Web Remote
SECURITY Web Remote must be enabled within Remote control tools.
SECURITY For Web Remote chat, you must have Chat permissions enabled. Refer to Remote control tools.
SECURITY For Web Remote PowerShell, you must have PowerShell permissions enabled. Refer to Remote control tools.
NAVIGATION Agent Browser > connect to a device > Web Remote. For more information, refer to Remote takeover tools.
NAVIGATION Sites > All Sites > click the name of a site > Web Remote (last column in table)
NAVIGATION Devices > All > Web Remote (last column in table)
NAVIGATION Device summary page > Web Remote. To view the various navigation paths you can use to access the device summary page, refer to Device summary.
NAVIGATION A targeted list of devices > Web Remote (last column in table). To view the navigation paths for the various targeted lists of devices, refer to Targeted lists of devices in Devices.
About
Web Remote is a browser-based HTML5 remote control, chat, and PowerShell technology featuring fast connection times and is available as a remote action for online servers, laptops, and desktops.
IMPORTANT Web Remote sessions can be initiated from Windows, macOS, Linux, iOS, or Android devices using a recent version of the Chrome, Firefox, Edge, or Safari browser; no installed Agent is required. However, only Windows and macOS devices with a Managed Agent installed can be controlled via a Web Remote session.
For Web Remote to function properly on macOS devices running Mojave or later, the following applications must be listed and selected for the following options in System Preferences > Security & Privacy > Privacy (or, for Ventura, System Settings > Privacy & Security > Privacy section):
• Accessibility: AEM Agent, Vine Server
• Full Disk Access: AEM Agent, Vine Server
• Screen Recording: AEM Agent, Vine Server
File Transfer requires the Agent Process to be running using .NET Core.
Up to four users can connect to a single Windows or macOS device using Web Remote at the same time. In cases where the remote device's resources are unable to support that many connections simultaneously, the number of active connections may be limited.
Web Remote can be accessed from the Agent Browser, the device summary page, and the Devices page. For navigation paths, refer to Security and navigation. Web Remote sessions and chats may also be initiated from webhook notifications. Refer to Webhooks.
NOTE Both Web Remote and Splashtop are not supported for remote takeover of headless devices (physical devices with no attached monitor) unless the device has an active virtual monitor. In these cases, third-party video adapters or other software can be used to generate a virtual display. RDP is an alternative remote takeover tool that functions for headless devices. Refer to RDP in Remote takeover tools.
Web Remote is an Agent module (process) that is managed by AEMAgent and runs alongside the Agent Process (AEMAgent.exe).
When a Web Remote session is established, a new Web Remote Process (RMM.WebRemote) is created for that session. Refer to Initiate a Web Remote session.
Location of the Web Remote Process by operating system:
Operating System | Location |
---|---|
Windows | %ProgramData%\CentraStage\AEMAgent\RMM.WebRemote\[version] |
macOS | /usr/local/share/CentraStage/AEMAgent/RMM.WebRemote/[version] |
On Windows, additional supporting Web Remote Processes are created, which run in different contexts. These are summarized below:
- Daemon: Runs in session 0 as SYSTEM at all times and controls all Web Remote sessions on a device.
- Interactive: Runs in an interactive session as SYSTEM and is responsible for screen capture and most of the desktop protocol handling.
- Graphics: Runs in an interactive session as the logged in user to access GUI elements, such the system tray icon and balloon notifications.
On macOS, the Interactive process is run in the same context as Daemon. The Graphics process is not run at all.
There are three auxiliary processes that support Web Remote sessions, a subset of which are run depending on the active protocol:
- RMM.RTO.Proxy: A proxy between AEMAgent and Ultra VNC on Windows or Vine VNC on macOS.
- RMM.RTC.Proxy: A proxy between AEMAgent and the WebRTC protocol.
- RMM.RTO.Quartz: A proxy between AEMAgent and the Quartz API on macOS.
