Releases: pgadient/TikMan
Release list
TikMan v2.2.0
📬 Scheduled update check (new)
Settings → Auto-check: once a day, at a time you pick, TikMan asks every RouterOS device with a
login whether it has an update, and e-mails you what it found.
It only checks — nothing is installed, and that's the design rather than a first step. A check
can't strand you: if it fails at 03:00, the worst case is a mail that doesn't arrive. Installing is
what reboots devices, and that stays a decision you make while you're watching.
- Daily at HH:mm, with catch-up. TikMan is a desktop app, so the schedule only runs while it's
open — a slot missed because the app was closed is run at the next opportunity rather than skipped. - Several recipients, comma-separated, and a choice between a mail after every run or only when
there's an update or a failure. - A test button that sends with the settings as they are on screen. Find the typo now, not at
03:00 in a mail that never arrives and can't report its own absence. - The SMTP password is DPAPI-encrypted, like every other password TikMan stores. An empty user
means an unauthenticated relay. - Port 587 (STARTTLS). Port 465 (implicit TLS) isn't supported and says so up front rather than
failing later as an unreadable timeout.
🔓 The update check falls back to SSH
A broken RouterOS HTTPS handshake is the whole reason TikMan's SSH read path exists — monitoring,
topology, Wi-Fi names, logs and the config export all fall back to it. The update check was the one
that didn't, so on exactly the devices that need the fallback most it failed at the first step and
took the whole run down with it. Setting the channel and checking now go HTTPS REST → SSH CLI,
like everything else. Not via the plain-HTTP fallback, even when you've allowed it: this writes a
setting with your password attached.
🧭 Backup and updates: only what can actually happen
- Pick what to save — configuration (
.rsc) and/or binary backup (.backup). Each device gets
the intersection of what you asked for and what it can produce, and Start is only offered when
that isn't empty. - The lists hold what qualifies. The update list used to contain every device TikMan knows,
printers and IoT plugs included. Devices that can't be backed up grey out and say why on hover. - The runs count honestly. "2 updated" for a run that installed one update and skipped the other
is now "1 updated, 1 skipped". A backup where the config saved but the binary didn't is partial. - The binary backup is no longer silent — it was fetched and never mentioned.
- The folder is asked for every time, rather than silently reusing an hour-old choice.
- The channel dropdown reads
2026-06-02 7.23.1 (stable): version and release date where you
choose, so the separate "Latest" column is gone. It's a read from MikroTik's public server and
touches no device; your device's channel is still only written when you install.
🚀 A calmer app
- The update check runs first on startup, before anything touches the network, and the download
gets a real progress window instead of a status line that looked like a hang. - "No scan at startup" now means it. Restored devices stay grey ("not checked yet") instead
of a green dot nobody verified. - The bottom bar is a banner that wraps; the detail pane folds away with a chevron.
- A PC running Spotify is not a speaker. mDNS was trusted ahead of everything, so a workstation
advertising_spotify-connect._tcpwas filed as a speaker, ahead of the RDP/WMI+SMB signature that
exists to say "this is a PC".
The bulk-update warning claimed edge-devices-first as if it were a law. It's a rule of thumb, and
CAPsMAN inverts it when the controller carries its CAPs along (upgrade-policy).
Downloads
| File | Platform | Runtime |
|---|---|---|
TikMan-2.2.0-win-x64.exe |
Intel/AMD 64-bit | none (self-contained, ~68 MB) |
TikMan-2.2.0-win-x64-fdd.exe |
Intel/AMD 64-bit | .NET 10 Desktop Runtime (~12 MB) |
TikMan-2.2.0-win-arm64.exe |
ARM64 | none (self-contained, ~65 MB) |
TikMan-2.2.0-win-arm64-fdd.exe |
ARM64 | .NET 10 Desktop Runtime (~12 MB) |
When in doubt, take the self-contained build (-x64 or -arm64). The exes are unsigned, so Windows
SmartScreen shows an "unknown publisher" notice on first run — More info → Run anyway.
