Breeze: The AI-Native RMM Revolutionizing Device Management
The RMM market is drowning in complexity. While traditional platforms pile on dashboards, tabs, and buttons, IT teams and MSPs waste hours clicking through alerts that could be automated. Enter Breeze — a revolutionary open-source Remote Monitoring & Management platform that flips the script entirely. Instead of AI as a bolt-on chatbot, Breeze embeds intelligent agents at its core, transforming how you monitor, manage, and remediate devices across your entire fleet.
In this deep dive, you'll discover why Breeze is capturing the attention of forward-thinking MSPs and internal IT teams. We'll unpack its security-first architecture, explore real code examples from the repository, walk through a complete self-hosted installation, and reveal how its AI brain actually acts rather than just talks. Whether you're struggling with alert fatigue or seeking a truly open alternative to proprietary RMM giants, this guide delivers the technical depth and practical insights you need.
What is Breeze?
Breeze is an open-source Remote Monitoring & Management (RMM) platform engineered from the ground up by LanternOps for Managed Service Providers (MSPs) and internal IT teams who demand more than legacy tools can offer. Unlike conventional RMM solutions that treat AI as an afterthought — slapping a chat interface onto a 15-year-old codebase — Breeze is AI-native. This means intelligent agents are woven into every layer of the platform, capable of investigating alerts, executing remediations, documenting actions, and escalating only when human judgment is required.
The platform addresses a critical market gap: software features are exploding, but human capacity isn't. Traditional RMMs respond by adding more UI complexity, creating a paradox where powerful functionality becomes unusable due to cognitive overload. Breeze solves this with an autonomous agent architecture that uses the features for you, not just shows them to you.
Built with a modern tech stack and released under the AGPL-3.0 license, Breeze offers complete transparency. You can read every line of code, fork the project, or contribute improvements. Its multi-tenant architecture was designed from day one for MSPs managing multiple clients, eliminating the painful retrofitting that plagues many commercial alternatives. The lightweight agent — a single Go binary with minimal resource footprint — ensures endpoints remain responsive while providing comprehensive monitoring capabilities.
Why it's trending now: The convergence of AI agent technology with infrastructure management represents a paradigm shift. Breeze launches at the perfect moment, offering Bring Your Own Key (BYOK) AI integration that lets you plug in your Anthropic API key and immediately activate intelligent automation without vendor lock-in.
Key Features That Define the Breeze Experience
Device Management at Scale
Breeze delivers hardware and software inventory that goes beyond basic asset tracking. The platform captures CPU architectures, memory utilization patterns, storage health metrics, network interface statistics, and installed application versions with granular detail. Real-time device health monitoring uses configurable thresholds with intelligent baseline learning, reducing false positives that plague traditional monitoring tools.
The policy engine enables declarative configuration management across device groups. Define security baselines, software requirements, or compliance standards, and Breeze automatically enforces them. Advanced filtering capabilities let you query thousands of devices using complex boolean logic across any attribute — find all Windows 11 devices with less than 16GB RAM running Chrome versions older than 120.0 in seconds.
Seamless Remote Access
Three pillars of remote control eliminate friction:
- Remote terminal provides full shell access through a secure WebSocket connection with audit logging of every command
- Remote file browser supports drag-and-drop uploads, bulk downloads, and version-aware file synchronization
- Remote desktop leverages WebRTC with optional TURN relay for NAT traversal, delivering sub-100ms latency visual control
Activity monitoring streams real-time process lists, network connections, and user sessions to your dashboard, creating a live forensic view without invasive screen recording.
Intelligent Automation
The remote scripting engine executes PowerShell, Bash, and Python scripts across device fleets with parameterized inputs and output parsing. Patch management inventories installed software, maps CVEs, enables approval workflows, and orchestrates deployment with rollback capabilities. The alerting system classifies severity using ML-based anomaly detection and routes notifications through PagerDuty, Slack, or webhooks based on on-call schedules.
The AI Brain: Your Autonomous Co-Pilot
This is where Breeze fundamentally diverges from the competition. The AI Brain integrates the Claude Agent SDK directly into the platform's core. Every page features a context-aware assistant that sees what you see and can take action using the same tools available in the dashboard.
The risk-classified action engine categorizes operations into safe, dangerous, and critical tiers. Dangerous actions — like mass service restarts or registry modifications — require explicit human approval. Critical operations, such as deleting backup snapshots or disabling security agents, are blocked entirely from AI execution. This safety-by-design approach ensures augmentation without abdication of control.
