Skip to content

Releases: pgadient/TikMan

TikMan v2.2.0

Choose a tag to compare

@pgadient pgadient released this 16 Jul 23:27

📬 Scheduled update check (new)

Settings → Auto-check: once a day, at a time you pick, TikMan asks every RouterOS device with a
login whether it has an update, and e-mails you what it found.

It only checks — nothing is installed, and that's the design rather than a first step. A check
can't strand you: if it fails at 03:00, the worst case is a mail that doesn't arrive. Installing is
what reboots devices, and that stays a decision you make while you're watching.

  • Daily at HH:mm, with catch-up. TikMan is a desktop app, so the schedule only runs while it's
    open — a slot missed because the app was closed is run at the next opportunity rather than skipped.
  • Several recipients, comma-separated, and a choice between a mail after every run or only when
    there's an update or a failure.
  • A test button that sends with the settings as they are on screen. Find the typo now, not at
    03:00 in a mail that never arrives and can't report its own absence.
  • The SMTP password is DPAPI-encrypted, like every other password TikMan stores. An empty user
    means an unauthenticated relay.
  • Port 587 (STARTTLS). Port 465 (implicit TLS) isn't supported and says so up front rather than
    failing later as an unreadable timeout.

🔓 The update check falls back to SSH

A broken RouterOS HTTPS handshake is the whole reason TikMan's SSH read path exists — monitoring,
topology, Wi-Fi names, logs and the config export all fall back to it. The update check was the one
that didn't, so on exactly the devices that need the fallback most it failed at the first step and
took the whole run down with it. Setting the channel and checking now go HTTPS REST → SSH CLI,
like everything else. Not via the plain-HTTP fallback, even when you've allowed it: this writes a
setting with your password attached.

🧭 Backup and updates: only what can actually happen

  • Pick what to save — configuration (.rsc) and/or binary backup (.backup). Each device gets
    the intersection of what you asked for and what it can produce, and Start is only offered when
    that isn't empty
    .
  • The lists hold what qualifies. The update list used to contain every device TikMan knows,
    printers and IoT plugs included. Devices that can't be backed up grey out and say why on hover.
  • The runs count honestly. "2 updated" for a run that installed one update and skipped the other
    is now "1 updated, 1 skipped". A backup where the config saved but the binary didn't is partial.
  • The binary backup is no longer silent — it was fetched and never mentioned.
  • The folder is asked for every time, rather than silently reusing an hour-old choice.
  • The channel dropdown reads 2026-06-02 7.23.1 (stable): version and release date where you
    choose, so the separate "Latest" column is gone. It's a read from MikroTik's public server and
    touches no device; your device's channel is still only written when you install.

🚀 A calmer app

  • The update check runs first on startup, before anything touches the network, and the download
    gets a real progress window instead of a status line that looked like a hang.
  • "No scan at startup" now means it. Restored devices stay grey ("not checked yet") instead
    of a green dot nobody verified.
  • The bottom bar is a banner that wraps; the detail pane folds away with a chevron.
  • A PC running Spotify is not a speaker. mDNS was trusted ahead of everything, so a workstation
    advertising _spotify-connect._tcp was filed as a speaker, ahead of the RDP/WMI+SMB signature that
    exists to say "this is a PC".

The bulk-update warning claimed edge-devices-first as if it were a law. It's a rule of thumb, and
CAPsMAN inverts it when the controller carries its CAPs along (upgrade-policy).

Downloads

File Platform Runtime
TikMan-2.2.0-win-x64.exe Intel/AMD 64-bit none (self-contained, ~68 MB)
TikMan-2.2.0-win-x64-fdd.exe Intel/AMD 64-bit .NET 10 Desktop Runtime (~12 MB)
TikMan-2.2.0-win-arm64.exe ARM64 none (self-contained, ~65 MB)
TikMan-2.2.0-win-arm64-fdd.exe ARM64 .NET 10 Desktop Runtime (~12 MB)

When in doubt, take the self-contained build (-x64 or -arm64). The exes are unsigned, so Windows
SmartScreen shows an "unknown publisher" notice on first run — More info → Run anyway.

TikMan v2.1.8

Choose a tag to compare

@pgadient pgadient released this 16 Jul 22:50

Everything since 2.0.2, and nearly all of it came from using the thing: a device that wouldn't update,
a list full of rows that could never do anything, a marker that marked nothing, and a summary that
claimed work it hadn't done.

