{"slug":"restrict-device-access-with-crowdstrike-zta-scores","title":"Restrict device access with CrowdStrike ZTA scores","tags":["tailscale","access-control","devices"],"agent_summary":"Last validated: Jan 28, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Restrict device access with CrowdStrike ZTA scores\r\n\r\nLast validated: Jan 28, 2026\r\n\r\nThis integrationis available for [the Standard, Premium, and Enterprise plans](https://tailscale.com/pricing).\r\n\r\nCrowdStrike Falcon [Zero Trust Assessment](https://www.crowdstrike.com/press-releases/crowdstrike-extends-zero-trust-to-endpoint-devices) calculates a numeric trust score (from 0 to 100) for each device that runs a Falcon agent. Using that score as part of access rules in Tailscale can allow organizations to grant access to sensitive resources only to devices that have a high enough level of trust.\r\n\r\nYou can achieve this with Tailscale's [device posture](https://tailscale.com/docs/features/device-posture) features:\r\n\r\n- CrowdStrike Falcon posture integration, which synchronizes Zero Trust Assessment scores from CrowdStrike to device posture attributes in Tailscale.\r\n- [Device Identity Collection](https://tailscale.com/docs/features/access-control/device-management/how-to/manage-identity), which collects identifiers such as serial numbers and MAC addresses, used to match devices in Tailscale to devices in CrowdStrike.\r\n- [Posture conditions in access rules](https://tailscale.com/docs/features/device-posture#posture-conditions), which lets you configure access restrictions based on device attributes.\r\n\r\nThis guide explains how to enable Device Identity collection for your Tailscale network (tailnet) and configure CrowdStrike Falcon posture integration.\r\n\r\n## [What is CrowdStrike Falcon posture integration?](https://tailscale.com/docs/integrations/crowdstrike-zta\\#what-is-crowdstrike-falcon-posture-integration)\r\n\r\nThe CrowdStrike Falcon integration syncs data between Falcon and Tailscale on a recurring schedule.\r\nDuring each sync, Tailscale performs the following actions:\r\n\r\n1. Fetches a list of hosts and their ZTA score from your Falcon account.\r\n2. Matches Falcon hosts to devices in your tailnet based on serial numbers.\r\n3. Writes the Falcon data to a device posture attribute on each matched device.\r\n\r\nThe integration writes the following device posture attribute to matched devices:\r\n\r\n| **Attribute key** | **Description** | **Allowed values** |\r\n| --- | --- | --- |\r\n| `falcon:ztaScore` | Falcon ZTA score for the device | `number` |\r\n\r\n## [Prerequisites](https://tailscale.com/docs/integrations/crowdstrike-zta\\#prerequisites)\r\n\r\nBefore you can set up the CrowdStrike Falcon integration, make sure you have:\r\n\r\n- [Device Identity Collection](https://tailscale.com/docs/features/access-control/device-management/how-to/manage-identity) enabled, and devices in your tailnet are reporting identifiers.\r\n- A CrowdStrike Falcon account for which you have permission to create an API client.\r\n\r\n## [Create CrowdStrike Falcon API credentials](https://tailscale.com/docs/integrations/crowdstrike-zta\\#create-crowdstrike-falcon-api-credentials)\r\n\r\nTo authenticate your CrowdStrike Falcon account with Tailscale, you'll need to create a CrowdStrike Falcon API client.\r\nThe Falcon integration uses these to fetch a list of hosts and their ZTA score from Falcon.\r\n\r\nTo create a CrowdStrike Falcon API client:\r\n\r\n1. In Falcon, open **Support and resources** and then **API clients and keys**.\r\n\r\n2. Select **Create API client**.\r\n\r\n3. Add a name. For the **Hosts** scope add **Read**, and for the **Zero Trust** scope add **Read**.\r\n![Create API client: Client name: Tailscale integration. Scope 'Zero Trust Assessment - Read' is enabled.