Restrict device access with Iru

Iru device posture integration is available for the Enterprise plan.

Iru is formerly known as Kandji. Several references to Kandji may still be found in instructions, code examples, and user interfaces.

Iru collects a series of signals from its agent installed on each device that can be used to determine the security posture of a device. Tailscale can fetch these signals from Iru and use them as device posture attributes in access rules, which can then be used by organizations to grant access to sensitive resources only to devices that have a high level of trust.

You can achieve this Tailscale's device posture management features:

Kandji posture integration, which synchronizes signals from Kandji to device posture attributes in Tailscale.
Device Identity Collection, which collects identifiers (for example, serial numbers), used to match devices in Tailscale to devices in Kandji.
Posture conditions in access rules, which enables configuration of access restrictions based on device attributes.

This guide explains how to enable Device Identity collection for your Tailscale network (tailnet) and configure Kandji posture integration.

What is Kandji posture integration?

Kandji posture integration lets you connect your Tailscale network to Kandji. The integration runs periodically and copies signals from Kandji to device posture attributes.

When configured, it will periodically:

Fetch a list of devices recorded in your Kandji account, and their details.
Match Kandji devices with corresponding devices in your tailnet, based on the serial number associated with a device.
Write the data from each device into the following Tailscale device posture attributes:

Attribute key	Description	Allowed values
`kandji:mdmEnabled`	whether the device is enrolled in Iru (Kandji) MDM	`true`, `false`
`kandji:agentInstalled`	whether the Iru (Kandji) agent is present on the device	`true`, `false`

Prerequisites

Before you can set up the Kandji integration, make sure you have:

Device Identity Collection enabled, and devices in your tailnet are reporting identifiers.
A Kandji account for which you have permission to create an API token.

Create Kandji API Token

To authenticate your Kandji account with Tailscale, you'll need to create a Kandji API Token. The Kandji integration uses these to fetch a list of devices and their data from Kandji.

To create a Kandji API Token:

In Kandji, in the left-hand panel, select Settings.
From the top menu, select Access and select Add Token.
Add a name for the API token and select Create.
The API Token will be shown once, make sure to copy it for use later and select Next.
In the new dialog, select Configure to configure the permissions for the API token.
Under Prism, select Device Information (/api/v1/prism/device_information) and select Save in the right corner.
Under Access, make note of your organization's API URL, for example https://your-organization.api.kandji.io.

Configure Kandji posture integration

To configure Tailscale to fetch data about devices from Kandji:

Open the Device management page of the Tailscale admin console.
Under the Device Posture Integrations section, locate the Kandji integration, then select Connect.
Enter your Kandji API URL, the URL you use to access the Kandji console.
Enter your API Token.
Select Connect to Kandji.

Review the integration status

Next, check to ensure the Kandji integration has run successfully.

Go to the Device Posture Integrations section of the Device management page.
Locate the Kandji integration under the Integrations section.

After the Kandji integration runs successfully, it shows the time of the most recent sync, the number of synced devices, and any errors that occurred while synchronizing.

Integrations: Kandji: Last sync 4 minutes ago, 1 match between 2 Tailscale devices with identifies and 3 Kandji devices

Check node attributes

After you set up the Kandji integration, you can confirm that Tailscale is writing the new node attributes for your Kandji devices from the Tailscale admin console.

Open the Machines page of the Tailscale admin console.
Select a device to inspect.
The node attributes for the device are in the Machine Details section. This should include the set of kandji: attributes listed previously.

View of the machine attributes in the Machines page.

You can also check device attributes using the Tailscale API.

Adjust Tailscale access rules

After you set up the Kandji posture integration, and your devices have device posture attributes that reflect their signals as reported by Kandji, you can use those device posture attributes as part of your posture rules.

For example, to only permit access to tag:production from devices that have an active Kandji agent, you can create a new posture and use it as part of a corresponding access rule:

"postures": {
  "posture:trusted": [
    "kandji:agentInstalled == true",
  ],
},
"grants": [
  {
    "src": ["autogroup:member"],
    "dst": ["tag:production"],
    "ip": ["*"],
    "srcPosture": ["posture:trusted"]
  }
]

You can use the visual policy editor to manage your tailnet policy file. Refer to the visual editor reference for guidance on using the visual editor.

Schedule

For each configured integration, Tailscale will aim to sync device posture attributes every 15 minutes, with a few exceptions:

Adding a new integration, or changing configuration of an existing one, will trigger an out-of-schedule sync.
If an integration fails due to authentication error (usually caused by invalid credentials), it will be paused for up to 24 hours.

Audit log events

The following audit log events are added for device posture.

Target	Action	Description
Integration	Create posture integration	A new posture integration was created
Integration	Update posture integration	A posture integration was updated
Integration	Removed posture integration	A posture integration was removed
Node	Update node attribute	Device posture attributes for a node were changed