Machine certificates and device management
Note: manual and rule-based approval/rejection of machine certificates is a feature that is currently disabled by default for new users in order to simplify the onboarding experience. Please contact firstname.lastname@example.org to discuss having it enabled on your domain.
Every IT security professional's nightmare is the user who gets a secure multi-factor authentication (MFA or 2FA) token from work, then brings it home and uses it to log into their sensitive servers from a malware-infested out-of-date Windows XP computer.
To reduce the risk of malware attacks, you can configure your Tailscale domain to only allow access for authorized machine types. You can also configure your policy so that some services (such as a Microsoft Exchange server) will permit connections from less secure machines, like a user's home PC, while other services (such as a highly sensitive file server or database) have tighter restrictions.
You can even configure your security policy so that a corporate-controlled machine is allowed to access certain services (such as an internal identity/SSO provider) when no user has yet logged in.
How does it work?
The mechanism by which policy is enforced is called machine certificates. When a new device tries to join the Tailscale network, we automatically generate a "machine cert" and register it with the Tailscale Coordination Server. Then, a security policy determines whether to trust that cert.
Here are a few different types of machine policy you can configure:
New machines can show up in a dashboard visible to the IT department, who can accept or reject each one.
A user could approve a new machine for their account by authorizing it using one of their existing machines.
You can restrict machine authorization based on operating system and version, patch levels, group policies, and which software is installed.
You can automatically de-authorize machines when they come out of compliance (for example, if a virus scanner is uninstalled or their operating system is too old).
Authorization and de-authorization take effect instantly (within less than one second) once a decision is made.
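The rule-based policy types listed above, worked through as an added example: a machine-level check on OS version, patch level and installed software, re-run whenever the device's reported posture changes so that drift de-authorizes it, plus per-service tiers so that a less secure machine can still reach some services. The posture fields, rule schema, service names and tier labels are constructed for this illustration and are not Tailscale's own policy format.

```python
"""Rule-based machine authorization modelled on the policy types listed above.
The posture fields and rule schema are constructed for this example; they are
not Tailscale's policy format."""
from dataclasses import dataclass, field

@dataclass
class Posture:
    """What a device reports when its machine cert is registered (constructed)."""
    os: str
    os_version: tuple           # e.g. (10, 0, 19045), compared lexicographically
    patch_level: int            # constructed: monotonically increasing patch number
    installed: set = field(default_factory=set)
    corporate_managed: bool = False

# Constructed policy: minimum OS version per platform, minimum patch level,
# and software that must be present (e.g. the endpoint virus scanner).
POLICY = {
    "min_os_version": {"windows": (10, 0, 0), "macos": (13, 0, 0), "linux": (5, 10, 0)},
    "min_patch_level": 2000,
    "required_software": {"endpoint-av"},
}

# Constructed tiers: which services tolerate a machine that failed compliance.
SERVICE_TIERS = {
    "exchange": "any",            # reachable from less secure machines (home PC)
    "file-server": "compliant",   # tighter restrictions
    "sso": "corporate",           # corporate-managed machines, user login not required
}

def evaluate(posture: Posture, policy=POLICY) -> tuple:
    """Return (authorized, reason). Re-run on every posture update so a machine that
    drops out of compliance is de-authorized rather than grandfathered in."""
    min_ver = policy["min_os_version"].get(posture.os)
    if min_ver is None:
        return False, f"operating system {posture.os!r} not permitted"
    if posture.os_version < min_ver:
        return False, f"{posture.os} {posture.os_version} older than minimum {min_ver}"
    if posture.patch_level < policy["min_patch_level"]:
        return False, f"patch level {posture.patch_level} below {policy['min_patch_level']}"
    missing = policy["required_software"] - posture.installed
    if missing:
        return False, f"required software missing: {sorted(missing)}"
    return True, "compliant"

def may_access(service: str, posture: Posture) -> bool:
    """Layer the per-service tier on top of the machine-level decision."""
    tier = SERVICE_TIERS[service]
    compliant, _ = evaluate(posture)
    if tier == "any":
        return True
    if tier == "compliant":
        return compliant
    return compliant and posture.corporate_managed   # "corporate" tier
```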