What Is OpenUEM?
OpenUEM is a free, open-source, self-hosted Unified Endpoint Manager built by Miguel Angel Alvarez Cabrerizo, a freelance DevOps engineer based in Spain. It provides complete endpoint inventory, remote management, software deployment, and configuration profiles for Windows, Linux, and macOS through lightweight agents.
Licensed under Apache 2.0, OpenUEM is entirely self-hosted — your asset data stays on your infrastructure. No cloud dependency, no per-seat licensing, no endpoint caps.
Why OpenUEM Stands Out
The RMM and UEM market is dominated by proprietary solutions with per-endpoint or per-technician pricing. For small IT teams, solo sysadmins, and MSPs getting started, these costs add up fast. OpenUEM provides a viable alternative with a feature set that covers the core needs of endpoint management.
Security-First Architecture
OpenUEM takes a fundamentally different approach to security compared to most RMM tools. Digital certificates are mandatory, not optional. All communication between components uses mutual TLS. Console authentication is certificate-based — no passwords stored in the database. VNC sessions are started on-demand with one-time passwords and automatically shut down after use.
Multi-Platform Agent Support
Agents are available for:
- Windows (amd64) — with Winget integration for package management
- Linux — Debian-based and RedHat-based distributions via .deb and .rpm packages
- macOS — Intel (amd64) and Apple Silicon (arm64) with Homebrew integration
Integrated Package Management
One of OpenUEM's strongest features is its native integration with platform-specific package managers. Deploy software from the web console using Winget on Windows, Flatpak/FlatHub on Linux, and Homebrew on macOS. No need for custom packaging or separate deployment tools.
Key Features
- Hardware and software inventory — Model, memory, disks, printers, network adapters, installed software
- Remote assistance — VNC, RDP (Gnome/Wayland), and RustDesk integration with TLS encryption
- Configuration profiles — Automated tasks per OS: packages, registry keys, local users/groups, scripts, MSI packages
- Windows Update monitoring — Track update status and browse update history
- Security monitoring — Antivirus status, BitLocker encryption, pending security updates
- SFTP file management — Browse, download, and upload files to managed endpoints
- Wake-on-LAN — Remote power-on and scheduled power management
- Multi-tenancy — Multiple organizations and sites under one installation
- Identity Provider support — Authelia, Authentik, Keycloak, Zitadel
- Report generation — PDF and CSV exports for agents, computers, security, and software views
Architecture
OpenUEM is built entirely in Go and follows a modular architecture:
- Agents — Lightweight processes installed on endpoints that gather system information
- Agent Workers — Process agent reports and store data in PostgreSQL
- Console — Web UI built with Echo, HTMX, and Franken UI
- NATS Server — Message broker for communication between all components
- Cert-Manager — Built-in Certificate Authority for mutual TLS
- OCSP Responder — Certificate validation service
Components can run on a single machine or be distributed across multiple servers. Deployment options include native packages (Windows installer, .deb, .rpm) and Docker with docker-compose.
Active Development
OpenUEM is under active development with regular releases. The roadmap includes APT/DNF repository management, Kopia backup integration, VPN support (NetBird, WireGuard, OpenVPN), Android MDM, and Kubernetes deployment via Helm Charts.
The project has an active community on Discord and the full source code is available on GitHub.
Getting Started
The fastest way to try OpenUEM is via Docker. The documentation provides step-by-step guides for all deployment methods. Installation requires PostgreSQL and the NATS message broker, both of which can be deployed alongside OpenUEM using the provided docker-compose files.
