{"slug":"restrict-device-access-with-1password-extended-access-management-xam","title":"Restrict device access with 1Password Extended Access Management (XAM)","tags":["tailscale","access-control","devices"],"agent_summary":"Last validated: Jan 28, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Restrict device access with 1Password Extended Access Management (XAM)\r\n\r\nLast validated: Jan 28, 2026\r\n\r\nThis integrationis available for [the Standard, Premium, and Enterprise plans](https://tailscale.com/pricing).\r\n\r\n[1Password Extended Access Management](https://1password.com/xam) (previously, [Kolide](https://kolide.com/)) collects a series of signals from its agent installed on each device that can be used to determine the security posture of a device. Tailscale can fetch these signals from XAM and use them as device posture attributes in access rules, which can then be used by organizations to grant access to sensitive resources only to devices that have a high level of trust.\r\n\r\nYou can achieve this Tailscale's [device posture management](https://tailscale.com/docs/features/device-posture) features:\r\n\r\n- [Device Identity Collection](https://tailscale.com/docs/features/access-control/device-management/how-to/manage-identity), which collects identifiers (for example, serial numbers), used to match devices in Tailscale to devices in XAM.\r\n- XAM posture integration, which synchronizes signals from XAM to device posture attributes in Tailscale.\r\n- [Posture conditions in access rules](https://tailscale.com/docs/features/device-posture#device-posture-conditions), which lets you configure access restrictions based on device attributes.\r\n\r\nThis guide explains how to enable Device Identity collection for your Tailscale network (tailnet) and configure XAM posture integration.\r\n\r\n## [What is 1Password XAM (Kolide) posture integration?](https://tailscale.com/docs/integrations/kolide\\#what-is-1password-xam-kolide-posture-integration)\r\n\r\nThe 1Password XAM (Kolide) integration syncs data between XAM and Tailscale on a recurring schedule.\r\nDuring each sync, Tailscale performs the following actions:\r\n\r\n1. Fetches a list of hosts and their reported data from your XAM account.\r\n2. Matches XAM devices to devices in your tailnet based on serial numbers.\r\n3. Writes the XAM data to device posture attributes on each matched device.\r\n\r\nThe integration writes the following device posture attributes to matched devices:\r\n\r\n| **Attribute key** | **Description** | **Allowed values** |\r\n| --- | --- | --- |\r\n| `kolide:authState` | Authorization status of the device | `Good`, `Notified`, `Will Block`, `Blocked` |\r\n\r\n## [Prerequisites](https://tailscale.com/docs/integrations/kolide\\#prerequisites)\r\n\r\nBefore you can set up the 1Password XAM (Kolide) integration, make sure you have:\r\n\r\n- [Device Identity Collection](https://tailscale.com/docs/features/access-control/device-management/how-to/manage-identity) enabled, and devices in your tailnet are reporting identifiers.\r\n- A 1Password XAM (Kolide) account for which you have permission to create an API token.\r\n\r\n## [Create 1Password XAM (Kolide) API Key](https://tailscale.com/docs/integrations/kolide\\#create-1password-xam-kolide-api-key)\r\n\r\nTo authenticate your 1Password XAM (Kolide) account with Tailscale, you'll need to create a 1Password XAM (Kolide) API Key.\r\nThe 1Password XAM (Kolide) integration uses these to fetch a list of devices and their data from 1Password XAM (Kolide).\r\n\r\nTo create a 1Password XAM (Kolide) API Key:\r\n\r\n1. Select your user avatar in the upper-right corner of the [1Password XAM (Kolide) UI](https://app.kolide.com/).\r\n\r\n2. In the dropdown menu, select **Settings**.\r\n\r\n3. In the menu on the left, select **Developers**.\r\n\r\n4. In the sub-menu that appears, select **API Keys**.\r\n\r\n5. On the next screen, select **Create New Key**.\r\n\r\n6. In the modal that appears, provide a name for the Key and the name of a XAM administrator who will be responsible for the API Key's usage, and select **Save**.\r\n\r\n7. Once saved, the secret token is available in the table. Select the duplicate button to copy the token to your clipboard.\r\n\r\n\r\n## [Configure 1Password XAM (Kolide) posture integration](https://tailscale.com/docs/integrations/kolide\\#configure-1password-xam-kolide-posture-integration)\r\n\r\nTo configure Tailscale to fetch data about devices from 1Password XAM (Kolide):\r\n\r\n1. Open the [Device management](https://login.tailscale.com/admin/settings/device-management) page of the Tailscale admin console.