Quick-support & remote sessions

Two related, lightweight ways to reach a customer's machine without deploying a full RMM agent.

Mitch Wigham

Updated 24 June 2026 · 7 views

17 · Quick-support & remote sessions

Two related, lightweight ways to reach a customer's machine without deploying a full RMM agent.

Quick-support — the customer pastes a public URL into their browser and downloads a one-off OS-specific installer that opens a short-lived session.
Remote sessions — the live list of sessions (both quick-support and full-agent), with Connect buttons.

Where to find it

Quick-support: Sidebar → Quick-Support or /quick-support. Also surfaced as a tab inside RMM.
Remote sessions: Sidebar → Remote Sessions or /remote-sessions. Also a tab inside RMM.

Both require the rmm feature.

Quick-support

The Quick-support tab shows Waiting / Active / Ended KPI counts and a session queue. + New session opens a small form (optional customer name + note) and generates a session with a public URL of the form <portal-origin>/support/connect/<token>.

+------------------------------------------------+
| Quick-support           [+ New session]        |
|------------------------------------------------|
| Waiting 1    Active 0    Ended 4               |
|------------------------------------------------|
| Customer   Device          OS       Status     |
| Acme Ltd   not connected   —        WAITING    |
| Beta Co    BETA-WS-02      WINDOWS  ENDED      |
+------------------------------------------------+

📷 Screenshot placeholder: screenshots/quick-support.png

How it works

The technician opens Quick-support → + New session and copies the generated …/support/connect/<token> URL.
The customer opens the URL in a browser. The connect page detects their OS (with Windows / macOS / Linux buttons to override) and offers a per-OS download.
Download mints a fresh one-shot installer token for the session and serves the matching install script (kwgroup-quicksupport.exe, .dmg or .sh). The customer runs it and the device registers against the session.
The session shows up in Remote sessions with a Connect button once a remote session is started against it.

The connect page also has a one-way note box so the customer can describe the issue, and polls session status every 5 seconds.

When to use vs. full RMM agent

Quick-support	RMM agent
One-off, ad-hoc	Persistent monitoring
One-shot install script per session	Installs as a service
Tied to one support session	Always-on
Customer runs the download	Tech hands over the install command

The public page

The connect page picks up the platform's brand colours via CSS variables, but its copy ("KW Group remote support — a technician will assist you shortly") is fixed; there is no Studio editor for it.

Per-OS installer flow

The quick-support download is the same kind of script installer the RMM agent uses — a one-shot install command bound to the session token, not a pre-built signed binary:

Windows — kwgroup-quicksupport.exe (the served file is a PowerShell-style install script). Run elevated for full access.
macOS — kwgroup-quicksupport.dmg (a bash install script). Run with sudo.
Linux — kwgroup-quicksupport.sh. Run with sudo bash.

Remote sessions

+----------+----------------------------------------------+
| Filters  | Active sessions                               |
| Active   |---------------------------------------------|
| Recent   | LON-DC-01     persistent  Mitch  ▶ Connect  |
|          | qs-8c2af1     quick       —      ▶ Connect  |
|          |---------------------------------------------|
|          | Past 24h                                      |
|          | LON-WS-04     persistent  Emma   3h ago      |
+----------+----------------------------------------------+

📷 Screenshot placeholder: screenshots/remote-sessions.png

Connect

For a device, opening Remote Connection launches the locked popup window described in RMM — a header reading "Remote · " and Screen / SSH / Commands / Files tabs. The window blocks soft-navigation.

You can also start a session from the Start session launcher on the Remote sessions tab: pick a device, a type (Attended / Unattended), a protocol (Web / RDP / VNC / SSH) and an optional reason, with an Enable session recording checkbox.

Screen & shell

There is no separate "Take control" toggle. The Screen tab is a noVNC viewer (the agent must have a local VNC server); the SSH tab is a live PTY shell for Linux/macOS. See the RMM Remote Connection section for the full bridge behaviour.

Quick-support / persistent-agent consent prompts and a screen view-only mode are not implemented in the current build.

File transfer

The viewer's Files tab currently points the operator at running file-transfer commands through the Commands tab; native drag-and-drop transfer is not yet wired up.

Recording

A session row carries a recordingEnabled flag and the data model supports recording chunks + a manifest, but the relay-service itself only pipes the WebSocket stream — it does not capture recordings. There is no fixed 30-day retention in the current build.

Ending a session

The viewer's ✕ End session closes the window.
A session can also be ended via the API; the relay closes a paired session when either side disconnects.
The relay enforces a maximum paired-session lifetime (default 1 hour, RELAY_SESSION_TTL_SEC) and closes an unpaired side after the pair timeout (default 60s, RELAY_PAIR_TIMEOUT_SEC).

Relay service

All screen-share and shell traffic flows through the relay-service, a separate Docker container so the heavy WebSocket binary traffic doesn't impact the portal API. It defaults to wss://relay.portal.kwgroup.org.uk (override with RELAY_PUBLIC_URL).

The relay pairs an agent side and a tech side by a shared session id, both holding HMAC tokens minted by rmm-service (signed with the shared RELAY_SECRET). Tokens are role-scoped and short-lived (10-minute lifetime). It's a single-instance in-memory pairing map — multi-node would need Redis pub/sub.

CNAME relay.portal.kwgroup.org.uk should resolve to the same address as portal.kwgroup.org.uk; Traefik routes by hostname.

→ Setup: Domain runbook, relay section.

Common workflows

Ad-hoc help for a non-managed customer

Open Quick-support.
Click Copy URL or Show QR for phone-screen scan.
Send to customer. They run the installer.
Connect when they appear in Remote sessions.
Help them, end session — installer self-removes.

Customer escalation that needs persistent access

Help them via quick-support first to triage.
To make access persistent, generate a normal RMM installer under Admin → Agent installers and have the customer run it — that installs the agent as a service.
Future work goes through the persistent agent's device page.

Debug the relay

Inspect the relay container's logs on the host.
The relay exposes /health (includes the active pair count) and /stats (per-session agent/tech presence).

Permissions

Quick-support and remote-session endpoints require an authenticated session; the public connect-page endpoints are token-based and need no login. The RMM service does not gate these actions by role.