Starting from Windows NT 6.2 (Windows 8/Windows Server 2012), a change in the Display Driver Model has permitted hardware acceleration when screen sharing. Using this technology in Web Remote where possible results in a marked improvement in the quality and responsiveness of the takeover session experience as compared to VNC.
NOTE As of the 13.5.0 release, if the device has both a Integrated GPU and a Guest GPU, Web Remote will automatically connect using the Integrated GPU.
Prerequisites:
- Windows NT 6.2 (Windows 8/Windows Server 2012) or above only. Windows NT 6.1 (Windows 7/Windows Server 2008 R2) or below must use VNC.
- The Datto RMM Agent Process must use .NET 6. Otherwise VNC must be used, even on Windows NT 6.2 and above. For more information, refer to Supported operating systems and Agent requirements.
If VNC is disallowed on a target device, the VNC connection will fail. On Windows devices, you can control whether VNC is allowed globally. Refer to VNC Settings in the legacy UI and VNC Integration in the New UI.
When Guest GPU Acceleration is active, the following will be displayed under the Connection section. Refer to Connection.
WebRTC is an open framework that enables Real-Time Communication (RTC) capabilities in the browser. Web Remote leverages this technology to allow a fast peer-to-peer (P2P) connection to be established between devices if available. If a P2P route is not possible, WebRTC will fall back to a relay connection via the platform.
For additional reliability, a WebSocket connection is automatically attempted in parallel with a WebRTC connection, and WebSocket and WebRTC connections are retried on an interval basis. If WebRTC fails to connect but WebSocket succeeds, the WebSocket channel is used for communication, and if WebRTC succeeds but then disconnects in the middle of the session, an automatic failover to the WebSocket channel occurs without the user experiencing a disconnect. If WebSocket fails to connect and WebRTC succeeds, WebRTC is used. WebRTC is always preferred over WebSocket, whether the connection is P2P or Relay.
The following will be displayed under the Connection section. Refer to Connection.
The connection type can be one of the following:
- WebRTC (P2P)
- WebRTC (Relay)
- WebRTC (Relay, TLS)
- WebRTC
- WebSocket (Relay)
How to...
IMPORTANT Port 3478 (UDP) must be open in order to connect via Web Remote. Refer to Web Remote communication.
- Follow any of the navigation paths described in Security and navigation. Refer to Multi-session support for information about initiating a Web Remote session on multi-session devices.
- Observe that a new browser tab opens and the Connecting screen displays.
- Once connected to the device, select Control Screen for the user session you wish to connect to.
NOTE If only a console session is available (no end user is logged in) and the remote device does not support PowerShell sessions, the Control Screen action will be launched automatically. If the remote device supports PowerShell sessions, both the Control Screen and PowerShell actions will be available. Refer to Requirements in Initiate a Web Remote PowerShell session.
NOTE Technicians may view the chat history for offline devices, or for users who are not currently logged into the device. Refer to View chat history.
A padlock icon will be displayed next to the end user if they have locked their screen. In that case, you may still select Control Screen, but the user's screen will remain locked.
-
Observe the pop-up notification that appears as the session is being established. This notification will display for 30 seconds before disappearing.
NOTE Notifications must first be enabled under System > Notifications & actions (Windows devices only).
Refer to Privacy Mode considerations for information about connecting to an end user's device when they have Privacy Mode enabled.
- Once the connection has been established, the browser tab will display the name of the remote device you are connected to, and you will see the following areas on the screen:
- Remote device screen pane: The pane on the left displays the screen of the remote device you are connected to.
- Toolbar: The pane on the right displays information about the connected device as well as the remote actions available and is open by default. Clicking > at the bottom of the pane will hide the toolbar. Clicking < will re-open the toolbar.
