Machine certificates enforce which nodes can join a domain. When a new device tries to join the Tailscale network, we automatically generate a “machine cert” and register it with the Tailscale Coordination Server. If a device is removed using the admin panel, its certificate is revoked. Authorization and de-authorization take effect instantly (in less than one second) once a decision is made.
To keep Tailscale easy for new users, manual approval/rejection of machine certificates is disabled by default on new domains. If you would like to manually approve machine certificates before a device can join your network, enable device authorization in the admin console.
Further endpoint security features are available with machine keys for enterprise customers, including custom development and integrations with other systems. Contact us with your specific needs.