The device-mode is a feature in ROS that sets specific limitations to a device for accessing specific configurations. By default, all devices have a mode: enterprise

[admin@MikroTik] > system/device-mode/print 
  mode: enterprise

enterprise is a mode that allows all functions on the device. Currently, the only additional mode is home, which means limited functionality. The device mode can be changed by the user, but remote access to the device is not enough to change it. After changing the device-mode, using the update command, you need to confirm it by pressing a button or perform a "cold reboot" - that is, unplug the power:

[admin@MikroTik] > system/device-mode/update mode=home 
  update: please activate by turning power off or pressing reset or mode button 
          in 5m00s
-- [Q quit|D dump|C-z pause]

If no power off or button press is performed within the specified time, the update is canceled. If another update is run in parallel, both will be canceled.

It is possible that in the future there will be a number of devices that will be set to mode = home at the factory, which means that they will reach users with limited functionality, and then if you want advanced features, you will have to change it yourself.

Properties

Following properties are available in the system/device-mode/ console path.

PropertyDescription

get

Returns value that you can assign to variable or print on the screen.

printShows the active mode and its properties.
updateUpdates selected properties.


Sub-menu: /device-mode/update

Properties

Property

Description

container, fetch, scheduler, traffic-gen,   
ipsec, pptp, smb, l2tp, proxy, sniffer, zerotier, bandwidth-test, email, hotspot, romon, socks.
(yes | no; Default: yes, for enterprise mode)
The list of available features can be disabled with the device-mode option.
activation-timeout (default: 5m);The reset button or power off activation timer can be set in range (00:00:10 .. 1d00:00:00).
flagging-enabled (yes | no; Default: yes)Enable or disable the flagging feature. See Flagged notice for a detailed description.
flagged (yes | no; Default: no)If the system has detected unauthorized access, the status "flagged" is set to yes. 
mode: (home, enterprise; default: enterprise);Allows choosing from available modes that will limit device functionality. In the future, various modes can be added. 

By default, enterprise mode allows all options except container. So to use the container feature, you will need to turn it on by performing a device-mode update.

By default, home mode disables the following features: scheduler, socks, fetch, bandwidth-test, traffic-gen, sniffer, romon, proxy, hotspot, email, zerotier, container.

Configuration

More specific control over the available features is possible. Each of the features controlled by device-mode can be specifically turned on or off, for example:

[admin@MikroTik] > system/device-mode/update mode=home email=yes
[admin@MikroTik] > system/device-mode/update mode=enterprise zerotier=no

If the update command specifies any of the mode parameters, this update replaces the entire device-mode configuration. In this case, all "per-feature" settings will be lost, except those specified with this command. For instance:

[admin@MikroTik] > system/device-mode/update mode=home email=yes fetch=yes
[admin@MikroTik] > system/device-mode/print 
   mode: home
  fetch: yes
  email: yes
[admin@MikroTik] > system/device-mode/update mode=enterprise sniffer=no
-- reboot --
[admin@MikroTik] > system/device-mode/print 
     mode: enterprise
  sniffer: no

We see that fetch = yes and email = yes is missing. However, specifying only "per-feature" settings will change only those:

[admin@MikroTik] > system/device-mode/update hotspot=no
-- reboot --
[admin@MikroTik] > system/device-mode/print 
     mode: enterprise
  sniffer: no
  hotspot: no

If the feature is disabled, an error message is displayed for interactive commands:

[admin@MikroTik] > system/device-mode/print 
     mode: enterprise
  sniffer: no
  hotspot: no
[admin@MikroTik] > tool/sniffer/quick 
failure: not allowed by device-mode

However, it is possible to add the configuration to a disabled feature, but there will be a comment showing about the disabled feature in the device-mode:

[admin@MikroTik] > ip hotspot/add interface=ether1 
[admin@MikroTik] > ip hotspot/print 
Flags: X, S - HTTPS
Columns: NAME, INTERFACE, PROFILE, IDLE-TIMEOUT
#   NAME      INTERFACE  PROFILE  IDLE-TIMEOUT
;;; inactivated, not allowed by device-mode
0 X hotspot1  ether1     default  5m          

Flagged notice

The Flag is another important "option". Along with the device-mode feature, ROS has implemented code that analyzes the whole configuration at system startup to determine if there are any signs of unauthorized access. If suspicious configurations are detected, the flagged flag is set at device-mode (and the corresponding configuration is disabled):

[admin@MikroTik] > system/device-mode/print 
     mode: enterprise
  flagged: yes
  sniffer: no
  hotspot: no

If the system has this flagged notice, then the current configuration works, but it is not possible to perform a series of actions. If the action is restricted, you will receive an error message when doing so:

[admin@MikroTik] > /tool sniffer/quick 
failure: configuration flagged, check all router configuration for unauthorized changes and update device-mode
[admin@MikroTik] > /int l2tp-client/add connect-to=1.1.1.1 user=user
failure: configuration flagged, check all router configuration for unauthorized changes and update device-mode

To remove the flagged notice, you must perform system/device-mode/update flagged=no

The following interactive actions will not be possible on the flagged device: bandwidth-test, traffic-generator, sniffer, as well as configuration actions that enable or create new configuration entries (it will still be possible to disable or delete) for the following contacts: scheduler, socks, pptp, l2tp, ipsec, proxy, smb.