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fcrowdstrike-scopes.2e739e67.png&w=750&q=75)\r\n4. Select **Create**, then make sure to copy the displayed **Client ID** and **Client Secret**. These will be only displayed once.\r\n\r\n\r\nAlso make a note of the **Base URL** (for example, `https://api.us-2.crowdstrike.com`).\r\n\r\n## [Configure CrowdStrike Falcon posture integration](https://tailscale.com/docs/integrations/crowdstrike-zta\\#configure-crowdstrike-falcon-posture-integration)\r\n\r\nTo configure Tailscale to fetch the ZTA score for hosts from CrowdStrike Falcon:\r\n\r\n1. Open the [Device management](https://login.tailscale.com/admin/settings/device-management) page of the Tailscale admin console.\r\n\r\n2. Under the **Device Posture Integrations** section, locate the CrowdStrike Falcon integration, then select **Connect**.\r\n\r\n3. Select your **CrowdStrike Cloud Region** (the **Base URL** from the API client).\r\n\r\n4. Enter your **Client ID** and **Client Secret**.\r\n![1. Configure a CrowdStrike OAuth client: CrowdStrike Cloud Region: US-2. Client ID and Client Secret are entered. 3. Enable device identity collection: Tailscale uses device identifiers such as serial number to link Falcon Hosts to Tailscale Machines. You already have Device Identity Collection enabled. Button: Connect to CrowdStrike Falcon.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fconfigure-crowdstrike-falcon-integration.ed213580.png&w=1080&q=75)\r\n5. Select **Connect to CrowdStrike Falcon**.\r\n\r\n\r\n## [Review the integration status](https://tailscale.com/docs/integrations/crowdstrike-zta\\#review-the-integration-status)\r\n\r\nNext, check to ensure the CrowdStrike Falcon integration has run successfully.\r\n\r\n1. Go to the **Device Posture Integrations** section of the [Device management](https://login.tailscale.com/admin/settings/device-management) page.\r\n2. Locate the CrowdStrike Falcon integration under the **Integrations** section.\r\n\r\nAfter the CrowdStrike Falcon integration runs successfully, it shows the time of the most recent sync, the number of synced devices, and any errors that occurred while synchronizing.≈\r\n\r\n![Integrations: CrowdStrike Falcon: Last sync 4 minutes ago, 1 match between 2 Tailscale devices with identifies and 3 CrowdStrike Falcon hosts.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fintegration-status.71ab0ae3.png&w=1200&q=75)\r\n\r\n## [Check node attributes](https://tailscale.com/docs/integrations/crowdstrike-zta\\#check-node-attributes)\r\n\r\nAfter you set up the CrowdStrike Falcon integration, you can confirm that Tailscale is writing the new node attribute for your CrowdStrike Falcon devices from the Tailscale admin console.\r\n\r\n1. Open the [Machines](https://login.tailscale.com/admin/machines) page of the Tailscale admin console.\r\n2. Select a device to inspect.\r\n3. The node attributes for the device are in the **Machine Details** section. This should include the `falcon:ztaScore` attribute.\r\n\r\n![Attributes. falcon:ztaScore: 64. node:os: linux. node:osVersion: 5.19.0-46-generic. node:tsReleaseTrack: stable. node:tsVersion: 1.53.20.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fmachine-attributes.22472cd9.png&w=640&q=75)\r\n\r\nYou can also check device attributes using the [Tailscale API](https://tailscale.com/api#tag/devices/GET/device/%7BdeviceId%7D/attributes).\r\n\r\n## [Adjust Tailscale access rules](https://tailscale.com/docs/integrations/crowdstrike-zta\\#adjust-tailscale-access-rules)\r\n\r\nAfter you set up the CrowdStrike Falcon posture integration, and your devices have device posture attributes that reflect their signals as reported by CrowdStrike Falcon, you can use those device posture attributes as part of your posture rules.