description":"Name of a .png image file that is placed in meshcentral-data that is displayed on the top of the messenger web page. When null, the default image is displayed."},
"loginfooter":{"type":"string","default":null,"description":"This is a HTML string displayed at the bottom of the web page when a user is not logged in."},
"autoRemoveInactiveDevices":{"type":"integer","default":0,"minimum":0,"maximum":2000,"description":"Number of days a device can be inactive before it's removed. 0 disables this feature. Device group setting will override this value."},
"deviceSearchBarServerAndClientName":{"type":"boolean","default":false,"description":"When set to true, the devices search box will match on both the server name and client name of a device."},
"url":{"type":"string","description":"URL to the alternative messaging services, for example: \"https://meet.jit.si/myserver-{0}\""},
"localurl":{"type":"string","description":"If specified, this is the URL that is used on the administrator side, for example: \"https://meet.jit.si/myserver-{0}\""}
"description":"Array of node/<domain>/<id> or mesh/<domain>/<id> or tag:<tag> strings. When set, the link will only show up for the specified devices, device groups or device tag.",
"description":"https url when to get the TLS certificate that MeshAgent's will see when connecting to this server. This setting is used when a reverse proxy like NGINX is used in front of MeshCentral."
"autofido2fa":{"type":"boolean","default":false,"description":"If true and user account has FIDO key setup, 2FA login screen will automatically request FIDO 2FA."},
"maxfidokeys":{"type":"integer","default":null,"description":"Maximum number of FIDO/YubikeyOTP hardware 2FA keys that can be setup in a user account."}
"twoFactorCookieDurationDays":{"type":"integer","default":30,"description":"Number of days that a user is allowed to remember this device for when completing 2FA. Set this to 0 to remove this option."},
"auth":{"type":"string","default":null,"enum":[null,"sspi","ldap"],"description":"Type of user authentication to use, this can be SSPI on Windows or LDAP. If not set, username/password is used."},
"ldapUserKey":{"type":"string"},
"ldapUserName":{"type":"string"},
"ldapUserEmail":{"type":"string"},
"ldapUserRealName":{"type":"string"},
"ldapUserPhoneNumber":{"type":"string"},
"ldapOptions":{"type":"object","description":"LDAP options passed to ldapauth-fork"},
"agentInviteCodes":{"type":"boolean","default":false,"description":"Enabled a feature where you can set one or more invitation codes in a device group. You can then give a invitation link to users who can use it to download the agent."},
"agentNoProxy":{"type":"boolean","default":false,"description":"When enabled, all newly installed MeshAgents will be instructed to no use a HTTP/HTTPS proxy even if one is configured on the remote system"},
"description":"This section is used to indicate if parts of the meshagent.tag file should be used to set server-side device properties.",
"additionalProperties":false,
"properties":{
"ServerName":{"type":"integer","default":0,"description":"Action taken if one of the lines in meshagent.tag contains ~ServerName:name. 0=Ignore, 1=Set."},
"ServerDesc":{"type":"integer","default":0,"description":"Action taken if one of the lines in meshagent.tag contains ~ServerDesc:desc. 0=Ignore, 1=Set, 2=SetIfEmpty."},
"ServerTags":{"type":"integer","default":0,"description":"Action taken if one of the lines in meshagent.tag contains ~ServerTags:tag1,tag2,tag3. 0=Ignore, 1=Set, 2=SetIfEmpty, 3=Append."}
"geoLocation":{"type":"boolean","default":false,"description":"Enables the geo-location feature and device location map in the user interface, this feature is not being worked on."},
"description":"Use this section to customize the agent branding.",
"properties":{
"displayName":{"type":"string","default":"MeshCentral Agent","description":"The name of the agent as displayed to the user."},
"description":{"type":"string","default":"Mesh Agent background service","description":"The description of the agent as displayed to the user."},
"companyName":{"type":"string","default":"Mesh Agent","description":"This will be used as the path to install the agent, by default this is 'Mesh Agent' in Windows and 'meshagent' in other OS's."},
"serviceName":{"type":"string","default":"Mesh Agent","description":"The name of the background service, by default this is 'Mesh Agent' in Windows and 'meshagent' in other OS's but should be set to an all lower case, no space string."},
"image":{"type":"string","default":null,"description":"The filename of a image file in .png format located in meshcentral-data to display in the MeshCentral Agent installation dialog, image should be square and from 64x64 to 200x200."},
"image":{"type":"string","default":null,"description":"The filename of a image file in .png format located in meshcentral-data to display in MeshCentral Assistant, image should be square and from 64x64 to 128x128."},
"image":{"type":"string","default":null,"description":"The filename of a image file in .png format located in meshcentral-data to display in MeshCentral Agent for Android, image should be square and from 64x64 to 128x128."}
"ipBlockedUserRedirect":{"type":"string","default":null,"description":"If set, a user from a banned IP address will be redirected to this URL."},
"userAllowedIP":{"type":["string","array"],"default":null,"description":"When set, only users from allowed IP address ranges can connect to the server. Example: \"192.168.2.100,192.168.1.0/24\""},
"userBlockedIP":{"type":["string","array"],"default":null,"description":"When set, users from these denied IP address ranges will not be able to connect to the server. Example: \"192.168.2.100,192.168.1.0/24\""},
"agentAllowedIP":{"type":["string","array"],"default":null,"description":"When set, only agents from allowed IP address ranges can connect to the server. Example: \"192.168.2.100,192.168.1.0/24\""},