\r\n\r\n2. Under the **Device Posture Integrations** section, locate the 1Password XAM (Kolide) integration, then select **Connect**.\r\n\r\n3. Enter your **API Key**.\r\n![The configuration screen for connecting to 1Password XAM (Kolide) from the Tailscale admin console.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fconfigure-integration.1827636e.png&w=1080&q=75)\r\n4. Select **Connect to 1Password XAM (Kolide)**.\r\n\r\n\r\n## [Review the integration status](https://tailscale.com/docs/integrations/kolide\\#review-the-integration-status)\r\n\r\nNext, check to ensure the 1Password XAM (Kolide) integration has run successfully.\r\n\r\n1. Go to the **Device Posture Integrations** section of the [Device management](https://login.tailscale.com/admin/settings/device-management) page.\r\n2. Locate the 1Password XAM (Kolide) integration under the **Integrations** section.\r\n\r\nAfter the 1Password XAM (Kolide) integration runs successfully, it shows the time of the most recent sync, the number of synced devices, and any errors that occurred while synchronizing.≈\r\n\r\n![Integrations: 1Password XAM (Kolide): Last sync 4 minutes ago, 1 match between 2 Tailscale devices with identifies and 3 1Password XAM (Kolide) devices](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fintegration-status.9490b3d1.png&w=1200&q=75)\r\n\r\n## [Check node attributes](https://tailscale.com/docs/integrations/kolide\\#check-node-attributes)\r\n\r\nAfter you set up the 1Password XAM (Kolide) integration, you can confirm that Tailscale is writing the new node attributes for your 1Password XAM (Kolide) devices from the Tailscale admin console.\r\n\r\n1. Open the [Machines](https://login.tailscale.com/admin/machines) page of the Tailscale admin console.\r\n2. Select a device to inspect.\r\n3. The node attributes for the device are in the **Machine Details** section. This should include the set of `kolide:` attributes listed previously.\r\n\r\n![View of the machine attributes in the Machines page.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fmachine-attributes.149a9639.png&w=640&q=75)\r\n\r\nYou can also check device attributes using the [Tailscale API](https://tailscale.com/api#tag/devices/GET/device/%7BdeviceId%7D/attributes).\r\n\r\n## [Adjust Tailscale access rules](https://tailscale.com/docs/integrations/kolide\\#adjust-tailscale-access-rules)\r\n\r\nAfter you set up the 1Password XAM (Kolide) posture integration, and your devices have device posture attributes that reflect their signals as reported by 1Password XAM (Kolide), you can use those device posture attributes as part of your posture rules.\r\n\r\nFor example, to only permit access to `tag:production` from devices that are reported as good by the 1Password XAM (Kolide) agent, you can create a new posture and use it as part of a corresponding access rule:\r\n\r\n```json\r\n\"postures\": {\r\n  \"posture:trusted\": [\\\r\n    \"kolide:authState != 'Blocked'\",\\\r\n  ],\r\n},\r\n\"grants\": [\\\r\n  {\\\r\n    \"src\": [\"autogroup:member\"],\\\r\n    \"dst\": [\"tag:production\"],\\\r\n    \"ip\": [\"*\"],\\\r\n    \"srcPosture\": [\"posture:trusted\"]\\\r\n  }\\\r\n]\r\n```\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\n## [Schedule](https://tailscale.com/docs/integrations/kolide\\#schedule)\r\n\r\nFor each configured integration, Tailscale will aim to sync device posture\r\nattributes every 15 minutes, with a few exceptions:\r\n\r\n- Adding a new integration, or changing configuration of an existing one,\r\nwill trigger an out-of-schedule sync.\r\n- If an integration fails due to authentication error (usually caused by invalid\r\ncredentials), it will be paused for up to 24 hours.\r\n\r\n## [Audit log events](https://tailscale.com/docs/integrations/kolide\\#audit-log-events)\r\n\r\nThe following [audit log events](https://tailscale.com/docs/features/logging/audit-logging#events) are added for device posture.\r\n\r\n| **Target** | **Action** | **Description** |\r\n| --- | --- | --- |\r\n| Integration | Create posture integration | A new posture integration was created |\r\n| Integration | Update posture integration | A posture integration was updated |\r\n| Integration | Removed posture integration | A posture integration was removed |\r\n| Node | Update node attribute | Device posture attributes for a node were changed |\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Restrict device access with 1Password Extended Access Management (XAM)</h1>\n<p>Last validated: Jan 28, 2026</p>\n<p>This integrationis available for <a href=\"https://tailscale.com/pricing\">the Standard, Premium, and Enterprise plans</a>.