Restrict device access with 1Password Extended Access Management (XAM)

Device posture integration with 1Password Extended Access Management (XAM) is currently in beta.

XAM device posture integration is available for the Enterprise plan.

1Password Extended Access Management (previously, Kolide) collects a series of signals from its agent installed on each device that can be used to determine the security posture of a device. Tailscale can fetch these signals from XAM and use them as device posture attributes in access rules, which can then be used by organizations to grant access to sensitive resources only to devices that have a high level of trust.

This can be achieved using Tailscale's device posture management features:

Device Identity Collection, which collects identifiers (for example, serial numbers), used to match devices in Tailscale to devices in XAM.
XAM posture integration, which synchronizes signals from XAM to device posture attributes in Tailscale.
Posture conditions in access rules, which allows configuring access restrictions based on device attributes.

This document provides instructions on how to:

Enable Device Identity collection for your tailnet.
Configure XAM posture integration.

What is 1Password XAM (Kolide) posture integration?

1Password XAM (Kolide) posture integration lets you connect your Tailscale network to XAM. The integration runs periodically and copies signals from XAM to device posture attributes.

When configured, it will periodically:

Fetch a list of devices recorded in your XAM (Kolide) account, and the data reported.
Match XAM devices with corresponding devices in your tailnet, based on the serial numbers associated with a device.
Write the data from each device into the following Tailscale device posture attribute:

Attribute key	Description	Allowed values
`kolide:authState`	Authorization status of the device	`Good`, `Notified`, `Will Block`, `Blocked`

Prerequisites

Device Identity Collection is enabled, and devices on your tailnet are reporting identifiers
1Password XAM (Kolide) API Token

Create 1Password XAM (Kolide) API Key

Create a 1Password XAM (Kolide) API Key that will be used to fetch a list of devices and their data from XAM.

Select your user avatar in the upper-right corner of the 1Password XAM (Kolide) UI.
In the dropdown menu, select Settings.
In the menu on the left, select Developers.
In the sub-menu that appears, select API Keys.
On the next screen, select Create New Key.
In the modal that appears, provide a name for the Key and the name of a XAM administrator who will be responsible for the API Key’s usage, and select Save.
Once saved, the secret token is available in the table. Select the duplicate button to copy the token to your clipboard.

Configure 1Password XAM (Kolide) posture integration

Configure Tailscale to fetch the attributes from 1Password XAM (Kolide).

Open the Device management page of the Tailscale admin console.
Under the Device Posture Integrations section, select Connect next to the 1Password XAM (Kolide) integration.
Enter your API Key.
Select the Connect to 1Password XAM (Kolide) button.

View the integration status

Check that the integration has run successfully.

In the Device Posture Integrations section of the Device management page, configured integrations and their status will show under Integrations. The time of the most recent sync will display on this page. If an error occurs while synchronizing, it will display on this page.

Status of the 1Password XAM (Kolide) integration.

Check node attributes

After you configure 1Password XAM (Kolide) posture integration, you can confirm that the new attributes are being written for your Tailscale nodes via the Machines page of the admin console.

Open the Machines page of the Tailscale admin console.
Select a machine you want to inspect.
The attributes for the machine are in the Machine Details section. This should include the set of kolide: attributes listed previously.

View of the machine attributes in the Machines page.

You can also check node attributes via the Tailscale API.

Adjust Tailscale access rules

Once 1Password XAM (Kolide) posture integration is configured and your devices have device posture attributes that reflects their signals as reported by 1Password XAM (Kolide), you can use that device posture attribute as part of your posture rules.

For example, to only allow access to tag:production from devices that are reported as good by 1Password XAM (Kolide) agent, you can create a new posture and use it as part of a corresponding access rule:

"postures": {
  "posture:trusted": [
    "kolide:authState == 'Good'",
  ],
},
"acls": [
  {
    "action":     "accept",
    "src":        ["autogroup:member"],
    "srcPosture": ["posture:trusted"],
    "dst":        ["tag:production:*"],
  },
]

Schedule

For each configured integration, Tailscale will aim to sync device posture attributes every 15 minutes, with a few exceptions:

Adding a new integration, or changing configuration of an existing one, will trigger an out-of-schedule sync.
If an integration fails due to authentication error (usually caused by invalid credentials), it will be paused for up to 24 hours.

Audit log events

The following audit log events are added for device posture.

Target	Action	Description
Integration	Create posture integration	A new posture integration was created
Integration	Update posture integration	A posture integration was updated
Integration	Removed posture integration	A posture integration was removed
Node	Update node attribute	Device posture attributes for a node were changed