
Device approval

Device approval is a feature that allows Tailscale network administrators to review and approve new devices before they can join your Tailscale network (known as a tailnet). Use device approval to ensure only trusted devices, such as workplace-managed laptops and phones, can access a network.

Device approval is available for all plans.

Enable device approval for your network

You must be an Owner, Admin, or IT admin of a tailnet in order to enable device approval.

Enable device approval from the Device management page of the admin console.

Enable device approval in the admin console.

Approve devices from the admin console

You must be an Owner, Admin, or IT admin of a tailnet in order to approve devices.

Once this setting is enabled, a new device that accesses your network will see a notification that the device is awaiting approval. A device awaiting approval cannot send or receive traffic on your Tailscale network until it is approved.

A notification informs the user that their device is awaiting approval.

To approve devices, open the Machines page of the admin console. At the top of the list you should see the device with a Needs approval badge beneath it.

A device needing approval displays the Needs approval badge.

You can review details about the device and user before deciding whether to approve it. When you’re ready to approve the device, select the ellipsis icon menu and select Approve to allow the device to connect to your network.

Approve the device to connect to your network.

After approval, the device will immediately be able to connect. No restarts or toggling needed.

Pre-approve devices with an auth key

When you generate a new auth key, you can specify that the key should automatically approve devices for which the auth key is used.

To do this, you must:

  1. Generate an auth key which is pre-approved.
  2. Then, specify that auth key when authenticating a device. The device is automatically approved.

Generate an auth key which is pre-authorized

You must be an Owner, Admin, IT admin, or Network admin of a tailnet in order to generate an auth key.

You can generate an auth key with a tag both via the admin console and via the API.

In the admin console:

  1. Go to the Keys page in the admin console.
  2. In the Auth keys section, select Generate auth key.
  3. Select Pre-approved. This option is only available if device approval is enabled for the tailnet.
  4. Select Generate to generate the auth key.

Automate device approval

When using device approval, you can create a flow to automatically approve a device if it meets specific criteria, such as being on an internal device registry or passing a third-party posture check.

  1. Configure a webhook for nodeNeedsApproval.
  2. Upon receiving webhook messages, verify the node against the information that you need.
  3. Approve the device by sending a POST request to the device authorization API. For example:

     curl "https://api.tailscale.com/api/v2/device/11055/authorized" \
       -u "tskey-api-xxxxx:" \
       --data-binary '{"authorized": true}'

You can also revoke the authorization for a device by calling the same API with {"authorized": false} as the payload.
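
The three steps above as an added Python sketch (not Tailscale's own code): it authenticates the webhook delivery, checks each nodeNeedsApproval event against a device registry, and builds the approval POST from the curl example. Assumptions not stated on this page: the signature arrives as "t=<unix>,v1=<hex>" with HMAC-SHA256 over "<t>.<body>", events carry data.nodeID and data.deviceName, nodeID is accepted in the API path, and the registry is a set of device names.

```python
import base64, hashlib, hmac, json, time, urllib.parse, urllib.request

# Endpoint from the page's curl example.
API = "https://api.tailscale.com/api/v2/device/{}/authorized"

def verify_signature(secret, header, body, now=None, max_age=300):
    # Assumed scheme: header "t=<unix>,v1=<hex>", HMAC-SHA256 over b"<t>." + body.
    try:
        parts = dict(p.split("=", 1) for p in header.split(","))
        ts, sig = int(parts["t"]), parts["v1"]
    except (KeyError, ValueError):
        return False
    if abs((time.time() if now is None else now) - ts) > max_age:
        return False  # stale delivery, possibly a replay
    mac = hmac.new(secret.encode(), f"{ts}.".encode() + body, hashlib.sha256)
    return hmac.compare_digest(mac.hexdigest().encode(), sig.encode())

def nodes_to_approve(body, registry):
    # Assumed payload: JSON array of events with "type", "data.nodeID", "data.deviceName".
    out = []
    for ev in json.loads(body):
        data = ev.get("data") or {}
        if ev.get("type") == "nodeNeedsApproval" and data.get("deviceName") in registry:
            out.append(data["nodeID"])
    return out

def approval_request(node_id, api_key):
    # Same request as the curl example: basic auth, key as user, empty password.
    token = base64.b64encode(f"{api_key}:".encode()).decode()
    url = API.format(urllib.parse.quote(str(node_id), safe=""))
    return urllib.request.Request(url, data=b'{"authorized": true}', method="POST",
                                  headers={"Authorization": f"Basic {token}"})

def handle(secret, header, body, registry, api_key, now=None):
    # Reject unsigned or stale deliveries before parsing anything.
    if not verify_signature(secret, header, body, now):
        return []
    return [approval_request(n, api_key) for n in nodes_to_approve(body, registry)]

# Constructed sample delivery (not real tailnet data).
SAMPLE = json.dumps([
    {"type": "nodeNeedsApproval", "data": {"nodeID": "nEXAMPLE1", "deviceName": "laptop-01.example.ts.net"}},
    {"type": "nodeNeedsApproval", "data": {"nodeID": "nEXAMPLE2", "deviceName": "unknown.example.ts.net"}},
    {"type": "nodeCreated", "data": {"nodeID": "nEXAMPLE3", "deviceName": "laptop-01.example.ts.net"}},
]).encode()
```

Pass each returned request to urllib.request.urlopen to send it; handle() itself makes no network calls.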

Last updated Nov 18, 2024