Machine certificates and device management
Machine certificates enforce which nodes can join a domain. When a new device tries to join the Tailscale network, we automatically generate a “machine cert” and register it with the Tailscale Coordination Server. If a device is removed using the admin panel, its certificate is revoked. Authorization and de-authorization take effect instantly (in less than one second) once a decision is made.
To keep Tailscale easy for new users, manual approval/rejection of machine certificates is disabled by default on new domains. Contact us to discuss enabling this option.
Further endpoint security features are available with machine keys for enterprise customers, including custom development and integrations with other systems. Contact us with your specific needs.