How to Migrate from Datto RMM to TacticalRMM
Kristina Shkriabina
Step-by-step guide for MSPs switching from Datto RMM to TacticalRMM. Covers pre-migration audit, agent deployment, feature mapping, and cost comparison.
Kaseya ended high-watermark billing for Datto RMM on December 1, 2025. The change is called Committed Minimum Quantity (CMQ). What it means in practice: the 10% overage buffer is gone, billing is now calculated from actual device count at the end of each month, and you pay for every endpoint whether it's active or just sitting in inventory. MSPs who built their pricing around the old model are suddenly paying more for the same devices.
That's not the whole picture. Kaseya 365 pricing is moving from $3.99 toward $5.25 per endpoint, Kaseya laid off 250 employees in early 2026, and the full product stack continues to consolidate under one roof. Each of those things alone is manageable. Together they're a credible reason to start looking.
If you're one of the MSPs who has decided to migrate from Datto RMM to TacticalRMM, this is the practical guide you need. Not a pitch – a step-by-step walkthrough of what the migration actually involves, what TacticalRMM does well, what it doesn't, and what the math looks like on the other side.
Why MSPs Are Leaving Datto RMM
The billing model change is the trigger for a lot of shops right now, but it's worth understanding the full cost picture.
Under high-watermark billing, your monthly charge was based on the highest number of devices you had active in a given period. That created natural pricing buffer – you could onboard a new client, ramp up devices, and not pay for every endpoint immediately. CMQ eliminates that. Your bill now reflects actual device count at midnight UTC on the last day of each month. No buffer. No overage forgiveness.
For an MSP running 500 endpoints with 10–15% swing from onboarding and offboarding, that change adds up. At $2.89/endpoint (the commonly cited Kaseya 365 bundled rate), a 50-device swing is $145/month – $1,740/year – on billing mechanics alone, before any rate increase.
The platform uncertainty compounds the cost math. Kaseya has acquired and consolidated a significant number of MSP tools across its portfolio. When a major vendor lays off 250 people in a single quarter, it's reasonable to ask which products are investment priorities and which are in maintenance mode. Datto RMM hasn't been end-of-lifed, but the trajectory matters to shops planning three to five years out.
MSPs who have migrated to open-source RMM stacks – TacticalRMM plus MeshCentral, often paired with Wazuh for SIEM – consistently report 30–50% reductions in software licensing costs. That data point comes from MSPs who made the switch, not from vendors promising savings. The full breakdown is in the open-source RMM software guide on OpenMSP.
What Is TacticalRMM?
TacticalRMM is a source-available, self-hosted RMM built on Django (backend API), Vue.js (frontend), and Go (agent). The source code is on GitHub at amidaware/tacticalrmm. "Source-available" means you can read and modify the code, but it isn't OSI-certified open source – the license restricts commercial redistribution.
What it does: remote monitoring, automated patch management, script execution across Windows, Linux, and macOS, custom alert policies, and remote access via MeshCentral integration. Scripting supports PowerShell, Python, and shell. The agent talks to your TacticalRMM server – there's no cloud intermediary, no vendor routing your data through their infrastructure.
What it doesn't do: there's no built-in PSA, no native client portal, no managed hosting option. You own the server. You handle updates. You're the support tier one when something breaks. For shops accustomed to submitting a ticket to Datto, that's a real operational shift.
Two things worth knowing before you start:
The community is active. TacticalRMM has approximately 5,779 Discord members and a well-maintained documentation site at docs.tacticalrmm.com. Most deployment questions have been answered somewhere in the community.
Code-signed Windows agents require a $50/month GitHub sponsorship of the amidaware organization. Unsigned agents work fine on Linux and macOS, but Windows environments with strict code-signing policies need the sponsorship. It's not hidden – the docs are upfront about it. Factor it into your cost model.
For TacticalRMM's full feature breakdown, see the OpenMSP vendor page.
Before You Migrate – Pre-Migration Checklist
There's no automated migration script from Datto RMM to TacticalRMM. This is a manual process. How long it takes depends on your device count, how well-documented your current Datto configuration is, and whether you do a phased rollout or a hard cutover.
Before you touch a single agent, get these things done:
Audit your current Datto RMM environment. Count every device by OS (Windows, Linux, macOS). Document your site and client structure. Export all your automation policies, scripts, alert configurations, and monitoring checks. Datto's export options are limited – screenshot anything that doesn't export cleanly, because you'll be rebuilding these from scratch in TacticalRMM.
Set up your TacticalRMM server. Minimum specs: 2 vCPU, 4GB RAM, running Debian 12 or Ubuntu 22.04 LTS. A standard $20–$40/month VPS from Hetzner, Vultr, or DigitalOcean handles most small-to-mid MSP deployments. TacticalRMM doesn't support cloud-hosted managed options – you're running this yourself.
