Get started
Login
© 2024

Deploy Tailscale with Microsoft Intune

You can use the Microsoft Intune mobile device management (MDM) solution to deploy Tailscale in your organization. You can configure a number of system policies, and you can then use Microsoft Intune to deploy these policies across devices in your organization. Tailscale system policies via Microsoft Intune are supported on Windows, macOS, iOS, tvOS, and Android.

If you need help deploying Tailscale using Microsoft Intune, or would like to suggest any feature enhancements, contact our support or sales teams.

Follow the steps in this document to get started. On macOS and iOS, you'll learn how to create a configuration profile containing a system policy that displays the name of your organization in the Tailscale client as an example. You'll then deploy it to a set of devices already enrolled in Microsoft Intune. On Android, you'll learn how to distribute Tailscale and enforce restrictions already available in the Tailscale app by defining a custom configuration.

Create, upload, and deploy a Tailscale configuration profile for macOS/iOS/iPadOS

To get started with Tailscale and Microsoft Intune, you'll first need to determine which system policies you wish to impose on your devices. Once you know which system policies to impose and the value for each, you'll then need to create an Apple configuration profile (.mobileconfig file) to define them, and upload the profile to the Microsoft Intune admin center.

  1. Paste the contents of our configuration profile template, which provides preset values for the ManagedByOrganizationName and IPAddressCopiedAlertSuppressed policies into a new XML file called Tailscale.mobileconfig. This XML file with the .mobileconfig extension will become your configuration profile.
  2. Log in to the Microsoft Intune admin center.
  3. In the sidebar, select Devices, then choose Configuration profiles under the Policy section.
  4. A list of currently configured profiles will appear. Select the Create menu item, then choose New Policy from the dropdown menu that will appear.
  5. Select the platform you're looking to configure using the Platform dropdown menu. This will be either macOS or iOS/iPadOS.
  6. Choose Templates as the Profile type.
  7. Select the Custom template, and confirm with the Create button at the bottom of the templates list.
  8. Set a descriptive name and an optional description for the policy. For instance, Tailscale macOS system policies.
    Set name and description for a custom configuration profile.
  9. In the following Configuration settings step, enter a name for the policy that will be displayed to users, and upload the .mobileconfig previously created. Use the Device deployment channel if asked. Select Next to continue.
    Upload the .mobileconfig file previously created.
  10. Select the correct assignments in the Assignments tab. You can use the Add all users shortcut if you wish to deploy the configuration profile to all users and groups in your organization. Alternatively, select users and groups to deploy the policies to.
    Select users and groups to assign the policy.
  11. Select Next to continue to the Review step. If everything checks out, select Create to deploy the policy.

The steps above are valid for both macOS and iOS deployments. If you have both macOS and iOS devices in your organization, you'll simply have to follow the instructions twice. Creating two separate .mobileconfig files using the proper application bundle identifier for each platform, and then choose the right platform when asked by the Intune admin center.

Once you have followed these steps, Microsoft Intune will begin deploying the profile to all the users and groups you selected. After rebooting the device, each enrolled client should display the organization name in the Tailscale client menu as set in the sample configuration profile used.

Create, upload, and deploy a Tailscale configuration profile for Windows

To get started with Tailscale and Microsoft Intune, you'll first need to determine which system policies you wish to impose on your devices. Once you know which system policies to impose and the value for each, we recommend using the provided Tailscale ADMX file to import policies for a Tailscale configuration profile to be used with Microsoft Intune. ADMX files are a way to define group policies in Windows.

  1. Download the Tailscale ADMX file and ADML file from the Tailscale repository.
  2. Log in to the Microsoft Intune admin center.
  3. In the sidebar, select Devices, then choose Configuration profiles under the Policy section.
    View of the configuration profiles.
  4. First, import the Tailscale ADMX file. Select Import ADMX, then select the Import button.
    Import the Tailscale ADMX file.
  5. Upload the Tailscale ADMX and Tailscale ADML file. Select Next, then Create. You can select Refresh to check the status of the upload and template's availability.
  6. Navigate back to Policies. A list of currently configured profiles will appear. Select the Create menu item, then choose New Policy from the dropdown menu that will appear.
  7. Select Windows 10 and later using the Platform dropdown menu.
  8. Choose Templates as the Profile type.
  9. Select Imported Administrative templates (Preview).
    Select Imported Administrative templates (Preview).
  10. Set a descriptive name and an optional description for the policy. For instance, Tailscale windows policies.
    Set name and description for a custom configuration profile.
  11. Now you will see the Tailscale setting available for configuration.
    The Tailscale setting is now available for configuration.
    When you select the Tailscale settings, you can browse through policies that you can use and set their values.
    Select the Tailscale settings to browse through available policies and set their values.
    Once you set a policy's value, the state of the policy should be shown in the Tailscale settings.
    View the state of a policy.
  12. Once you configure the policies you want to use, select Next to go to the Scope Tags section. You can assign a tag for the configuration profile if you have one. If you don't have any tags, select the Default option.
    Assign a tag to the configuration profile, or select the default.
  13. Choose Next, and select your assignments in the Assignments tab. You can choose Add all users to deploy the configuration profile to all users, or select specific users or groups of users.
    Select users and groups to assign the policy.
  14. Select Next and review your profile settings before selecting Create.
    Review your profile settings before selecting Create.

Once you have followed these steps, Microsoft Intune will begin deploying the profile to all the users and groups you selected. After rebooting the device, each enrolled client should display the organization name in the Tailscale client menu as per the sample configuration profile used. For more documentation on importing ADMX files, check the Microsoft Intune documentation.

Deploy Tailscale for Android using Microsoft Intune

Configuring Microsoft Intune to deploy Tailscale is done in two steps. You'll begin by adding the Tailscale app as a Managed Google Play application. Then, you can optionally decide to deploy system policies using an Android managed configuration. This will allow you to configure the Tailscale Android client to fit the needs of your organization.

Before continuing, ensure that all Android devices you wish to deploy Tailscale to are already properly enrolled in Intune. Because we are going to add Tailscale as a Managed Google Play app, you will also need to connect your Intune account to your Managed Google Play account. For more details on the account connection process, refer to the documentation published by Microsoft in Connect your Intune account to your Managed Google Play account.

Adding the Tailscale app to Microsoft Intune

  1. Log in to the Microsoft Intune admin center.
  2. Navigate to Apps > All apps > Add, then select Managed Google Play app.
  3. Search for Tailscale and confirm.
  4. You might want to assign Tailscale to a group of users, so that Tailscale will be deployed automatically to these users' devices.

Deploying Tailscale system policies on Android using Intune

Once Tailscale has been configured as a deployed app in Intune, you can optionally configure a set of system policies that will be enforced on the enrolled Android devices.

  1. Log in to the Microsoft Intune admin center.
  2. Navigate to Apps > App configuration policies > Add > Managed devices.
  3. Pick a descriptive name for the policy, such as Tailscale System Policies. Choose Android as the platform.
  4. Select Associated app to display a list of configured applications. If you followed the previous steps, this list should include Tailscale. Select it to continue.
  5. Choose Configuration settings, then Use configuration designer, and then select Add to pick from the list of available system policies.
  6. Enter your preferred system policy values.
  7. Select OK to save the configuration.