Security best practices

Datto RMM offers multiple features that can be used to keep your Datto RMM account safe. We recommend that you also get familiar with the following topics: Infrastructure and security andSecurity Q&A.

Device/Agent security

Device approval, also known as sandboxing

Enable device approval to ensure only authorized devices connect to your account.

With this setting enabled, new devices added to a Datto RMM site will not be able to run jobs, download components, or accept policies unless explicitly approved by an account administrator. Refer to Device approval.

Agent encryption

Keep a close eye on devices requiring approval (New UI > Devices > Approval required) and scrutinize any devices with key mismatches.

In the New UI, in the same area where Agent approvals are managed, Agents with an incorrect or missing encryption key are also displayed. For each Agent installation, Datto RMM generates an encryption key and exchanges it with the platform. In cases where an Agent's submitted key differs from the key the platform expects to receive or is missing, a mismatch will occur. A key change may indicate a legitimate reinstallation of the Agent or an attempt by an attacker to masquerade one device as another. It is recommended that all encryption key approvals are validated as an Agent should never change its key spontaneously. In the event of a mismatch, check the new device's audit records to see if they are as expected. If they are not or you are unsure, contact Datto RMM Support. Refer to Kaseya Helpdesk. Refer to Agent Encryption Key Changed and Agent encryption.

Agent IP address restriction

Consider locking down your account to only provide login access to approved IP addresses for the Agent Browser.

You can restrict access to the Agent Browser to certain IP addresses. Refer to Access Control.

Malware protection

Ensure all devices have a form of malware protection active and use filters and monitors to detect devices with problematic malware protection states.

Datto RMM works with many antivirus solutions out of the box to provide at-a-glance views of malware protection status. In addition to communicating natively with a selection of antivirus suites, Datto RMM (on a Windows device) will attempt to work with the operating system to gather data where this is not possible. The data points gathered are “is the product running” and “is the product up to date”, which can be used to draw an accurate diagram of device antivirus health. Refer to Antivirus products.

Ransomware Detection

Leverage Datto RMM Ransomware Detection for additional protection.

Datto RMM Ransomware Detection monitors for the existence of crypto-ransomware on endpoints using proprietary behavioral analysis of files and alerts you when a device is infected. Once ransomware is detected, Datto RMM can isolate the device and attempt to stop suspected ransomware processes to prevent the ransomware from spreading. Refer to Ransomware Detection.

Windows Update status (Patch Management)

Utilize Datto RMM Patch Management to push updates to systems and use filters to surface devices requiring additional assistance in staying up to date.

Datto RMM works with Windows to report issues with the Windows Update service immediately. Furthermore, Datto RMM's robust Patch Management core is fully compatible with Windows 10 and will report back any issues installing updates using the same interface. Data gathered via Datto RMM is easily parsed and understood. Datto RMM's component engine can also be used to push Windows 10 Quality Updates. Refer to Patch Management.

Software updates

Utilize Software Management to ensure critical internet-connected apps installed on endpoints are kept up to date seamlessly.

Datto RMM's Software Management feature can be used to push a selection of programs to Windows and macOS endpoints as soon as updates to them are made available by the manufacturer. With Datto RMM, endpoints can be assured to always be running the latest version of the software. Refer to Software Management.

Security Audit

Run the Security Audit component on Windows systems to ascertain their security health.

Datto RMM offers a Security Audit component in the ComStore for Windows systems that can be run to provide an easily digested checklist showing security issues. Refer to Best practices for Security Audit.

Agent policies

Configure Agent policies on your devices to establish boundaries for the Agent.

Agent policies can be used to configure how much control Datto RMM users are given over endpoints. Unlike security levels, which are applied at the user level, Agent policies operate at the policy level, meaning they operate independently of user security and guaranteeing a device will respond in a certain manner.

Use an Agent policy to configure how much control users remoting into a device receive, whether devices can receive jobs, and other features. This can be useful for devices that should never run automated jobs or receive remote support. Refer to Agent policy.

Admin/logon security

Two-factor authentication (2FA)

Datto RMM enforces 2FA on all accounts.

2FA is implemented to provide a second level of time-based passcode security. The use of 2FA is mandated for all users to guarantee no weak links in the chain. Refer to Two-factor authentication.

IP address restriction

Consider locking down the web interface, as with the Agent Browser, only to allow logins from IP addresses within an accepted range.

You can restrict access to the web interface to certain IP addresses or domains. Refer to Access Control.

Security levels

Configure security levels to only give staff the permissions they need.

Security levels allow you to specify and limit the access users have when logged in to the web interface and Agent Browser. Refer to Security Levels.

User activity logging

Make regular use of user activity logging to audit actions undertaken by staff.

Use this to view a complete list of a user’s activities in any given date range. This can be especially useful when working out the source of a configuration change. Deleting a user does not remove their activity data from the database. Refer to Activity Log.