Authentication Changes for Datto RMM

In August, we announced our intention to move to mandatory two-factor authentication (2FA) for Datto RMM after a period of feedback. Your supportive responses leave us confident that mandating 2FA for Datto RMM is the appropriate action to keep our partners and their end clients secure. We also recognized an opportunity to act on many of the enhancement suggestions received. We will be implementing a series of changes to:

  • Move Datto RMM authentication to Datto Platform SSO beginning December 9. Refer to the v7.8.5 release notes for more information.
  • Enable mandatory 2FA for ALL Datto RMM users in early January.

This plan brings MSPs closer to a single login experience for all Datto products and delivers many of the requested benefits that already exist within Datto SSO. If you have any questions or concerns, please email drmm-feedback@datto.com.

What is the impact of this change?

  1. Users will need to use their email address when logging in to Datto RMM instead of their Datto RMM username. In cases where multiple Datto RMM accounts are linked to a single email address, users will be able to select one before being redirected to their Datto RMM platform.
  2. The Agent Browser will change such that logging in directly from the UI is handled differently. Authenticating via the Agent UI will first launch a web browser tab from which authentication will be managed.

Why did we decide on these specific changes?

We learned the following from reviewing and discussing all of the feedback we received:

  1. Users overwhelmingly agree on using 2FA to protect their RMM solution. Most of the concerns were around usability and 2FA features in Datto RMM.
  2. Our partners requested additional 2FA options like SMS, Voice and, most commonly, Push notifications.
  3. Our partners much prefer a unified process for multiple Datto/Autotask products. Having different authentication options for these products is not ideal.
  4. Our partners also requested federated security options like Microsoft ADFS and Okta.

It became clear to us that, to create a satisfactory solution for our partners, we couldn’t just add or fix 2FA features in Datto RMM. We needed to expedite our move to SSO across all Datto products. This would result in less disruption and also significant benefits for our partners:

  1. Datto Authweb has more 2FA options than Datto RMM. This includes Push notification (using the Authy App) and SMS.
  2. SSO will offer our partners centralized security. A single change to a user account can lock that user out of all Datto products.
  3. SSO will offer a better cross-product experience. Users will be able to jump from one Datto product to another without having to re-authenticate.
  4. SSO will allow us to integrate with other authentication providers in a single place in the future, rather than having to do it for all our products separately.

Frequently asked questions

Q: What 2FA options will be available in the Portal?

A: Users can authenticate using Time-based One-time Password (TOTP) or Authy. TOTP is most commonly used with tokens generated by Google Authenticator, Microsoft Authenticator, Duo, LastPass, Myki or others. We will also be able to deliver the tokens over email. Authy can work with Push notifications in its mobile app. Tokens can also be delivered using the app, SMS or voice call. A great benefit of Authy in addition to Push support is that users can migrate their configurations between phones. Authy requires a phone number to set up. More details on these options can be found in this Knowledge Base article.


Q: Do I need to go to Datto Portal to log in to Datto RMM?

A: No, users will be able to log in from the same place as before (https://www.centrastage.net/csm/login or autotask.net).


Q: Will I need to set up my Google Authenticator again once this goes live?

A: No, users who had Google Authenticator set up will be able to use it as before; we are migrating your configuration.


Q: What is the impact for the SSO between Autotask PSA and Datto RMM?

A: This change will have no effect on SSO between Autotask PSA and Datto RMM. When users jump from Autotask PSA to Datto RMM, no re-authentication will be required. Be sure to enable 2FA in Autotask PSA if you allow users to SSO into RMM. In the future, Autotask PSA will also move to Datto Authweb (SSO).


Q: My users/I don’t have a phone to use for 2FA. What do I do?

A: There are various solutions that support TOTP in a desktop application. Applications like Authy and Myki can be configured to generate tokens for you without the need for an app on a phone, either via a Desktop or Browser app. The email-based 2FA would also work without the need for a phone.


Q: My CentraStage iOS app can’t authenticate anymore, is this related?

A: Yes. The iOS app doesn’t support our new authentication method, and fixing it demands significant time and effort. Note that our new interfaces (UI and Web Remote) are responsive and mobile-compatible by default.


Q: Will I still see logins in my activity logs?

A: Yes, user sessions and activity will still be available in the User Activity log.


Q: Will I still be asked to validate new IPs at login?

A: The IP validation feature, requiring user approval for sessions from unknown IPs, is only in effect for users without 2FA enabled. Since all users will be required to use 2FA, this feature will no longer be necessary. Authweb will, however, send you an email notification anytime someone logs in from an unauthorized IP.


Q: What changes can I expect in the RMM web portal?

A: Under Setup -> My info, the options for 2FA and Change Password will redirect to the corresponding page in Datto Portal.

Under Setup -> Account Settings, the option to Enable/Disable 2FA for all users will be removed.


Q: What will happen when a new user gets created in Datto RMM?

A: After a new user is created in RMM, the user will receive an email with steps to create their own password and set up 2FA. It will no longer be incumbent on the Administrator to set a password for the new user.


Q: How do I reset a user’s password in Datto RMM?

A: Administrators will be able to send password reset emails to users wishing to change their passwords.


Q: Will my previously configured Agent and Web Portal IP Whitelisting settings remain valid?

A: IP whitelisting rules that are set up in the RMM portal will still be in effect. If configured, users will only be able to log in from IP addresses listed in the whitelisting section.


Q: Will the Community integration still work from Datto RMM?

A: Yes, logging in and interacting on the Datto RMM Community is unchanged.


Q: Do I need to add a new IP address to my whitelist?

A: Yes. Authentication will happen using auth.datto.com with IP address 8.34.181.198.


Q: We are using RADIUS-based authentication. What will change for us?

A: No changes will be made to RADIUS-based authentication.


Q: Where can I go with questions?

A: Please contact our support group with any questions you might have: https://www.datto.com/contact
You can also use the Community if you have other questions.