Obliance — Self-hosted RMM · Fleet management, remote access & compliance

Features

Full RMM, entirely under your control

From first contact to full remediation — manage, audit and secure your entire fleet without sending a single byte to a third-party SaaS.

Fleet management

Device approval workflow, hierarchical groups, per-device settings, hardware inventory with BitLocker key recovery and installed software list. Approve, suspend or uninstall from one screen.

Remote desktop via Oblireach

Native H.264 screen streaming with mouse and keyboard relay — directly in the browser, no plugin needed. Cross-session capable: connect even when no user is logged in.

Compliance policies

10 built-in presets covering CIS, NIST 800-171, ISO 27001, PCI DSS v4, HIPAA, SOC 2 and more. Run checks on demand or on schedule, export audit reports per device or group.

Hardware inventory

Full system snapshot per device: CPU, RAM, disks, GPU, network interfaces, OS version, installed software list, Windows Update status and BitLocker volume key recovery.

Script scheduling & library

Maintain a centralized script library. Schedule PowerShell, Bash or Python scripts to run on a device or across a group — with captured output, error reporting and audit trail.

Patch management

Deploy OS updates via Windows Update and applications via winget or Chocolatey. Define update policies per group with approval, staging windows and rollback support.

Privacy mode

Agent-side lock that blocks all remote commands from the server. Toggled by the user from the system tray or locked with file permissions — the agent refuses execution regardless of server-side instructions.

SSO via Obligate

Integrate with Obligate for single sign-on across the obli.tools ecosystem. OAuth authorization code flow, automatic user provisioning and multi-tenant RBAC with teams, scopes and permission levels.

Privacy mode — agent-enforced

When privacy mode is enabled on a device, the agent stops the Oblireach service and blocks every sensitive command locally — no matter what the server sends. The lock can be made permanent by the end user (attrib +R privacy.json), preventing even remote disable. The system tray icon reflects the locked state.

open_remote_tunnel run_script list_processes kill_process list_wts_sessions

Compliance

10 built-in compliance presets

Run compliance audits against industry-standard frameworks without writing a single rule from scratch. Each preset bundles dozens of checks targeting configuration, patching, encryption and access control.

Checks run per device or across a full group. Export HTML or JSON audit reports for your customers or your own compliance team. Customize any preset or create new policies from scratch.

Per-device checks Group-wide audits Scheduled runs Export reports Custom policies

CIS Windows L1

CIS Benchmark Level 1

Windows Baseline

Microsoft Security Baseline

NIST 800-171

NIST SP 800-171 r2

ISO 27001

ISO/IEC 27001:2022

PCI DSS v4

Payment Card Industry v4

HIPAA

HIPAA Security Rule

SOC 2

SOC 2 Type II criteria

Linux Baseline

Linux Security Baseline

macOS Baseline

macOS Security Baseline

Windows Performance

High performance profile

Obliance — Compliance audit · NIST 800-171

Obliance compliance audit — security baselines with scores

Oblireach

Native remote desktop in the browser

Oblireach streams the remote screen directly to the browser using H.264 over WebSocket, decoded with the WebCodecs API — no VNC, no RDP gateway, no plugin.

The agent captures the desktop via DXGI Desktop Duplication (Windows), encodes each frame with the native WMF H.264 hardware encoder and streams the result to the Obliance relay server. Mouse events and keyboard input travel the reverse path. The session works cross-session: the agent service runs in session 0 and spawns a helper process in the active user session.

H.264 / WebCodecs DXGI capture WMF encoder WebSocket relay Mouse & keyboard Cross-session Windows · macOS · Linux

Remote session

Automation

Scripts, schedules & execution history

Build a library of PowerShell, Bash or Python scripts. Schedule them across your fleet or run them on-demand — every execution is logged with output and status.

Script library · categories

Script library with Checks, Maintenance and Security categories

Create schedule

Schedule creation — script, target, recurrence

Run on agents

Execution history

Device management

Full visibility into every endpoint

Hardware inventory, live metrics, file explorer, running processes, services, installed updates and scheduled tasks — all from the browser.

Device overview · live metrics

Device overview with live CPU, RAM, disk metrics

Hardware inventory

File explorer

Services

Processes

Installed updates

Scheduled tasks

Workspaces

Stack

Built to self-host

Server and client ship as Docker images. The agent is a single Go binary with no runtime dependency — MSI installer on Windows, plain binary on Linux and macOS. Everything runs on your hardware.

Node.js / Express

TypeScript

React + Vite

PostgreSQL 16

Go agent

Docker

Socket.io

WiX MSI installer

Deploy Obliance — docker compose

$ curl -o docker-compose.yml \
https://raw.githubusercontent.com/MeeJay/Obliance/master/docker-compose.yml

$ docker compose up -d

✓ obliance-server started on :3000

✓ obliance-client started on :80

✓ postgres:16 ready

# Then download the agent for each machine

$ msiexec /i OblianceAgent.msi
SERVER_URL=https://rmm.example.com
API_KEY=<your-api-key>

Agents available for Windows (MSI), Linux and macOS

Part of the obli.tools ecosystem

Obliance integrates natively with Obliview and Obliguard. The agent shares its telemetry with Obliview monitors so you get uptime and metrics in one place. Security events from Obliguard can trigger RMM remediation scripts automatically — quarantine a machine, push a firewall rule or restart a service without human intervention.

Obliview Obliguard Oblimap obli.tools →