Seamless Ninja RMM and Nanitor CTEM Integration for MSPs

2025-04-02    3730 words    19 minutes
nanitor security rmm ctem ninjarmm ninja

Background

This guide walks you through setting up Nanitor with Ninja RMM in a multi-tenant environment. Nanitor is designed with MSSPs in mind — a top-level organization is used to centrally manage global settings, while each customer exists as a child organization beneath it. This structure allows the MSSP to enforce security policies while ensuring customers only see data relevant to their own organization.

Each Nanitor organization has a unique SignupURL, which is used during agent deployment to ensure devices are registered under the correct customer.

Since Ninja RMM does not support organization-level variables, the SignupURL must be hardcoded into each automation script. As a result, separate scheduled tasks are needed per customer when installing the Nanitor agent. However, the Nanitor Agent Monitor script requires no parameters, allowing you to reuse a single task across all organizations for daily status synchronization.

By the end of this guide, you’ll have a fully functional Ninja RMM setup with per-organization agent installation tasks, and a shared monitoring task that keeps Nanitor data synced through global custom fields.

Preparing Nanitor

Before we begin, ensure you have access to a running Nanitor CTEM server. In this guide, we'll use https://rmmtest.nanitor.net as our example MSSP instance. Here, rmmtest represents the top-level organization, serving as the parent for all customer organizations.

In our example, we'll focus on a customer organization named CompanyA, which has rmmtest as its parent. Our goal is to deploy a Ninja RMM task that installs the Nanitor agent and registers it under the CompanyA organization.

To get started, open the admin page for CompanyA within the Nanitor portal and locate the Signup URL. Copy this URL and store it securely, it will look something like: https://rmmtest.nanitor.net/api/agent_signup_key/...

Preparing Ninja RMM

Creating the Organization

Start by creating the CompanyA organization in Ninja RMM. Navigate to AdministrationOrganizations and click Create New Organization.

Once saved, the organization will appear in your list and be ready for use.

Creating Global Custom Fields

To synchronize data from Nanitor CTEM into Ninja RMM for each device, we’ll use global custom fields. These fields only need to be created once, as they are defined at the system level.

Go to AdministrationDevicesGlobal Custom Fields and create the following fields, all using the Device scope:

Field Name Label Type Required
nanitorDeviceUrl Nanitor Device URL URL No
nanitorHealthScore Nanitor Health Score Decimal No
nanitorCriticalIssues Nanitor Critical Issues Text No
nanitorAgentVersion Nanitor Agent Version Text No
nanitorAgentUpgradeAvailable Nanitor Agent Upgrade Available Text No


After completing this step, the global custom fields should be visible and ready to be populated by the Nanitor scripts.

Create Ninja Scripts for Nanitor

Next, we'll create two automation scripts in Ninja RMM:

  • Nanitor CTEM Agent Installer [WIN] – installs the Nanitor agent on Windows desktops and servers.
  • Nanitor CTEM Agent Monitor [WIN] – syncs agent data from Nanitor CTEM and updates global custom fields in Ninja RMM.

Nanitor CTEM Agent Installer [WIN]

Navigate to AdministrationLibraryAutomation, click AddNew Script, and configure the script with the following settings:

  • Name: Nanitor CTEM Agent Installer [WIN]
  • Description: Nanitor CTEM Agent Installer for Windows Desktops and Servers.
  • Categories: Maintenance
  • Architecture: All
  • RunAs: System

Under Script Variables, create:

  • Name: NANITOR_SIGNUP_URL
  • Description: Nanitor Signup URL represents the Signup URL for a Nanitor organization.
  • Mandatory: Enabled
  • Default Value: (leave empty)

Then paste the installer script and click Save.

<# Nanitor Agent Installer for Ninja RMM :: Build 6, March 2025
   This script installs the Nanitor CTEM Agent on Windows devices. 