🔓 The update check falls back to SSH

A broken RouterOS HTTPS handshake is the whole reason TikMan's SSH read path exists — monitoring,
topology, Wi-Fi names, logs and the config export all fall back to it. The update check was the one
that didn't, so on exactly the devices that need the fallback most it failed at the first step and
took the whole run down with it:

Update check failed: The SSL connection could not be established.
→ An existing connection was forcibly closed by the remote host.

Setting the channel and checking now go HTTPS REST → SSH CLI, like everything else. Not via the
plain-HTTP fallback, even when you've allowed it: this writes a setting with your password attached.

🧭 Backup and updates: only what can actually happen

  • Pick what to save. Two tickboxes — configuration (.rsc) and binary backup (.backup) — and
    each device gets the intersection of what you asked for and what it can produce. Start is only
    offered when that intersection isn't empty
    , so a disabled button tells you there's nothing to do
    before the click instead of the log telling you after.
  • The lists hold what qualifies. The update list used to contain every device TikMan knows —
    printers, IoT plugs, the lot. Updating is /system package update; those rows existed to be
    scrolled past. Devices that can't be backed up grey out and say why on hover.
  • The runs count honestly. "2 updated" for a run that installed one update and left the other
    device alone — because it was already current — is now "1 updated, 1 skipped, 0 failed". A backup
    where the config saved but the binary didn't is partial, not saved: it was rounding to "done".
  • The binary backup is no longer silent. It was fetched and never mentioned: the log named the
    .rsc and the .backup sat next to it on disk, unlogged. Only failures were ever logged.
  • The folder is asked for every time. For something that writes files, confirming where they go
    beats silently reusing a folder from an hour ago.
  • Both lists lead with type and vendor, and their columns share the width instead of being fixed
    and clipped. Per-device progress lives in the log, which scrolls and can be read afterwards.

⬆️ The update channel says what you'd get

The channel dropdown reads 2026-06-02 7.23.1 (stable) — version and release date, in the place
where you choose, so the separate "Latest" column is gone. That's a read from MikroTik's public
server: it touches no device. Your device's channel is still only ever written when you install, and
the log now says which way it went (channel switched: "stable" → "long-term").

The bulk-update warning claimed edge-devices-first as if it were a law. It's a rule of thumb, and
CAPsMAN inverts it when the controller is set to carry its CAPs along (upgrade-policy). Both the
warning and the README say so now.

🚀 A calmer app

  • The update check runs first, before anything touches the network, and the download gets a real
    progress window instead of a status line that looked like a hang.
  • "No scan at startup" now means it. TikMan still queried every device on launch to refresh
    monitoring — exactly what the setting turns off. Restored devices stay grey ("not checked yet")
    instead of showing a green dot nobody verified.
  • The bottom bar is a banner that wraps, because most of what TikMan has to say is a sentence.
  • The detail pane folds away with a chevron, and doesn't appear at all under the backup and update
    assistants, which bring their own device list.

🐛 A PC running Spotify is not a speaker

mDNS was trusted ahead of everything, so any workstation with Spotify open — it advertises
_spotify-connect._tcp so you can cast to it — was filed as a "speaker", ahead of the RDP/WMI+SMB
signature that exists to say "this is a PC". An mDNS model is what a device is; an mDNS service is
only what happens to be running. Real speakers are unaffected.

Downloads

File Platform Runtime
TikMan-2.1.8-win-x64.exe Intel/AMD 64-bit none (self-contained, ~68 MB)
TikMan-2.1.8-win-x64-fdd.exe Intel/AMD 64-bit .NET 10 Desktop Runtime (~12 MB)
TikMan-2.1.8-win-arm64.exe ARM64 none (self-contained, ~65 MB)
TikMan-2.1.8-win-arm64-fdd.exe ARM64 .NET 10 Desktop Runtime (~12 MB)

When in doubt, take the self-contained build (-x64 or -arm64). The exes are unsigned, so Windows
SmartScreen shows an "unknown publisher" notice on first run — More info → Run anyway.

