{"slug":"restrict-device-access-with-fleet","title":"Restrict device access with Fleet","tags":["tailscale","access-control","devices"],"agent_summary":"Last validated: Jan 29, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Restrict device access with Fleet\r\n\r\nLast validated: Jan 29, 2026\r\n\r\nThis integrationis available for [the Standard, Premium, and Enterprise plans](https://tailscale.com/pricing).\r\n\r\n[Fleet Device Management](https://fleetdm.com/) collects a series of signals from its agent installed on each device that can be used to determine the security posture of a device.\r\n\r\nTailscale can fetch these signals from Fleet and use them as device posture attributes in access rules, which can then be used by organizations to grant access to sensitive resources only to devices that have a high level of trust.\r\n\r\nYou can achieve this with Tailscale's [device posture management](https://tailscale.com/docs/features/device-posture) features:\r\n\r\n- [Device Identity Collection](https://tailscale.com/docs/features/access-control/device-management/how-to/manage-identity), which collects identifiers (for example, serial numbers), used to match devices in Tailscale to devices in Fleet.\r\n- Fleet posture integration, which synchronizes signals from Fleet to device posture attributes in Tailscale.\r\n- [Posture conditions in access rules](https://tailscale.com/docs/features/device-posture#device-posture-conditions), which lets you configure access restrictions based on device attributes.\r\n\r\nThis guide explains how to enable Device Identity collection for your Tailscale network (tailnet) and configure Fleet posture integration.\r\n\r\n## [What is Fleet posture integration?](https://tailscale.com/docs/integrations/fleet\\#what-is-fleet-posture-integration)\r\n\r\nThe Fleet integration syncs data between Fleet and Tailscale on a recurring schedule.\r\nDuring each sync, Tailscale performs the following actions:\r\n\r\n1. Fetches a list of hosts and their reported data from your Fleet account.\r\n2. Matches Fleet devices to devices in your tailnet based on serial numbers.\r\n3. Writes the Fleet data to device posture attributes on each matched device.\r\n\r\nThe integration writes the following device posture attributes to matched devices:\r\n\r\n| **Attribute key** | **Description** | **Allowed values** |\r\n| --- | --- | --- |\r\n| `fleet:present` | whether the device is managed by Fleet | `true`, `false` |\r\n| `fleetPolicy:{name}` | whether the device matches a Fleet policy | `true`, `false` |\r\n\r\n## [Prerequisites](https://tailscale.com/docs/integrations/fleet\\#prerequisites)\r\n\r\nBefore you can set up the Fleet integration, make sure you have:\r\n\r\n- [Device Identity Collection](https://tailscale.com/docs/features/access-control/device-management/how-to/manage-identity) enabled, and devices in your tailnet are reporting identifiers.\r\n- A Fleet account for which you have permission to create an API token.\r\n\r\n## [Create Fleet API token](https://tailscale.com/docs/integrations/fleet\\#create-fleet-api-token)\r\n\r\nTo authenticate your Fleet account with Tailscale, you'll need to create a Fleet API-only user and API token.\r\nThe Fleet integration uses these to fetch a list of devices and their data from Fleet.\r\n\r\nYou can find instructions for creating a Fleet API-only user and API token [in the Fleet documentation](https://fleetdm.com/guides/fleetctl#using-fleetctl-with-an-api-only-user).\r\n\r\n## [Create Fleet policies](https://tailscale.com/docs/integrations/fleet\\#create-fleet-policies)\r\n\r\n[Fleet policies](https://fleetdm.com/securing/what-are-fleet-policies) let you monitor whether your devices meet specific security and compliance criteria.\r\nThese policies are specific to your Fleet account.\r\n\r\nThe Fleet integration can add [node attributes](https://tailscale.com/docs/reference/syntax/policy-file#nodeattrs) to devices that are passing Fleet policies.\r\n\r\nTo enable adding these node attributes, add the string `Tailscale: fleetPolicy:{attributeName}` to your Fleet policy description.\r\nFor each Fleet policy a device passes, the Fleet integration will add a `fleetPolicy:{attributeName}` node attribute to that device.\r\n\r\nYou can check for the presence of a given Fleet policy in a device's node attributes in access rules, then adjust its access accordingly.\r\n\r\n![The Fleet configuration panel showing a policy which includes `Tailscale: fleetPolicy:builtinAntivirus` to set a `fleetPolicy:builtinAntivirus` node attribute on passing devices.