   It requires the NANITOR_SIGNUP_URL variable to be set before execution.
#>

$INSTALLER_DIR = "${env:TEMP}\nanitor-ninja-installer"

Write-Host "Nanitor CTEM Agent Installer for Ninja RMM"
Write-Host "- InstallerDir: $INSTALLER_DIR"
Write-Host "====================================================="

# Remove the existing installer directory if it exists
if (Test-Path $INSTALLER_DIR) {
    Remove-Item -Recurse -Force $INSTALLER_DIR
}

# Create the installer directory
New-Item -ItemType Directory -Force -Path $INSTALLER_DIR

# Change the working directory to the installer directory
Set-Location $INSTALLER_DIR

Start-Transcript -Path "$INSTALLER_DIR\install-ninja.log"

#region Ensure Nanitor is not already present -----------------------------------------------------------------

Write-Host "- Checking if Nanitor CTEM Agent is already installed..."
if (Test-Path 'C:\ProgramData\Nanitor\Nanitor Agent\nanitor.db') {
    Write-Host "! NOTICE: Nanitor CTEM Agent appears to be installed. Skipping reinstallation."
    exit 0
}

#region Signup URL Checks -------------------------------------------------------------------------------------
$nanitorSignupURL = $env:NANITOR_SIGNUP_URL
if (!$nanitorSignupURL) {
    write-host "! ERROR: No Nanitor Signup URL supplied."
    write-host "  The Nanitor CTEM Agent requires a Signup URL to validate installation."
    write-host "  Please provide it via the Ninja Script variable."
    exit 1
}

if ($nanitorSignupURL -NotLike 'https://*') {
    write-host "! ERROR: Nanitor Signup URL should start with 'https://'."
    exit 1
}

write-host "- Nanitor Signup URL: $nanitorSignupURL"

#region Bitness Checks ----------------------------------------------------------------------------------------

$osArchitecture = (Get-CimInstance Win32_OperatingSystem).OSArchitecture
$procArchitecture = (Get-CimInstance Win32_Processor).Architecture

Write-Host "- Detected OS Architecture: $osArchitecture"
Write-Host "- Detected Processor Architecture: $procArchitecture"

switch ($osArchitecture) {
    "32-bit" {
        $varArch='i386'
        Write-Host "- System is 32-bit (x86)"
    }
    "64-bit" {
        switch ($procArchitecture) {
            9 {
                $varArch='amd64'
                Write-Host "- System is 64-bit (x86-64)"
            }
            12 {
                Write-Host "! ERROR: Arm64 architecture detected."
                Write-Host "  Arm64 is not supported at this time."
                exit 1
            }
            default {
                Write-Host "! ERROR: Unknown processor architecture ($procArchitecture)"
                exit 1
            }
        }
    }
    default {
        Write-Host "! ERROR: Unknown OS architecture ($osArchitecture)"
        exit 1
    }
}

#region Download/Verify Installer -----------------------------------------------------------------------------

$downloadUrl="https://nanitor.io/agents/nanitor-agent-latest_$varArch.msi"
write-host "- Download URL: $downloadUrl"

#download......................................................................................................
[Net.ServicePointManager]::SecurityProtocol=[Enum]::ToObject([Net.SecurityProtocolType], 3072)
$script:WebClient=New-Object System.Net.WebClient
$script:webClient.UseDefaultCredentials = $true
$script:webClient.Headers.Add("X-FORMS_BASED_AUTH_ACCEPTED", "f")
$script:webClient.Headers.Add([System.Net.HttpRequestHeader]::UserAgent, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;)')
$script:webClient.DownloadFile("$downloadUrl", "$INSTALLER_DIR\nanitorAgent.msi")

#verify........................................................................................................
$varChain=New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
try {
    $varChain.Build((Get-AuthenticodeSignature -FilePath "$INSTALLER_DIR\nanitorAgent.msi").SignerCertificate) | out-null
} catch {
    write-host "! ERROR: Unable to verify digital signature for Agent installer."
    write-host "  Please ensure your device is able to access https://nanitor.io."
    exit 1
}

if (($varChain.ChainElements | % {$_.Certificate} | ? {$_.Subject -match "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1"}).Thumbprint -ne '7B0F360B775F76C94A12CA48445AA2D2A875701C') {
    write-host "! ERROR: Digital signature for Agent installer did not match expected values."
    write-host "  Please contact Nanitor support."
    exit 1
}

#region Install -----------------------------------------------------------------------------------------------

$varInstaller=Start-Process "msiexec.exe" -ArgumentList "/i `"$INSTALLER_DIR\nanitorAgent.msi`" ACCEPTEULA=yes SIGNUP_URL=$nanitorSignupURL /qn" -Wait -PassThru
switch ($varInstaller.ExitCode) {
    0 {
        write-host "- Installation succeeded."
    } 3010 {
        write-host "- Installation succeeded but a reboot is required."
    } default {
        write-host "! ERROR: Installation concluded with code $_."
        write-host "  Please check the event log to find out what the issue was."
        exit 1
    }
}

Nanitor CTEM Agent Monitor [WIN]

Similarly create another script and put:

  • Name: Nanitor CTEM Agent Monitor [WIN]
  • Description: Monitors the Nanitor CTEM Agent and syncs to global custom fields.
  • Categories: Maintenance
  • Architecture: All
  • RunAs: System
  • Script variables: None

Then copy paste the following code:

<#
Nanitor CTEM Agent Monitor :: Build 4, Feb 2025

Description:
This script retrieves the Nanitor CTEM agent status (health score, critical issues, device URL) and updates Ninja RMM Custom-Fields.

