Node keys enforce which nodes can join a domain. When a new device tries to join the Tailscale network, we automatically generate a "node key" and register it with the Tailscale Coordination Server. If a node is removed using the admin panel, its key is revoked. Authorization and de-authorization take effect instantly (in less than one second) once a decision is made.

To keep Tailscale easy for new users, manual approval/rejection of devices is disabled by default on new domains. If you would like to manually approve new devices before they can join your network, enable device approval in the admin console.
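One way to monitor the join, removal and approval states described above is to compare two snapshots of the device inventory by node key. This is an added example, not Tailscale's own code: the snapshots are constructed, and the field names (`nodeKey`, `authorized`, `hostname`) are assumed to match an exported device listing.

```python
import json

# Constructed sample snapshots shaped like a device listing; the field
# names (nodeKey, authorized, hostname) are assumptions for this example.
BEFORE = json.loads("""{"devices": [
  {"hostname": "build-01", "nodeKey": "nodekey:aaaa-constructed", "authorized": true},
  {"hostname": "laptop-7", "nodeKey": "nodekey:bbbb-constructed", "authorized": true}
]}""")
AFTER = json.loads("""{"devices": [
  {"hostname": "build-01", "nodeKey": "nodekey:aaaa-constructed", "authorized": true},
  {"hostname": "kiosk-3", "nodeKey": "nodekey:cccc-constructed", "authorized": false}
]}""")


def index_by_key(snapshot):
    """Map node key -> device record; the node key is what gets registered or revoked."""
    return {d["nodeKey"]: d for d in snapshot.get("devices", [])}


def audit(before, after):
    """Compare two inventory snapshots and classify node-key changes."""
    old, new = index_by_key(before), index_by_key(after)
    return {
        # Keys registered since the last snapshot: a device joined.
        "joined": sorted(new[k]["hostname"] for k in new.keys() - old.keys()),
        # Keys no longer registered: the node was removed or re-keyed.
        "removed": sorted(old[k]["hostname"] for k in old.keys() - new.keys()),
        # Registered but not yet approved; a missing flag is treated as unapproved.
        "pending": sorted(d["hostname"] for d in new.values()
                          if not d.get("authorized", False)),
    }


if __name__ == "__main__":
    for kind, hosts in audit(BEFORE, AFTER).items():
        print(f"{kind}: {', '.join(hosts) or '-'}")
```

A device that re-registers with a new node key shows up under both `joined` and `removed`, which is worth reviewing in its own right.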

Further endpoint security features are available with node keys for enterprise customers, including custom development and integrations with other systems. Contact us with your specific needs.