Administration
Admin sign-in, tenants, and enrollment keys
How access works, how tenants are created, and how the two kinds of enrollment keys behave.
Sign in
SnitchOS is Microsoft Entra ID SSO only — the dashboard does not accept local passwords. Sign in at app.snitchos.com/login with your Microsoft 365 account. Admin accounts are provisioned first (by SnitchOS or an existing administrator); the same email must match your Microsoft account.
Two seat types exist: admins see every tenant; managers see only the tenants they're granted. Sign-in metadata (name, object ID, IP, user agent) is captured to the audit log on every login.
Create a tenant
- Sign in → top nav → Tenants.
- Fill in name + slug, click Create tenant.
Every row of endpoint data, every object-store key, and every API call is scoped to the tenant — isolation is enforced at the database and storage layers.
Enrollment keys
Keys are what agents present at install time. There are two workflows:
Fleet keys for RMM deployment
- The first RMM-installer download creates a reusable fleet key and places it in the per-tenant wrapper.
- Normal downloads reuse the current key so existing RMM jobs keep working.
- Use Rotate & download, or revoke the key, when you need to invalidate an older wrapper.
One-off keys (bench machines, demos, manual installs)
- Tenant overview → Enrollment keys → label it (e.g.
bench-machine), setmax uses = 1and a short expiry, click Mint key. - The plaintext is shown once. Treat it like a password — never paste keys into ticket bodies, chat, or scripts you commit.
Revoking
Revoke a key from the key list at any time. Already-enrolled agents are unaffected because they use a device token after enrollment. Rotate or revoke the fleet key after suspected exposure or an administrator departure.
White-label branding
Per-tenant display name, logo, and accent color can be set under Tenant → Branding, so client-side viewers see their MSP's brand on reports and the dashboard.
Admin offboarding
Deactivate the admin account from the dashboard when someone leaves. Deactivation blocks new sign-ins immediately; the audit log records who did it and when.