Device authorization is a feature that allows Tailscale network administrators to review and approve new devices before they can join the network. This can be used to ensure only trusted devices, such as workplace-managed laptops and phones, can access a network.
This feature can be enabled from the Tailscale admin console. Look for “Device Authorization” in the general settings.
Once this setting is enabled, new devices that access your network will see a notification that their device is “awaiting approval.” Devices awaiting approval cannot send or receive traffic on your Tailscale network until they are authorized.
To authorize devices, navigate to the machines page of the admin console. At the top of the list you should see the device with a “needs authorization” badge beneath it.
You can review details about the device and user before deciding whether to authorize it. When you’re ready to authorize the device, open the device’s menu and select “Authorize” to allow the device to connect to your network.
After authorization, the device will immediately be able to connect. No restarts or toggling needed.
When you generate a new auth key, you can specify that the key should automatically authorize devices for which the auth key is used.
To do this, you must:
- Generate an auth key which is pre-authorized.
- Then, specify that auth key when authenticating a device. The device is automatically authorized.
You can generate an auth key with an ACL tag both via the admin console and via the API.
In the admin console:
- Navigate to the auth keys settings in the admin console.
- Click “Generate auth key…”.
- Select “Pre-authorized”. This option is only available if device authorization is enabled for the tailnet.
- Click “Generate” to generate the auth key.
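The API route for the same steps, as an added example (not code from Tailscale's documentation): it builds the key-creation request for a pre-authorized key that is single-use and short-lived, since such a key bypasses the manual review described above. The `TS_API_TOKEN` variable name and the one-hour expiry ceiling are assumptions made for this example.

```python
import json
import os
import urllib.request

API_BASE = "https://api.tailscale.com/api/v2"
MAX_EXPIRY_SECONDS = 3600  # assumption: local policy, not a Tailscale limit


def key_request_body(expiry_seconds=600):
    """JSON body for a single-use, pre-authorized auth key."""
    if not 0 < expiry_seconds <= MAX_EXPIRY_SECONDS:
        raise ValueError("expiry outside the local policy window")
    return {
        "capabilities": {"devices": {"create": {
            "reusable": False,       # one device per key
            "ephemeral": False,
            "preauthorized": True,   # skips the manual approval step
        }}},
        "expirySeconds": expiry_seconds,
    }


def build_request(api_token, tailnet="-", expiry_seconds=600):
    """Build (but do not send) the POST that creates the key."""
    return urllib.request.Request(
        f"{API_BASE}/tailnet/{tailnet}/keys",
        data=json.dumps(key_request_body(expiry_seconds)).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {api_token}",
                 "Content-Type": "application/json"},
    )


def create_preauthorized_key(api_token, tailnet="-", expiry_seconds=600):
    """Send the request and return the new auth key secret."""
    req = build_request(api_token, tailnet, expiry_seconds)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["key"]


if __name__ == "__main__":
    token = os.environ.get("TS_API_TOKEN")  # hypothetical variable name
    if token:
        print(create_preauthorized_key(token))
    else:
        # No token set: show the request body without touching the network.
        print(json.dumps(key_request_body(), indent=2))
```

The returned key is then supplied when authenticating the device, for example with `tailscale up --authkey=<key>`, and the device joins already authorized.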