User Variables:
  - NANITOR_HEALTHSCORE_THRESHOLD:: (Used to overwrite default Health Score threshold)

Prerequisites:
  - Nanitor CTEM agent installed on the target device.
  - Ninja RMM agent installed on the target device.
  - PowerShell 2.0 or later.

Execution Context:
  - This script runs as NT AUTHORITY\SYSTEM (highly privileged user account).
  - **It must run silently and not prompt the user for interaction**.

Licensing and Usage:
  - This script may not be shared, sold, or distributed beyond the Ninja RMM product, whole or in part, even with modifications applied, for any reason. This includes on Reddit, on Discord, or as part of other RMM tools. PCSM is the one exception to this rule.
  - **The moment you edit this script it becomes your own risk and support will not provide assistance with it**.

Notes:
  - This script does not automatically reboot devices.
  - It logs detailed information to ${env:TEMP}\nanitor-ninja-monitor\install-ninja-monitor.log.
  - Ensure the Nanitor Agent is installed and functioning correctly on the target devices.
  - Populates Custom fields only, no alerts yet.
#>

$INSTALLER_DIR = "${env:TEMP}\nanitor-ninja-monitor"
$LogFile = "$INSTALLER_DIR\logfile.txt"

Write-Host "Nanitor CTEM Agent Monitor"
Write-Host "- InstallerDir: $INSTALLER_DIR"
Write-Host "====================================================="

# Remove the existing installer directory if it exists
if (Test-Path $INSTALLER_DIR) {
    Remove-Item -Recurse -Force $INSTALLER_DIR
}

# Create the installer directory
New-Item -ItemType Directory -Force -Path $INSTALLER_DIR

# Change the working directory to the installer directory
Set-Location $INSTALLER_DIR

Start-Transcript -Path "$INSTALLER_DIR\install-ninja-monitor.log"

$fieldDeviceURL = "nanitorDeviceUrl"
$fieldHealthScore = "nanitorHealthScore"
$fieldCriticalIssues = "nanitorCriticalIssues"
$fieldAgentVersion = "nanitorAgentVersion"
$fieldAgentUpgradeAvailable = "nanitorAgentUpgradeAvailable"

$HealthScoreThresholdDefault = 0.70

# Allow global og site level variable to overwrite the threshold, Alerts on the device
# if the health score on the device is under this limit.
$HealthScoreThreshold = [double]${env:nanitorHealthScoreThreshold}
if (-Not $HealthScoreThreshold) {
    $HealthScoreThreshold = $HealthScoreThresholdDefault
}

# Function to log messages with a timestamp
function Log-Message ($message, $level = "INFO") {
    $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    $logEntry = "$timestamp [$level] $message"
    Add-Content -Path $LogFile -Value $logEntry
}

function write-DRMMDiag ($messages) {
    Write-Host  '<-Start Diagnostic->'
    foreach ($Message in $Messages) { 
        Write-Host $Message
        Log-Message $Message "DIAG"
    }
    Write-Host '<-End Diagnostic->'
}

function write-DRRMAlert ($message) {
    Write-Host '<-Start Result->'
    Write-Host "Alert=$message"
    Write-Host '<-End Result->'
    Log-Message "Alert triggered: $message" "ALERT"
}

# This function is to make it easier to set Ninja Custom Fields.
function Set-NinjaProperty {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory = $True)]
        [String]$Name,
        [Parameter()]
        [String]$Type,
        [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
        $Value,
        [Parameter()]
        [String]$DocumentName
    )

    # If we're requested to set the field value for a Ninja document we'll specify it here.
    $DocumentationParams = @{}
    if ($DocumentName) { $DocumentationParams["DocumentName"] = $DocumentName }

