Security and Access Control

How RemotePilot controls remote access paths, permissions, and public exposure for managed PCs.

Default access model

RemotePilot is designed for operators who need to inspect and manage registered PCs remotely. Access is controlled by registered administrator accounts, registered managed PCs, and the allowed network environment.

In local network deployments, the admin console connects to RemotePilot Client through the managed PC's private internal IP address. Addresses such as 172.16.x.x through 172.31.x.x are private network addresses and are not directly reachable from the public internet.

Admin console
  -> Review registered managed PCs
  -> Connect to RemotePilot Client through the internal IP path
  -> Run remote sessions, status checks, power actions, and scripts

In the default local network mode, managed PCs are not exposed directly to the public internet.

Local network mode

Local network mode is the simplest fit for classrooms, training labs, offices, and similar environments where the admin PC and managed PCs are on the same internal network. It uses the customer network path instead of an external cloud relay, which keeps latency low and can work in restricted internet environments.

  • Target: registered managed PCs with RemotePilot Client installed
  • Operator: authorized administrator account
  • Access path: customer internal network
  • Direct public internet access: not enabled by default
  • Main functions: remote sessions, status checks, restart, shutdown, Wake-on-LAN, script execution

When external access is needed

An internal IP that works on site does not automatically work from the public internet. Customers who need external access should use a separate network configuration.

Recommended options are:

  • Connect through the customer's VPN, then use RemotePilot over the internal network
  • Configure a dedicated customer relay server
  • Use a Cloud Gateway model where RemotePilot Client creates an outbound connection to an approved server

Directly exposing managed PCs through public IP addresses and port forwarding is not recommended. For labs with dozens of PCs, it adds operational complexity and widens the attack surface exposed at the firewall.

Permission control

Administrators should only be allowed to manage the locations, groups, or PCs assigned to them. Sensitive actions such as script execution, restart, shutdown, and Wake-on-LAN should be limited to accounts with the right administrator permissions.

  • Administrator account: only approved administrators can sign in
  • PC registration: only PCs registered in RemotePilot can be managed
  • Group management: separate PCs by classroom, site, or department
  • Feature permissions: separate remote control, power management, and script execution permissions
  • Access logs: review remote access and command execution history
  • Network limits: restrict access to approved internal networks or VPN paths

Wake-on-LAN requirements

When a PC is powered off, RemotePilot Client is not running, so power-on behavior depends on Wake-on-LAN support. Check these requirements before relying on remote power-on.

  • BIOS/UEFI settings: Wake-on-LAN must be enabled
  • Operating system settings: network adapter power and wake settings must allow wake events
  • Wired LAN: Wake-on-LAN over Wi-Fi is often unreliable
  • Network configuration: same broadcast domain or WOL packet forwarding must be supported
  • Power state: WOL cannot work if the power strip or power source is fully off

Security review checklist

  • Confirm managed PCs are not exposed directly through public IP addresses.
  • Define whether access uses local network, VPN, relay, or Cloud Gateway mode.
  • Document administrator authentication and permission separation.
  • Separate permissions for remote control, power management, and script execution.
  • Keep access logs and command execution history available for review.
  • Limit allowed firewall ports and network ranges.
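
One way to automate the first and last checklist items, as an added example that is not part of RemotePilot or its documentation: the script classifies each registered PC address as inside an approved range, private but unapproved, or outside the RFC 1918 private ranges. The inventory, PC names, and approved CIDR ranges are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges; 172.16.0.0/12 is the 172.16.x.x-172.31.x.x block.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(address, approved_networks):
    """Return 'ok', 'outside_approved', 'not_rfc1918' or 'invalid' for one address."""
    try:
        ip = ipaddress.ip_address(address.strip())
    except ValueError:
        return "invalid"
    if not any(ip in net for net in RFC1918):
        return "not_rfc1918"  # publicly routable or otherwise unexpected space
    if any(ip in net for net in approved_networks):
        return "ok"
    return "outside_approved"  # private, but not a range the operator approved


def review_inventory(inventory, approved_cidrs):
    """Group PC names by status so exceptions can be reviewed first."""
    approved = [ipaddress.ip_network(c) for c in approved_cidrs]
    findings = {}
    for name, address in inventory:
        findings.setdefault(classify(address, approved), []).append(name)
    return findings


# Constructed sample inventory (hypothetical names; 203.0.113.0/24 is a documentation range).
SAMPLE_INVENTORY = [
    ("LAB1-PC01", "172.16.10.21"),
    ("LAB1-PC02", "172.31.255.254"),
    ("LAB2-PC01", "172.32.0.5"),       # just past 172.31.x.x, so not private
    ("OFFICE-PC07", "192.168.50.12"),  # private, but not in an approved range
    ("KIOSK-01", "203.0.113.10"),
    ("LAB2-PC02", "172.16.300.1"),     # malformed entry
]
APPROVED = ["172.16.0.0/16", "172.31.0.0/16"]  # hypothetical approved lab networks

if __name__ == "__main__":
    for status, names in sorted(review_inventory(SAMPLE_INVENTORY, APPROVED).items()):
        print(f"{status}: {', '.join(names)}")
```

A private address only shows how the PC is addressed; port forwarding on the edge router still has to be checked in the firewall configuration itself.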