SECURITY

Security & Compliance

MFA, RBAC, and a full audit log of every action in the platform. Built for MSPs who answer to compliance audits and need to prove it.

An RMM platform has privileged access to every endpoint it manages. That means the security posture of your MaxRMM account directly affects every client you manage. MaxRMM is built with that responsibility in mind — access controls are not an afterthought, they're a core part of the platform.

Every technician account supports TOTP-based MFA. Role-based access control lets you define exactly what each person can see and do: owners have full access, admins manage the platform, technicians work tickets and manage agents, and read-only accounts can view without changing anything. API keys are scoped to specific permissions, so integrations only have access to what they need.

Every action in MaxRMM is logged — every script run, every patch approved, every login, every configuration change. The audit log is searchable and exportable. When a compliance audit asks what changed and who changed it, you have the answer ready. Session management lets you force logout any active session and configure idle timeouts platform-wide.

What's included

MFA (TOTP) for All Technicians

Enforce time-based one-time password authentication for every account. Supports standard authenticator apps.

RBAC (Role-Based Access Control)

Four built-in roles: Owner, Admin, Technician, Read-Only. Each role has clearly defined permissions across every platform function.

Full Audit Log

Every action is logged — script runs, patch approvals, remote sessions, logins, configuration changes. Searchable and exportable.

API Key Management

Create API keys with scoped permissions. Integrations only get access to the endpoints they need — nothing more.

Session Management

View and force-terminate any active session. Configure idle timeouts platform-wide to reduce exposure from unattended sessions.

Agent Auth (Bearer Tokens)

Agents authenticate to the platform using rotating bearer tokens. Token rotation is handled automatically — no manual key management needed.

IP Allowlisting

Restrict platform access to specific IP addresses or ranges. Useful for MSPs who want to lock access to their office network or VPN.

How it works

1. Set roles

Assign each team member a role that matches their responsibilities. Technicians can manage agents, read-only accounts can view dashboards without making changes.

2. Enable MFA

Enforce MFA across your organization. New team members are required to set up their authenticator app before accessing the platform.

3. Every action is logged

From that point forward, every action — logins, script runs, patch approvals, remote sessions — is captured in the audit log with user, timestamp, and full context.
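The role matrix and audit record these steps describe, as an added Python illustration (not MaxRMM's own code). The permission names, the owner-only manage_roles permission, and the sample users, devices and IP addresses are assumptions; the point is that the decision and the audit entry are produced together, so denied attempts are on the record too.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json

# Assumed permission matrix for the four roles above: owner alone may change roles,
# admin manages the platform, technicians work agents/scripts/patches, read-only views.
ROLE_PERMISSIONS = {
    "owner": {"view", "manage_agents", "run_script", "approve_patch",
              "remote_session", "manage_platform", "manage_roles"},
    "admin": {"view", "manage_agents", "run_script", "approve_patch",
              "remote_session", "manage_platform"},
    "technician": {"view", "manage_agents", "run_script", "approve_patch",
                   "remote_session"},
    "read_only": {"view"},
}

@dataclass
class AuditEvent:
    """One audit record: who, what, on which device, from where, when, and outcome."""
    user: str
    role: str
    action: str
    device: str
    source_ip: str
    allowed: bool
    timestamp: str  # ISO 8601, UTC

class AuditLog:
    def __init__(self):
        self.events = []

    def record(self, event):
        self.events.append(event)

    def search(self, date=None, **filters):
        """Filter by calendar date (YYYY-MM-DD, UTC) and/or exact field values."""
        return [e for e in self.events
                if (date is None or e.timestamp.startswith(date))
                and all(getattr(e, k) == v for k, v in filters.items())]

    def export_json(self):
        return json.dumps([asdict(e) for e in self.events], indent=2)

def authorize(log, user, role, action, device, source_ip, now=None):
    """Decide from the role matrix and log the outcome, denials included; unknown roles fail closed."""
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    ts = (now or datetime.now(timezone.utc)).isoformat()
    log.record(AuditEvent(user, role, action, device, source_ip, allowed, ts))
    return allowed
```

A search such as `log.search(date="2024-05-01", action="run_script", device="ws-17")` answers the auditor's "who ran a script on this device on this date" question directly from the records.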

WHY MAXRMM IS DIFFERENT

Audit everything. Every script run, every patch approved, every login — searchable and exportable.

Compliance audits don't ask "do you have security controls?" — they ask "prove it." MaxRMM's audit log captures every privileged action in the platform with the user, timestamp, IP address, and full context. When an auditor asks who approved a patch, who ran a script on a HIPAA-covered machine, or who had remote access to a specific device on a specific date — you export the log and answer the question in seconds. No reconstructing from memory, no gaps in the record.

Secure your platform. Prove it to auditors.

MFA, RBAC, and a full audit log — built into every MaxRMM plan.