    # This is a list of valid fields we can set. If no type is given we'll assume the input doesn't have to be changed in any way.
    $ValidFields = "Attachment", "Checkbox", "Date", "Date or Date Time", "Decimal", "Dropdown", "Email", "Integer", "IP Address", "MultiLine", "MultiSelect", "Phone", "Secure", "Text", "Time", "URL"
    if ($Type -and $ValidFields -notcontains $Type) { Write-Warning "$Type is an invalid type! Please check here for valid types. https://ninjarmm.zendesk.com/hc/en-us/articles/16973443979789-Command-Line-Interface-CLI-Supported-Fields-and-Functionality" }

    # The below field requires additional information in order to set
    $NeedsOptions = "Dropdown"
    if ($DocumentName) {
        if ($NeedsOptions -contains $Type) {
            # We'll redirect the error output to the success stream to make it easier to error out if nothing was found or something else went wrong.
            $NinjaPropertyOptions = Ninja-Property-Docs-Options -AttributeName $Name @DocumentationParams 2>&1
        }
    }
    else {
        if ($NeedsOptions -contains $Type) {
            $NinjaPropertyOptions = Ninja-Property-Options -Name $Name 2>&1
        }
    }

    # If we received some sort of error it should have an exception property and we'll exit the function with that error information.
    if ($NinjaPropertyOptions.Exception) { throw $NinjaPropertyOptions }

    # The below type's require values not typically given in order to be set. The below code will convert whatever we're given into a format ninjarmm-cli supports.
    switch ($Type) {
        "Checkbox" {
            # While it's highly likely we were given a value like "True" or a boolean datatype it's better to be safe than sorry.
            $NinjaValue = [System.Convert]::ToBoolean($Value)
        }
        "Date or Date Time" {
            # Ninjarmm-cli is expecting the time to be representing as a Unix Epoch string. So we'll convert what we were given into that format.
            $Date = (Get-Date $Value).ToUniversalTime()
            $TimeSpan = New-TimeSpan (Get-Date "1970-01-01 00:00:00") $Date
            $NinjaValue = $TimeSpan.TotalSeconds
        }
        "Dropdown" {
            # Ninjarmm-cli is expecting the guid of the option we're trying to select. So we'll match up the value we were given with a guid.
            $Options = $NinjaPropertyOptions -replace '=', ',' | ConvertFrom-Csv -Header "GUID", "Name"
            $Selection = $Options | Where-Object { $_.Name -eq $Value } | Select-Object -ExpandProperty GUID

            if (-not $Selection) {
                throw "Value is not present in dropdown"
            }

            $NinjaValue = $Selection
        }
        default {
            # All the other types shouldn't require additional work on the input.
            $NinjaValue = $Value
        }
    }

    # We'll need to set the field differently depending on if its a field in a Ninja Document or not.
    if ($DocumentName) {
        $CustomField = Ninja-Property-Docs-Set -AttributeName $Name -AttributeValue $NinjaValue @DocumentationParams 2>&1
    }
    else {
        $CustomField = Ninja-Property-Set -Name $Name -Value $NinjaValue 2>&1
    }

    if ($CustomField.Exception) {
        throw $CustomField
    }
}

# Returns device labels in a string format, less than 255 characters as that is the UDF limit.
function Get-DeviceLabels {
    param (
        [string[]]$items
    )

    $ret = ""
    $maxLength = 255

    for ($i = 0; $i -lt $items.Count; $i++) {
        $newItem = $items[$i]

        # Check if adding the new item exceeds the maximum length
        if (($ret.Length + $newItem.Length + 1) -gt $maxLength) {
            break
        }

        # If not the first item, add a space before the next one
        if ($ret -ne "") {
            $ret += " "
        }

        $ret += $newItem
    }

    return $ret
}

# Returns critical issues in a string format, less than 255 characters as that is the UDF limit.
function Get-CriticalIssues {
    param (
        [object[]]$items
    )

    $ret = ""
    $maxLength = 255
    $maxItems = 5

    for ($i = 0; $i -lt $maxItems -and $i -lt $items.Count; $i++) {
        $newItem = $items[$i]

        if ($newItem.risc_score -lt 90) {
            continue
        }

        $title = $newItem.title

        # Check if adding the new label exceeds the maximum length
        if (($ret.Length + $title.Length + 1) -gt $maxLength) {
            break
        }

        # If not the first item, add a space before the next one
        if ($ret -ne "") {
            $ret += " "
        }

        $ret += $title
    }

    return $ret
}


# Start of the script
Log-Message "Starting Nanitor CTEM Agent Monitor"

# Use quotes to handle the space in 'Program Files'
$NanitorCommand = "${env:ProgramFiles}\Nanitor\Nanitor Agent\nanitor-agent.exe"

