Meshtastic Managed Mode and Admin Channels

For deployed infrastructure nodes - community repeaters, fixed gateways - you want to prevent unauthorized configuration changes while still being able to administer the node remotely. Meshtastic provides two tools for this: Managed Mode and Admin Channels.

Managed Mode

When Managed Mode is enabled, the node blocks all client applications from writing configuration over any local interface - BLE, USB serial, and TCP alike (configuration can still be read). Once enabled, configuration can only be changed through PKC Remote Admin (firmware 2.5+) or the legacy Admin channel (firmware prior to 2.5). This prevents anyone who walks up to the repeater and pairs their phone from changing the configuration.

Managed Mode is set via the security.is_managed boolean, not a device role - there is no "MANAGED" device role:

meshtastic --set security.is_managed true

Configure and test your admin access (admin channel or PKC remote admin key) before enabling security.is_managed. If you enable Managed Mode without working admin access, you lose the ability to reconfigure the node over BLE, USB serial, and TCP - the only recovery is a physical firmware erase / factory reset, which also wipes your keys and configuration.

With Managed Mode active:

  • Local config writes over BLE, USB serial, and TCP are all blocked (changes require Remote Admin or the admin channel)
  • Configuration can still be read over local interfaces
  • The node continues to route and relay normally

Admin Channel

The Admin Channel is an encrypted control channel that allows authorized administrators to configure any node in the mesh remotely - even nodes that are out of direct radio range (configuration packets are relayed through the mesh). On firmware 2.5 and newer, the preferred approach is PKC Remote Admin, which authorizes administrators by their public key rather than a shared channel PSK; the legacy shared-PSK admin channel remains for older firmware.

Setting Up an Admin Channel

  1. Create a channel with a random PSK and name it "admin" (or any name you choose)
  2. Designate that channel as the admin channel (the security admin-channel setting)
  3. Add this channel to all nodes you want to manage
  4. Only administrators should have the admin channel PSK

meshtastic --ch-set name "admin" --ch-index 1
meshtastic --ch-set psk random --ch-index 1
meshtastic --set security.admin_channel_enabled true

The legacy integer admin_channel_index field is deprecated; on current firmware the admin channel is enabled via the security.admin_channel_enabled boolean. On firmware 2.5+, prefer PKC Remote Admin (admin keys) over the shared-PSK admin channel where possible.

Remote Configuration via Admin Channel

Once an admin channel is configured, you can send configuration commands to remote nodes via the app's remote admin feature. The command is encrypted with the admin channel PSK (or, with PKC remote admin, the admin keypair), relayed through the mesh, and executed on the target node. The target node responds with its updated configuration.
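The rule of proving admin access before setting security.is_managed can be enforced by making the change through the remote admin path itself. The script below is an added example, not code from this page or from the Meshtastic project; the function names, the MESH variable and the node id argument are hypothetical, and it assumes a successful `--get` prints a line containing the field name and its value.

```shell
#!/bin/sh
# Run on the ADMIN machine, whose attached node already holds the admin key
# or admin channel PSK. Nothing here touches the target's local interfaces.

MESH="${MESH:-meshtastic}"   # CLI to invoke; override to add e.g. --port

# Read one setting from a remote node over the mesh (remote admin path).
# $1 = destination node id (placeholder such as '!00000000'), $2 = field name
remote_get() {
    $MESH --dest "$1" --get "$2" 2>/dev/null | grep -F "$2"
}

# Succeeds only if the remote node answered with the current value.
admin_path_works() {
    remote_get "$1" security.is_managed >/dev/null
}

# Enable Managed Mode on $1 only after remote admin is proven to work,
# send the write through that same path, then read the value back.
enable_managed_mode() {
    if ! admin_path_works "$1"; then
        echo "refusing: no remote admin response from $1" >&2
        return 2
    fi
    $MESH --dest "$1" --set security.is_managed true >/dev/null 2>&1 || {
        echo "remote write to $1 failed; Managed Mode not enabled" >&2
        return 3
    }
    # A node may restart after a config write, so a failed read-back
    # means "check again", not necessarily that the write was lost.
    if remote_get "$1" security.is_managed | grep -qi 'true'; then
        echo "$1: Managed Mode enabled, remote admin verified"
    else
        echo "$1: write sent but read-back did not show true" >&2
        return 4
    fi
}

# Usage: sh enable_managed.sh '!nodeid'
if [ "$#" -eq 1 ]; then enable_managed_mode "$1"; fi
```

Because the write travels over the admin path, a node that accepts it has already demonstrated the access you will depend on once local writes are blocked.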

Security Considerations

  • The admin channel PSK (or PKC admin key) is the master key for your infrastructure - anyone holding it can administer every node that trusts it, so guard it carefully. Managed Mode does not protect against an attacker who already has this credential.
  • Distribute admin channel credentials only to trusted operators
  • Consider a separate admin channel/key per node, or per geographic cluster, to limit blast radius if a key is compromised
  • Managed Mode blocks normal config writes over USB serial too. Physical access still allows a firmware erase / factory reset, which wipes Managed Mode, keys, and configuration - but that is a reset, not live reconfiguration of a running node.