groundskeeper v0.55.0
Self-Hosted — Privacy-First — Windows Server 2022

The IT dashboard built for school networks.

Self-hosted. Privacy-first. Groundskeeper brings your entire school IT estate—26 connectors, local AI, instant alerts—into a single dashboard. Your data never leaves your network.

Groundskeeper v0.55.0

[INFO] Loading config.yaml...

[INFO] 26 connectors registered

[OK] Ollama reachable — llama3.1:8b

[OK] Scheduler started — all connectors active

[OK] Licence valid — Standard tier

[INFO] Dashboard at http://localhost:8000

[READY] Groundskeeper is watching

  • 26 Connectors
  • 7 AI Providers
  • 11 Dashboard Views
  • £0 Community Edition

Core Pillars

Everything a school IT team actually needs.

The Technical Feed

A chronological, deduplicated event stream across all your connectors. Criticals surface immediately with instant email or Teams alerts. OK events suppressed for 60 minutes so you see what matters, not what's chattering.

CRIT — Meraki MX: WAN failover detected
WARN — Veeam: backup job failed (Finance-DC)
OK — M365: all services healthy

The AI Copilot

Runs entirely on your server via Ollama. No data leaves your network. Hit “Why?” on any alert for a plain-English explanation. Morning summaries auto-generated every 5 minutes. Also works via Azure OpenAI, Anthropic Claude, Google Gemini, or OpenAI.

AI › The Veeam failure on Finance-DC is likely a VSS writer timeout. Check the Windows Event Log on that server for VSS errors around the job start time...

The SLT View

A read-only traffic-light dashboard for Senior Leadership Teams. No jargon, no noise—just red/amber/green for each service area. Instant load, no AI dependency. Safe to share with a headteacher.

Internet
Email (M365)
Backups
MIS (Bromcom)

Instant Alerts

Critical events trigger immediate email alerts with quiet hours support so you're not paged at 2am for a non-issue. Teams and Slack webhooks also supported for channel notifications.

MAT Hub

Multi-Academy Trust dashboard aggregates traffic-light status across all schools into a single trust-wide view. Each school keeps its own self-hosted instance—no central cloud dependency.

Cyber Essentials Dashboard

Maps all five Cyber Essentials technical controls to live data from your connectors. RAG status per control. Built-in evidence trail for CE assessments. No extra tooling required.

Connector Ecosystem

Plug in. Pull data. Stop tab-switching.

Read-only connectors that never modify your systems. GDPR-friendly—data stays on your network.

Cloud & SaaS

  • Cisco Meraki: Devices, MT sensors, multi-org
  • Action1 RMM: EU/US/AU regions, patch status
  • M365 Service Health: Service health via Graph API
  • M365 Licences: Seat consumption, overage alerts
  • Veeam Backup: Job status, failure alerts
  • MIS Status: Bromcom, Arbor status pages
  • School Services: 16 UK services incl. ParentPay, Wonde, RM Unify

Security

  • Domain Security: SPF, DMARC, DKIM, TLS, HTTPS, change detection
  • WatchGuard Firebox: Firewall health and status
  • WatchGuard Endpoint: Endpoint security status
  • SSL Cert Monitor: Expiry alerts, cert chain checks

Infrastructure & AD

  • Windows Server: CPU, memory, disk, services
  • Windows Clients: Endpoint health via GKAgent
  • Hyper-V: VM health and state monitoring
  • Active Directory: Health checks, lockout alerts
  • AD Account Health: Service account expiry, stale users
  • Windows Event Log: Critical event ingestion
  • DNS / DHCP: Scope utilisation, service health
  • Internet Health: Connectivity and latency checks
  • Endpoint Reports: Disk space and Win11 readiness
  • Devices Left On Overnight: Morning WMI scan, energy saving
  • Exam Marking Software: RM Assessor, Scoris, Surpass detection

Hardware

  • HP / Aruba Switches: SNMP polling, port status
  • UPS Monitoring: Battery and load via SNMP
  • Dell iDRAC: Server hardware health
  • Printers / MFDs: Toner, paper, error state via SNMP

GKAgent

Windows client visibility via GPO.

