Agent encryption
Datto RMM applies a layered security model, which includes Agent encryption. A unique encryption key is generated for every Datto RMM Agent installation, which ensures that when an Agent is communicating with the platform, traffic is verified as coming from the device where the Agent was originally installed, and impersonation attempts are blocked.
How Agent to platform authentication works
When the Datto RMM Agent is deployed, a secret key is generated. That secret key is then shared with Datto RMM when the Agent connects to the platform, and is linked to that device. This mapping enables Datto RMM to sign and verify Datto RMM Agent data, and to encrypt or reject communications accordingly.
Encryption key approval
Automatic approval occurs when:
- A newly generated key is assigned to a device. This includes:
  - Existing devices with no mapped encryption key
  - Existing devices with a previously approved encryption key where the Agent was uninstalled and then re-installed
  - New device records created by newly installed Agents
- A device submits a key change request from an IP address that has been approved at least four times in the last 60 days.
- A device submits a key change request from the same IP address as its last manually approved request.
- A device submits a key change request from its last known external IP address.
Manual approval is required when:
- The key mapping stored for a device record in Datto RMM does not match the key held by the linked Agent, or the key is missing on the Agent.
Manual approval can only be performed by an administrator, or a user with Device Approvals enabled in their security level, in the Agent Encryption Key Changed list on the Devices requiring approval page. Refer to Agent Encryption Key Changed.
It is recommended that all encryption key approvals are validated as an Agent should never change its key spontaneously. In the event of a mismatch, check the new device's audit records to see if they are as expected. If they are not or you are unsure, contact Datto RMM Support. Refer to Kaseya Helpdesk.
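The approval rules above are easy to misread in operation, so here is an added example (not Datto RMM's own code or data) that models them as a decision function and builds the review list the recommendation calls for: the manual-approval queue, plus auto-approved key changes on devices that already had a mapped key. The device records, approval history and IP addresses are constructed for illustration, and the rule for a re-installed Agent is represented simply by the device record having no mapped key.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

AUTO_APPROVAL_MIN_COUNT = 4                  # "approved at least four times..."
AUTO_APPROVAL_WINDOW = timedelta(days=60)    # "...in the last 60 days"

@dataclass
class DeviceRecord:
    device_id: str
    mapped_key_id: str | None          # key linked to the record on the platform; None = unmapped
    last_external_ip: str | None
    last_manual_approval_ip: str | None

def decide(device, source_ip, now, history):
    """Classify a key change request from `source_ip` as ('auto', reason) or ('manual', reason)
    following the rules on this page; history is a list of (ip, approved_at) for earlier approvals."""
    if device.mapped_key_id is None:
        return "auto", "newly generated key assigned to an unmapped device"
    recent = sum(1 for ip, at in history
                 if ip == source_ip and timedelta(0) <= now - at <= AUTO_APPROVAL_WINDOW)
    if recent >= AUTO_APPROVAL_MIN_COUNT:
        return "auto", "source IP approved at least four times in the last 60 days"
    if source_ip == device.last_manual_approval_ip:
        return "auto", "same IP as the last manually approved request"
    if source_ip == device.last_external_ip:
        return "auto", "request from the device's last known external IP"
    return "manual", "key mapping mismatch; administrator approval required"

def triage(devices, requests, now, history):
    """Return (manual_queue, validate_list): requests needing an administrator, and auto-approved
    replacements of an already mapped key, which the page says should still be validated."""
    manual, validate = [], []
    for device_id, source_ip in requests:
        dev = devices[device_id]
        verdict, reason = decide(dev, source_ip, now, history)
        if verdict == "manual":
            manual.append((device_id, reason))
        elif dev.mapped_key_id is not None:    # auto-approved, but an existing key was replaced
            validate.append((device_id, reason))
    return manual, validate

# Constructed sample data (not from the page): a fresh install, a key change from the device's
# usual IP with only three approvals inside the window, and a key change from an unseen IP.
NOW = datetime(2024, 6, 1, 12, 0)
SAMPLE_DEVICES = {"dev-A": DeviceRecord("dev-A", None, None, None),
                  "dev-B": DeviceRecord("dev-B", "key-B1", "203.0.113.10", None),
                  "dev-C": DeviceRecord("dev-C", "key-C1", "203.0.113.20", "203.0.113.20")}
SAMPLE_HISTORY = [("203.0.113.10", NOW - timedelta(days=d)) for d in (5, 20, 45, 70)]
SAMPLE_REQUESTS = [("dev-A", "198.51.100.7"), ("dev-B", "203.0.113.10"), ("dev-C", "198.51.100.99")]
```

Running `triage(SAMPLE_DEVICES, SAMPLE_REQUESTS, NOW, SAMPLE_HISTORY)` places dev-C in the manual queue and dev-B on the validation list, while dev-A is auto-approved as a new installation and needs no review.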
If a device is awaiting Agent encryption key change approval or is rejected, it will not receive any monitoring or Software Management data, and you will not be able to connect to it using Web Remote. Devices rejected from the Agent Encryption Key Changed list will be removed from the list and will be displayed in the list again an hour later; an Administrator can then approve or reject them. Alternatively, devices displayed in the list can be deleted from the account. Refer to Deleting a device.
Approved devices will receive monitoring and Software Management data an hour after approval. You will also be able to connect to them using Web Remote.
Important notes
- The encryption key must be stored locally on a device for the value to persist across reboots. The key file is only accessible with system privileges, and it is essential for it to be present and correct for Agent to platform authentication to occur uninterrupted. If the key file is removed, for example by reinstalling the operating system, a manual approval will need to occur.
- Devices should never share the same identifier, but it may happen on rare occasions.
  - For example, if an image-based operating system deployment method is used without first removing the device identifier from the system, the identifier would be cloned. Following the first device, every device communicating with the platform using the cloned identifier would generate an approval request. In this case, the cloned identifiers should be removed and allowed to automatically re-generate. To learn how to avoid duplicate device identifiers when cloning devices, refer to Cloning or imaging devices that have Datto RMM installed.
- If a Network Node is awaiting device approval due to an Agent encryption key change request, any associated network devices will appear offline until the Network Node is approved.