TikMan v2.0.0

Choose a tag to compare

@pgadient pgadient released this 15 Jul 23:11

A big release: TikMan now runs in your browser, talks to your devices securely by default, and reads
everything over SSH when a RouterOS device's HTTPS is broken. Highlights below.

🌐 Built-in web server (new)

Toggle it from the Web server menu (off by default) and manage the whole fleet from a browser —
even your phone. It runs in-process and mirrors the desktop app:

  • Live device list (filter + sort), scan control with live progress, and the topology map.
  • Per-device detail with Wake-on-LAN, set login, and backup download (config .rsc and
    full binary .backup).
  • A full SSH terminal (xterm.js) and a VNC viewer (noVNC), right in the browser.
  • Security: HTTP Basic auth is required; every credential- or screen-bearing action (login,
    backup, terminal, VNC) is HTTPS-only and refused over plain HTTP. Bring your own certificate or
    let TikMan generate and cache a self-signed one. Set the port, user and password under
    Settings › Web.

🔒 Secure by default

Credentials and configuration now only ever travel over HTTPS or SSH. Plain HTTP is off unless
you turn it on
(Settings › Connections). When it's off, a device that only answers over HTTP is
skipped with a hint instead of silently sending your password in clear text.

🔓 Full SSH fallback for RouterOS

Many RouterOS devices ship a broken HTTPS handshake. Instead of failing (or falling back to HTTP),
TikMan now reads everything over the encrypted SSH CLI when HTTPS doesn't work:

  • Monitoring (CPU/RAM/uptime/version), the physical topology (bridge FDB + neighbours),
    Wi-Fi network names (incl. CAPsMAN), and the device log.
  • Config export (/export) and the full binary backup, and installing updates, all over SSH.

So a MikroTik with broken HTTPS is fully and securely usable — with no HTTP anywhere.

💾 Backup assistant

"Save backups" now opens an assistant (like the update one): pick the devices that have a login,
set the order, watch the progress. A checkbox additionally pulls the full binary .backup from
MikroTik devices (over SSH); other vendors ignore it.

🗺️ Topology & UI

  • A "Building the map…" indicator while the forwarding tables are gathered, and a fix so the map
    isn't flat right after restoring a saved device list.
  • A 🔑 column marking devices that have a stored login.

🐛 Notable fixes

  • Settings and the device list now actually persist across restarts (they never did before — a
    serialization bug reset everything to defaults on load).
  • Config backup no longer fails on :443 for RouterOS devices with a broken HTTPS stack.

Downloads

File Platform Runtime
TikMan-2.0.0-win-x64.exe Intel/AMD 64-bit none (self-contained, ~68 MB)
TikMan-2.0.0-win-x64-fdd.exe Intel/AMD 64-bit .NET 10 Desktop Runtime (~12 MB)
TikMan-2.0.0-win-arm64.exe ARM64 none (self-contained, ~65 MB)
TikMan-2.0.0-win-arm64-fdd.exe ARM64 .NET 10 Desktop Runtime (~12 MB)

When in doubt, take the self-contained build (-x64 or -arm64). The exes are unsigned, so Windows
SmartScreen shows an "unknown publisher" notice on first run — More info → Run anyway.

TikMan v1.10.27

Choose a tag to compare

@pgadient pgadient released this 15 Jul 18:49

New: "Check now" button in Settings

Until now, the update check only ran at startup. Settings › General now has a "Check now" button next to the update option that shows the result directly:

  • Up to date: "Up to date (version X.Y)" (green)
  • New version found: "Version X.Y 'Release Name' available" (orange) plus an "Update & restart" button that downloads immediately and replaces the running version in place
  • Failed (offline / no matching package): "Check failed"
    The startup check and the settings button share the same code (download → start new version → delete old one), including the already-hardened URL/filename validation. New strings in all 7 languages.

No signature/checksum check: A key or hash that lives on the same GitHub can be tampered with by the same attacker as the exe — it wouldn't improve security, only add complexity. Can be added later if there's a real need.

Downloads

File Platform Runtime
TikMan-1.10.27-win-x64.exe Intel/AMD 64-bit none needed (self-contained, ~68 MB)
TikMan-1.10.27-win-x64-fdd.exe Intel/AMD 64-bit .NET 10 Desktop Runtime (~11 MB)
TikMan-1.10.27-win-arm64.exe ARM64 none needed (self-contained, ~64 MB)
TikMan-1.10.27-win-arm64-fdd.exe ARM64 .NET 10 Desktop Runtime (~11 MB)

When in doubt, go with the self-contained variant (-x64 or -arm64).