A lightweight PowerShell agent deployed to Windows client machines via Group Policy. Checks in every 5 minutes, reporting health data back to the Groundskeeper dashboard. No WinRM, no third-party agent framework—just a signed installer and a GPO.

  • Inno Setup installer — deploy via GPO startup script
  • NSSM-managed Windows service, survives reboots
  • Students cannot stop it (restricted service DACL)
  • BitLocker, Defender, local admins, update compliance

GPO Deployment

1. Copy GKAgentSetup.exe to SYSVOL share
2. Add GPO Computer Startup script
3. Deploy ServerIP.txt via GPO Preferences
Devices appear in dashboard within 5 minutes

Windows Installer

One installer. No Python required.

The Groundskeeper Windows installer bundles everything—Python runtime, all dependencies, NSSM service wrapper. Run the wizard, click Next three times, and your school estate is being monitored. Uninstall cleanly from Add/Remove Programs.

  • Next / Next / Install wizard
  • Registers as a Windows service automatically
  • Opens setup wizard on first run
  • Built via GitHub Actions on every release

Groundskeeper Setup

1. Welcome & licence agreement
2. Choose install location
3. Install & register Windows service
Setup wizard opens in browser

Project Roadmap

Where we are. Where we’re going.

Core Platform + 26 Connectors

Complete

FastAPI backend, APScheduler, SQLite, pluggable AI (Ollama, Azure, Anthropic, Gemini, OpenAI), full settings UI, first-run setup wizard, SLT traffic-light view, Windows service via NSSM. 26 connectors covering cloud services, infrastructure, security, hardware, AD hygiene, and school-specific monitoring.

GKAgent — Windows Client Agent

Complete

Lightweight PowerShell agent deployed via GPO. NSSM-managed service with Inno Setup installer. Reports BitLocker, Defender, firewall, local admins, Windows Update compliance, SMART disk health, BSOD events, battery health, and exam marking software detection.

Intelligence & Licensing

Complete

Immediate critical alerts with quiet hours. Teams/Slack webhooks. Cyber Essentials compliance dashboard. MAT hub-and-spoke view. Licence key system with four tiers (Ed25519 offline verification + Cloudflare call-home). Windows installer. GitHub Actions CI/CD for automated release builds.

Security Hardening Sprint (v0.55.0)

Complete

Independent security audit completed with all critical findings resolved. PowerShell injection eliminated codebase-wide via safe execution helper. GKAgent auto-update hardened with HTTPS enforcement, host pinning, SHA-256 verification, and Authenticode checking. Auth middleware first-run bypass removed.

Community Launch — Post-Summer

Next

Edugeek community launch. Autumn school budget cycle. Weekly email digest. Scheduled AI health reports.

Post-Launch — v1.x Connectors

Planned

Jamf School MDM, Entra Connect heartbeat, Smoothwall / Lightspeed filtering appliances, InVentry / Sign In App, PaperCut MF, Paxton door access, Synology / QNAP NAS, hardware warranty lookup.

Pricing

Free for single schools. Built for MATs.

Community Edition is free forever. Paid tiers unlock more connectors, priority support, and trust-wide features.

Community: £0, free forever
  • 5 connectors (your choice)
  • Local AI (Ollama)
  • CE dashboard
  • SLT view
  • Community support
Pro: £199/yr, per school
  • Unlimited connectors
  • Cloud AI providers
  • Weekly AI health report
  • Teams bot + API access
Trust: £499/yr, whole trust
  • Everything in Pro
  • MAT Hub dashboard
  • Unlimited schools
  • Dedicated support

Community

Help shape what we build next.

Sign in with your Microsoft account to suggest and upvote connectors and features. Your school’s priorities drive the roadmap.

Votes are authenticated via Microsoft account — one vote per person, no farming.

Your estate. Your network. Your data.

Groundskeeper runs on Windows Server 2022 with Python 3.12. Browse the source, read the docs, or download the latest release.