\r\n\r\nFor example, to only permit access to `tag:production` from devices that have a CrowdStrike ZTA score of 70 or higher, you can create a new posture and use it as part of a corresponding access rule:\r\n\r\n```json\r\n\"postures\": {\r\n  \"posture:trusted\": [\"falcon:ztaScore >= 70\"],\r\n},\r\n\"grants\": [\\\r\n  {\\\r\n    \"src\": [\"autogroup:member\"],\\\r\n    \"dst\": [\"tag:production\"],\\\r\n    \"ip\": [\"*\"],\\\r\n    \"srcPosture\": [\"posture:trusted\"]\\\r\n  }\\\r\n]\r\n```\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\n## [Schedule](https://tailscale.com/docs/integrations/crowdstrike-zta\\#schedule)\r\n\r\nFor each configured integration, Tailscale will aim to sync device posture\r\nattributes every 15 minutes, with a few exceptions:\r\n\r\n- Adding a new integration, or changing configuration of an existing one,\r\nwill trigger an out-of-schedule sync.\r\n- If an integration fails due to authentication error (usually caused by invalid\r\ncredentials), it will be paused for up to 24 hours.\r\n\r\n## [Audit log events](https://tailscale.com/docs/integrations/crowdstrike-zta\\#audit-log-events)\r\n\r\nThe following [audit log events](https://tailscale.com/docs/features/logging/audit-logging#events) are added for device posture.\r\n\r\n| **Target** | **Action** | **Description** |\r\n| --- | --- | --- |\r\n| Integration | Create posture integration | A new posture integration was created |\r\n| Integration | Update posture integration | A posture integration was updated |\r\n| Integration | Removed posture integration | A posture integration was removed |\r\n| Node | Update node attribute | Device posture attributes for a node were changed |\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Restrict device access with CrowdStrike ZTA scores</h1>\n<p>Last validated: Jan 28, 2026</p>\n<p>This integrationis available for <a href=\"https://tailscale.com/pricing\">the Standard, Premium, and Enterprise plans</a>.</p>\n<p>CrowdStrike Falcon <a href=\"https://www.crowdstrike.com/press-releases/crowdstrike-extends-zero-trust-to-endpoint-devices\">Zero Trust Assessment</a> calculates a numeric trust score (from 0 to 100) for each device that runs a Falcon agent. Using that score as part of access rules in Tailscale can allow organizations to grant access to sensitive resources only to devices that have a high enough level of trust.</p>\n<p>You can achieve this with Tailscale's <a href=\"https://tailscale.com/docs/features/device-posture\">device posture</a> features:</p>\n<ul>\n<li>CrowdStrike Falcon posture integration, which synchronizes Zero Trust Assessment scores from CrowdStrike to device posture attributes in Tailscale.</li>\n<li><a href=\"https://tailscale.com/docs/features/access-control/device-management/how-to/manage-identity\">Device Identity Collection</a>, which collects identifiers such as serial numbers and MAC addresses, used to match devices in Tailscale to devices in CrowdStrike.</li>\n<li><a href=\"https://tailscale.com/docs/features/device-posture#posture-conditions\">Posture conditions in access rules</a>, which lets you configure access restrictions based on device attributes.</li>\n</ul>\n<p>This guide explains how to enable Device Identity collection for your Tailscale network (tailnet) and configure CrowdStrike Falcon posture integration.</p>\n<h2><a href=\"https://tailscale.com/docs/integrations/crowdstrike-zta#what-is-crowdstrike-falcon-posture-integration\">What is CrowdStrike Falcon posture integration?</a></h2>\n<p>The CrowdStrike Falcon integration syncs data between Falcon and Tailscale on a recurring schedule.\r\nDuring each sync, Tailscale performs the following actions:</p>\n<ol>\n<li>Fetches a list of hosts and their ZTA score from your Falcon account.</li>\n<li>Matches Falcon hosts to devices in your tailnet based on serial numbers.</li>\n<li>Writes the Falcon data to a device posture attribute on each matched device.