NOTE In some cases for devices that support Desktop Duplication (Windows devices only), you may see a black screen after the connection is established. This may indicate the desktop of the remote device is locked. A message will appear prompting you to click Send CTRL-ALT-DEL from the Keyboard section of the toolbar to unlock the desktop. Refer to Keyboard.
- For more information, refer to View information about and perform actions on the connected device.
NOTE If the Show Connection Time toggle is turned on in the Preferences menu, you will see the amount of time it took to connect to the remote device. Refer to Preferences in View information about and perform actions on the connected device.
NOTE Connections will be halted and a message will be displayed in the following instances:
• A technician attempts to open a Web Remote connection by manually entering a URL to an offline device. A message will be displayed indicating that the device is offline.
• A technician attempts to connect to an inactive RDP session using Web Remote (Windows devices only). A message will be displayed indicating that the desktop is not active/not receiving input.
• A technician attempts to connect to a device that is missing the Agent's encryption key. For more information, refer to Agent encryption.
Web Remote allows technicians to support end users on multi-session devices such as Windows Virtual Desktops and servers running Remote Desktop Services (RDS). After initiating a Web Remote session on one of these devices, technicians can view a list of users who are logged into the device and then choose a user session from the Choose Session screen.
Once a user session is selected, the Web Remote session with that user will be initiated and the user's desktop wallpaper will be displayed. Only the selected user will see the pop-up notification that a session is being established.
If Privacy Mode is set on the remote device, the end user will be prompted to accept or decline a connection request via a dialog box that includes the requesting technician's name in order for the technician to connect to the device. Refer to Privacy Mode.
NOTE For Web Remote, if Privacy Mode is set on the remote device and Only require permission from the device when connecting with Restricted Tools is selected in an Agent policy targeting the device, end user permission will be required to initiate remote takeover sessions but will not be required to initiate PowerShell sessions. Refer to Privacy mode options in Agent policy.
Once the connection is in progress, a message will be displayed to the end user that a remote takeover is currently in progress. This message will only appear once the end user has accepted the connection request.
NOTE Notifications must first be enabled under System > Notifications & actions (Windows devices only).
Web Remote will reconnect with the same session should a brief interruption in Internet connectivity occur; a second Privacy Mode prompt will not appear as the end user has already accepted the connection.
If the end user's screen is locked (indicated by the padlock icon), selecting Control Screen will not establish a Web Remote session; instead a message will be displayed stating that the screen is locked.
If the end user logs out, selecting Control Screen will not establish a Web Remote session; instead a message will be displayed stating that there is no end user currently logged in.
Once you are connected to a device, you can view information about and perform a variety of actions on it using the toolbar. The Display section is initially open by default, but your preferences for which sections are open or closed will be saved for future sessions.
For more details about each of the toolbar sections, refer to the table below.
Section | Description |
---|---|
Full screen | Click the full screen icon at the top of the toolbar to enter full screen mode for this session. Entering full screen mode will hide the toolbar. Press the Esc key to exit full screen mode, or click the < icon at the bottom of the pane to open the toolbar while in full screen mode. Select the exit full screen icon to return the screen to normal. |
Display | • Fit Screen: Fits the remote device screen to the screen of your device. Windows devices that have multiple monitors are supported. • Original Size: View the actual size of the remote device screen. NOTE Both horizontal and vertical (landscape and portrait, respectively) display orientations are supported. The following options appear if the device you are connecting to has multiple monitors/multiple graphic adapters (Windows devices only): • All Monitors: Select to navigate across all monitors within the display area. |
Chat | Click to load and review the chat history. You may also export the chat history by selecting an option from the Export drop-down menu or invite the end user to chat by clicking Chat Invite. Once the end user accepts the chat invitation, you can continue the chat from within the toolbar. For more information, refer to Initiate a Web Remote chat. |
