{"slug":"restrict-device-access-with-sentinelone","title":"Restrict device access with SentinelOne","tags":["tailscale","access-control","devices"],"agent_summary":"Last validated: Jan 28, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Restrict device access with SentinelOne\r\n\r\nLast validated: Jan 28, 2026\r\n\r\nThis integrationis available for [the Standard, Premium, and Enterprise plans](https://tailscale.com/pricing).\r\n\r\nSentinelOne collects a series of signals from its agents that can be used to determine the security posture of a device. Tailscale can fetch these signals from SentinelOne and use them as device posture attributes in access rules, which can allow organizations to grant access to sensitive resources only to devices that have a high enough level of trust.\r\n\r\nYou can achieve this Tailscale's [device posture management](https://tailscale.com/docs/features/device-posture) features:\r\n\r\n- SentinelOne posture integration, which synchronizes signals from SentinelOne to device posture attributes in Tailscale.\r\n- [Device Identity Collection](https://tailscale.com/docs/features/access-control/device-management/how-to/manage-identity), which collects identifiers (for example, serial numbers), used to match devices in Tailscale to devices in SentinelOne.\r\n- [Posture conditions in access rules](https://tailscale.com/docs/features/device-posture#device-posture-conditions), which lets you configure access restrictions based on device attributes.\r\n\r\nThis guide explains how to enable Device Identity collection for your Tailscale network (tailnet) and configure SentinelOne posture integration.\r\n\r\n## [What is SentinelOne posture integration?](https://tailscale.com/docs/integrations/sentinelone\\#what-is-sentinelone-posture-integration)\r\n\r\nThe SentinelOne integration syncs data between SentinelOne and Tailscale on a recurring schedule.\r\nDuring each sync, Tailscale performs the following actions:\r\n\r\n1. Fetches a list of agents and their reported data from your SentinelOne account.\r\n2. Matches SentinelOne agents to devices in your tailnet based on serial numbers.\r\n3. Writes the SentinelOne data to device posture attributes on each matched device.\r\n\r\nThe integration writes the following device posture attributes to matched devices:\r\n\r\n| **Attribute key** | **Description** | **Allowed values** |\r\n| --- | --- | --- |\r\n| `sentinelOne:operationalState` | Operational state of the agent, the string `na` means that the agent has not been disabled or corrupted. This is the expected state. | `string` |\r\n| `sentinelOne:activeThreats` | Number of active threats detected by the agent | `number` |\r\n| `sentinelOne:agentVersion` | Version of the running SentinelOne agent | `version` |\r\n| `sentinelOne:encryptedApplications` | Whether the agent detects that the disk is encrypted | `true`, `false` |\r\n| `sentinelOne:firewallEnabled` | Whether the agent detects that the firewall is enabled | `true`, `false` |\r\n| `sentinelOne:infected` | Whether the agent detects that the device is infected | `true`, `false` |\r\n\r\n## [Prerequisites](https://tailscale.com/docs/integrations/sentinelone\\#prerequisites)\r\n\r\nBefore you can set up the SentinelOne integration, make sure you have:\r\n\r\n- [Device Identity Collection](https://tailscale.com/docs/features/access-control/device-management/how-to/manage-identity) enabled, and devices in your tailnet are reporting identifiers.\r\n- A SentinelOne account for which you have permission to create an API token.\r\n\r\n## [Create SentinelOne Service User and API Token](https://tailscale.com/docs/integrations/sentinelone\\#create-sentinelone-service-user-and-api-token)\r\n\r\nTo authenticate your SentinelOne account with Tailscale, you'll need to create a SentinelOne User and API token.\r\nThe SentinelOne integration uses these to fetch a list of agents and their data from SentinelOne.\r\n\r\nTo create a SentinelOne User and API token:\r\n\r\n1. In SentinelOne, in the left-hand panel, select **Settings**.\r\n\r\n2. From the top menu, select **Users** and then in the left-hand panel, select **Service Users**.\r\n\r\n3. Select **Actions** and then select **Create New Service User**.\r\n\r\n4. Add a name and expiration date for the Service User and select **Next**.\r\n![The SentinelOne Create New Service User dialog](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fsentinelone-serviceuser.87378a59.png&w=750&q=75)\r\n5. Choose the site or account that the Service User will have access to and select **Create**.\r\n\r\n6. The **API Token** will be shown once, make sure to copy it for use later.\r\n\r\n\r\nAlso make a note of the **Base URL** (for example, `https://example.sentinelone.net/`).