Use Device Identity Collection

Device identity collection is currently in beta. To try it, follow the steps below to enable it for your network using Tailscale 1.52 or later.
Device Identity Collection is available for the Personal and Enterprise plans.

Device Identity Collection collects identifiers (currently serial numbers) from devices in your Tailscale network (known as a tailnet). It is required for device posture integrations such as CrowdStrike Falcon, and can be useful for correlating your devices between Tailscale and other systems.

This document provides instructions on:

  • How to enable Device Identity Collection for your tailnet.
  • How to enable Device Identity Collection on machines in your tailnet.

Prerequisites

To configure the machines on your tailnet, you will need either:

  • access to the machine to run the tailscale CLI; or
  • a Mobile Device Management (MDM) system.

Enabling Device Identity Collection for your tailnet

  1. Open the Device management page of the Tailscale admin console.
  2. Under the Device Posture Integrations section, click the toggle under Device Identity Collection.
Screenshot: Device Identity Collection toggle shown as 'disabled'.

Enabling Device Identity Collection for devices on your tailnet

Devices on your tailnet need to be individually opted in to reporting their identity.

Device identity collection was added in Tailscale 1.52.

There are two ways to opt in a device to reporting its identity: by setting a system policy (for example, via an MDM), or via the CLI.

Enabling Device Identity Collection via system policies

You can opt a device in to identity reporting by setting the policy key PostureChecking to always. This allows you to opt in devices using an MDM or configuration management system. Note that the Tailscale client needs to be restarted for this change to take effect. For more information on setting system policies, refer to Customize Tailscale using system policies.

Using system policies is the recommended way to enable device identity collection on macOS and Windows. It takes priority over configuration set via CLI.

Enabling Device Identity Collection via the CLI

You can also opt in a device by running the tailscale set CLI command on it and then reconnecting the client:

Linux
sudo tailscale set --posture-checking=true
sudo tailscale down
sudo tailscale up

macOS
tailscale set --posture-checking=true
tailscale down
tailscale up

or

/Applications/Tailscale.app/Contents/MacOS/Tailscale set --posture-checking=true
/Applications/Tailscale.app/Contents/MacOS/Tailscale down
/Applications/Tailscale.app/Contents/MacOS/Tailscale up

(To learn how to access the tailscale CLI on macOS, see the CLI guide.)

Windows
tailscale set --posture-checking=true
tailscale down
tailscale up

Using the CLI command is the only way to opt in a Linux device to identity collection.

View collection progress

In the Device Posture section of the Device management page, you will see a summary of serial number collection.

You can click Inspect to view which machines have a particular status, for example, to see machines that have not been opted in yet.

Screenshot: Device Identity Collection toggle shown as 'enabled'. 22 of 582 devices opted in. 21 returned serial numbers (inspect link). 1 returned only invalid serial numbers (inspect link). 196 did not have posture collection enabled (inspect link). 364 are yet to be checked (inspect link). Monitor changes to device identities in the audit logs.

Check serial numbers

Viewing device serial numbers is available for the Enterprise plan.

You can view serial numbers and identity collection status for your devices on the Machines page of the admin console.

  1. Open the Machines page of the admin console.
  2. Select a machine you want to inspect.
  3. View the serial number and collection status in the Machine Details section.
Screenshot: Machine details showing Serial number: IB2HQE3XWO.

Serial numbers are also available via the device API.
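As an added example (not Tailscale's own code or documentation), the script below pulls the device list from the device API and buckets devices by collection status, mirroring the summary shown on the Device management page (serial numbers returned, opted in but nothing returned, not opted in). It assumes the endpoint GET /api/v2/tailnet/{tailnet}/devices?fields=all with a Bearer API key, and that each device carries a postureIdentity object with serialNumbers (list) and disabled (bool); check those names against the current API reference before relying on them. The sample response is constructed so the script runs offline.

```python
"""Bucket tailnet devices by identity-collection status (added example).

Assumed (not from the page): device API endpoint with fields=all, and a
'postureIdentity' object per device holding 'serialNumbers' and 'disabled'.
"""
import json
import os
import urllib.request

# Constructed sample in the assumed shape of the device API response.
SAMPLE_RESPONSE = json.dumps({"devices": [
    {"name": "laptop-a", "os": "macOS", "clientVersion": "1.52.0",
     "postureIdentity": {"serialNumbers": ["CONSTRUCTED001"], "disabled": False}},
    {"name": "server-b", "os": "linux", "clientVersion": "1.52.1",
     "postureIdentity": {"serialNumbers": [], "disabled": False}},
    {"name": "old-c", "os": "windows", "clientVersion": "1.48.0"},
    {"name": "optout-d", "os": "linux", "clientVersion": "1.54.0",
     "postureIdentity": {"disabled": True}},
]})


def fetch_devices(tailnet: str, api_key: str) -> list:
    """Network call to the (assumed) device API; not used by the offline demo."""
    req = urllib.request.Request(
        f"https://api.tailscale.com/api/v2/tailnet/{tailnet}/devices?fields=all",
        headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["devices"]


def classify(devices: list) -> dict:
    """Bucket devices the way the admin console summary does:
    collected     - opted in and at least one serial number returned
    no_serial     - opted in but no serial number reported (yet)
    not_opted_in  - posture identity absent or disabled on the device
    """
    buckets = {"collected": [], "no_serial": [], "not_opted_in": []}
    for dev in devices:
        ident = dev.get("postureIdentity") or {}
        if not ident or ident.get("disabled"):
            buckets["not_opted_in"].append(dev["name"])
        elif ident.get("serialNumbers"):
            buckets["collected"].append(dev["name"])
        else:
            buckets["no_serial"].append(dev["name"])
    return buckets


if __name__ == "__main__":
    key = os.environ.get("TAILSCALE_API_KEY")  # set to query a real tailnet
    devs = (fetch_devices(os.environ.get("TAILNET", "-"), key) if key
            else json.loads(SAMPLE_RESPONSE)["devices"])
    for bucket, names in classify(devs).items():
        print(f"{bucket}: {len(names)} {names}")
```

Devices in the no_serial bucket are the ones to follow up on, since a client that is opted in but returns nothing may be running a version older than 1.52 or may not have been restarted after the policy change.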