Keyboard | • On-Screen: Opens the on-screen keyboard on the end user's remote device. The end user's native keyboard layout will be respected. NOTE If you are connected to a macOS device from a Windows device and opt to not use the on-screen keyboard, the ALT key on your device will act as the command key on the remote macOS device (for example, you can copy items with ALT+C and paste them with ALT+V). • Send clipboard as keystrokes: Allows you to send text copied from your device to the remote device. A visual indication will appear when you copy something on the remote device, or when you copy something on your device and then click the Web Remote browser tab. IMPORTANT The text must be ASCII-only and less than or equal to 256 characters, and your browser must support the Clipboard API in order for this command to become available. If the button is unavailable, one of the following tooltip messages will be displayed, depending on your browser: For Google Chrome (recommended): For Firefox: For Safari: NOTE This action is not available when Safari is being used on a secondary display. • For devices that support Desktop Duplication (Windows devices only), Windows ALT key codes for Norwegian, Finnish, Danish, Swedish, Dutch, German, and French language keyboards are also supported. |
IT Glue Passwords |
Refer to IT Glue passwords in Web Remote. |
Autotask Ticket | Refer to Autotask companion in Web Remote. |
Quick Launch | Launch the following applications on the remote device (Windows devices only): • Command Prompt • Computer Management • Control Panel • Event Viewer • PowerShell • Problem History (Reliability Monitor) • Registry Editor • Services • System Information • System Restore (not available for Windows Servers) • Task Manager Launch the following applications on the remote device (macOS devices only): |
File Transfer |
IMPORTANT You must have File Manager permissions enabled in Remote control tools to view and access this option. The File Manager tool requires SYSTEM permissions to any file or folder you wish to take actions against. Refer to How do I enable SYSTEM access to files or folders?. Allows you to download files from the remote device and upload files to the remote device (Windows admin, Windows non-admin, and macOS sessions). NOTE For devices that support Desktop Duplication (Windows devices only), if the remote user is not logged in (the desktop is locked), a tooltip will appear stating that the Windows desktop is locked and the download and upload file actions will be disabled. Choose where to download the file to your device. Uploaded files appear on the Desktop of the domain user currently logged in on the remote device or within C:\Users\<username>\Desktop on Windows devices. Any operations under Quick Launch, File Transfer, and Reboot are temporarily disabled when a file upload or download is being performed. |
Reboot | Allows you to reboot the remote device and reconnect to the device once the reboot is complete. Select Reboot (macOS devices) or Normal Reboot (Windows devices) to reboot in normal mode, or Safe Reboot to reboot in Safe Mode (Windows devices only). |
Performance | The following performance graphs are displayed: • CPU (Used %) • Memory (Used %) • Disk: Write and read values measured in megabytes per second • Network: Receive and send values measured in megabits per second |
Connection | The following connection quality graphs are displayed: • Client FPS: Measured in frames per second • Lag: Measured in milliseconds • Latency: Measured in milliseconds • Inbound Traffic Instructions: Measured in instructions per second • Inbound Traffic Data: Measured in kilobytes per second |
Preferences | Turn on the toggles to enable the following options: View Only Mode Block Remote Input Blank Desktop NOTE Upon initial connection, the wallpaper will be blanked by default; that is, it will be changed to a solid black color (existing solid-colored backgrounds will not change). The user's original wallpaper will be restored once the session is terminated. For multi-session support, the wallpaper will only change for the active session. Refer to Multi-session support. Lock After Disconnect Show Connection Time Sync Clipboard NOTE When switching to another Web Remote session within the same account, this selection will persist. Clear Clipboard On Close For Windows key use (Windows devices only)
Image Quality (Windows devices only)
When switching to another Web Remote session within the same account, this selection will persist. |
Rate Session | Select a rating for the quality of the Web Remote session from 1-5 stars. Once you have entered your rating, add a comment (optional), select the Use my location toggle button if you wish to include your geolocation data, and then click the Rate Current Session button. A confirmation message will be displayed once you have submitted your rating, and this section will disappear from the toolbar. |
IMPORTANT You must have Chat permissions enabled in Remote control tools to view and access this feature.