\r\n\r\n## [Configure SentinelOne posture integration](https://tailscale.com/docs/integrations/sentinelone\\#configure-sentinelone-posture-integration)\r\n\r\nTo configure Tailscale to fetch data about agents from SentinelOne:\r\n\r\n1. Open the [Device management](https://login.tailscale.com/admin/settings/device-management) page of the Tailscale admin console.\r\n\r\n2. Under the **Device Posture Integrations** section, locate the SentinelOne integration, then select **Connect**.\r\n\r\n3. Enter your **SentinelOne URL**, the URL you use to access the SentinelOne console.\r\n\r\n4. Enter your **API Token**.\r\n![The configuration screen for connecting to SentinelOne from the Tailscale admin console.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fconfigure-sentinelone-integration.cdc52b97.png&w=1080&q=75)\r\n5. Select **Connect to SentinelOne**.\r\n\r\n\r\n## [Review the integration status](https://tailscale.com/docs/integrations/sentinelone\\#review-the-integration-status)\r\n\r\nNext, check to ensure the SentinelOne integration has run successfully.\r\n\r\n1. Go to the **Device Posture Integrations** section of the [Device management](https://login.tailscale.com/admin/settings/device-management) page.\r\n2. Locate the SentinelOne integration under the **Integrations** section.\r\n\r\nAfter the SentinelOne integration runs successfully, it shows the time of the most recent sync, the number of synced devices, and any errors that occurred while synchronizing.≈\r\n\r\n![Integrations: SentinelOne: Last sync 4 minutes ago, 1 match between 2 Tailscale devices with identifies and 3 SentinelOne agents.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fintegration-status.647474fc.png&w=1200&q=75)\r\n\r\n## [Check node attributes](https://tailscale.com/docs/integrations/sentinelone\\#check-node-attributes)\r\n\r\nAfter you set up the SentinelOne integration, you can confirm that Tailscale is writing the new node attributes for your SentinelOne devices from the Tailscale admin console.\r\n\r\n1. Open the [Machines](https://login.tailscale.com/admin/machines) page of the Tailscale admin console.\r\n2. Select a device to inspect.\r\n3. The node attributes for the device are in the **Machine Details** section. This should include the set of `sentinelOne:` attributes listed previously.\r\n\r\n![View of the machine attributes in the Machines page.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fmachine-attributes.8486b6e1.png&w=640&q=75)\r\n\r\nYou can also check device attributes using the [Tailscale API](https://tailscale.com/api#tag/devices/GET/device/%7BdeviceId%7D/attributes).\r\n\r\n## [Adjust Tailscale access rules](https://tailscale.com/docs/integrations/sentinelone\\#adjust-tailscale-access-rules)\r\n\r\nAfter you set up the SentinelOne posture integration, and your devices have device posture attributes that reflect their signals as reported by SentinelOne, you can use those device posture attributes as part of your posture rules.\r\n\r\nFor example, to only permit access to `tag:production` from devices that have an active SentinelOne agent, a good operational state, and have zero active threats, you can create a new posture and use it as part of a corresponding access rule:\r\n\r\n```json\r\n\"postures\": {\r\n  \"posture:trusted\": [\\\r\n    \"sentinelOne:operationalState == 'na'\",\\\r\n    \"sentinelOne:activeThreats == 0\",\\\r\n  ],\r\n},\r\n\"grants\": [\\\r\n  {\\\r\n    \"src\": [\"autogroup:member\"],\\\r\n    \"dst\": [\"tag:production\"],\\\r\n    \"ip\": [\"*\"],\\\r\n    \"srcPosture\": [\"posture:trusted\"]\\\r\n  }\\\r\n]\r\n```\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\n## [Schedule](https://tailscale.com/docs/integrations/sentinelone\\#schedule)\r\n\r\nFor each configured integration, Tailscale will aim to sync device posture\r\nattributes every 15 minutes, with a few exceptions:\r\n\r\n- Adding a new integration, or changing configuration of an existing one,\r\nwill trigger an out-of-schedule sync.\r\n- If an integration fails due to authentication error (usually caused by invalid\r\ncredentials), it will be paused for up to 24 hours.\r\n\r\n## [Limitations](https://tailscale.com/docs/integrations/sentinelone\\#limitations)\r\n\r\n- We have observed that SentinelOne does not report serial numbers for some machines running Linux. Without serial number details, Tailscale will not be able to populate device posture attributes for such machines.\r\n\r\n## [Audit log events](https://tailscale.com/docs/integrations/sentinelone\\#audit-log-events)\r\n\r\nThe following [audit log events](https://tailscale.com/docs/features/logging/audit-logging#events) are added for device posture.