Feature Matrix
A scannable overview of every NetLock RMM feature area and its platform support, with links to the chapter that documents each in full.
This appendix is a single-page index of what NetLock RMM does. It groups every feature into Console, server, and agent areas, records platform support where it varies, and links to the chapter that documents the feature in full. Use it to answer "does the product do X, and where do I read about it?" — not as a configuration reference. For mechanics, follow the cross-links.
Three conventions apply throughout:
- Yes / No in a platform column means the feature is or is not available on that operating system.
- A dash (—) means the feature does not apply to that platform.
- Where a column names a tool or shell instead of Yes (for example PowerShell), that is the platform-specific implementation.
Note: This matrix summarises shipped behaviour. When a feature area carries deployment-specific or licensing-specific limits, the linked chapter is authoritative.
X.7.1 Console features
The web Console is the single operator surface. The features below are available regardless of agent platform; they are properties of the Console itself.
| Feature | Summary | Documented in |
|---|---|---|
| Multi-tenancy | Tenant, location, and group hierarchy for organising devices. | Chapter 4 |
| Users and roles | Per-user, permission-gated access; tenant-scoped visibility. | Chapter 14 |
| Two-factor authentication | Time-based one-time password (TOTP) on operator accounts. | Chapter 14 |
| Single sign-on | OpenID Connect with Azure AD, Google, Keycloak, Okta, or Auth0; one provider active at a time. | A.4 |
| IP whitelist | Restricts Console access to named networks. | A.4 |
| Dashboard and Panel Builder | Per-user dashboards with chart and table panels driven by a visual or raw SQL query builder. | Chapter 2 |
| Setup Wizard | First-run guided setup shown on the Dashboard. | Chapter 2 |
| Events browser | Operational event stream, filterable by severity, type, scope, device, and time. | Chapter 12 |
| Audit log | Immutable record of administrative actions in the Console. | Chapter 12 |
| Notifications | Email, Microsoft Teams, Telegram, ntfy.sh, and webhook channels. | A.8 |
| Reports | Pre-built and custom reports, brand templates, and scheduled delivery. | Chapter 11 |
| Custom fields | Operator-defined device-detail tabs, sections, and fields. | Chapter 8.4 |
| File Server | Stores files for distribution; files can be referenced from scripts. | Chapter 9.1 |
| AI Chat and assistants | Optional LLM features for chat and per-feature assistance. | Chapter 13, A.11 |
| Ticket System | Optional helpdesk: departments, SLAs, time tracking, templates. | Chapter 10 |
| Device World Map | Plots managed devices by IP geolocation. | Chapter 3 |
| Maintenance mode | Manual and scheduled windows that suppress outbound notifications. | A.2 |
| Database management | Per-table retention, cleanup, and an optional SQL console. | A.3 |
| Localization | Language, timezone, and date-format settings. | A.5 |
| Custom Installer and Agent Download | Generates command-line configs and one-click installers for Windows, Linux, and macOS. | Chapter 3 |
| Whitelabeling | Branding of logos, colours, login page, and Console chrome. | A.6 |
| Community catalogues | Shared Scripts, Reports, and Themes through the Members Portal. | Chapter 15 |
Optional module: The Ticket System applies only when it is enabled in Settings → Ticket System. See Chapter 10.
The AI features are optional and require an LLM provider to be configured (see A.11). Two kinds exist: the general-purpose AI Chat page, and targeted per-feature assistants. The targeted integrations are the AI Assistant in the Scripts editor (which writes directly into a script), the AI Assistant on the Automations dialogs, the AI SQL Assistant in the Widget Editor, and the Analyze with AI action on event and audit details (which opens AI Chat with the entry pre-filled). See Chapter 13.
Whitelabeling options
Whitelabeling is broad enough to list separately. Each option below is configured under Settings → Whitelabeling and documented in A.6.
| Option | Summary |
|---|---|
| Console title and logo | Custom title text and a custom logo image. |
| Login page layout | Centred-card or side-panel layout with toggles for logo, glow, and fun facts. |
| Login page background | Custom background image or video. |
| Welcome text and footer links | Custom greeting and custom footer links on the login page. |
| AppBar and navigation | Per-icon AppBar visibility and a collapsed-drawer mode. |
| Visual effects | Optional seasonal overlays and particle backgrounds. |
| Colour palette | A full light-mode and dark-mode colour palette with live preview. |
| Iframe embedding | Allows or blocks embedding the Console in third-party applications. |
| Theme import, export, and community themes | JSON theme exchange and a community theme gallery. |
X.7.2 Server features
The server is the central service the Console reads from and agents report to. Self-hosted operators run it themselves; cloud operators do not.
| Feature | Summary | Documented in |
|---|---|---|
| Role-based deployment | The backend can be split into separate server roles. | A.1 |
| Agent handshake | Only agents issued by your own deployment can communicate with your backend. | A.1 |
Self-hosted only: Server architecture and role splitting apply to self-hosted deployments. Cloud deployments delegate server operation to the hosted operations team.
