MeshCentral2 - Design Document, TPM support, Speed & IoT

This holiday break was no break for MeshCentral as it continued to progress. Big thanks to the people that post issues on GitHub. Because of the community, MeshCentral is getting a lot better and issues that would be difficult to find are being fixed. Over the past month a lot of things have changed and here is a small rundown of some of them:
  • Published the first version of the Design and Architecture document. This new document comes on top of the existing Install Guide and User’s Guide documents. It covers the internal workings of MeshCentral including the programming languages used, the dependencies, certificate generation, connection authentication, security and much more. The goal here is for anyone to be able to get a good grasp of how MeshCentral2 was designed, the trade-offs and how the security works. This is the first published version. Obviously, this document will grow in size as time permits. One possible use of this document is so that anyone can conduct a security review of MeshCentral.
  • Windows Mesh Agent now supports TPM modules for extra security. Each mesh agent connecting to the server uses a self-generated certificate to uniquely authenticate to the server. The hash of the public key of the agent certificate becomes the device identifier, and this is not an identifier that can be easily spoofed by other agents on the network. In order to improve security and harden the agent certificate, the Windows Mesh Agent will now automatically detect that a TPM module is present on the platform and make use of it by generating its certificate using the TPM-backed cryptographic provider. This means that the device identifier on the server is now backed by hardware on the agent, when available. Also, if you delete the “meshagent.db” file and start the agent again, it will come back to the server with the same device identifier, which is pretty cool.
  • Mesh Agent setup and start speed improvement. On smaller, less capable IoT devices the mesh agent was very slow to start, especially the first time you ran it. This is because the agent was generating no less than 5 certificates the first time it ran and 2 certificates each time after that. This was very inefficient, caused CPU and power waste and made for very slow starts. The new agent on Linux/OSX as of 2 weeks ago only generates 1 certificate on first run and no certificates after that, making it super-fast. On Windows, the agent will generate 2 certificates on first run (with one possibly in the TPM) and no certificates on subsequent runs.
  • Improved MeshCentral IoT testing. As the picture below shows, the MeshCentral lab has gotten a bunch of small IoT devices permanently connected for ongoing testing. The 4 devices (2 Raspberry Pi, 1 Tinker Board, 1 LattePanda) are used to run both the MeshAgent and the MeshCentral server. It’s pretty amazing that the entire server can run on such small devices and manage quite a large network of computers. As time goes on, more will likely be added to the test bench.
These are just a few of the changes; you can see the list of MeshCentral commits on GitHub here. Many thanks to Bryan Roe who tirelessly keeps improving the MeshAgent. Many of these new features have not made it into the server yet, so there is a backlog of fun things to come.

Enjoy!
Ylian
MeshCentral2: http://www.meshcommander.com/meshcentral2
Twitter: https://twitter.com/meshcentral



Published the new MeshCentral2 Design & Architecture Guide
http://info.meshcentral.com/downloads/MeshCentral2/MeshCentral2DesignArchitecture.pdf



The MeshCentral2 agent on Windows now supports TPM modules for improved security.
It will automatically use the Windows TPM cryptographic provider when available.



There is a set of small computers being used for MeshCentral2 testing.
These computers run both the agent and the entire server.
