
Use Device Identity Collection

Device Identity Collection is available for the Personal, Personal Plus, and Enterprise plans.

Device Identity Collection collects identifiers such as serial numbers and MAC addresses from devices in your Tailscale network (known as a tailnet). It is required for device posture integrations like CrowdStrike Falcon, and can be useful for correlating your devices between Tailscale and other systems.

This document provides instructions on:

  • How to enable Device Identity Collection for your tailnet.
  • How to enable Device Identity Collection on machines in your tailnet.

Prerequisites

To configure the machines in your tailnet you will need either:

  • access to the machine to run the tailscale CLI; or
  • a Mobile Device Management (MDM) system.

Enabling Device Identity Collection for your tailnet

  1. Open the Device management page of the Tailscale admin console.
  2. Under the Device Posture Integrations section, select the toggle under Device Identity Collection.

[Screenshot: Device Identity Collection toggle, disabled.]

Enabling Device Identity Collection for devices in your tailnet

Devices in your tailnet need to be individually opted in to reporting their identity.

Device identity collection was added in Tailscale 1.52.

There are two ways to opt in a device to reporting its identity: by setting a system policy (for example, via an MDM), or via the CLI.

Enabling Device Identity Collection via system policies

You can opt a device in to identity reporting by setting the policy key PostureChecking to always. This lets you opt in devices using an MDM or configuration management system. Note that the Tailscale client needs to be restarted for this change to take effect. For more information on setting system policies, refer to Customize Tailscale using system policies.

Using system policies is the recommended way to enable device identity collection on macOS and Windows. It takes priority over configuration set via CLI.

Enabling Device Identity Collection via the CLI

You can also opt in a device by running the tailscale set CLI command on it and then reconnecting the client:

tailscale set --posture-checking=true
tailscale down
tailscale up

or, on macOS:

/Applications/Tailscale.app/Contents/MacOS/Tailscale set --posture-checking=true
/Applications/Tailscale.app/Contents/MacOS/Tailscale down
/Applications/Tailscale.app/Contents/MacOS/Tailscale up

(To learn how to access the tailscale CLI on macOS, see the CLI guide.)

Using the CLI command is the only way to opt in a Linux device to identity collection.
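
For rolling the CLI steps out to Linux hosts through configuration management, the script below wraps the three commands with a check that the client is at least 1.52. It is an added example, not Tailscale's own tooling; TAILSCALE_BIN, MIN_VERSION, the function names and the --apply argument are names chosen for this example.

```shell
#!/bin/sh
# Added example (not Tailscale's own tooling): opt a Linux host in to
# Device Identity Collection, refusing clients older than 1.52.
# TAILSCALE_BIN, MIN_VERSION and both function names are this example's own.
TAILSCALE_BIN="${TAILSCALE_BIN:-tailscale}"
MIN_VERSION="1.52"

# version_at_least HAVE WANT: succeeds when HAVE >= WANT on major.minor.
# Malformed input (no dot, non-numeric parts) fails closed.
version_at_least() {
    case "$1" in *.*) ;; *) return 1 ;; esac
    have_major=${1%%.*}; have_rest=${1#*.}; have_minor=${have_rest%%[!0-9]*}
    want_major=${2%%.*}; want_rest=${2#*.}; want_minor=${want_rest%%[!0-9]*}
    case "$have_major" in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$have_minor" ] || return 1
    [ "$have_major" -gt "$want_major" ] && return 0
    [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]
}

# Returns 0 on success, 2 if the version is too old or unreadable,
# 1 if one of the three commands fails.
enable_posture_checking() {
    # The first line of `tailscale version` is the client version.
    version=$("$TAILSCALE_BIN" version | head -n 1) || return 1
    if ! version_at_least "$version" "$MIN_VERSION"; then
        echo "tailscale '$version' is older than $MIN_VERSION; upgrade first" >&2
        return 2
    fi
    # The three commands from the page, stopping at the first failure.
    # Tailnet connectivity on this host is interrupted between down and up.
    "$TAILSCALE_BIN" set --posture-checking=true || return 1
    "$TAILSCALE_BIN" down || return 1
    "$TAILSCALE_BIN" up || return 1
}

# Only act when asked to, so the file can be sourced for its functions.
if [ "${1:-}" = "--apply" ]; then
    enable_posture_checking
fi
```

Run it as root with the --apply argument. A non-zero exit status tells the configuration management run that the host still needs attention.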

View collection progress

In the Device Posture section of the Device management page, you will see a summary of serial number collection.

You can select Inspect to view which machines have a particular status, for example, to see machines that have not been opted in yet.

[Screenshot: Device Identity Collection toggle, enabled. 22 of 582 devices opted in. 21 returned serial numbers (inspect link). 1 returned only invalid serial numbers (inspect link). 196 did not have posture collection enabled (inspect link). 364 are yet to be checked (inspect link). Monitor changes to device identities in the audit logs.]

Check device identifiers

Viewing device identifiers is available for the Enterprise plan.

You can view identifiers for your devices on the Machines page of the admin console.

  1. Open the Machines page of the admin console.
  2. Select a machine you want to inspect.
  3. View the device identity and collection status in the Machine Details section.

[Screenshot: Machine details. Serial number: IB2HQE3XWO]

Device identity is also available from the device API.

By default, Device Identity Collection fetches device serial numbers. Some posture integrations, like CrowdStrike Falcon, can also use MAC addresses for device matching, which will be collected if required by such an integration.

Last updated Oct 22, 2024