Configure DNS before anything else. TacticalRMM requires three separate subdomains pointing to your server: rmm., api., and mesh.. These can be on any domain you control. Critical note from the official docs: TacticalRMM doesn't support changing DNS names after deployment. A rename later requires a paid migration. Choose your subdomains carefully and lock them in before you install.
Decide: phased rollout or cutover. Phased means you run both platforms in parallel per client – you migrate one client at a time over several weeks while Datto stays active. Cutover means you move all agents at once. Phased is lower risk and lets you troubleshoot by client. Cutover is faster but creates a period where you're managing two RMM consoles simultaneously. Most shops with 300+ devices choose phased.
Budget your time honestly. Expect 20–40 hours for a clean migration on a 200–500 device environment. That's server setup, DNS configuration, agent deployment, script migration, and alert policy rebuild. It's a one-time cost, but it's real.
Step-by-Step Migration Process
Here's the migration sequence in order. Follow it linearly – skipping the server setup steps to rush agent deployment creates problems that take longer to fix than doing it right.
Step 1: Deploy your TacticalRMM server. Run the official install script on a fresh Debian 12 or Ubuntu 22.04 VPS. The installer handles Nginx, PostgreSQL, Redis, and the Django backend. Full instructions are at docs.tacticalrmm.com/install_server.
Step 2: Configure your DNS records. Create A records for rmm.yourdomain.com, api.yourdomain.com, and mesh.yourdomain.com, all pointing to your server's IP. After DNS propagates, open each subdomain in a browser and accept the HTTPS certificate before you log in for the first time. Skipping this step causes a "Backend is offline" error on first login that confuses a lot of first-time installers.
Step 3: Create your client and site structure. TacticalRMM organizes devices under Clients → Sites, which maps directly to Datto RMM's Sites → Devices structure. Rebuild your hierarchy here before deploying a single agent. Deploying agents first and reorganizing later is painful at scale.
Step 4: Generate deployment scripts per client. From the TacticalRMM console, generate an agent installer for each site. Each installer embeds the site and client assignment, so agents self-register in the right place on first check-in. Don't reuse a single installer across clients.
Step 5: Deploy agents. Windows: use Group Policy to push the MSI silently, or run the installer manually on each endpoint if GPO isn't available. Linux: run the one-line shell script from the TacticalRMM console. macOS: community-maintained installer scripts work on supported macOS versions, though macOS agent support is less polished than Windows.
Step 6: Migrate your automation scripts. PowerShell scripts from Datto RMM copy across with minimal modification. Python scripts run natively. Shell scripts for Linux/macOS carry over directly. Rebuild your script library in TacticalRMM's Script Manager, test each one on a non-production device before deploying broadly.
Step 7: Rebuild alert policies and monitoring checks. TacticalRMM handles alerts through Check policies (CPU, disk, memory, service state, script output) and Alert Templates. There's no import from Datto – you're rebuilding these manually. Prioritize your most critical alerts first and work down.
Step 8: Run both platforms in parallel. Keep Datto agents installed on all endpoints while you validate TacticalRMM coverage. Two to four weeks of parallel operation gives you confidence that checks are firing correctly, patch policies are working, and your techs are comfortable in the new console before you remove the fallback.
Step 9: Remove Datto agents. Once you've validated TacticalRMM coverage per client, uninstall Datto RMM agents. This can be done via Datto's mass-offboard feature or scripted through TacticalRMM once agents are confirmed active.
Step 10: Cancel your Datto RMM contract. Check your contract cancellation window before you start the migration. Datto RMM contracts typically require 30–60 days written notice. Time your Datto cancellation so it lands after your parallel validation period ends.
Feature Mapping – Datto RMM vs. TacticalRMM
| Feature | Datto RMM | TacticalRMM |
|---|---|---|
| Pricing | Per-endpoint, undisclosed (~$2.89 bundled) | $0 licensing (code-signed agents: $50/mo) |
| Licensing model | Vendor contract, CMQ billing | Source-available, self-hosted |
| Remote access | Built-in | MeshCentral integration |
| Patch management | Yes | Yes |
| Scripting | PowerShell, batch | PowerShell, Python, shell |
| macOS/Linux agents | Limited | Yes (community scripts) |
| PSA integration | Autotask (Kaseya ecosystem) | API-based, bring your own PSA |
| Client portal | Yes | No (custom dev required) |
| Self-hosted | No (cloud-only) | Yes |
| Contract required | Yes | No |
| Source-available | No | Yes |
| Managed hosting | Yes | No |
What TacticalRMM Won't Give You
This section matters more than the feature table. The table shows functional parity. This section shows where you'll actually feel the gap.