TikMan v1.10.23

Choose a tag to compare

@pgadient pgadient released this 15 Jul 17:56
  • Progress bar fix: the combined scan bar could start around 70 % on a second scan
    or after clearing the list. It now averages only the phases the current scan actually
    runs, and a phase counts as finished only once it has genuinely run – so the bar
    starts at 0 % and climbs cleanly, in both normal and simple mode.
  • Set credentials now shows a message box asking you to select at least one device
    first, instead of a quiet status-bar line that was easy to miss.

TikMan v1.10.22

Choose a tag to compare

@pgadient pgadient released this 15 Jul 12:05

Scanning

  • Simple / corporate mode (toolbar checkbox, off by default): only the plain IPv4
    address scan – the ping sweep and TCP port scan. No MNDP, ZON, IPv6 discovery, mDNS
    or UPnP/SSDP packets, and no per-device SNMP/WMI/web probing. Nothing but ordinary
    connections goes on the wire, so a locked-down corporate network won't flag it.
    Devices are still classified from their OUI and open ports.
  • No automatic scan on startup (settings → General, off by default): TikMan starts
    without scanning and waits for a manual "Scan".

Topology

  • The topology and IP-distribution maps refresh at exactly one moment – when a scan
    finishes (any scan: initial, manual, continuous, or the one after a credentials
    change) – and never mid-scan. While a scan runs, an open map shows a small
    "updating when the scan finishes" banner.
  • Fixes the map not updating after credentials were added: the follow-up scan now
    rebuilds it on completion, so the new login's forwarding tables reach the map.

TikMan v1.10.20

Choose a tag to compare

@pgadient pgadient released this 15 Jul 10:45

Physical topology from the network itself

  • New Topology tab: the gateway on top, then the real wiring, proven from the
    switches' own forwarding tables (read over MikroTik REST, or SNMP for other
    vendors). A device hangs off the exact switch port it's really on – "ether5",
    "wifi1 (MyWLAN)" – drawn as a tidy tree: switches form the spine, clients cluster
    beneath them. Drag, pan, zoom-to-pointer; auto-fits to the window.
  • IP address distribution tab: internet → address segments (cut at real prefix
    boundaries into 4–8 slices) → devices, colour-coded by role.
  • Reads RouterOS over HTTP when its HTTPS handshake is broken, so the tables load
    reliably. Traceroute fills in routed hops.

Discovery & classification

  • mDNS/Bonjour + UPnP/SSDP: devices name themselves – iPhone vs iPad vs HomePod
    vs Apple TV, Swisscom TV boxes, Sonos, Chromecasts – no router access needed.
  • Many new device kinds: smartphone, tablet, speaker, TV vs streaming box, games
    console, payment terminal, franking machine, management controller (BMC/IP-KVM).
  • MikroTik split into router / switch / access point (even without a login), VMs
    flagged by hypervisor MAC, printers/phones no longer mislabelled as servers.
  • AirPrint / AirScan badges on printers and scanners.

UI

  • Settings grouped into tabs; Backup and Updates each get their own tab.
  • Combined scan progress bar: red while finding devices, green once the list is
    complete. Selected / filtered counts under the list. The search box matches the
    protocol badges too ("snmp", "airprint", …).
  • RTSP camera badges open in VLC. Cleaner Wake-on-LAN wording. Firewalls shown as
    their own type across many vendors.
  • A gentle banner points out that setting a login makes the readouts far richer.

TikMan v1.10.7

Choose a tag to compare

@pgadient pgadient released this 14 Jul 21:07

Discovery

  • mDNS/Bonjour: devices state their own model – iPhone, iPad, HomePod and Apple TV
    (one shared OUI, no open ports) are finally told apart; Sonos, Chromecast,
    printers and NAS get named too. No router access, no credentials.
  • UPnP/SSDP: names the boxes nothing else can – Swisscom TV Box, smart TVs – with
    the owner's own names ("Wohnzimmer unten") and the model (IP2000).
  • AirPrint / AirScan badges on printers and scanners (URF key / eSCL service),
    with targeted TXT follow-ups and query repeats to beat mDNS answer suppression.