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Ffleet-policy-example.78950d53.png&w=1200&q=75)\r\n\r\n## [Configure Fleet posture integration](https://tailscale.com/docs/integrations/fleet\\#configure-fleet-posture-integration)\r\n\r\nTo configure Tailscale to fetch data about devices from Fleet:\r\n\r\n1. Open the [Device management](https://login.tailscale.com/admin/settings/device-management) page of the Tailscale admin console.\r\n\r\n2. Under the **Device Posture Integrations** section, locate the Fleet integration, then select **Connect**.\r\n\r\n3. Enter your **Fleet URL** and **API Token**.\r\n![The configuration screen for connecting to Fleet from the Tailscale admin console.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fconfigure-integration.3427fc8d.png&w=1080&q=75)\r\n4. Select **Connect to Fleet**.\r\n\r\n\r\n## [Review the integration status](https://tailscale.com/docs/integrations/fleet\\#review-the-integration-status)\r\n\r\nNext, check to ensure the Fleet integration has run successfully.\r\n\r\n1. Go to the **Device Posture Integrations** section of the [Device management](https://login.tailscale.com/admin/settings/device-management) page.\r\n2. Locate the Fleet integration under the **Integrations** section.\r\n\r\nAfter the Fleet integration runs successfully, it shows the time of the most recent sync, the number of synced devices, and any errors that occurred while synchronizing.\r\n\r\n![Integrations: Fleet: Last sync 4 minutes ago, 1 match between 2 Tailscale devices with identifies and 4 Fleet hosts](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fintegration-status.02482eaf.png&w=1200&q=75)\r\n\r\n## [Check node attributes](https://tailscale.com/docs/integrations/fleet\\#check-node-attributes)\r\n\r\nAfter you set up the Fleet integration, you can confirm that Tailscale is writing the new node attributes for your Fleet devices from the Tailscale admin console.\r\n\r\n1. Open the [Machines](https://login.tailscale.com/admin/machines) page of the Tailscale admin console.\r\n2. Select a device to inspect.\r\n3. Check the node attributes for the device in the **Machine Details** section. This section should include the set of `fleet:` and `fleetPolicy:` attributes listed previously.\r\n\r\n![View of the machine attributes in the Machines page.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fmachine-attributes.83f465cf.png&w=640&q=75)\r\n\r\nYou can also check device attributes using the [Tailscale API](https://tailscale.com/api#tag/devices/GET/device/%7BdeviceId%7D/attributes).\r\n\r\n## [Adjust Tailscale access rules](https://tailscale.com/docs/integrations/fleet\\#adjust-tailscale-access-rules)\r\n\r\nAfter you set up the Fleet posture integration, and your devices have device posture attributes that reflect their signals as reported by Fleet, you can use those device posture attributes as part of your posture rules.\r\n\r\nFor example, to only permit access to `tag:production` from devices that are managed by Fleet, you can create a new posture and use it as part of a corresponding access rule:\r\n\r\n```json\r\n\"postures\": {\r\n  \"posture:managed\": [\\\r\n    \"fleet:present\",\\\r\n  ],\r\n},\r\n\"grants\": [\\\r\n  {\\\r\n    \"src\": [\"autogroup:member\"],\\\r\n    \"dst\": [\"tag:production\"],\\\r\n    \"ip\": [\"*\"],\\\r\n    \"srcPosture\": [\"posture:managed\"]\\\r\n  }\\\r\n]\r\n```\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\n## [Schedule](https://tailscale.com/docs/integrations/fleet\\#schedule)\r\n\r\nFor each configured integration, Tailscale will aim to sync device posture\r\nattributes every 15 minutes, with a few exceptions:\r\n\r\n- Adding a new integration, or changing configuration of an existing one,\r\nwill trigger an out-of-schedule sync.\r\n- If an integration fails due to authentication error (usually caused by invalid\r\ncredentials), it will be paused for up to 24 hours.\r\n\r\n## [Audit log events](https://tailscale.com/docs/integrations/fleet\\#audit-log-events)\r\n\r\nThe following [audit log events](https://tailscale.com/docs/features/logging/audit-logging#events) are added for device posture.\r\n\r\n| **Target** | **Action** | **Description** |\r\n| --- | --- | --- |\r\n| Integration | Create posture integration | A new posture integration was created |\r\n| Integration | Update posture integration | A posture integration was updated |\r\n| Integration | Removed posture integration | A posture integration was removed |\r\n| Node | Update node attribute | Device posture attributes for a node were changed |\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Restrict device access with Fleet</h1>\n<p>Last validated: Jan 29, 2026</p>\n<p>This integrationis available for <a href=\"https://tailscale.com/pricing\">the Standard, Premium, and Enterprise plans</a>.</p>\n<p><a href=\"https://fleetdm.com/\">Fleet Device Management</a> collects a series of signals from its agent installed on each device that can be used to determine the security posture of a device.