NOTE Branding for Web Remote chat is configured using the header logo and header background color within Setup > Branding. Refer to Branding.
- Follow any of the navigation paths described in Security and navigation.
- Observe that a new browser tab opens and the Connecting screen displays.
- Once connected to the device, select Chat for the user session you wish to connect to. The end user must be logged in for this action to be available.
A padlock icon will be displayed next to the end user if they have locked their screen. In that case, you may still select Chat to review the chat history, but you will not be able to invite the user to the chat. - Review the chat history. A message will be displayed indicating the beginning of the chat if no history is yet available. If multiple technicians have initiated a chat on this device, all technicians can review the chat history before the end user is invited.
- Click Chat Invite to invite the end user to the chat. If multiple technicians have initiated a chat on this device, only the primary (first) technician will be able to invite the end user to the chat. The primary technician will be dynamically assigned to a new technician if the original primary technician leaves the chat.
NOTE Chatting with an end user can only be initiated by a technician. This action will be logged in the Activity Log. Refer to Activity Log.
NOTE If you are not assigned as the primary technician, the Chat Invite button will be disabled, and hovering over the button will display a message indicating that only the primary technician can invite the end user to the chat.
- Observe the message indicating that the end user is being prompted to join the chat.
- The end user will be prompted to approve or reject the invitation, and if approved, the chat will open in their default browser. The end user will then be able to view the chat history.
- After the end user accepts the invitation, a message will indicate that they are joining the chat. Once connected, the Chat Invite button will disappear, and you can begin chatting with the end user. Refer to Chat with an end user.
If the end user rejects the invitation or is unable to connect, a message will indicate that the end user has declined the invitation or is unable to connect to the chat, and the Chat Invite button will become available again.
NOTE If the Show Connection Time toggle is turned on in the Preferences menu, you will see the amount of time it took to connect to the remote device. Refer to Preferences in View information about and perform actions on the connected device.
NOTE Technicians can view the chat history for offline devices, or for devices that are online but with no user currently logged into the device. Refer to View chat history.
NOTE Any technician with access to the device can view the entire chat history.
NOTE There is no limit on the amount of technicians that can initiate a chat on the same device.
NOTE If a device is deleted from Datto RMM, the Web Remote chat history for that device will be permanently deleted.
NOTE To initiate a Web Remote session at any time independently of the chat, click Control Screen. Refer to Initiate a Web Remote session.
Messages
Chat messages have a limit of 2048 characters and cannot be empty. The following is supported:
- Unicode characters
- Line breaks (Shift+Enter)
- Inserting emojis using copy/paste
- URLs (will be converted to a hyperlink when sent)
NOTE Web Remote chat for browsers configured to use German, Spanish, Italian, or French are supported for end users only.
The chat window will automatically scroll to the latest message when a new message arrives. If you have scrolled away as new messages are arriving, a new message indicator is shown. Click the indicator to scroll to the bottom and view the new messages.
Status indicators
The participants counter at the top of the chat shows the total number of participants, including the end user. This number reflects the participants active in the current Web Remote chat session (not throughout the entire chat history).
Visual indicators for chat participants will appear as a green circle when participants are online, and a transparent circle when offline or reconnecting.
If participants are idle for 30 minutes, the connection will be closed, and a message will be displayed indicating that the session has been disconnected. In addition, if a connection is closed, the message text box will no longer be available.
To export a chat, select one of the following options from the drop-down menu, then click Export:
- Today: from last midnight (relative to current timezone) until the most recent message.
- Last week: from midnight 7 days ago until the most recent message.
- Last month: from midnight 30 days ago until the most recent message.
- All: from the first message until the most recent message (entire history).
NOTE Each option is only selectable if there are messages available within the specified timeframe.
The chat history will be downloaded to your device in TXT format.
NOTE The Export button will only appear once you have selected an option from the Export drop-down menu.
