Community discussions

MikroTik App
 
User avatar
BrianHiggins
Forum Veteran
Forum Veteran
Topic Author
Posts: 702
Joined: Mon Jan 16, 2006 6:07 am
Location: Norwalk, CT
Contact:

Allow TikApp?

Wed Nov 09, 2022 1:36 am

I'm considering allowing end users to access their CPEs through the MikroTik Home app to configure their wifi and see connection stats, since it appeared to have its own permissions and limited access (and therefore an inability for them to break things)... However, in testing it seems that even though I've granted the users login group tikapp rights, the app logs in using winbox access. Therefore it seems I have to grant full winbox to users to use the MikroTik Home app, which seems to defeat the whole purpose of the tikapp permission in groups. What am I missing here?

testing this on 6.49.7...

Can anyone suggest a method to allow the android MikroTik Home app (and presumably there's an iOS equivalent?) to login without also granting full winbox access?
This /user group policy that I was expecting to work was this:
policy=reboot,read,write,test,password,web,sniff,tikapp,!local,!telnet,!ssh,!ftp,!policy,!winbox,!sensitive,!api,!romon,!dude
but the logs show the account failed to login via winbox, and as indicated set policy=winbox allowed the user to login. However I do not want to grant full winbox access to the users.

disclaimer, only tried the MikroTik Home app once when it was very first launched, and it didn't recognize PPPoE client setups. haven't opened it again before testing today, so I don't have any real experience with using it.

-Edited to add policy detail
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Allow TikApp?

Wed Nov 09, 2022 11:16 am

Will check if there isn't a bug somewhere, but ... even if it would work as advertised, note that TikApp has all the same functionality as winbox. There isn't a "Home specific" policy there, only tikapp. But we have TikApp "Pro" and Tikapp "Home". So it would not achieve anything to give tikapp rights. Users can just use TikApp "pro" and change any config anyway.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Allow TikApp?

Wed Nov 09, 2022 11:38 am

.
It is time for MikroTik to make a very trivial app where the customer changes the SSID and the password on his own,
so that he can see the number of devices connected to the wifi and how much traffic passes, without assulting anything else.
So the end users are interested only in this without any other frills.
 
User avatar
cfikes
Member Candidate
Member Candidate
Posts: 106
Joined: Mon Dec 08, 2014 9:14 pm
Location: Texas
Contact:

Re: Allow TikApp?

Wed Nov 09, 2022 2:42 pm

This seems like a great opportunity to use the REST API for a custom client dashboard hosted by the ISP where those settings can be changed. No need to fiddle with teaching users to use an app, just have it at the same place as where they pay the bill.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Allow TikApp?

Wed Nov 09, 2022 3:40 pm

.
It is time for MikroTik to make a very trivial app where the customer changes the SSID and the password on his own,
so that he can see the number of devices connected to the wifi and how much traffic passes, without assulting anything else.
So the end users are interested only in this without any other frills.
We have such app, it's called MikroTik Home. The problem is, that there is no policy that rectricts users to ONLY this app.
 
User avatar
BrianHiggins
Forum Veteran
Forum Veteran
Topic Author
Posts: 702
Joined: Mon Jan 16, 2006 6:07 am
Location: Norwalk, CT
Contact:

Re: Allow TikApp?

Wed Nov 09, 2022 4:39 pm



It is time for MikroTik to make a very trivial app where the customer changes the SSID and the password on his own,
so that he can see the number of devices connected to the wifi and how much traffic passes, without assulting anything else.
So the end users are interested only in this without any other frills.
We have such app, it's called MikroTik Home. The problem is, that there is no policy that rectricts users to ONLY this app.
Sounds like I don't even need to submit a feature request, you already know what needs to be done! The pro app signs in using winbox permissions, the home app signs in using tikapp permissions, and suddenly every is happy and everything works out.

As mentioned above, and alluded to in my original post, we would all benefit need a simple app for end users to control simple functions, that cannot access things like scripting or changing the update branch (ideally it would also honor disabled menus in the skins like winbox in v7), and since you already have an app for this, we just need it to be permissioned out so we can limit users to this app and not full system access through winbox and terminal.
 
GREGT
just joined
Posts: 7
Joined: Thu Nov 19, 2020 4:19 pm

Re: Allow TikApp?

Wed Mar 15, 2023 5:54 pm

We need the Mikrotik Home App for IOS... is there a release date or beta version to use?
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Allow TikApp?

Wed Mar 15, 2023 6:15 pm

The iOS app already hides the advanced configuration behind the gear, which seems like a reasonable approach. The issue is that changing the Wi-Fi password requires both "sensitive" and "write", in other words a full admin. That wouldn't change by just having two apps, or a "TikApp" role.

Rather than having TWO apps for iOS, the current app should just respect the "skin.json" file for the user. And perhaps control the "Home Screen" items, instead of the app's local configuration that does it today. Apple MDM also be fine to control this, but I don't see that happening anytime soon – they don't even use the keychain for the saved passwords.
 
User avatar
BrianHiggins
Forum Veteran
Forum Veteran
Topic Author
Posts: 702
Joined: Mon Jan 16, 2006 6:07 am
Location: Norwalk, CT
Contact:

Re: Allow TikApp?

Tue Apr 18, 2023 9:22 pm



We have such app, it's called MikroTik Home. The problem is, that there is no policy that rectricts users to ONLY this app.
Sounds like I don't even need to submit a feature request, you already know what needs to be done! The pro app signs in using winbox permissions, the home app signs in using tikapp permissions, and suddenly every is happy and everything works out.

As mentioned above, and alluded to in my original post, we would all benefit need a simple app for end users to control simple functions, that cannot access things like scripting or changing the update branch (ideally it would also honor disabled menus in the skins like winbox in v7), and since you already have an app for this, we just need it to be permissioned out so we can limit users to this app and not full system access through winbox and terminal.
Normis, any progress in making the Home App sign in using the tikapp Permission?

Also any progress on the mobile winbox app honoring the skins file like regular winbox does?

Who is online

Users browsing this forum: coffee1978, DanMos79, EsaqzpHot, icemending and 87 guests