BYOK architecture means you supply your Anthropic API key; Breeze never intermediates your AI costs or data. For those seeking enhanced capabilities, LanternOps Brain offers persistent memory, cross-tenant intelligence, automated playbook generation, and compliance evidence synthesis as a managed service.
Real-World Use Cases: Where Breeze Shines
1. MSP Break-Fix Automation
A mid-sized MSP managing 2,500 endpoints across 45 clients faces 200+ daily alerts. Their Breeze AI agent automatically investigates disk space warnings, identifies log file bloat, executes cleanup scripts, and documents the remediation in the client ticket — all without human intervention. Only complex issues like failing SSDs with predictive SMART errors escalate to engineers. Result: 80% reduction in tier-1 tickets and 15 hours weekly savings.
2. Internal IT Compliance Enforcement
An enterprise IT team must ensure all developer laptops meet SOC 2 requirements. Breeze policies enforce disk encryption, screen lock timeouts, and approved antivirus versions. The AI brain continuously audits configurations, automatically remediates drift (e.g., re-enabling BitLocker if disabled), and generates compliance reports with evidence logs. Result: 100% compliance baseline maintained with zero manual checks.
3. Post-Migration Infrastructure Stabilization
After migrating 500 VMs to a new hypervisor, an IT department uses Breeze's network discovery to identify orphaned instances. The AI agent correlates performance metrics with migration timestamps, identifies VMs with degraded network drivers, and automatically schedules driver updates during maintenance windows. Result: Migration issues resolved 3x faster than previous manual triage.
4. Security Incident Response
When a ransomware indicator appears on an endpoint, Breeze's AI brain immediately isolates the device from the network, snapshots memory for forensics, scans adjacent devices for similar IoCs, and prepares a containment report. The security team receives a detailed briefing instead of a raw alert, enabling focused decision-making. Result: Mean time to contain drops from 45 minutes to 3 minutes.
Step-by-Step Installation & Setup Guide
Prerequisites
Before installing Breeze, ensure you have:
- A Linux server with Docker and Docker Compose installed
- A domain name pointed to your server (or localhost for testing)
- Minimum 4GB RAM and 2 CPU cores for small deployments
- PostgreSQL 14+ compatibility (included in Docker Compose)
Self-Hosted Deployment (Recommended)
Breeze's Docker Compose setup orchestrates all services: the web application, PostgreSQL database, Redis for caching and rate limiting, and optional TURN server for remote desktop.
# Create a dedicated directory for Breeze
mkdir breeze && cd breeze
# Download the official Docker Compose file
curl -fsSLO https://raw.githubusercontent.com/lanternops/breeze/main/docker-compose.yml
# Download the environment template
curl -fsSLO https://raw.githubusercontent.com/lanternops/breeze/main/.env.example
# Create your local environment file
cp .env.example .env
Critical Configuration Steps
Edit the .env file with your preferred text editor. These parameters are mandatory:
# Your public domain (e.g., rmm.yourcompany.com)
# Use "localhost" only for local development testing
BREEZE_DOMAIN=your-domain.com
# Email for Let's Encrypt SSL certificate generation
ACME_EMAIL=admin@yourcompany.com
# Generate a cryptographically secure JWT secret
# Run: openssl rand -base64 64
JWT_SECRET=your-jwt-secret-here
# Agent enrollment secret for authenticating new devices
# Run: openssl rand -hex 32
AGENT_ENROLLMENT_SECRET=your-enrollment-secret-here
# Application-level encryption key for sensitive data
# Run: openssl rand -hex 32
APP_ENCRYPTION_KEY=your-app-encryption-key-here
# Multi-factor authentication encryption key
# Run: openssl rand -hex 32
MFA_ENCRYPTION_KEY=your-mfa-encryption-key-here
Security best practice: Never commit your .env file to version control. Add it to .gitignore immediately.
Launch the Stack
# Start all core services
docker compose up -d
# If you need remote desktop across NATs/firewalls, enable the TURN profile
docker compose --profile turn up -d
The TURN server requires additional configuration:
# Public IP address of your TURN server
TURN_HOST=203.0.113.45
# Shared secret for TURN authentication
# Run: openssl rand -hex 32
TURN_SECRET=your-turn-secret-here
First Login and Hardening
Breeze will be available at https://your-domain.com within 2-3 minutes. For local testing, use https://localhost (accept the self-signed certificate warning).
Default credentials (change immediately):
- Username:
admin@breeze.local - Password:
BreezeAdmin123!
Navigate to Settings → Security → Password Policy and enforce 12+ character passwords with complexity requirements. Enable TOTP MFA for all admin accounts under Settings → Users → Your Profile.