$NanitorInfo = Try {
    Log-Message "Running Nanitor agent command: $NanitorCommand"

    # Enclose the path in double quotes and use the call operator (&)
    & $NanitorCommand agent_server_info | Out-String
}
catch {
    $errorMessage = "Nanitor Agent Status Fetch Failed: $($_.Exception.Message)"
    Log-Message $errorMessage "ERROR"
    write-DRRMAlert $errorMessage
    exit 1
}

# Logging the raw output for debugging
Log-Message "Nanitor Agent raw output: $NanitorInfo" "DEBUG"

# Parse the JSON into a PowerShell object
$parsedJson = $NanitorInfo | ConvertFrom-Json

if (-Not $parsedJson.PSObject.Properties.Match('health_score')) {
    write-DRRMAlert "Health Score not found in the JSON output."
    write-DRMMDiag $NanitorInfo
    Log-Message "Health Score not found in the JSON output." "ERROR"
    exit 1
}

if (-Not $parsedJson.PSObject.Properties.Match('decommissioned')) {
    write-DRRMAlert "decommissioned not found in the JSON output."
    write-DRMMDiag $NanitorInfo
    Log-Message "Decommissioned not found in the JSON output." "ERROR"
    exit 1
}

if (-Not $parsedJson.PSObject.Properties.Match('archived')) {
    write-DRRMAlert "archived not found in the JSON output."
    write-DRMMDiag $NanitorInfo
    Log-Message "Archived not found in the JSON output." "ERROR"
    exit 1
}

if (-Not $parsedJson.PSObject.Properties.Match('nanitor_link')) {
    write-DRRMAlert "nanitor_link not found in the JSON output."
    write-DRMMDiag $NanitorInfo
    Log-Message "nanitor_link not found in the JSON output." "ERROR"
    exit 1
}

$deviceLabels = ""
if ($parsedJson.PSObject.Properties.Match('device_labels')) {
    $dl = $parsedJson.device_labels
    $deviceLabels = Get-DeviceLabels items $dl
}

$criticalIssues = ""
if ($parsedJson.PSObject.Properties.Match('critical_issues')) {
    $cl = $parsedJson.critical_issues
    $criticalIssues = Get-CriticalIssues -items $cl
}

$healthScore = $parsedJson.health_score

# Convert health_score to percentage (no decimals)
$healthScoreThresholdPercentage = [math]::Round($HealthScoreThreshold * 100)
$healthScorePercentage = [math]::Round($healthScore * 100)

# Populating the custom field for the Nanitor agent version.
# and whether the agent has an upgrade available.
$agentVersion = ""
if ($parsedJson.PSObject.Properties.Match('agent_version')) {
    $agentVersion = $parsedJson.agent_version
}

$agentUpgradeAvailable = "No"
if ($parsedJson.PSObject.Properties.Match('agent_upgrade_available')) {
    if ($parsedJson.agent_upgrade_available) {
        $agentUpgradeAvailable = "Yes"
    }
}

$NinjaPropertyParams = @{
    Name        = $fieldAgentVersion
    Value       = $agentVersion
}

try {
    Set-NinjaProperty @NinjaPropertyParams
}
catch {
    # If we ran into some sort of error we'll output it here.
    Write-Error -Message $_.ToString() -Category InvalidOperation -Exception (New-Object System.Exception)
    Exit 1
}

$NinjaPropertyParams = @{
    Name        = $fieldAgentUpgradeAvailable
    Value       = $agentUpgradeAvailable
}

try {
    Set-NinjaProperty @NinjaPropertyParams
}
catch {
    # If we ran into some sort of error we'll output it here.
    Write-Error -Message $_.ToString() -Category InvalidOperation -Exception (New-Object System.Exception)
    Exit 1
}

# Populating the custom field for the Nanitor health score.
Write-Host "Sending $healthScorePercentage"
$NinjaPropertyParams = @{
    Name        = $fieldHealthScore
    Value       = $healthScorePercentage
}

try {
    Set-NinjaProperty @NinjaPropertyParams
}
catch {
    # If we ran into some sort of error we'll output it here.
    Write-Error -Message $_.ToString() -Category InvalidOperation -Exception (New-Object System.Exception)
    Exit 1
}