TikMan v2.1.8
Everything since 2.0.2, and nearly all of it came from using the thing: a device that wouldn't update,
a list full of rows that could never do anything, a marker that marked nothing, and a summary that
claimed work it hadn't done.
🔓 The update check falls back to SSH
A broken RouterOS HTTPS handshake is the whole reason TikMan's SSH read path exists — monitoring,
topology, Wi-Fi names, logs and the config export all fall back to it. The update check was the one
that didn't, so on exactly the devices that need the fallback most it failed at the first step and
took the whole run down with it:
Update check failed: The SSL connection could not be established.
→ An existing connection was forcibly closed by the remote host.
Setting the channel and checking now go HTTPS REST → SSH CLI, like everything else. Not via the
plain-HTTP fallback, even when you've allowed it: this writes a setting with your password attached.
🧭 Backup and updates: only what can actually happen
- Pick what to save. Two tickboxes — configuration (
.rsc) and binary backup (.backup) — and
each device gets the intersection of what you asked for and what it can produce. Start is only
offered when that intersection isn't empty, so a disabled button tells you there's nothing to do
before the click instead of the log telling you after. - The lists hold what qualifies. The update list used to contain every device TikMan knows —
printers, IoT plugs, the lot. Updating is/system package update; those rows existed to be
scrolled past. Devices that can't be backed up grey out and say why on hover. - The runs count honestly. "2 updated" for a run that installed one update and left the other
device alone — because it was already current — is now "1 updated, 1 skipped, 0 failed". A backup
where the config saved but the binary didn't is partial, not saved: it was rounding to "done". - The binary backup is no longer silent. It was fetched and never mentioned: the log named the
.rscand the.backupsat next to it on disk, unlogged. Only failures were ever logged. - The folder is asked for every time. For something that writes files, confirming where they go
beats silently reusing a folder from an hour ago. - Both lists lead with type and vendor, and their columns share the width instead of being fixed
and clipped. Per-device progress lives in the log, which scrolls and can be read afterwards.
⬆️ The update channel says what you'd get
The channel dropdown reads 2026-06-02 7.23.1 (stable) — version and release date, in the place
where you choose, so the separate "Latest" column is gone. That's a read from MikroTik's public
server: it touches no device. Your device's channel is still only ever written when you install, and
the log now says which way it went (channel switched: "stable" → "long-term").
The bulk-update warning claimed edge-devices-first as if it were a law. It's a rule of thumb, and
CAPsMAN inverts it when the controller is set to carry its CAPs along (upgrade-policy). Both the
warning and the README say so now.
🚀 A calmer app
- The update check runs first, before anything touches the network, and the download gets a real
progress window instead of a status line that looked like a hang. - "No scan at startup" now means it. TikMan still queried every device on launch to refresh
monitoring — exactly what the setting turns off. Restored devices stay grey ("not checked yet")
instead of showing a green dot nobody verified. - The bottom bar is a banner that wraps, because most of what TikMan has to say is a sentence.
- The detail pane folds away with a chevron, and doesn't appear at all under the backup and update
assistants, which bring their own device list.
🐛 A PC running Spotify is not a speaker
mDNS was trusted ahead of everything, so any workstation with Spotify open — it advertises
_spotify-connect._tcp so you can cast to it — was filed as a "speaker", ahead of the RDP/WMI+SMB
signature that exists to say "this is a PC". An mDNS model is what a device is; an mDNS service is
only what happens to be running. Real speakers are unaffected.
Downloads
| File | Platform | Runtime |
|---|---|---|
TikMan-2.1.8-win-x64.exe |
Intel/AMD 64-bit | none (self-contained, ~68 MB) |
TikMan-2.1.8-win-x64-fdd.exe |
Intel/AMD 64-bit | .NET 10 Desktop Runtime (~12 MB) |
TikMan-2.1.8-win-arm64.exe |
ARM64 | none (self-contained, ~65 MB) |
TikMan-2.1.8-win-arm64-fdd.exe |
ARM64 | .NET 10 Desktop Runtime (~12 MB) |
When in doubt, take the self-contained build (-x64 or -arm64). The exes are unsigned, so Windows
SmartScreen shows an "unknown publisher" notice on first run — More info → Run anyway.
