v26.07
Knocknoc 26.07.1 is one of our biggest releases to date. It reworks how you see and manage the people, devices and sessions accessing your network, improves multi-server high availability enablement that you can configure from the admin portal, ships two new important integrations (F5 BIG-IP and Proxmox VE) plus a fully supported OpenBSD agent, and includes a large number of stability, performance and polish fixes throughout.
We've also added a new agenticAgentic access control method, allowing (authorized) users to grant tightly-scoped access to particular Knoc's or access paths. It requires their human approval, offers visibility and instant access termination, but enables control of inbound agentic access to avoid users handing credentials to agents. Think of it as short-term delegated network visibility, exposure and access control, enabled by Administrators while offering new levels of visibility.
🚀 Highlights
- One place for every identity. Users, Groups, Admins, Agentic and non-interactive access now live in a single Identities area, with observability, full session history and the ability to terminate sessions. You can answer "who reached what, from where, and when" at a glance.
- New places to enforce access, F5 BIG-IP and Proxmox VE integrations, plus a fully supported OpenBSD agent.
- Network access without a live login. Register trusted, always-on Companion devices, or hand time-limited Agentic access through a secure link. No standing access, no shared credentials, terminate immediately or on demand.
- User experience redirection uplift. Per-knoc "always redirect" option skips the login screen entirely based on the users destination, handing off to SSO, for a cleaner single-sign-on-first experience even for mixed-login deploys.
- High availability management in the portal. For those running multiple servers behind a load balancer, see the whole fleet and its leader, and drain a node for maintenance, all from Admin Settings.
🔁 Agentic & Companion access control
Need an Agent to access something for a controlled period of time, without handing it credentials? The new Agentic feature allows the sharing of direct network access in a controlled and approval-required way. Don't worry, it's opt-in and off-by-default, but helps you control Agentic use. Similarly the new Companions feature allows regular agents/or fixed IP sources to be enabled or paused, also scoped to specific Knoc access paths, for those pairing with agents on the regular.
- Agentic access. Share time-limited access through a secure link. It's opened from the device that needs access, after your approval (human in the loop) that device is granted network visibility for the window you set: no account shared, no login, and the link is single-use so it can't be quietly re-used by persistent agents.
- Companion devices. Register the trusted, always-on devices you work from (a home office, a jump box, a CI runner) as individually named devices, each holding access to its own set of knocs. Add, edit, delete, pause or resume any single device. Ideal for machines that need access but can't sit in front of a login screen, or they're untrusted to hold any standing credentials.
🧭 Identities, users & sessions
- Users and Groups are now one "Identities" area. Users, Groups, Admins and Agentic & Companion access share one home, with a new Overview showing recent activity across your organization (grants, admin logins and new accounts). No more hopping between pages to piece together what's going on. Prettier than the detailed audit logs.
- Full session history for every user and admin, not just currently-live sessions. See when each session started, how long it lasted, how it ended (logged out, expired, or ended by an admin), the authentication method used, and the IdP groups it carried. When you need to reconstruct exactly who had access and why, it's all there.
- Device footprint. Each session records every distinct IP address, browser and device it was seen from, with first-seen and last-seen times and a clear flag when something changes ("IP changed", "browser changed"). A session that suddenly roams to a new device or location stands out immediately.
- One-click session controls. Admins can invalidate all other admin sessions, or all user sessions, straight from the portal (with confirmation), and both actions land in the audit log. Handy the moment you suspect something is up.
- Better sorting, filtering and search across every Identities table, including a dedicated Sessions filter (active / inactive) separate from Capabilities (MFA / agentic / companion), a grant-status filter that now includes revoked grants, and a per-table search box at the top of each list.
- Built for large teams. The Users list is more granular, and group and admin views carry more context: membership source (SAML, dynamic rule, or manual), recent admin logins and logouts, an "Admins logged in (last 30 days)" chart, and the last SAML assertion time.
- Easier API-key setup. It was too hard, it's now friendlier.