# Populating the custom field for the Nanitor URL.
$nanitorLink = $parsedJson.nanitor_link
$NinjaPropertyParams = @{
    Name        = $fieldDeviceURL
    Value       = $nanitorLink
}

try {
    Set-NinjaProperty @NinjaPropertyParams
}
catch {
    # If we ran into some sort of error we'll output it here.
    Write-Error -Message $_.ToString() -Category InvalidOperation -Exception (New-Object System.Exception)
    Exit 1
}

# Populating the custom field for the Nanitor critical issues.
$NinjaPropertyParams = @{
    Name        = $fieldCriticalIssues
    Value       = $criticalIssues
}

try {
    Set-NinjaProperty @NinjaPropertyParams
}
catch {
    # If we ran into some sort of error we'll output it here.
    Write-Error -Message $_.ToString() -Category InvalidOperation -Exception (New-Object System.Exception)
    Exit 1
}

Log-Message "Parsed Device Health Score: $healthScorePercentage%" "DEBUG"

$statusMessage = "Nanitor Agent health_score is healthy: $healthScorePercentage% - threshold is: $healthScoreThresholdPercentage%"

if ($healthScore -lt $HealthScoreThreshold) {
    $statusMessage = "Nanitor Agent health_score: $healthScorePercentage% is below threshold: $healthScoreThresholdPercentage%"
    write-DRRMAlert $statusMessage
    write-DRMMDiag $NanitorInfo
    Log-Message $statusMessage "INFO"
}

Log-Message $statusMessage "INFO"
Log-Message "Nanitor CTEM Agent Monitor completed."

Creating automations

We'll now create automations in Ninja RMM to execute both scripts on a daily schedule.

Nanitor CTEM Agent Installer [WIN]

This script only needs to run once per day. It will safely exit on devices where the Nanitor agent is already installed, making it harmless to re-run.

  1. Go to AdministrationTasks, then click New Task.
  2. Configure the task:
    • Enabled: Yes
    • Name: Company A – Install Nanitor CTEM Agent
    • Allow Groups: Yes
    • Schedule: Repeats daily (choose a time that works for your setup - note that Ninja RMM uses the PDT timezone for scheduling).
  3. Under Automations, click Add, filter by Type: Scripts, and select the Nanitor CTEM Agent Installer [WIN] script.
  4. Set the NANITOR_SIGNUP_URL parameter using the Signup URL you copied earlier for CompanyA, then click Apply.
  5. Open the Targets tab, click Add, and select the CompanyA organization. Click Apply.

After saving the task and waiting a few minutes, the device should appear in Nanitor:

Nanitor CTEM Agent Monitor [WIN]

Next, we'll create a task to run the Nanitor CTEM Agent Monitor [WIN] script once per day. This task keeps Ninja RMM in sync with the latest data from Nanitor CTEM by updating global custom fields.

You can choose to run it more frequently if you want near real-time updates.

  1. Go to AdministrationTasks, then click New Task.
  2. Configure the task:
    • Name: Nanitor CTEM Agent Monitor
    • Description: Monitor the Nanitor CTEM Agent for all devices.
    • Allow Groups: Yes
    • Schedule: Repeats daily (choose a time that works for your setup - note that Ninja RMM uses the PDT timezone for scheduling).
  3. Under Automations, click Add, filter by Type: Scripts, and select the Nanitor CTEM Agent Monitor [WIN] script. Click Apply.
  4. Switch to the Targets tab, click Add, and select the CompanyA organization. Click Apply.

💡 Tip: Since this script doesn't rely on any per-organization parameters, you can safely apply it to all organizations. However, Ninja RMM doesn't support dynamic targeting, so you’ll need to manually update the task to include any newly onboarded customers.

Once the configuration is complete, click Save.

After a few minutes, the script should populate the global custom fields for the devices:

Conclusion

With this setup, your integration between Nanitor CTEM and Ninja RMM is fully operational. Devices are automatically onboarded into the correct Nanitor organization, and their status is continuously synchronized using global custom fields in Ninja. While Ninja RMM currently requires some manual steps — such as assigning targets per organization — the result is a powerful and automated workflow for monitoring and managing security posture across all your clients.

This approach gives MSPs better visibility, reduces manual overhead, and ensures that Nanitor data is actionable within your existing RMM environment.

It also lays the foundation for integrating Nanitor CTEM checks into Ninja policies. For example, you could create alerts if a device's health score drops below a defined threshold or if the Nanitor agent is not up to date. In the latter case, since the agent updates itself automatically, the alert would typically resolve on its own — making it an elegant and low-maintenance monitoring solution.