"agentBlockedIP":{"type":["string","array"],"default":null,"description":"When set, agents from these denied IP address ranges will not be able to connect to the server. Example: \"192.168.2.100,192.168.1.0/24\""},
"urlSwitching":{"type":"boolean","default":true,"description":"When users navigate thru the web interface, the URL on top will change to point to the current screen. This allows a user to refresh or bookmark the URL and come back to the correct screen. Setting false here will disable this feature."},
"desktopPrivacyBarText":{"type":"string","description":"This is the text that will be shown in the remote desktop privacy bar. You can use {0} to display the account realname or {1} to display the account identifier in the string."},
"MaxDevices":{"type":"integer","default":null,"description":"Maximum number of devices in this domain."},
"MaxUserAccounts":{"type":"integer","default":null,"description":"Maximum number of devices in this domain."},
"MaxUserSessions":{"type":"integer","default":null,"description":"Maximum number of user sessions that can connect to this server for this domain."},
"MaxAgentSessions":{"type":"integer","default":null,"description":"Maximum number of agents that can connect to this server for this domain."},
"MaxSingleUserSessions":{"type":"integer","default":null,"description":"Maximum number of sessions a single user can have. Each time a user opens a new browser tab or opens a new browser on a different computer, a new user session is created."}
"description":"List of local network Intel AMT scanning options offered in the user interface. For example [\"LabNetwork 192.168.15.0/23\", \"SalesNetwork 192.168.8.0/24\"].",
"TlsConnections":{"type":"boolean","default":true,"description":"When set to false, MeshCentral will use TLS to connect to Intel AMT, this is not recommanded."},
"TlsAcmActivation":{"type":"boolean","default":false,"description":"When set to false, MeshCentral will not attempt a TLS ACM activation on Intel AMT v14+"},
"description":"Specifies a certificate and private key to use to issue Intel AMT TLS certificates. By default the MeshCentral self-signed root certificate is used.",
"type":"object",
"properties":{
"certpfx":{
"description":"Name of the certificate file that is in .p12 or .pfx format in meshcentral-data, use this with certpfxpass.",
"type":"string"
},
"certpfxpass":{
"description":"Password for the file specified in certpfx.",
"type":"string"
},
"certfile":{
"description":"Name of the certificate file in PEM format located in meshcentral-data. Using this with keyfile.",
"type":"string"
},
"keyfile":{
"description":"Name of the private key file in PEM format located in meshcentral-data. Using this with certfile.",
"description":"This is used to create HTTP redirections. For example setting \"redirects\": { \"example\":\"https://example.com\" } will make it so that anyone accessing /example on the server will get redirected to the specified URL."
"agentConfig":{"type":"array","uniqueItems":true,"items":{"type":"string"},"default":null,"description":"Key and values to add to the MeshAgent .msh file"},
"assistantConfig":{"type":"array","uniqueItems":true,"items":{"type":"string"},"default":null,"description":"Key and values to add to the MeshCentral Assistant .msh file"},
"onlySelectedUsers":{"type":"boolean","default":false,"description":"When enabled, only device users with the session recording feature turned on will be recorded. When false, all users are recorded."},
"onlySelectedUserGroups":{"type":"boolean","default":false,"description":"When enabled, only device user groups with the session recording feature turned on will be recorded. When false, all users are recorded."},
"onlySelectedDeviceGroups":{"type":"boolean","default":false,"description":"When enabled, only device groups with the session recording feature turned on will be recorded. When false, all devices are recorded."},
"filepath":{"type":"string","description":"The file path where recording files are kept."},
"index":{"type":"boolean","default":false,"description":"If true, automatically index remote desktop recordings so that the plays can skip to any place in the file."},
"maxRecordings":{"type":"integer","default":null,"description":"Maximum number of recording files to keep."},
"maxRecordingDays":{"type":"integer","default":null,"description":"Maximum number of days to keep a recording."},
"maxRecordingSizeMegabytes":{"type":"integer","default":null,"description":"Maximum number of recordings in megabytes. Once exceed, remove the oldest recordings."},
"description":"Makes MeshCentral send emails using the Unix sendmail command. Allows MeshCentral to send email messages for 2FA or user notification.",
"type":"object",
"properties":{
"newline":{"type":"string","default":"unix","description":"Possible values are unix or windows"},
"path":{"type":"string","default":"sendmail","description":"Path to the sendmail command"},
"args":{"type":"array","items":{"type":"string"},"default":null,"description":"Array or arguments to pass to sendmail"}
"description":"If your server has a proper DNS name and it public facing on the Internet with a public facing HTTP server on port 80, you can get a free TLS certificate.",
"email":{"type":"string","format":"email","description":"Email address of the administrator of this server. Make sure this is a valid email address otherwise the certificate request will fail."},
"skipChallengeVerification":{"type":"boolean","default":false,"description":"By default, MeshCentral will perform a self-test to make sure HTTP port 80 can respond correctly before making a request to Let's Encrypt. In some cases, this self-test can't work and must be skipped."},
"production":{"type":"boolean","default":false,"description":"By default a test certificate will be obtained from Let's Encrypt. Always start by getting a test certificate and make sure that works before setting this to true and obtaining a production certificaite. Making too many bad requests for a production certificate will get you banned for a long period of time."}