TikMan v2.0.0
A big release: TikMan now runs in your browser, talks to your devices securely by default, and reads
everything over SSH when a RouterOS device's HTTPS is broken. Highlights below.
🌐 Built-in web server (new)
Toggle it from the Web server menu (off by default) and manage the whole fleet from a browser —
even your phone. It runs in-process and mirrors the desktop app:
- Live device list (filter + sort), scan control with live progress, and the topology map.
- Per-device detail with Wake-on-LAN, set login, and backup download (config
.rscand
full binary.backup). - A full SSH terminal (xterm.js) and a VNC viewer (noVNC), right in the browser.
- Security: HTTP Basic auth is required; every credential- or screen-bearing action (login,
backup, terminal, VNC) is HTTPS-only and refused over plain HTTP. Bring your own certificate or
let TikMan generate and cache a self-signed one. Set the port, user and password under
Settings › Web.
🔒 Secure by default
Credentials and configuration now only ever travel over HTTPS or SSH. Plain HTTP is off unless
you turn it on (Settings › Connections). When it's off, a device that only answers over HTTP is
skipped with a hint instead of silently sending your password in clear text.
🔓 Full SSH fallback for RouterOS
Many RouterOS devices ship a broken HTTPS handshake. Instead of failing (or falling back to HTTP),
TikMan now reads everything over the encrypted SSH CLI when HTTPS doesn't work:
- Monitoring (CPU/RAM/uptime/version), the physical topology (bridge FDB + neighbours),
Wi-Fi network names (incl. CAPsMAN), and the device log. - Config export (
/export) and the full binary backup, and installing updates, all over SSH.
So a MikroTik with broken HTTPS is fully and securely usable — with no HTTP anywhere.
💾 Backup assistant
"Save backups" now opens an assistant (like the update one): pick the devices that have a login,
set the order, watch the progress. A checkbox additionally pulls the full binary .backup from
MikroTik devices (over SSH); other vendors ignore it.
🗺️ Topology & UI
- A "Building the map…" indicator while the forwarding tables are gathered, and a fix so the map
isn't flat right after restoring a saved device list. - A 🔑 column marking devices that have a stored login.
🐛 Notable fixes
- Settings and the device list now actually persist across restarts (they never did before — a
serialization bug reset everything to defaults on load). - Config backup no longer fails on
:443for RouterOS devices with a broken HTTPS stack.
Downloads
| File | Platform | Runtime |
|---|---|---|
TikMan-2.0.0-win-x64.exe |
Intel/AMD 64-bit | none (self-contained, ~68 MB) |
TikMan-2.0.0-win-x64-fdd.exe |
Intel/AMD 64-bit | .NET 10 Desktop Runtime (~12 MB) |
TikMan-2.0.0-win-arm64.exe |
ARM64 | none (self-contained, ~65 MB) |
TikMan-2.0.0-win-arm64-fdd.exe |
ARM64 | .NET 10 Desktop Runtime (~12 MB) |
When in doubt, take the self-contained build (-x64 or -arm64). The exes are unsigned, so Windows
SmartScreen shows an "unknown publisher" notice on first run — More info → Run anyway.
TikMan v1.10.27
New: "Check now" button in Settings
Until now, the update check only ran at startup. Settings › General now has a "Check now" button next to the update option that shows the result directly:
- Up to date: "Up to date (version X.Y)" (green)
- New version found: "Version X.Y 'Release Name' available" (orange) plus an "Update & restart" button that downloads immediately and replaces the running version in place
- Failed (offline / no matching package): "Check failed"
The startup check and the settings button share the same code (download → start new version → delete old one), including the already-hardened URL/filename validation. New strings in all 7 languages.
No signature/checksum check: A key or hash that lives on the same GitHub can be tampered with by the same attacker as the exe — it wouldn't improve security, only add complexity. Can be added later if there's a real need.