</p>\n<p>Tailscale can fetch these signals from Fleet and use them as device posture attributes in access rules, which can then be used by organizations to grant access to sensitive resources only to devices that have a high level of trust.</p>\n<p>You can achieve this with Tailscale's <a href=\"https://tailscale.com/docs/features/device-posture\">device posture management</a> features:</p>\n<ul>\n<li><a href=\"https://tailscale.com/docs/features/access-control/device-management/how-to/manage-identity\">Device Identity Collection</a>, which collects identifiers (for example, serial numbers), used to match devices in Tailscale to devices in Fleet.</li>\n<li>Fleet posture integration, which synchronizes signals from Fleet to device posture attributes in Tailscale.</li>\n<li><a href=\"https://tailscale.com/docs/features/device-posture#device-posture-conditions\">Posture conditions in access rules</a>, which lets you configure access restrictions based on device attributes.</li>\n</ul>\n<p>This guide explains how to enable Device Identity collection for your Tailscale network (tailnet) and configure Fleet posture integration.</p>\n<h2><a href=\"https://tailscale.com/docs/integrations/fleet#what-is-fleet-posture-integration\">What is Fleet posture integration?</a></h2>\n<p>The Fleet integration syncs data between Fleet and Tailscale on a recurring schedule.\r\nDuring each sync, Tailscale performs the following actions:</p>\n<ol>\n<li>Fetches a list of hosts and their reported data from your Fleet account.</li>\n<li>Matches Fleet devices to devices in your tailnet based on serial numbers.</li>\n<li>Writes the Fleet data to device posture attributes on each matched device.</li>\n</ol>\n<p>The integration writes the following device posture attributes to matched devices:</p>\n<p>| <strong>Attribute key</strong> | <strong>Description</strong> | <strong>Allowed values</strong> |\r\n| --- | --- | --- |\r\n| <code>fleet:present</code> | whether the device is managed by Fleet | <code>true</code>, <code>false</code> |\r\n| <code>fleetPolicy:{name}</code> | whether the device matches a Fleet policy | <code>true</code>, <code>false</code> |</p>\n<h2><a href=\"https://tailscale.com/docs/integrations/fleet#prerequisites\">Prerequisites</a></h2>\n<p>Before you can set up the Fleet integration, make sure you have:</p>\n<ul>\n<li><a href=\"https://tailscale.com/docs/features/access-control/device-management/how-to/manage-identity\">Device Identity Collection</a> enabled, and devices in your tailnet are reporting identifiers.</li>\n<li>A Fleet account for which you have permission to create an API token.</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/integrations/fleet#create-fleet-api-token\">Create Fleet API token</a></h2>\n<p>To authenticate your Fleet account with Tailscale, you'll need to create a Fleet API-only user and API token.\r\nThe Fleet integration uses these to fetch a list of devices and their data from Fleet.</p>\n<p>You can find instructions for creating a Fleet API-only user and API token <a href=\"https://fleetdm.com/guides/fleetctl#using-fleetctl-with-an-api-only-user\">in the Fleet documentation</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/integrations/fleet#create-fleet-policies\">Create Fleet policies</a></h2>\n<p><a href=\"https://fleetdm.com/securing/what-are-fleet-policies\">Fleet policies</a> let you monitor whether your devices meet specific security and compliance criteria.\r\nThese policies are specific to your Fleet account.</p>\n<p>The Fleet integration can add <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#nodeattrs\">node attributes</a> to devices that are passing Fleet policies.</p>\n<p>To enable adding these node attributes, add the string <code>Tailscale: fleetPolicy:{attributeName}</code> to your Fleet policy description.\r\nFor each Fleet policy a device passes, the Fleet integration will add a <code>fleetPolicy:{attributeName}</code> node attribute to that device.</p>\n<p>You can check for the presence of a given Fleet policy in a device's node attributes in access rules, then adjust its access accordingly.</p>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Ffleet-policy-example.78950d53.png&#x26;w=1200&#x26;q=75\" alt=\"The Fleet configuration panel showing a policy which includes Tailscale: fleetPolicy:builtinAntivirus to set a fleetPolicy:builtinAntivirus node attribute on passing devices.\"></p>\n<h2><a href=\"https://tailscale.com/docs/integrations/fleet#configure-fleet-posture-integration\">Configure Fleet posture integration</a></h2>\n<p>To configure Tailscale to fetch data about devices from Fleet:</p>\n<ol>\n<li>\n<p>Open the <a href=\"https://login.tailscale.com/admin/settings/device-management\">Device management</a> page of the Tailscale admin console.