\r\n\r\n| **Target** | **Action** | **Description** |\r\n| --- | --- | --- |\r\n| Integration | Create posture integration | A new posture integration was created |\r\n| Integration | Update posture integration | A posture integration was updated |\r\n| Integration | Removed posture integration | A posture integration was removed |\r\n| Node | Update node attribute | Device posture attributes for a node were changed |\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Restrict device access with SentinelOne</h1>\n<p>Last validated: Jan 28, 2026</p>\n<p>This integrationis available for <a href=\"https://tailscale.com/pricing\">the Standard, Premium, and Enterprise plans</a>.</p>\n<p>SentinelOne collects a series of signals from its agents that can be used to determine the security posture of a device. Tailscale can fetch these signals from SentinelOne and use them as device posture attributes in access rules, which can allow organizations to grant access to sensitive resources only to devices that have a high enough level of trust.</p>\n<p>You can achieve this Tailscale's <a href=\"https://tailscale.com/docs/features/device-posture\">device posture management</a> features:</p>\n<ul>\n<li>SentinelOne posture integration, which synchronizes signals from SentinelOne to device posture attributes in Tailscale.</li>\n<li><a href=\"https://tailscale.com/docs/features/access-control/device-management/how-to/manage-identity\">Device Identity Collection</a>, which collects identifiers (for example, serial numbers), used to match devices in Tailscale to devices in SentinelOne.</li>\n<li><a href=\"https://tailscale.com/docs/features/device-posture#device-posture-conditions\">Posture conditions in access rules</a>, which lets you configure access restrictions based on device attributes.</li>\n</ul>\n<p>This guide explains how to enable Device Identity collection for your Tailscale network (tailnet) and configure SentinelOne posture integration.</p>\n<h2><a href=\"https://tailscale.com/docs/integrations/sentinelone#what-is-sentinelone-posture-integration\">What is SentinelOne posture integration?</a></h2>\n<p>The SentinelOne integration syncs data between SentinelOne and Tailscale on a recurring schedule.\r\nDuring each sync, Tailscale performs the following actions:</p>\n<ol>\n<li>Fetches a list of agents and their reported data from your SentinelOne account.</li>\n<li>Matches SentinelOne agents to devices in your tailnet based on serial numbers.</li>\n<li>Writes the SentinelOne data to device posture attributes on each matched device.</li>\n</ol>\n<p>The integration writes the following device posture attributes to matched devices:</p>\n<p>| <strong>Attribute key</strong> | <strong>Description</strong> | <strong>Allowed values</strong> |\r\n| --- | --- | --- |\r\n| <code>sentinelOne:operationalState</code> | Operational state of the agent, the string <code>na</code> means that the agent has not been disabled or corrupted. This is the expected state. | <code>string</code> |\r\n| <code>sentinelOne:activeThreats</code> | Number of active threats detected by the agent | <code>number</code> |\r\n| <code>sentinelOne:agentVersion</code> | Version of the running SentinelOne agent | <code>version</code> |\r\n| <code>sentinelOne:encryptedApplications</code> | Whether the agent detects that the disk is encrypted | <code>true</code>, <code>false</code> |\r\n| <code>sentinelOne:firewallEnabled</code> | Whether the agent detects that the firewall is enabled | <code>true</code>, <code>false</code> |\r\n| <code>sentinelOne:infected</code> | Whether the agent detects that the device is infected | <code>true</code>, <code>false</code> |</p>\n<h2><a href=\"https://tailscale.com/docs/integrations/sentinelone#prerequisites\">Prerequisites</a></h2>\n<p>Before you can set up the SentinelOne integration, make sure you have:</p>\n<ul>\n<li><a href=\"https://tailscale.com/docs/features/access-control/device-management/how-to/manage-identity\">Device Identity Collection</a> enabled, and devices in your tailnet are reporting identifiers.</li>\n<li>A SentinelOne account for which you have permission to create an API token.</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/integrations/sentinelone#create-sentinelone-service-user-and-api-token\">Create SentinelOne Service User and API Token</a></h2>\n<p>To authenticate your SentinelOne account with Tailscale, you'll need to create a SentinelOne User and API token.\r\nThe SentinelOne integration uses these to fetch a list of agents and their data from SentinelOne.</p>\n<p>To create a SentinelOne User and API token:</p>\n<ol>\n<li>\n<p>In SentinelOne, in the left-hand panel, select <strong>Settings</strong>.</p>\n</li>\n<li>\n<p>From the top menu, select <strong>Users</strong> and then in the left-hand panel, select <strong>Service Users</strong>.