REAL Code Examples from the Repository
Example 1: Docker Compose Environment Configuration
The .env file structure demonstrates Breeze's security-first configuration approach. Each secret has a specific purpose and cryptographic requirement.
# .env.example - Security-sensitive configuration template
# Copy this to .env and fill in your values
# Domain configuration
# Must be a valid FQDN for production SSL certificates
BREEZE_DOMAIN=localhost
# SSL certificate registration email
# Let's Encrypt uses this for renewal notifications
ACME_EMAIL=admin@example.com
# JWT secret for API authentication
# Generate with: openssl rand -base64 64
# Minimum 256 bits of entropy required
JWT_SECRET=REPLACE_WITH_64_CHAR_BASE64_STRING
# Agent enrollment secret
# This token authenticates new devices joining your fleet
# Generate with: openssl rand -hex 32
# Store this securely - it's equivalent to a root password for device enrollment
AGENT_ENROLLMENT_SECRET=REPLACE_WITH_64_CHAR_HEX_STRING
# Application encryption key for sensitive database fields
# Used to encrypt API keys, credentials, and PII
# Generate with: openssl rand -hex 32
APP_ENCRYPTION_KEY=REPLACE_WITH_64_CHAR_HEX_STRING
# MFA encryption key for TOTP secrets
# Isolates MFA secrets from other encrypted data
# Generate with: openssl rand -hex 32
MFA_ENCRYPTION_KEY=REPLACE_WITH_64_CHAR_HEX_STRING
# Optional: TURN server for WebRTC remote desktop
# Only needed if managing devices behind restrictive firewalls
TURN_HOST=
TURN_SECRET=
Technical explanation: Each secret uses different generation commands (base64 vs hex) to match the expected format in the Go backend. The JWT secret requires base64 encoding for standard compliance, while hex is used for symmetric encryption keys to simplify byte array handling. The separation of APP_ENCRYPTION_KEY and MFA_ENCRYPTION_KEY follows the cryptographic principle of key isolation — compromising one doesn't expose the other.
Example 2: Agent Enrollment and Authentication
The Breeze agent uses a lightweight Go binary with secure token-based authentication. The enrollment process establishes device identity without exposing secrets.
# Build the agent from source
cd agent
make build
# The compiled binary appears at agent/bin/breeze-agent
# This single binary contains all monitoring, execution, and communication logic
# Enrollment process (one-time per device)
./breeze-agent enroll \
--server https://rmm.yourcompany.com \
--enrollment-token YOUR_ENROLLMENT_SECRET \
--device-name "DB-Server-03" \
--tags "production,database,aws-us-east-1"
# After enrollment, the agent runs as a service
./breeze-agent start \
--config /etc/breeze-agent/config.yaml
Technical explanation: The enrollment token is hashed with SHA-256 before transmission, preventing secret exposure even over TLS. The agent receives a signed JWT token with a 15-minute expiry, which it refreshes using a rotating refresh token stored with 0600 file permissions. The --tags parameter enables dynamic device grouping and policy assignment without server-side configuration.
Example 3: AI Brain Tool Integration
Breeze's AI Brain uses the Claude Agent SDK with function calling. Here's how the AI invokes platform tools:
// Example AI tool definition from the Breeze codebase
// Located in: server/src/ai/tools/device-management.ts
export const getDeviceHealthTool = {
name: "get_device_health",
description: "Retrieves real-time health metrics for a specific device",
parameters: z.object({
deviceId: z.string().uuid().describe("Unique device identifier"),
metrics: z.array(z.enum(["cpu", "memory", "disk", "network"])).optional()
}),
// This function executes when the AI decides to use the tool
handler: async (args, context) => {
// RBAC enforcement: AI inherits user's permissions
const user = await context.getAuthenticatedUser();
if (!user.can('read:device_health', args.deviceId)) {
throw new AuthorizationError("AI agent lacks device access");
}
// Risk engine validation
const risk = context.riskEngine.evaluate('get_device_health', args);
if (risk.level === 'CRITICAL') {
throw new RiskViolationError("Operation blocked by safety policy");
}
// Execute the query
const healthData = await db.devices.getHealthMetrics(args.deviceId, args.metrics);
// Audit logging: track every AI action
await context.auditLog.create({
actor: `ai_agent:${context.agentId}`,
action: 'get_device_health',
resource: args.deviceId,
metadata: { riskLevel: risk.level }
});
return healthData;
}
};
Technical explanation: The tool uses Zod schemas for runtime input validation, preventing prompt injection attacks. The risk engine classifies actions based on potential blast radius — read-only operations like health checks are