</li>\n</ol>\n<p>The integration writes the following device posture attribute to matched devices:</p>\n<p>| <strong>Attribute key</strong> | <strong>Description</strong> | <strong>Allowed values</strong> |\r\n| --- | --- | --- |\r\n| <code>falcon:ztaScore</code> | Falcon ZTA score for the device | <code>number</code> |</p>\n<h2><a href=\"https://tailscale.com/docs/integrations/crowdstrike-zta#prerequisites\">Prerequisites</a></h2>\n<p>Before you can set up the CrowdStrike Falcon integration, make sure you have:</p>\n<ul>\n<li><a href=\"https://tailscale.com/docs/features/access-control/device-management/how-to/manage-identity\">Device Identity Collection</a> enabled, and devices in your tailnet are reporting identifiers.</li>\n<li>A CrowdStrike Falcon account for which you have permission to create an API client.</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/integrations/crowdstrike-zta#create-crowdstrike-falcon-api-credentials\">Create CrowdStrike Falcon API credentials</a></h2>\n<p>To authenticate your CrowdStrike Falcon account with Tailscale, you'll need to create a CrowdStrike Falcon API client.\r\nThe Falcon integration uses these to fetch a list of hosts and their ZTA score from Falcon.</p>\n<p>To create a CrowdStrike Falcon API client:</p>\n<ol>\n<li>\n<p>In Falcon, open <strong>Support and resources</strong> and then <strong>API clients and keys</strong>.</p>\n</li>\n<li>\n<p>Select <strong>Create API client</strong>.</p>\n</li>\n<li>\n<p>Add a name. For the <strong>Hosts</strong> scope add <strong>Read</strong>, and for the <strong>Zero Trust</strong> scope add <strong>Read</strong>.\r\n<img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fcrowdstrike-scopes.2e739e67.png&#x26;w=750&#x26;q=75\" alt=\"Create API client: Client name: Tailscale integration. Scope &#x27;Zero Trust Assessment - Read&#x27; is enabled.\"></p>\n</li>\n<li>\n<p>Select <strong>Create</strong>, then make sure to copy the displayed <strong>Client ID</strong> and <strong>Client Secret</strong>. These will be only displayed once.</p>\n</li>\n</ol>\n<p>Also make a note of the <strong>Base URL</strong> (for example, <code>https://api.us-2.crowdstrike.com</code>).</p>\n<h2><a href=\"https://tailscale.com/docs/integrations/crowdstrike-zta#configure-crowdstrike-falcon-posture-integration\">Configure CrowdStrike Falcon posture integration</a></h2>\n<p>To configure Tailscale to fetch the ZTA score for hosts from CrowdStrike Falcon:</p>\n<ol>\n<li>\n<p>Open the <a href=\"https://login.tailscale.com/admin/settings/device-management\">Device management</a> page of the Tailscale admin console.</p>\n</li>\n<li>\n<p>Under the <strong>Device Posture Integrations</strong> section, locate the CrowdStrike Falcon integration, then select <strong>Connect</strong>.</p>\n</li>\n<li>\n<p>Select your <strong>CrowdStrike Cloud Region</strong> (the <strong>Base URL</strong> from the API client).</p>\n</li>\n<li>\n<p>Enter your <strong>Client ID</strong> and <strong>Client Secret</strong>.\r\n<img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fconfigure-crowdstrike-falcon-integration.ed213580.png&#x26;w=1080&#x26;q=75\" alt=\"1. Configure a CrowdStrike OAuth client: CrowdStrike Cloud Region: US-2. Client ID and Client Secret are entered. 3. Enable device identity collection: Tailscale uses device identifiers such as serial number to link Falcon Hosts to Tailscale Machines. You already have Device Identity Collection enabled. Button: Connect to CrowdStrike Falcon.\"></p>\n</li>\n<li>\n<p>Select <strong>Connect to CrowdStrike Falcon</strong>.</p>\n</li>\n</ol>\n<h2><a href=\"https://tailscale.com/docs/integrations/crowdstrike-zta#review-the-integration-status\">Review the integration status</a></h2>\n<p>Next, check to ensure the CrowdStrike Falcon integration has run successfully.</p>\n<ol>\n<li>Go to the <strong>Device Posture Integrations</strong> section of the <a href=\"https://login.tailscale.com/admin/settings/device-management\">Device management</a> page.