Deploy Tailscale with Microsoft Intune

You can use the Microsoft Intune mobile device management (MDM) solution to deploy Tailscale in your organization. You can configure a number of system policies, and you can then use Microsoft Intune to deploy these policies across devices in your organization. Tailscale system policies via Microsoft Intune are supported on Windows, macOS, and iOS.

If you need help deploying Tailscale using Microsoft Intune, or would like to suggest any feature enhancements, contact our support or sales teams.

Follow the steps in this document to get started. You’ll create a configuration profile containing a system policy that displays the name of your organization in the Tailscale client as an example. You’ll then deploy it to a set of devices already enrolled in Microsoft Intune.

Create, upload, and deploy a Tailscale configuration profile for macOS/iOS/iPadOS

To get started with Tailscale and Microsoft Intune, you’ll first need to determine which system policies you wish to impose on your devices. Once you know which system policies to impose and the value for each, you’ll then need to create an Apple configuration profile (.mobileconfig file) to define them, and upload the profile to the Microsoft Intune admin center.

  1. Paste the contents of our configuration profile template, which provides preset values for the ManagedByOrganizationName and IPAddressCopiedAlertSuppressed policies, into a new XML file called Tailscale.mobileconfig. This XML file with the .mobileconfig extension will become your configuration profile.
  2. Log in to the Microsoft Intune admin center.
  3. In the sidebar, select Devices, then choose Configuration profiles under the Policy section.
  4. A list of currently configured profiles will appear. Select the Create menu item, then choose New Policy from the dropdown menu that will appear.
  5. Select the platform you’re looking to configure using the Platform dropdown menu. This will be either macOS or iOS/iPadOS.
  6. Choose Templates as the Profile type.
  7. Select the Custom template, and confirm with the Create button at the bottom of the templates list.
  8. Set a descriptive name and an optional description for the policy. For instance, Tailscale macOS system policies.
  9. In the following Configuration settings step, enter a name for the policy that will be displayed to users, and upload the .mobileconfig previously created. Use the Device deployment channel if asked. Select Next to continue.
  10. Select the correct assignments in the Assignments tab. You can use the Add all users shortcut if you wish to deploy the configuration profile to all users and groups in your organization. Alternatively, select users and groups to deploy the policies to.
  11. Select Next to continue to the Review step. If everything checks out, select Create to deploy the policy.

The steps above are valid for both macOS and iOS deployments. If you have both macOS and iOS devices in your organization, follow the instructions twice: create two separate .mobileconfig files, using the proper application bundle identifier for each platform, and choose the right platform when asked by the Intune admin center.

Once you have followed these steps, Microsoft Intune will begin deploying the profile to all the users and groups you selected. After rebooting the device, each enrolled client should display the organization name in the Tailscale client menu as set in the sample configuration profile used.
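
A pre-upload check for the .mobileconfig described above, as an added example that is not part of Tailscale's documentation or template: it builds a minimal profile carrying the two sample policies and reports whether a profile targets the bundle identifier you expect with correctly typed values. The payload layout, the value types and the `com.example...` identifier are assumptions; take the real bundle identifier for each platform from Tailscale's template and pass it in.

```python
import plistlib
import uuid

# Policy names come from the page; the value types are an assumption to confirm.
EXPECTED_POLICIES = {"ManagedByOrganizationName": str,
                     "IPAddressCopiedAlertSuppressed": bool}


def build_profile(bundle_id: str, org_name: str) -> bytes:
    """Build a minimal profile carrying the two sample policies."""
    settings = {
        "PayloadType": bundle_id,  # managed preferences are keyed by bundle ID
        "PayloadIdentifier": f"{bundle_id}.policies",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "ManagedByOrganizationName": org_name,
        "IPAddressCopiedAlertSuppressed": True,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.tailscale.profile",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Tailscale system policies",
        "PayloadContent": [settings],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def check_profile(data: bytes, expected_bundle_id: str) -> list[str]:
    """Return the problems found; an empty list means the profile passed."""
    try:
        profile = plistlib.loads(data)
    except Exception as exc:  # malformed XML or not a property list
        return [f"not a valid property list: {exc}"]
    if not isinstance(profile, dict):
        return ["top-level object is not a dictionary"]
    problems = []
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be 'Configuration'")
    payloads = [p for p in profile.get("PayloadContent", [])
                if isinstance(p, dict) and p.get("PayloadType") == expected_bundle_id]
    if not payloads:
        return problems + [f"no payload targets {expected_bundle_id}"]
    for key, kind in EXPECTED_POLICIES.items():
        value = payloads[0].get(key)
        if not isinstance(value, kind):
            problems.append(f"{key}: expected {kind.__name__}, got {value!r}")
    return problems
```

Run `check_profile` on each platform's file with that platform's bundle identifier before uploading, so a macOS file assigned to an iOS policy (or the reverse) is caught before deployment.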

Create, upload, and deploy a Tailscale configuration profile for Windows

To get started with Tailscale and Microsoft Intune, you’ll first need to determine which system policies you wish to impose on your devices. Once you know which system policies to impose and the value for each, we recommend using the provided Tailscale ADMX file to import policies for a Tailscale configuration profile to be used with Microsoft Intune. ADMX files are a way to define group policies in Windows.

  1. Download the Tailscale ADMX file and ADML file from the Tailscale repository.
  2. Log in to the Microsoft Intune admin center.
  3. In the sidebar, select Devices, then choose Configuration profiles under the Policy section.
  4. First, import the Tailscale ADMX file. Select Import ADMX, then click the Import button.
  5. Upload the Tailscale ADMX and Tailscale ADML files. Click Next, then Create. You can click Refresh to check the status of the upload and the template’s availability.
  6. Navigate back to Policies. A list of currently configured profiles will appear. Select the Create menu item, then choose New Policy from the dropdown menu that will appear.
  7. Select Windows 10 and later using the Platform dropdown menu.
  8. Choose Templates as the Profile type.
  9. Select Imported Administrative templates (Preview).
  10. Set a descriptive name and an optional description for the policy. For instance, Tailscale Windows policies.
  11. Now you will see the Tailscale settings available for configuration.
    When you click the Tailscale settings, you can browse through policies that you can use and set their values.
    Once you set a policy’s value, the state of the policy should be shown in the Tailscale settings.
  12. Once you configure the policies you want to use, click Next to proceed to the Scope Tags section. You can assign a tag for the configuration profile if you have one. If you don’t have any tags, select the Default option.
  13. Choose Next, and select your assignments in the Assignments tab. You can choose Add all users to deploy the configuration profile to all users, or select specific users or groups of users.
  14. Click Next and review your profile settings before selecting Create.

Once you have followed these steps, Microsoft Intune will begin deploying the profile to all the users and groups you selected. After rebooting the device, each enrolled client should display the organization name in the Tailscale client menu as per the sample configuration profile used. For more documentation on importing ADMX files, check the Microsoft Intune documentation.