X.7.3 Device management and remote access
These features act on managed devices through the agent. Platform columns record where each is available.
| Feature | Win | Linux | macOS |
|---|---|---|---|
| CPU, RAM, network, and drive inventory | Yes | Yes | Yes |
| Installed software inventory | Yes | Yes | Yes |
| Service overview | Yes | Yes | Yes |
| Logon, Task Scheduler, and driver overview | Yes | — | — |
| Remote Task Manager | Yes | Yes | Yes |
| Remote Service Manager | Yes | Yes | Yes |
| Remote Shell | PowerShell | Bash | Zsh |
| Bulk Remote Shell | Yes | Yes | Yes |
| Remote File Browser | Yes | Yes | Yes |
| Remote Event Log Viewer | Yes | — | — |
| Remote Registry Editor | Yes | — | — |
| Remote Screen Control | Yes | Experimental | — |
| SNMP Tools | Yes | Yes | Yes |
| Uninstall application | Yes | Yes | Yes |
| Wake on LAN | Yes | Yes | Yes |
| Relay Server | Yes | Yes | Yes |
Remote Screen Control delivers H.264 video over the relay when available and falls back to JPEG frames over SignalR when it cannot. The product does not use VNC or RDP. Full detail, including session switching, recording, and unattended access, is in Chapter 3 and A.7. Linux support is experimental and depends on the device's display server (X11 or Wayland); its prerequisites, the desktop/display-server support matrix, and how unattended access works on Wayland are covered in X.8.5.
The Relay Server provides end-to-end-encrypted TCP tunnels and jump-host access for network devices without an agent. See Chapter 9.
X.7.4 Security and control
| Feature | Win | Linux | macOS | Notes |
|---|---|---|---|---|
| Microsoft Defender management | Yes | No | No | Scan jobs, exclusions, and notifications. |
| Firewall status | Yes | Yes | Yes | Read-only inventory of firewall state. |
| Firewall configuration | Yes | Yes | No | Windows uses Defender Firewall; Linux uses UFW. |
| Application Control | Yes | No | No | Allowlist rulesets matched by path, metadata, hash, or signing certificate. |
| USB Device Control | Yes | No | No | Allowlist with device, tenant, location, group, and global scope. |
Antivirus management covers Microsoft Defender only; third-party antivirus products are not managed. Application Control and Device Control are library features under Collections — see Chapter 8.6 and Chapter 8.7. A ruleset or whitelist reaches devices only through a policy; see Chapter 6.
X.7.5 Software and patching
| Feature | Win | Linux | macOS | Notes |
|---|---|---|---|---|
| App Hub catalogue | Winget, Chocolatey, Script | Flathub, Script | Script | Catalogue only; not an execution engine. |
| Software Deployment | Yes | Yes | Yes | Four-step wizard with retry and per-device attempt tracking. |
| Patch Management | Yes | Yes | Yes | Windows: OS, Winget, Chocolatey. Linux: Apt, Dnf, Yum. macOS: native. Docker: image updates. |
The App Hub is a catalogue you pick from; installation runs through Software Deployment. See Chapter 8.5 and Chapter 8.8.
Patch Management is split across two surfaces. The /patch-management page is a global approval queue with a vulnerability view and SLA tracking; per-policy rollout rules — schedule, deployment rings, reboot, retry, notifications — live inside the policy editor. See Chapter 7 for the page and Chapter 6 for per-policy rollout.
X.7.6 Automation and monitoring
| Feature | Win | Linux | macOS | Notes |
|---|---|---|---|---|
| Policies | Yes | Yes | Yes | One policy per device; agent behaviour, security, patching, App Hub. |
| Automations | Yes | Yes | Yes | Routes one policy to devices by a device-attribute condition. |
| Jobs | Yes | Yes | Yes | Scheduled script execution with twelve schedule types. |
| Sensors | Yes | Yes | Yes | Utilization, event log, script, service, ping, and SNMP sensors. |
| Device uptime monitoring | Yes | Yes | Yes | Connection and disconnection alerts per device. |
| Website uptime monitoring | Yes | Yes | Yes | HTTP status, SSL expiry, response time, DNS, content checks. |
| Port Scanner | Yes | Yes | Yes | TCP scans of operator-defined targets with banner grabbing. |
An automation is a condition → policy rule, not a workflow engine: there are no event triggers, no schedules, and no actions other than assigning one policy. Automations are evaluated in a fixed condition-type order — Device Name, then Internal IP, External IP, Domain, Group, Location, and Tenant — and the first matching condition type assigns its policy. Automations cannot run scripts, send notifications, or compose Sensors and Jobs. See Chapter 5 for the resolution model and Chapter 6 for what a policy contains.
Note: A device is assigned at most one policy at a time. Policies do not attach to tenants, locations, groups, or devices directly — attachment is routed exclusively through Automations.
Sensors not only alert but can run an action script on a threshold breach. Sensor and Job mechanics live in Chapter 8.2 and Chapter 8.3. Website uptime monitoring and the Port Scanner are documented in Chapter 9.
Tray icon
The agent exposes an optional tray application to end users on all three platforms. Its branding, button set, and App Hub window labels are configured per policy.
| Feature | Win | Linux | macOS |
|---|---|---|---|
| User tray icon | Yes | Yes | Yes |
| Custom tray branding | Yes | Yes | Yes |
See Chapter 6 for tray-icon policy settings.
X.7.7 Platform support
The supported operating systems and architectures — together with additional community-confirmed platforms and the Linux prerequisites for Remote Screen Control under X11 and Wayland — are documented on their own page: Platform Support.
Related chapters
- Chapter 3 — Devices — device inventory and remote access.
- Chapter 5 — Automations — policy routing.
- Chapter 6 — Policies — what a policy configures.
- Chapter 7 — Patch Management — the approval queue.
- Chapter 8 — Collections — the reusable libraries.
- Chapter 9 — File Server & Monitoring — relay, uptime, port scanning.
- X.5 — Integration endpoints — external systems the product talks to.
- X.8 — Platform Support — supported operating systems and Linux Remote Screen Control prerequisites.
Changelog pointer
Where to find release notes: the in-app Changelog dialog and the official NetLock website.