</p>\n<p><a href=\"https://1password.com/xam\">1Password Extended Access Management</a> (previously, <a href=\"https://kolide.com/\">Kolide</a>) collects a series of signals from its agent installed on each device that can be used to determine the security posture of a device. Tailscale can fetch these signals from XAM and use them as device posture attributes in access rules, which can then be used by organizations to grant access to sensitive resources only to devices that have a high level of trust.</p>\n<p>You can achieve this Tailscale's <a href=\"https://tailscale.com/docs/features/device-posture\">device posture management</a> features:</p>\n<ul>\n<li><a href=\"https://tailscale.com/docs/features/access-control/device-management/how-to/manage-identity\">Device Identity Collection</a>, which collects identifiers (for example, serial numbers), used to match devices in Tailscale to devices in XAM.</li>\n<li>XAM posture integration, which synchronizes signals from XAM to device posture attributes in Tailscale.</li>\n<li><a href=\"https://tailscale.com/docs/features/device-posture#device-posture-conditions\">Posture conditions in access rules</a>, which lets you configure access restrictions based on device attributes.</li>\n</ul>\n<p>This guide explains how to enable Device Identity collection for your Tailscale network (tailnet) and configure XAM posture integration.</p>\n<h2><a href=\"https://tailscale.com/docs/integrations/kolide#what-is-1password-xam-kolide-posture-integration\">What is 1Password XAM (Kolide) posture integration?</a></h2>\n<p>The 1Password XAM (Kolide) integration syncs data between XAM and Tailscale on a recurring schedule.\r\nDuring each sync, Tailscale performs the following actions:</p>\n<ol>\n<li>Fetches a list of hosts and their reported data from your XAM account.</li>\n<li>Matches XAM devices to devices in your tailnet based on serial numbers.</li>\n<li>Writes the XAM data to device posture attributes on each matched device.</li>\n</ol>\n<p>The integration writes the following device posture attributes to matched devices:</p>\n<p>| <strong>Attribute key</strong> | <strong>Description</strong> | <strong>Allowed values</strong> |\r\n| --- | --- | --- |\r\n| <code>kolide:authState</code> | Authorization status of the device | <code>Good</code>, <code>Notified</code>, <code>Will Block</code>, <code>Blocked</code> |</p>\n<h2><a href=\"https://tailscale.com/docs/integrations/kolide#prerequisites\">Prerequisites</a></h2>\n<p>Before you can set up the 1Password XAM (Kolide) integration, make sure you have:</p>\n<ul>\n<li><a href=\"https://tailscale.com/docs/features/access-control/device-management/how-to/manage-identity\">Device Identity Collection</a> enabled, and devices in your tailnet are reporting identifiers.</li>\n<li>A 1Password XAM (Kolide) account for which you have permission to create an API token.</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/integrations/kolide#create-1password-xam-kolide-api-key\">Create 1Password XAM (Kolide) API Key</a></h2>\n<p>To authenticate your 1Password XAM (Kolide) account with Tailscale, you'll need to create a 1Password XAM (Kolide) API Key.\r\nThe 1Password XAM (Kolide) integration uses these to fetch a list of devices and their data from 1Password XAM (Kolide).</p>\n<p>To create a 1Password XAM (Kolide) API Key:</p>\n<ol>\n<li>\n<p>Select your user avatar in the upper-right corner of the <a href=\"https://app.kolide.com/\">1Password XAM (Kolide) UI</a>.</p>\n</li>\n<li>\n<p>In the dropdown menu, select <strong>Settings</strong>.</p>\n</li>\n<li>\n<p>In the menu on the left, select <strong>Developers</strong>.</p>\n</li>\n<li>\n<p>In the sub-menu that appears, select <strong>API Keys</strong>.</p>\n</li>\n<li>\n<p>On the next screen, select <strong>Create New Key</strong>.</p>\n</li>\n<li>\n<p>In the modal that appears, provide a name for the Key and the name of a XAM administrator who will be responsible for the API Key's usage, and select <strong>Save</strong>.</p>\n</li>\n<li>\n<p>Once saved, the secret token is available in the table. Select the duplicate button to copy the token to your clipboard.</p>\n</li>\n</ol>\n<h2><a href=\"https://tailscale.com/docs/integrations/kolide#configure-1password-xam-kolide-posture-integration\">Configure 1Password XAM (Kolide) posture integration</a></h2>\n<p>To configure Tailscale to fetch data about devices from 1Password XAM (Kolide):</p>\n<ol>\n<li>\n<p>Open the <a href=\"https://login.tailscale.com/admin/settings/device-management\">Device management</a> page of the Tailscale admin console.</p>\n</li>\n<li>\n<p>Under the <strong>Device Posture Integrations</strong> section, locate the 1Password XAM (Kolide) integration, then select <strong>Connect</strong>.