Meshtastic Managed Mode and Admin Channels

For deployed infrastructure nodes - community repeaters, fixed gateways - you want to prevent unauthorized configuration changes while still being able to administer the node remotely. Meshtastic provides two tools for this: Managed Mode and Admin Channels.

Managed Mode

When Managed Mode is enabled, the node blocks all client applications from writing configuration over any local interface - BLE, USB serial, and TCP alike (configuration can still be read). Once enabled, configuration can only be changed through PKC Remote Admin (firmware 2.5+) or the legacy Admin channel (firmware prior to 2.5). This prevents anyone who walks up to the repeater and pairs their phone from changing the configuration.

Managed Mode is set via the security.is_managed boolean, not a device role - there is no "MANAGED" device role:

meshtastic --set security.is_managed true

Configure and test your admin access (admin channel or PKC remote admin key) before enabling security.is_managed. If you enable Managed Mode without working admin access, you lose the ability to reconfigure the node over BLE, USB serial, and TCP - the only recovery is a physical firmware erase / factory reset, which also wipes your keys and configuration.

With Managed Mode active:

  • Local config writes over BLE, USB serial, and TCP are all blocked (changes require Remote Admin or the admin channel)
  • Configuration can still be read over local interfaces
  • The node continues to route and relay normally

Admin Channel

The Admin Channel is an encrypted control channel that allows authorized administrators to configure any node in the mesh remotely - even nodes that are out of direct radio range (configuration packets are relayed through the mesh). On firmware 2.5 and newer, the preferred approach is PKC Remote Admin, which authorizes administrators by their public key rather than a shared channel PSK; the legacy shared-PSK admin channel remains for older firmware.

Setting Up an Admin Channel

  1. Create a channel with a random PSK and name it "admin" (or any name you choose)
  2. Designate that channel as the admin channel (the security admin-channel setting)
  3. Add this channel to all nodes you want to manage
  4. Only administrators should have the admin channel PSK

meshtastic --ch-set name "admin" --ch-index 1
meshtastic --ch-set psk random --ch-index 1
meshtastic --set security.admin_channel_enabled true

The legacy integer admin_channel_index field is deprecated; on current firmware the admin channel is enabled via the security.admin_channel_enabled boolean. On firmware 2.5+, prefer PKC Remote Admin (admin keys) over the shared-PSK admin channel where possible.

Remote Configuration via Admin Channel

Once an admin channel is configured, you can send configuration commands to remote nodes via the app's remote admin feature. The command is encrypted with the admin channel PSK (or, with PKC remote admin, the admin keypair), relayed through the mesh, and executed on the target node. The target node responds with its updated configuration.
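The warning above about testing admin access before enabling security.is_managed, combined with the remote path described here, can be turned into a guard script. This is an added example, not code from the Meshtastic project; the function names and the node id are hypothetical, and it assumes the CLI's --dest and --get options and that a successful remote read prints the requested key name.

```shell
#!/bin/sh
# Added example (not from the Meshtastic project): enable Managed Mode on a
# remote node only after a remote-admin read of that node has succeeded.
# Assumptions: the locally attached node already has working admin access
# (admin channel or PKC admin key) to the target, and a successful remote
# `--get lora.region` prints the key name "lora.region" in its output.

# remote_admin_works NODE_ID
# Returns 0 only if a config read relayed through the mesh comes back.
remote_admin_works() {
    out=$(meshtastic --dest "$1" --get lora.region 2>&1) || return 1
    printf '%s\n' "$out" | grep -q 'lora\.region'
}

# enable_managed_mode NODE_ID
# 1 = preflight or write failed, Managed Mode was not requested or not sent
# 2 = flag was sent but the follow-up remote read failed; investigate
enable_managed_mode() {
    target=$1
    if ! remote_admin_works "$target"; then
        echo "remote admin to $target failed; Managed Mode NOT enabled" >&2
        return 1
    fi
    # Send the change over the same remote path that was just proven to work.
    meshtastic --dest "$target" --set security.is_managed true || return 1
    if ! remote_admin_works "$target"; then
        echo "warning: $target stopped answering remote admin after the change" >&2
        return 2
    fi
    echo "Managed Mode enabled on $target; remote admin still answers"
}

# Usage: MANAGED_TARGET='!abcd1234' sh this-script.sh   (constructed node id)
if [ -n "${MANAGED_TARGET:-}" ]; then
    enable_managed_mode "$MANAGED_TARGET"
fi
```

Run it from the administrator's workstation, not from a node attached to the repeater itself, so the check exercises the mesh path you will depend on after local writes are blocked.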

Security Considerations

  • The admin channel PSK (or PKC admin key) is the master key for your infrastructure - anyone holding it can administer every node that trusts it, so guard it carefully. Managed Mode does not protect against an attacker who already has this credential.
  • Distribute admin credentials only to trusted operators
  • Consider a separate admin channel/key per node, or per geographic cluster, to limit blast radius if a key is compromised
  • Managed Mode blocks normal config writes over USB serial too. Physical access still allows a firmware erase / factory reset, which wipes Managed Mode, keys, and configuration - but that is a reset, not live reconfiguration of a running node.