Device approval

Device approval is a feature that allows Tailscale network administrators to review and approve new devices before they can join the network. This can be used to ensure only trusted devices, such as workplace-managed laptops and phones, can access a network.

Enable device approval for your network

This feature can be enabled from the Device management page of the admin console.

Approve devices from the admin console

Once this setting is enabled, new devices that access your network will see a notification that their device is awaiting approval. Devices awaiting approval cannot send or receive traffic on your Tailscale network until they are approved.

To approve devices, navigate to the Machines page of the admin console. At the top of the list you should see the device with a Needs Approval badge beneath it.

You can review details about the device and user before deciding whether to approve it. When you’re ready to approve the device, click on the ellipsis icon and select Approve to allow the device to connect to your network.

After approval, the device will immediately be able to connect. No restarts or toggling needed.

Pre-approve devices with an auth key

When you generate a new auth key, you can specify that the key should automatically approve devices for which the auth key is used.

To do this, you must:

  1. Generate an auth key which is pre-approved.
  2. Then, specify that auth key when authenticating a device. The device is automatically approved.

Generate an auth key which is pre-authorized

You can generate an auth key with an ACL tag both via the admin console and via API.

In the admin console:

  1. Go to the Keys page in the admin console.
  2. In the Auth keys section, click Generate auth key.
  3. Select Pre-approved. This option is only available if device approval is enabled for the tailnet.
  4. Click Generate to generate the auth key.

Last updated

WireGuard is a registered
trademark of Jason A. Donenfeld.

© 2023 Tailscale Inc.

Privacy & Terms