Technicians can view the chat history for offline devices, or for devices that are online but with no user currently logged into the device.
- On the Choose Session screen, select View Chat History next to the user you wish to view the chat history for.
NOTE The number of chat history records is limited to 50.
Requirements
Permissions
You must have PowerShell permissions enabled in Remote control tools to view and access this feature.
Supported operating systems
A Web Remote PowerShell session can be initiated for remote devices with the following operating systems only:
- Windows 10 version 1809 and above
- Windows Server 2019 and above
Session type
The PowerShell action is available only for Windows Console sessions (running as SYSTEM
).
PowerShell version
The PowerShell session will run the version of PowerShell installed via C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
. Even if installed, pwsh
will not be run.
To retrieve the PowerShell version information, run the command get-host
.
Overview
A Web Remote PowerShell session, which does not require screen control, allows technicians to privately solve remote device issues from the command line and view output in real time. The technician's browser communicates with the terminal via WebRTC. This feature includes support for special commands and escape sequences (for example: tab completion, CTRL+C, CTRL+V, and so forth).
NOTE While the Web Remote PowerShell window is open, copy and paste commands interact only with the clipboard of the device conducting the session and not the clipboard of the remote device. This prevents clipboard content that is private to the end user or unrelated to the PowerShell session from being inadvertently copied or pasted by the technician/Datto RMM user.
NOTE In PowerShell sessions initiated from Web Remote, you may be able to see stored commands from previous Web Remote sessions on the same device. This is considered expected behavior.
Web Remote shell actions are recorded in the Activity Log. Refer to Activity Log.
One of the following visual indicators, along with a session status description, will be continuously displayed in the header of the PowerShell interface:
- A green dot indicates the session is connected.
- A yellow dot indicates the session is in the process of connecting or awaiting acceptance. Refer to Step 4 in the following instructions.
- A red dot indicates any other status.
Initiate a Web Remote PowerShell session as follows:
- Follow any of the navigation paths described in Security and navigation.
- Observe that a new browser tab opens and the Connecting screen displays.
- Once connected to the device, select PowerShell for the user session you wish to connect to.
A padlock icon will be displayed next to the end user if they have locked their screen. The ability to initiate a PowerShell session will remain available. - Web Remote will attempt to launch the PowerShell session.
If Privacy Mode is enabled, the end user must respond to the connection request within 30 seconds for the session to connect.
If the end user declines the connection request or does not respond within 30 seconds, if the screen of the remote device is locked (preventing visibility of the request), or if another Privacy Mode-related error occurs, the session will not connect.
Refer to Privacy Mode considerations. - Upon successful connection, the session status will change to Connected. A full-page PowerShell terminal component will become available, allowing you to execute PowerShell commands for the remote device.
NOTE If the Show Connection Time toggle is turned on in the Preferences menu, you will see the amount of time it took to connect to the remote device. Refer to Preferences in View information about and perform actions on the connected device.
If the PowerShell session connection is interrupted, the session status will change to Reconnecting.... If the connection cannot be re-established within 30 seconds, the session will be disconnected.
If the reconnection attempt is successful, the PowerShell session will be restored with output history preserved. If Privacy Mode is enabled, end user permission will not be required again to continue the session.
The PowerShell session will be automatically disconnected if the browser tab in which the session is initiated is not visited for 30 minutes or more. The session will otherwise remain connected, assuming no network disruption, even if no interaction occurs within the terminal.
Upon disconnection, the session status will change to Disconnected due to user inactivity and the cursor will change in appearance.
To start a new PowerShell session following disconnection due to inactivity, simply refresh the page.
To close the connection to a device, close the device's browser tab. The connection to the remote device will be terminated.
NOTE The connection is automatically terminated after 30 minutes if there is no activity detected in the device's browser tab. Warning notifications are displayed after 10, 20, and 29 minutes if there is no activity detected.