</li>\n<li>Locate the CrowdStrike Falcon integration under the <strong>Integrations</strong> section.</li>\n</ol>\n<p>After the CrowdStrike Falcon integration runs successfully, it shows the time of the most recent sync, the number of synced devices, and any errors that occurred while synchronizing.≈</p>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fintegration-status.71ab0ae3.png&#x26;w=1200&#x26;q=75\" alt=\"Integrations: CrowdStrike Falcon: Last sync 4 minutes ago, 1 match between 2 Tailscale devices with identifies and 3 CrowdStrike Falcon hosts.\"></p>\n<h2><a href=\"https://tailscale.com/docs/integrations/crowdstrike-zta#check-node-attributes\">Check node attributes</a></h2>\n<p>After you set up the CrowdStrike Falcon integration, you can confirm that Tailscale is writing the new node attribute for your CrowdStrike Falcon devices from the Tailscale admin console.</p>\n<ol>\n<li>Open the <a href=\"https://login.tailscale.com/admin/machines\">Machines</a> page of the Tailscale admin console.</li>\n<li>Select a device to inspect.</li>\n<li>The node attributes for the device are in the <strong>Machine Details</strong> section. This should include the <code>falcon:ztaScore</code> attribute.</li>\n</ol>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fmachine-attributes.22472cd9.png&#x26;w=640&#x26;q=75\" alt=\"Attributes. falcon:ztaScore: 64. node:os: linux. node:osVersion: 5.19.0-46-generic. node:tsReleaseTrack: stable. node:tsVersion: 1.53.20.\"></p>\n<p>You can also check device attributes using the <a href=\"https://tailscale.com/api#tag/devices/GET/device/%7BdeviceId%7D/attributes\">Tailscale API</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/integrations/crowdstrike-zta#adjust-tailscale-access-rules\">Adjust Tailscale access rules</a></h2>\n<p>After you set up the CrowdStrike Falcon posture integration, and your devices have device posture attributes that reflect their signals as reported by CrowdStrike Falcon, you can use those device posture attributes as part of your posture rules.</p>\n<p>For example, to only permit access to <code>tag:production</code> from devices that have a CrowdStrike ZTA score of 70 or higher, you can create a new posture and use it as part of a corresponding access rule:</p>\n<pre><code class=\"language-json\">\"postures\": {\r\n  \"posture:trusted\": [\"falcon:ztaScore >= 70\"],\r\n},\r\n\"grants\": [\\\r\n  {\\\r\n    \"src\": [\"autogroup:member\"],\\\r\n    \"dst\": [\"tag:production\"],\\\r\n    \"ip\": [\"*\"],\\\r\n    \"srcPosture\": [\"posture:trusted\"]\\\r\n  }\\\r\n]\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<h2><a href=\"https://tailscale.com/docs/integrations/crowdstrike-zta#schedule\">Schedule</a></h2>\n<p>For each configured integration, Tailscale will aim to sync device posture\r\nattributes every 15 minutes, with a few exceptions:</p>\n<ul>\n<li>Adding a new integration, or changing configuration of an existing one,\r\nwill trigger an out-of-schedule sync.</li>\n<li>If an integration fails due to authentication error (usually caused by invalid\r\ncredentials), it will be paused for up to 24 hours.</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/integrations/crowdstrike-zta#audit-log-events\">Audit log events</a></h2>\n<p>The following <a href=\"https://tailscale.com/docs/features/logging/audit-logging#events\">audit log events</a> are added for device posture.</p>\n<p>| <strong>Target</strong> | <strong>Action</strong> | <strong>Description</strong> |\r\n| --- | --- | --- |\r\n| Integration | Create posture integration | A new posture integration was created |\r\n| Integration | Update posture integration | A posture integration was updated |\r\n| Integration | Removed posture integration | A posture integration was removed |\r\n| Node | Update node attribute | Device posture attributes for a node were changed |</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}