Topology (two new fullscreen tabs)

  • Logical: internet → address ranges → devices, pastel-coloured by role.
  • Physical: gateway on top, traceroute-derived paths – a device behind another
    router visibly hangs behind it. Drag, pan, zoom-to-pointer; positions persist.

Classification

  • New kinds: smartphone, tablet, speaker, TV set, streaming box, games console,
    payment terminal, franking machine, management controller (BMC/IP-KVM).
  • TV vs streaming box by maker; HomePod vs Apple TV via HomeKit role.
  • MikroTik split without credentials (MNDP board: CRS ⇒ switch, radio ⇒ AP).
  • VMs flagged via hypervisor OUIs ("… (VM)"); SIP + shell ⇒ PBX, not a phone.

UI

  • Settings dialog in four tabs; one combined scan progress bar (configurable).
  • RTSP badges click through to the registered player (VLC).
  • "Refresh all" button removed – a scan does the same.

TikMan v1.9.24

Choose a tag to compare

@pgadient pgadient released this 14 Jul 18:03

Firewall detection: generic across vendors, and no longer blind

Two fixes, one of which was quietly disabling the other:

  • The classifier never actually saw the model. It was handed Model.Model, while
    the model read over SNMP, WMI or the web UI lands elsewhere and is folded into the
    model shown in the list. For a device known only over SNMP — which is every Zyxel
    firewall — that field is empty, so the model-based rules had nothing to match. The
    classifier is now given the same model text the list displays.

  • Series names are matched as whole tokens, not substrings. The model is split on
    non-alphanumerics and on letter/digit boundaries ("USG40" → usg, 40), so "atp"
    no longer fires inside "STRATPOINT" nor "usg" inside "BUSGATE". Matching runs in
    three tiers:

    1. Firewall-only vendors — Fortinet, Palo Alto, SonicWall, WatchGuard,
      Check Point, Sophos, Stormshield, Clavister, Hillstone, Forcepoint, Netgate,
      Endian, Untangle.
    2. Unambiguous series — USG, USG FLEX, ZyWALL, ATP, NSG, FortiGate,
      FortiWiFi, Firebox, XTM, Firepower, SRX, pfSense, OPNsense, IPFire, UDM/UXG,
      CloudGen.
    3. Short series, scoped to their maker — Sophos XG/XGS/SG/UTM, Cisco ASA/FTD,
      Meraki MX, Palo Alto PA, SonicWall TZ/NSA, Fortinet FG, Zyxel VPN.

    The scoping matters: XGS is a Sophos firewall but a Zyxel switch, and SG is a
    Sophos firewall but a TP-Link switch. Zyxel switches, TP-Link TL-SG, Cisco Catalyst
    and Juniper EX all stay switches.

TikMan v1.9.23

Choose a tag to compare

@pgadient pgadient released this 14 Jul 16:42

Device types: utility gear is no longer filed as "Server"

Most devices on a LAN are utility gear — printers, copiers, phones, switches, access
points — that happen to serve a web UI. Anything with an open port used to end up as
"Server". Two things were wrong:

  • The printer, SIP and RTSP ports were never scanned, so the rules that recognise
    them outright could never fire. The scan now probes 515 (LPD), 554 (RTSP),
    631 (IPP), 5060 (SIP) and 9100 (JetDirect)
    , each with its own badge.
  • The classifier fell back to "has 80/443/22 ⇒ Server." It now trusts, in order:
    the model line (firewall / printer / access point / phone — one vendor ships
    firewalls, switches and APs under the same OUI), then the definitive services,
    then the Windows signature (RDP, or WMI+SMB — which outranks the OUI), then
    purpose-built makers, then a real mailbox server. Bare SMTP no longer implies
    a server — that is what every copier's scan-to-mail listens on. A device with only a
    web or SSH port is left unknown rather than mislabelled.

Fixed, all seen on a real scan:

  • Toshiba e-STUDIO copier and Brother MFPs read as servers → now Printer
  • Yealink desk phones and a Cisco SPA122 ATA read as servers/switches → now Phone
  • Zyxel NWA access points read as switches → now Access Point
  • A Windows workstation on a Zyxel-branded NIC read as a switch → now PC