Downloads
| File | Platform | Runtime |
|---|---|---|
TikMan-1.10.27-win-x64.exe |
Intel/AMD 64-bit | none needed (self-contained, ~68 MB) |
TikMan-1.10.27-win-x64-fdd.exe |
Intel/AMD 64-bit | .NET 10 Desktop Runtime (~11 MB) |
TikMan-1.10.27-win-arm64.exe |
ARM64 | none needed (self-contained, ~64 MB) |
TikMan-1.10.27-win-arm64-fdd.exe |
ARM64 | .NET 10 Desktop Runtime (~11 MB) |
When in doubt, go with the self-contained variant (-x64 or -arm64).
TikMan v1.10.23
- Progress bar fix: the combined scan bar could start around 70 % on a second scan
or after clearing the list. It now averages only the phases the current scan actually
runs, and a phase counts as finished only once it has genuinely run – so the bar
starts at 0 % and climbs cleanly, in both normal and simple mode. - Set credentials now shows a message box asking you to select at least one device
first, instead of a quiet status-bar line that was easy to miss.
TikMan v1.10.22
Scanning
- Simple / corporate mode (toolbar checkbox, off by default): only the plain IPv4
address scan – the ping sweep and TCP port scan. No MNDP, ZON, IPv6 discovery, mDNS
or UPnP/SSDP packets, and no per-device SNMP/WMI/web probing. Nothing but ordinary
connections goes on the wire, so a locked-down corporate network won't flag it.
Devices are still classified from their OUI and open ports. - No automatic scan on startup (settings → General, off by default): TikMan starts
without scanning and waits for a manual "Scan".
Topology
- The topology and IP-distribution maps refresh at exactly one moment – when a scan
finishes (any scan: initial, manual, continuous, or the one after a credentials
change) – and never mid-scan. While a scan runs, an open map shows a small
"updating when the scan finishes" banner. - Fixes the map not updating after credentials were added: the follow-up scan now
rebuilds it on completion, so the new login's forwarding tables reach the map.
TikMan v1.10.20
Physical topology from the network itself
- New Topology tab: the gateway on top, then the real wiring, proven from the
switches' own forwarding tables (read over MikroTik REST, or SNMP for other
vendors). A device hangs off the exact switch port it's really on – "ether5",
"wifi1 (MyWLAN)" – drawn as a tidy tree: switches form the spine, clients cluster
beneath them. Drag, pan, zoom-to-pointer; auto-fits to the window. - IP address distribution tab: internet → address segments (cut at real prefix
boundaries into 4–8 slices) → devices, colour-coded by role. - Reads RouterOS over HTTP when its HTTPS handshake is broken, so the tables load
reliably. Traceroute fills in routed hops.
Discovery & classification
- mDNS/Bonjour + UPnP/SSDP: devices name themselves – iPhone vs iPad vs HomePod
vs Apple TV, Swisscom TV boxes, Sonos, Chromecasts – no router access needed. - Many new device kinds: smartphone, tablet, speaker, TV vs streaming box, games
console, payment terminal, franking machine, management controller (BMC/IP-KVM). - MikroTik split into router / switch / access point (even without a login), VMs
flagged by hypervisor MAC, printers/phones no longer mislabelled as servers. - AirPrint / AirScan badges on printers and scanners.
UI
- Settings grouped into tabs; Backup and Updates each get their own tab.
- Combined scan progress bar: red while finding devices, green once the list is
complete. Selected / filtered counts under the list. The search box matches the
protocol badges too ("snmp", "airprint", …). - RTSP camera badges open in VLC. Cleaner Wake-on-LAN wording. Firewalls shown as
their own type across many vendors. - A gentle banner points out that setting a login makes the readouts far richer.
TikMan v1.10.7
Discovery
- mDNS/Bonjour: devices state their own model – iPhone, iPad, HomePod and Apple TV
(one shared OUI, no open ports) are finally told apart; Sonos, Chromecast,
printers and NAS get named too. No router access, no credentials. - UPnP/SSDP: names the boxes nothing else can – Swisscom TV Box, smart TVs – with
the owner's own names ("Wohnzimmer unten") and the model (IP2000). - AirPrint / AirScan badges on printers and scanners (URF key / eSCL service),
with targeted TXT follow-ups and query repeats to beat mDNS answer suppression.
