Developer-first
One script to install. Manage with CLI or API. Embed where your team already works.
Outbound-only agent
Two static IPs
Embeddable console
Remote access that survives real networks.
Keep tunnels alive behind firewalls, allowlist predictable egress, and ship a branded operator console directly inside your product.
Works behind NAT + firewalls
CLI + API first
ARM + x86
Fleet
Device
Endpoints
Status
field-device-123
agent · Docker · outbound-only
shell.endpoint
https.endpoint
Healthy
edge-gateway-02
agent · systemd · outbound-only
embed.console
audit.stream
Healthy
Why CommandPlane
Predictable allowlisting, outbound-only networking, and an operator console that can live inside your app.
Features
Everything operators need
Less ceremony. More control. Built for production networks.
Predictable endpoints
Two IPs to allowlist. No surprise egress. No “what changed?” tickets.
White-label ready
Bring your domain, colors, and logo. Iframe the console in minutes.
Runs anywhere
Tiny daemon for ARM, x86, on-prem, and hybrid clouds.
How it works
Three steps
Onboard a device, claim endpoints, and ship the console.
01
Enroll the device
Run the signed install script. The daemon stays outbound-only and inherits your allowlist rules.
02
Claim your endpoints
Shell and web endpoints arrive with mTLS, roles, and audit trails—anchored to predictable egress.
03
Embed the console
Iframe a white-labeled operator console into your app and stream device controls where you need them.
Security
Guardrails, not speed bumps
Purpose-built controls for regulated environments and real operators.
mTLS + key rotation
Device keypairs, short-lived tokens, and org isolation by default.
Least privilege
Scoped endpoints, granular roles, and audits tied to predictable allowlisting.
Production ready
<2s auto-reconnect, HA gateways, and regional failover keep fleets online.
Get started
Try it in 60 seconds
Install with your signed link, confirm the agent, and embed the console—no inbound ports required.
# 1) Install + register via your signed link
curl -fsSL https://commandplane.com/i/<install-token> | sh
# 2) Verify the agent is running
sudo systemctl status commandplane-agent
# 3) Stream logs or run manually without systemd
sudo journalctl -u commandplane-agent -f
# ./commandplane-agent --config ./config.json
Outbound-only networking
Predictable allowlisting
Iframe-ready console