What gets installed
The install scripts, share links, and platform zips on the deploy page all deploy the NexusRMM Go agent — the current, shipping agent for every supported platform.There is no separate .NET agent. Older in-product copy referred to a “new .NET agent (v1.1+)” with cross-platform auto-update; that agent does not exist. The Go agent in
nexusrmm-agent is the only agent NexusOS ships today. If you see install guides or runbooks pointing at a .NET build or per-platform v1.1 zips, treat them as out of date.Supported platforms and feature matrix
The agent runs on Windows, macOS, and Linux, but a few capabilities are Windows-only today. Confirm the column you need before rolling the agent out to a fleet.| Capability | Windows | macOS | Linux |
|---|---|---|---|
| Agent install / enrollment | ✅ | ✅ | ✅ |
| Heartbeat, inventory, scripts, patching | ✅ | ✅ | ✅ |
| Remote desktop (JPEG path) | ✅ | ✅ | ✅ |
| Auditable session recording | ✅ | ⛔ Stub | ⛔ Stub |
| Field auto-update | ✅ | ⛔ | ⛔ |
- Remote desktop uses the cross-platform JPEG capture path, so live remote control works the same way on every OS.
- Auditable session recording is implemented only on Windows. The macOS and Linux recorder capture paths are stubs — starting a recording on those platforms will not produce a reviewable artifact.
- Field auto-update (
agent.update) is Windows-only. On macOS and Linux the command returnsagent.update only supported on Windows. To pick up a new agent build on those platforms, re-run the installer (see Updating macOS and Linux endpoints).
Deploy a new endpoint
Prerequisites:- A NexusOS operator account with access to RMM Agents → Deploy Agent.
- The client company exists in CRM (each company gets a stable enrollment token automatically).
- Administrator /
sudoaccess on the target endpoint.
Open the deploy page
In NexusOS, go to RMM Agents → Deploy Agent. Each company in CRM is listed with its reusable enrollment token.
Reveal the enrollment token
Click the eye icon next to the target company to reveal the token. Install commands are gated behind this reveal because they embed the token.
Pick the target OS
Switch between Windows, macOS, and Linux tabs. Each tab exposes three equivalent install paths:
- Download installer — a pre-baked installer with the server URL, company, and token already set.
- Share the agent link — a URL you can send to the end user; opening it serves the same installer.
- Use the install command — a one-liner you run in an elevated PowerShell (Windows) or
sudo-capable terminal (macOS / Linux).
Run the installer on the endpoint
Run the installer or one-liner on the endpoint as administrator. The installer generates a unique RSA-2048 keypair locally, submits a CSR with the enrollment token, and the server signs the certificate and auto-assigns the agent to the company. The agent then connects over mTLS on port
8443.Updating macOS and Linux endpoints
Becauseagent.update is Windows-only, the in-product “update agent” action is a no-op on macOS and Linux. To roll a new agent build to those endpoints, re-deploy from the same page:
Re-run the installer or one-liner
Use the same install command or installer for the platform. The installer is idempotent — re-running it on an already-enrolled endpoint updates the binary in place and keeps the existing certificate and identity.
macOS / Linux
Verifying a release before you deploy
The Download Agent card on the deploy page lists the current release for each platform with its SHA-256. The installer and the Windows field auto-update both verify downloads against this hash. If you are scripting deployment outside the UI, copy the hash from the Copy hash button and pin to it.Enrollment and configuration at a glance
Enrollment is zero-trust and certificate-based:- The installer generates a unique RSA-2048 keypair on the endpoint. The private key never leaves the device.
- A Certificate Signing Request (CSR) is sent to the server with the company enrollment token.
- The server validates the token, signs the CSR with the NexusOS CA, and auto-assigns the agent to the company.
- The agent connects via mutual TLS (mTLS) on port
8443. Each agent has its own certificate so it can be revoked individually.
| Setting | Value |
|---|---|
| RMM server (mTLS) | <your-server>:8443 |
| Enrollment API | <your-server>/api/rmm/enroll |
| Heartbeat interval | 30s (servers) / 60s (workstations) |
| Certificate validity | 1 year, auto-renewed on heartbeat |