No managed hosting. You own the server, the updates, and the backups. If your TacticalRMM server goes down at 2am, you're the one who fixes it. Factor in the operational overhead for a small team – it's not huge, but it's real. A well-configured VPS with monitoring and automated backups reduces this risk significantly.
No built-in PSA. Datto RMM plugs into Autotask (also Kaseya). TacticalRMM has no PSA – you pair it with whatever you're using. ITFlow is the zero-cost option for PSA. HaloPSA integrates cleanly via API. SuperOps bundles PSA and RMM if you want to consolidate further.
No client portal. Datto gives clients a self-service portal. TacticalRMM doesn't have one out of the box. If client-facing portal access is part of your service offering, this is a gap that requires custom work or a separate tool.
Community support only. There's no SLA, no phone number, no support queue. The TacticalRMM Discord is responsive and the documentation is solid, but if you need a vendor-backed support contract, TacticalRMM isn't that.
Code-signed Windows agents cost $50/month. Not a dealbreaker, but it's a real cost to include in your model. Unsigned agents work for most Linux and macOS deployments.
Real Cost Math
Here's what the switch actually saves a mid-size MSP.
Scenario: 300-endpoint MSP currently on Datto RMM
Datto RMM at the commonly cited ~$2.89/endpoint bundled rate: $867/month, or $10,404/year.
TacticalRMM: $0 licensing + $50/month code-signed agent sponsorship + ~$40/month VPS (2 vCPU, 4GB RAM on Hetzner or Vultr) = $90/month, or $1,080/year.
Annual savings: ~$9,300 on RMM licensing alone.
That number doesn't include SIEM, backup, or PSA – which most MSPs are also paying separately on the Kaseya stack. It also doesn't include the one-time labor cost of migration: budget 20–40 hours of setup time, which is a real expense but a one-time one.
The open-source MSP tools directory maps the full stack replacement picture – every tool category, with community-vetted alternatives to the commercial platforms most MSPs are paying for today.
Frequently Asked Questions
Is TacticalRMM actually free?
The software itself is free – $0 licensing cost. Code-signed Windows agents require a $50/month GitHub sponsorship of amidaware. You also pay for the VPS to host your server, typically $20–$40/month. Total all-in cost for most MSPs: $70–$90/month regardless of device count.
How long does a Datto RMM to TacticalRMM migration take?
For a 200–500 device environment doing a phased rollout, budget 20–40 hours of technical work over 4–6 weeks. That covers server setup, DNS configuration, agent deployment, script migration, and alert policy rebuild. Larger environments or complex automation configurations take longer. There's no automated migration tool – everything is manual.
Does TacticalRMM have a client portal like Datto?
No. TacticalRMM doesn't include a client-facing portal. If you currently use Datto's client portal as part of your service delivery, you'll need to either build something custom or find a separate tool to fill that gap. This is one of the more meaningful functional differences between the two platforms.
Can I run TacticalRMM and Datto RMM in parallel during migration?
Yes, and you should. Running both platforms simultaneously for 2–4 weeks per client is the standard migration approach. Agents from both platforms can coexist on the same endpoints. Use that parallel period to validate TacticalRMM coverage, test your alert policies, and confirm your techs are comfortable before you remove Datto agents.
What PSA works best with TacticalRMM?
TacticalRMM doesn't ship with a PSA and doesn't have a preferred integration. The most common community pairings: HaloPSA for mid-market shops that need deep billing customization, Syncro for smaller shops that want PSA and RMM bundled at a flat rate, and ITFlow for shops that want zero licensing cost and are comfortable with a self-hosted PSA.
Is TacticalRMM secure enough for enterprise clients?
TacticalRMM uses TLS for all agent-to-server communication, supports MFA on the console, and gives you full control over your server configuration and network exposure. The self-hosted architecture means your client data stays on infrastructure you control – no third-party cloud routing. For clients in regulated industries (healthcare, finance), the self-hosted model is often a feature, not a concern. The community has documented security hardening configurations extensively.
The Decision You're Actually Making
The migration is 30–40 hours of work. The savings are $8,000–$12,000 a year for a typical mid-size shop, every year, compounding as you add devices. That's the math.
But the more durable reason to switch isn't the cost – it's the control. With TacticalRMM, your RMM pricing doesn't change because a private equity firm decided to restructure billing. Your platform doesn't get sunset because an acquirer is consolidating products. Your agent data doesn't route through infrastructure you don't own.
That's what the migration actually buys you.
The OpenMSP community has MSPs at every stage of this switch – from shops just auditing their first Datto export to teams six months post-migration comparing notes on alert policy configurations. If you're starting this process, that's where to go.
Kristina Shkriabina
Our flock's megaphone – once a correspondent for Ukraine's Public Broadcasting Company, now the one making sure Flamingo and OpenMSP sound exactly like what they are: direct, useful, and built for MSPs. She runs content and community, writes about stack decisions and marketing strategy.