</p>\n</li>\n<li>\n<p>Enter your <strong>API Key</strong>.\r\n<img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fconfigure-integration.1827636e.png&#x26;w=1080&#x26;q=75\" alt=\"The configuration screen for connecting to 1Password XAM (Kolide) from the Tailscale admin console.\"></p>\n</li>\n<li>\n<p>Select <strong>Connect to 1Password XAM (Kolide)</strong>.</p>\n</li>\n</ol>\n<h2><a href=\"https://tailscale.com/docs/integrations/kolide#review-the-integration-status\">Review the integration status</a></h2>\n<p>Next, check to ensure the 1Password XAM (Kolide) integration has run successfully.</p>\n<ol>\n<li>Go to the <strong>Device Posture Integrations</strong> section of the <a href=\"https://login.tailscale.com/admin/settings/device-management\">Device management</a> page.</li>\n<li>Locate the 1Password XAM (Kolide) integration under the <strong>Integrations</strong> section.</li>\n</ol>\n<p>After the 1Password XAM (Kolide) integration runs successfully, it shows the time of the most recent sync, the number of synced devices, and any errors that occurred while synchronizing.≈</p>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fintegration-status.9490b3d1.png&#x26;w=1200&#x26;q=75\" alt=\"Integrations: 1Password XAM (Kolide): Last sync 4 minutes ago, 1 match between 2 Tailscale devices with identifies and 3 1Password XAM (Kolide) devices\"></p>\n<h2><a href=\"https://tailscale.com/docs/integrations/kolide#check-node-attributes\">Check node attributes</a></h2>\n<p>After you set up the 1Password XAM (Kolide) integration, you can confirm that Tailscale is writing the new node attributes for your 1Password XAM (Kolide) devices from the Tailscale admin console.</p>\n<ol>\n<li>Open the <a href=\"https://login.tailscale.com/admin/machines\">Machines</a> page of the Tailscale admin console.</li>\n<li>Select a device to inspect.</li>\n<li>The node attributes for the device are in the <strong>Machine Details</strong> section. This should include the set of <code>kolide:</code> attributes listed previously.</li>\n</ol>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fmachine-attributes.149a9639.png&#x26;w=640&#x26;q=75\" alt=\"View of the machine attributes in the Machines page.\"></p>\n<p>You can also check device attributes using the <a href=\"https://tailscale.com/api#tag/devices/GET/device/%7BdeviceId%7D/attributes\">Tailscale API</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/integrations/kolide#adjust-tailscale-access-rules\">Adjust Tailscale access rules</a></h2>\n<p>After you set up the 1Password XAM (Kolide) posture integration, and your devices have device posture attributes that reflect their signals as reported by 1Password XAM (Kolide), you can use those device posture attributes as part of your posture rules.</p>\n<p>For example, to only permit access to <code>tag:production</code> from devices that are reported as good by the 1Password XAM (Kolide) agent, you can create a new posture and use it as part of a corresponding access rule:</p>\n<pre><code class=\"language-json\">\"postures\": {\r\n  \"posture:trusted\": [\\\r\n    \"kolide:authState != 'Blocked'\",\\\r\n  ],\r\n},\r\n\"grants\": [\\\r\n  {\\\r\n    \"src\": [\"autogroup:member\"],\\\r\n    \"dst\": [\"tag:production\"],\\\r\n    \"ip\": [\"*\"],\\\r\n    \"srcPosture\": [\"posture:trusted\"]\\\r\n  }\\\r\n]\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<h2><a href=\"https://tailscale.com/docs/integrations/kolide#schedule\">Schedule</a></h2>\n<p>For each configured integration, Tailscale will aim to sync device posture\r\nattributes every 15 minutes, with a few exceptions:</p>\n<ul>\n<li>Adding a new integration, or changing configuration of an existing one,\r\nwill trigger an out-of-schedule sync.</li>\n<li>If an integration fails due to authentication error (usually caused by invalid\r\ncredentials), it will be paused for up to 24 hours.</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/integrations/kolide#audit-log-events\">Audit log events</a></h2>\n<p>The following <a href=\"https://tailscale.com/docs/features/logging/audit-logging#events\">audit log events</a> are added for device posture.</p>\n<p>| <strong>Target</strong> | <strong>Action</strong> | <strong>Description</strong> |\r\n| --- | --- | --- |\r\n| Integration | Create posture integration | A new posture integration was created |\r\n| Integration | Update posture integration | A posture integration was updated |\r\n| Integration | Removed posture integration | A posture integration was removed |\r\n| Node | Update node attribute | Device posture attributes for a node were changed |</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}