🖥️ High availability & fleet management
- Influence high availability from the admin portal. For deployments running multiple servers, a new Servers / Fleet Topology page shows every node, its health, and which node is currently the leader, with load-balancer guidance.
- Drain a node for maintenance straight from the portal. Take a server out of rotation for upgrades or maintenance without disrupting the fleet, backed by a
/_statusreadiness endpoint your load balancer can health-check. - Safe rolling upgrades. Partially upgrading? This feature can remove older nodes from your load balancer during maintenance windows automatically, so users aren't affected.
🔌 New integrations & agent improvements
- F5 BIG-IP. Knocknoc can now enforce access on F5 BIG-IP. Grants and revocations apply with no policy rebuild, using a least-privilege service account, and the setup wizard validates connectivity before you commit.
- Proxmox VE. A native integration that manages firewall access at the cluster or per-VM level (Proxmox VE 7.0+). This is via the Proxmox API, making integration pointy-clicky, instead of the on-host Linux IPSet firewall.
- OpenBSD orchestration agent. A fully supported, OpenBSD agent package, covering local PF (we <3 PF) and external systems, joining our Linux, Windows and HP-UX/Solaris platforms.
- Cloudflare has been sped up, with smarter batching windows to handle APIs that zone out every once in a million.
- Redesigned Agents page. The flat list is replaced with a grouped, filterable view built to scale well past 500 agents. You can group by name, network, integration or version, filter from a summary bar by connectivity, platform and role, and see which integrations each agent actually has configured. Filtered views are shareable via the URL, and there are download links for agent packages. Finding one misbehaving agent in a large fleet is now a matter of seconds.
- Configurable Windows Firewall matching. Choose which inbound rules the Windows agent manages, by rule-name prefix and/or port, instead of a fixed set.
- Friendlier integration errors. Validation messages for MikroTik and pfSense are just better now.
🔑 Authentication, SAML & Branding
SAML redirections has been improved again with a per-knoc option, UX is important. Authentication within Settings for Admins has been simplified, I know we've said this before, and it's probably not the last time we'll say it - but it's just better now.
- Per-knoc "always redirect to SAML". Send visitors for a given knoc straight to your identity provider instead of showing the local-login screen first, for a cleaner single-sign-on experience.
- Session-takeover screen. After authenticating you can see existing sessions (logins, agents, magic links) and what each can reach, so you can disconnect one and carry on when you're out of sessions.
- Click-to-renew for expired access. A time-limited grant that runs out mid-session now shows a clear "Access expired, click to renew" card instead of a dead one.
- Clearer blocked-access messages. Distinct, friendly cards explain why access was refused (threat intelligence, source IP not permitted, expired, and so on) instead of a blank disabled card, so users can self-diagnose rather than raise a ticket.
- SAML group visibility on no-access. When a signed-in user matches no access paths, the portal shows the exact group names their identity provider sent, turning "why can't I get in?" from a guessing game into a two-minute fix.
- SAML certificate-expiry visibility. The portal now surfaces when an identity-provider or service-provider certificate is expiring or has expired, with a severity indicator. One less silent outage waiting to happen.
- Public URL setting. Set your deployment's public URL (a fresh install adopts the address the first admin logs in from), with a header warning if you reach the portal from a different URL, since a mismatch can cause SAML gripes.
- Smaller touches. New groups default to SAML, the knoc picker no longer shows duplicate entries, and you can upload a custom favicon for the user portal (the admin portal keeps the standard icon) because reasons.
🐛 Fixes & performance
- Faster admin audit-log pages that stay fast as history grows.
- More reliable access revocation on multi-server deployments deployed on pi's or micro instances.
- Fewer redundant network requests and smoother login and session handling, including the end of some redirect loops on session expiry, and access status that refreshes promptly right after login.
- Mobile fixes: dashboard animation freezing on Android, in-app company logos, and the agentic access panel on small screens.
- Numerous smaller UI polish and consistency improvements throughout the admin portal.
Release date: 14th July 2026
How do I upgrade?
This release is backwards compatible. Upgrade via your operating system's package manager as usual: follow this guide to upgrade.