Topology (two new fullscreen tabs)
- Logical: internet → address ranges → devices, pastel-coloured by role.
- Physical: gateway on top, traceroute-derived paths – a device behind another
router visibly hangs behind it. Drag, pan, zoom-to-pointer; positions persist.
Classification
- New kinds: smartphone, tablet, speaker, TV set, streaming box, games console,
payment terminal, franking machine, management controller (BMC/IP-KVM). - TV vs streaming box by maker; HomePod vs Apple TV via HomeKit role.
- MikroTik split without credentials (MNDP board: CRS ⇒ switch, radio ⇒ AP).
- VMs flagged via hypervisor OUIs ("… (VM)"); SIP + shell ⇒ PBX, not a phone.
UI
- Settings dialog in four tabs; one combined scan progress bar (configurable).
- RTSP badges click through to the registered player (VLC).
- "Refresh all" button removed – a scan does the same.
TikMan v1.9.24
Firewall detection: generic across vendors, and no longer blind
Two fixes, one of which was quietly disabling the other:
-
The classifier never actually saw the model. It was handed
Model.Model, while
the model read over SNMP, WMI or the web UI lands elsewhere and is folded into the
model shown in the list. For a device known only over SNMP — which is every Zyxel
firewall — that field is empty, so the model-based rules had nothing to match. The
classifier is now given the same model text the list displays. -
Series names are matched as whole tokens, not substrings. The model is split on
non-alphanumerics and on letter/digit boundaries ("USG40" →usg,40), so "atp"
no longer fires inside "STRATPOINT" nor "usg" inside "BUSGATE". Matching runs in
three tiers:- Firewall-only vendors — Fortinet, Palo Alto, SonicWall, WatchGuard,
Check Point, Sophos, Stormshield, Clavister, Hillstone, Forcepoint, Netgate,
Endian, Untangle. - Unambiguous series — USG, USG FLEX, ZyWALL, ATP, NSG, FortiGate,
FortiWiFi, Firebox, XTM, Firepower, SRX, pfSense, OPNsense, IPFire, UDM/UXG,
CloudGen. - Short series, scoped to their maker — Sophos XG/XGS/SG/UTM, Cisco ASA/FTD,
Meraki MX, Palo Alto PA, SonicWall TZ/NSA, Fortinet FG, Zyxel VPN.
The scoping matters: XGS is a Sophos firewall but a Zyxel switch, and SG is a
Sophos firewall but a TP-Link switch. Zyxel switches, TP-Link TL-SG, Cisco Catalyst
and Juniper EX all stay switches. - Firewall-only vendors — Fortinet, Palo Alto, SonicWall, WatchGuard,
TikMan v1.9.23
Device types: utility gear is no longer filed as "Server"
Most devices on a LAN are utility gear — printers, copiers, phones, switches, access
points — that happen to serve a web UI. Anything with an open port used to end up as
"Server". Two things were wrong:
- The printer, SIP and RTSP ports were never scanned, so the rules that recognise
them outright could never fire. The scan now probes 515 (LPD), 554 (RTSP),
631 (IPP), 5060 (SIP) and 9100 (JetDirect), each with its own badge. - The classifier fell back to "has 80/443/22 ⇒ Server." It now trusts, in order:
the model line (firewall / printer / access point / phone — one vendor ships
firewalls, switches and APs under the same OUI), then the definitive services,
then the Windows signature (RDP, or WMI+SMB — which outranks the OUI), then
purpose-built makers, then a real mailbox server. Bare SMTP no longer implies
a server — that is what every copier's scan-to-mail listens on. A device with only a
web or SSH port is left unknown rather than mislabelled.
Fixed, all seen on a real scan:
- Toshiba e-STUDIO copier and Brother MFPs read as servers → now Printer
- Yealink desk phones and a Cisco SPA122 ATA read as servers/switches → now Phone
- Zyxel NWA access points read as switches → now Access Point
- A Windows workstation on a Zyxel-branded NIC read as a switch → now PC