Unified Agent Architecture
The One RMM uses a unified agent model: a single binary is installed on every managed device, and the capabilities available to it are determined by your organization's active subscriptions — not by which agent you installed.
This is the same model used by enterprise EDR vendors like CrowdStrike. One agent, multiple modules. Upgrade your subscription and new capabilities activate automatically.
How It Works
┌─────────────────────────────────────────────────────┐
│                   TheOneRMM Agent                   │
│                                                     │
│  ┌──────────────┐  ┌──────────────┐  ┌───────────┐  │
│  │  RMM Module  │  │ Defend Module│  │  Backups  │  │
│  │  (always on) │  │  (if licensed│  │  Module   │  │
│  │              │  │   for Defend)│  │  (if lic.)│  │
│  └──────────────┘  └──────────────┘  └───────────┘  │
│                                                     │
│  ┌──────────────────────────────────────────────────┤
│  │             Agent Event Bus (shared)             │
│  └──────────────────────────────────────────────────┤
│  ┌──────────────────────────────────────────────────┤
│  │       Hub Subscription Check (at startup)        │
│  └──────────────────────────────────────────────────┤
└─────────────────────────────────────────────────────┘
At startup and on each heartbeat, the agent contacts Hub to check which modules are licensed for your organization. Modules are loaded or unloaded dynamically without restarting the agent.
Modules
RMM Module
Always active when the agent is installed. Provides:
- Monitoring — CPU, RAM, disk, network, uptime telemetry; Windows services; event logs
- Patch management — OS patch scanning and deployment via local WU/apt/yum agents
- Remote execution — Bidirectional command channel for PowerShell, bash, and shell commands
- Script execution — Scheduled and alert-triggered automation scripts
- CMDB sync — Hardware inventory sync to The One CMDB every 4 hours
- Alert processing — Evaluates alert rule thresholds locally, reports triggers to the API
Defend Module
Activated when a Defend EDR subscription is present. Provides:
- EDR telemetry — Process creation, file system events, network connections, registry changes
- Platform-specific collection:
  - Windows — ETW (Event Tracing for Windows) providers
  - Linux — eBPF (kernel 4.18+) with auditd fallback
  - macOS — EndpointSecurity framework via System Extension
- Smart filtering — Events are filtered locally before transmission: discard, always-ship, aggregate, or sample
- Compressed streaming — Batched, compressed events sent to Azure Event Hub → ADX
- Behavioral response — Executes response actions from the Defend console (process kill, network isolation)
- Performance budget — Less than 2% CPU and less than 50 MB RAM at all times
Backups Module
Activated when a Backups subscription is present. Provides:
- Local backup agent for file-level and image-based backups
- Backup scheduling and retention management
- Restore orchestration
Module Loading
- Enrollment — Agent checks Hub subscriptions and loads licensed modules.
- Subscription change — When you add a Defend or Backups subscription in Hub, the agent receives a module-load signal on its next heartbeat (within 60 seconds). No reinstallation.
- Subscription removal — When a subscription is removed, the module is unloaded on the next heartbeat. Data collected by that module is retained per the product's data retention policy.
Agent Update Mechanism
The agent self-updates silently in the background:
- The agent checks for updates every 24 hours.
- Updates are downloaded incrementally (delta patches, not full reinstalls).
- The agent restarts itself during low-activity periods (typically between 2 and 4 AM local time, respecting maintenance windows).
- Update activity is logged under Device Detail → Agent Logs.
Administrators can:
- Pin an agent version per device group (useful for regression testing)
- Force an immediate update from Device Detail → Update Agent
- View the agent version history per device
Agent Resource Usage
The agent is designed to have minimal impact on endpoints:
| Resource | Typical Usage | Maximum |
|---|---|---|
| CPU | < 0.5% idle | < 5% during patch scan |
| RAM | 40–60 MB | 120 MB (with Defend module) |
| Disk | 50 MB installed | 200 MB (with local disk buffer) |
| Network | < 1 KB/s heartbeat | 50 KB/s during patch download |
The Defend module specifically is held to a budget of < 2% CPU and < 50 MB RAM. If the budget is exceeded, the smart filter automatically samples events more aggressively, shipping a smaller share of them, to stay within bounds.
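A sketch of the local smart filter listed under the Defend module and of the budget behavior described above, as an added example that is not The One RMM's code. The rule table, event type names, the 1-in-N sampling scheme and the ship-by-default handling of unknown types are assumptions; only the four dispositions and the budget figures come from this page.

```python
from collections import Counter

# Hypothetical rule table: the page names the four dispositions, not the rules.
RULES = {
    "process_create": "always_ship",
    "registry_change": "always_ship",
    "file_event": "sample",
    "network_connection": "aggregate",
    "agent_debug": "discard",
}

class SmartFilter:
    def __init__(self, cpu_budget_pct=2.0, ram_budget_mb=50.0):
        self.cpu_budget_pct = cpu_budget_pct   # Defend budget stated on the page
        self.ram_budget_mb = ram_budget_mb
        self.sample_every = 1                  # ship 1 in N "sample" events
        self.seen = 0
        self.aggregates = Counter()

    def adjust(self, cpu_pct, ram_mb):
        """Thin sampled events when over budget, recover when back under."""
        if cpu_pct >= self.cpu_budget_pct or ram_mb >= self.ram_budget_mb:
            self.sample_every = min(self.sample_every * 2, 64)
        else:
            self.sample_every = max(self.sample_every // 2, 1)
        return self.sample_every

    def process(self, event):
        """Return the event if it ships now, otherwise None."""
        # Assumption: unknown event types ship rather than vanish silently.
        action = RULES.get(event["type"], "always_ship")
        if action == "discard":
            return None
        if action == "aggregate":
            self.aggregates[(event["type"], event.get("key"))] += 1
            return None
        if action == "sample":
            keep = self.seen % self.sample_every == 0
            self.seen += 1
            return event if keep else None
        return event  # always_ship is never thinned by the budget

    def flush(self):
        """Emit one count record per aggregated key, then reset."""
        out = [{"type": t, "key": k, "count": n}
               for (t, k), n in self.aggregates.items()]
        self.aggregates.clear()
        return out
```

Call `adjust()` with each resource reading and `flush()` once per batch. In this sketch only the `sample` class gives way under load, so process-creation and registry events keep full fidelity while the agent is over budget.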
Agent Architecture Decisions
Why a single binary?
- Fewer deployments — one GPO, one MDM profile, one Jamf policy
- Shared hardware fingerprint and device identity across all modules
- Single heartbeat and connectivity check, not three
- Coordinated self-update without version skew between modules
Why module activation via subscription, not separate installers?
- Add Defend to a client without touching every endpoint
- Offboard cleanly by removing the subscription — no endpoint visit required
- Consistent agent version across all modules (no compatibility matrix)