I'm considering allowing end users to access their CPEs through the MikroTik Home app to configure their wifi and see connection stats, since it appeared to have its own permissions and limited access (and therefore an inability for them to break things)... However, in testing it seems that even though I've granted the users login group tikapp rights, the app logs in using winbox access. Therefore it seems I have to grant full winbox to users to use the MikroTik Home app, which seems to defeat the whole purpose of the tikapp permission in groups. What am I missing here?

testing this on 6.49.7...

Can anyone suggest a method to allow the android MikroTik Home app (and presumably there's an iOS equivalent?) to login without also granting full winbox access?
This /user group policy that I was expecting to work was this: but the logs show the account failed to login via winbox, and as indicated set policy=winbox allowed the user to login. However I do not want to grant full winbox access to the users.

disclaimer, only tried the MikroTik Home app once when it was very first launched, and it didn't recognize PPPoE client setups. haven't opened it again before testing today, so I don't have any real experience with using it.

-Edited to add policy detail

Will check if there isn't a bug somewhere, but ... even if it would work as advertised, note that TikApp has all the same functionality as winbox. There isn't a "Home specific" policy there, only tikapp. But we have TikApp "Pro" and Tikapp "Home". So it would not achieve anything to give tikapp rights. Users can just use TikApp "pro" and change any config anyway.

.

It is time for MikroTik to make a very trivial app where the customer changes the SSID and the password on his own,
so that he can see the number of devices connected to the wifi and how much traffic passes, without assulting anything else.
So the end users are interested only in this without any other frills.

This seems like a great opportunity to use the REST API for a custom client dashboard hosted by the ISP where those settings can be changed. No need to fiddle with teaching users to use an app, just have it at the same place as where they pay the bill.

.

It is time for MikroTik to make a very trivial app where the customer changes the SSID and the password on his own,
so that he can see the number of devices connected to the wifi and how much traffic passes, without assulting anything else.
So the end users are interested only in this without any other frills.

We have such app, it's called MikroTik Home. The problem is, that there is no policy that rectricts users to ONLY this app.

It is time for MikroTik to make a very trivial app where the customer changes the SSID and the password on his own,
so that he can see the number of devices connected to the wifi and how much traffic passes, without assulting anything else.
So the end users are interested only in this without any other frills.

We have such app, it's called MikroTik Home. The problem is, that there is no policy that rectricts users to ONLY this app.

Sounds like I don't even need to submit a feature request, you already know what needs to be done! The pro app signs in using winbox permissions, the home app signs in using tikapp permissions, and suddenly every is happy and everything works out.

As mentioned above, and alluded to in my original post, we would all benefit need a simple app for end users to control simple functions, that cannot access things like scripting or changing the update branch (ideally it would also honor disabled menus in the skins like winbox in v7), and since you already have an app for this, we just need it to be permissioned out so we can limit users to this app and not full system access through winbox and terminal.

We need the Mikrotik Home App for IOS... is there a release date or beta version to use?

The iOS app already hides the advanced configuration behind the gear, which seems like a reasonable approach. The issue is that changing the Wi-Fi password requires both "sensitive" and "write", in other words a full admin. That wouldn't change by just having two apps, or a "TikApp" role.

Rather than having TWO apps for iOS, the current app should just respect the "skin.json" file for the user. And perhaps control the "Home Screen" items, instead of the app's local configuration that does it today. Apple MDM also be fine to control this, but I don't see that happening anytime soon – they don't even use the keychain for the saved passwords.

We have such app, it's called MikroTik Home. The problem is, that there is no policy that rectricts users to ONLY this app.

Sounds like I don't even need to submit a feature request, you already know what needs to be done! The pro app signs in using winbox permissions, the home app signs in using tikapp permissions, and suddenly every is happy and everything works out.

As mentioned above, and alluded to in my original post, we would all benefit need a simple app for end users to control simple functions, that cannot access things like scripting or changing the update branch (ideally it would also honor disabled menus in the skins like winbox in v7), and since you already have an app for this, we just need it to be permissioned out so we can limit users to this app and not full system access through winbox and terminal.

Normis, any progress in making the Home App sign in using the tikapp Permission?

Also any progress on the mobile winbox app honoring the skins file like regular winbox does?