</p>\n</li>\n<li>\n<p>Under the <strong>Device Posture Integrations</strong> section, locate the Fleet integration, then select <strong>Connect</strong>.</p>\n</li>\n<li>\n<p>Enter your <strong>Fleet URL</strong> and <strong>API Token</strong>.\r\n<img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fconfigure-integration.3427fc8d.png&#x26;w=1080&#x26;q=75\" alt=\"The configuration screen for connecting to Fleet from the Tailscale admin console.\"></p>\n</li>\n<li>\n<p>Select <strong>Connect to Fleet</strong>.</p>\n</li>\n</ol>\n<h2><a href=\"https://tailscale.com/docs/integrations/fleet#review-the-integration-status\">Review the integration status</a></h2>\n<p>Next, check to ensure the Fleet integration has run successfully.</p>\n<ol>\n<li>Go to the <strong>Device Posture Integrations</strong> section of the <a href=\"https://login.tailscale.com/admin/settings/device-management\">Device management</a> page.</li>\n<li>Locate the Fleet integration under the <strong>Integrations</strong> section.</li>\n</ol>\n<p>After the Fleet integration runs successfully, it shows the time of the most recent sync, the number of synced devices, and any errors that occurred while synchronizing.</p>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fintegration-status.02482eaf.png&#x26;w=1200&#x26;q=75\" alt=\"Integrations: Fleet: Last sync 4 minutes ago, 1 match between 2 Tailscale devices with identifies and 4 Fleet hosts\"></p>\n<h2><a href=\"https://tailscale.com/docs/integrations/fleet#check-node-attributes\">Check node attributes</a></h2>\n<p>After you set up the Fleet integration, you can confirm that Tailscale is writing the new node attributes for your Fleet devices from the Tailscale admin console.</p>\n<ol>\n<li>Open the <a href=\"https://login.tailscale.com/admin/machines\">Machines</a> page of the Tailscale admin console.</li>\n<li>Select a device to inspect.</li>\n<li>Check the node attributes for the device in the <strong>Machine Details</strong> section. This section should include the set of <code>fleet:</code> and <code>fleetPolicy:</code> attributes listed previously.</li>\n</ol>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fmachine-attributes.83f465cf.png&#x26;w=640&#x26;q=75\" alt=\"View of the machine attributes in the Machines page.\"></p>\n<p>You can also check device attributes using the <a href=\"https://tailscale.com/api#tag/devices/GET/device/%7BdeviceId%7D/attributes\">Tailscale API</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/integrations/fleet#adjust-tailscale-access-rules\">Adjust Tailscale access rules</a></h2>\n<p>After you set up the Fleet posture integration, and your devices have device posture attributes that reflect their signals as reported by Fleet, you can use those device posture attributes as part of your posture rules.</p>\n<p>For example, to only permit access to <code>tag:production</code> from devices that are managed by Fleet, you can create a new posture and use it as part of a corresponding access rule:</p>\n<pre><code class=\"language-json\">\"postures\": {\r\n  \"posture:managed\": [\\\r\n    \"fleet:present\",\\\r\n  ],\r\n},\r\n\"grants\": [\\\r\n  {\\\r\n    \"src\": [\"autogroup:member\"],\\\r\n    \"dst\": [\"tag:production\"],\\\r\n    \"ip\": [\"*\"],\\\r\n    \"srcPosture\": [\"posture:managed\"]\\\r\n  }\\\r\n]\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<h2><a href=\"https://tailscale.com/docs/integrations/fleet#schedule\">Schedule</a></h2>\n<p>For each configured integration, Tailscale will aim to sync device posture\r\nattributes every 15 minutes, with a few exceptions:</p>\n<ul>\n<li>Adding a new integration, or changing configuration of an existing one,\r\nwill trigger an out-of-schedule sync.</li>\n<li>If an integration fails due to authentication error (usually caused by invalid\r\ncredentials), it will be paused for up to 24 hours.</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/integrations/fleet#audit-log-events\">Audit log events</a></h2>\n<p>The following <a href=\"https://tailscale.com/docs/features/logging/audit-logging#events\">audit log events</a> are added for device posture.</p>\n<p>| <strong>Target</strong> | <strong>Action</strong> | <strong>Description</strong> |\r\n| --- | --- | --- |\r\n| Integration | Create posture integration | A new posture integration was created |\r\n| Integration | Update posture integration | A posture integration was updated |\r\n| Integration | Removed posture integration | A posture integration was removed |\r\n| Node | Update node attribute | Device posture attributes for a node were changed |</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}