</p>\n</li>\n<li>\n<p>Select <strong>Actions</strong> and then select <strong>Create New Service User</strong>.</p>\n</li>\n<li>\n<p>Add a name and expiration date for the Service User and select <strong>Next</strong>.\r\n<img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fsentinelone-serviceuser.87378a59.png&#x26;w=750&#x26;q=75\" alt=\"The SentinelOne Create New Service User dialog\"></p>\n</li>\n<li>\n<p>Choose the site or account that the Service User will have access to and select <strong>Create</strong>.</p>\n</li>\n<li>\n<p>The <strong>API Token</strong> will be shown once, make sure to copy it for use later.</p>\n</li>\n</ol>\n<p>Also make a note of the <strong>Base URL</strong> (for example, <code>https://example.sentinelone.net/</code>).</p>\n<h2><a href=\"https://tailscale.com/docs/integrations/sentinelone#configure-sentinelone-posture-integration\">Configure SentinelOne posture integration</a></h2>\n<p>To configure Tailscale to fetch data about agents from SentinelOne:</p>\n<ol>\n<li>\n<p>Open the <a href=\"https://login.tailscale.com/admin/settings/device-management\">Device management</a> page of the Tailscale admin console.</p>\n</li>\n<li>\n<p>Under the <strong>Device Posture Integrations</strong> section, locate the SentinelOne integration, then select <strong>Connect</strong>.</p>\n</li>\n<li>\n<p>Enter your <strong>SentinelOne URL</strong>, the URL you use to access the SentinelOne console.</p>\n</li>\n<li>\n<p>Enter your <strong>API Token</strong>.\r\n<img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fconfigure-sentinelone-integration.cdc52b97.png&#x26;w=1080&#x26;q=75\" alt=\"The configuration screen for connecting to SentinelOne from the Tailscale admin console.\"></p>\n</li>\n<li>\n<p>Select <strong>Connect to SentinelOne</strong>.</p>\n</li>\n</ol>\n<h2><a href=\"https://tailscale.com/docs/integrations/sentinelone#review-the-integration-status\">Review the integration status</a></h2>\n<p>Next, check to ensure the SentinelOne integration has run successfully.</p>\n<ol>\n<li>Go to the <strong>Device Posture Integrations</strong> section of the <a href=\"https://login.tailscale.com/admin/settings/device-management\">Device management</a> page.</li>\n<li>Locate the SentinelOne integration under the <strong>Integrations</strong> section.</li>\n</ol>\n<p>After the SentinelOne integration runs successfully, it shows the time of the most recent sync, the number of synced devices, and any errors that occurred while synchronizing.≈</p>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fintegration-status.647474fc.png&#x26;w=1200&#x26;q=75\" alt=\"Integrations: SentinelOne: Last sync 4 minutes ago, 1 match between 2 Tailscale devices with identifies and 3 SentinelOne agents.\"></p>\n<h2><a href=\"https://tailscale.com/docs/integrations/sentinelone#check-node-attributes\">Check node attributes</a></h2>\n<p>After you set up the SentinelOne integration, you can confirm that Tailscale is writing the new node attributes for your SentinelOne devices from the Tailscale admin console.</p>\n<ol>\n<li>Open the <a href=\"https://login.tailscale.com/admin/machines\">Machines</a> page of the Tailscale admin console.</li>\n<li>Select a device to inspect.</li>\n<li>The node attributes for the device are in the <strong>Machine Details</strong> section. This should include the set of <code>sentinelOne:</code> attributes listed previously.</li>\n</ol>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fmachine-attributes.8486b6e1.png&#x26;w=640&#x26;q=75\" alt=\"View of the machine attributes in the Machines page.\"></p>\n<p>You can also check device attributes using the <a href=\"https://tailscale.com/api#tag/devices/GET/device/%7BdeviceId%7D/attributes\">Tailscale API</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/integrations/sentinelone#adjust-tailscale-access-rules\">Adjust Tailscale access rules</a></h2>\n<p>After you set up the SentinelOne posture integration, and your devices have device posture attributes that reflect their signals as reported by SentinelOne, you can use those device posture attributes as part of your posture rules.</p>\n<p>For example, to only permit access to <code>tag:production</code> from devices that have an active SentinelOne agent, a good operational state, and have zero active threats, you can create a new posture and use it as part of a corresponding access rule:</p>\n<pre><code class=\"language-json\">\"postures\": {\r\n  \"posture:trusted\": [\\\r\n    \"sentinelOne:operationalState == 'na'\",\\\r\n    \"sentinelOne:activeThreats == 0\",\\\r\n  ],\r\n},\r\n\"grants\": [\\\r\n  {\\\r\n    \"src\": [\"autogroup:member\"],\\\r\n    \"dst\": [\"tag:production\"],\\\r\n    \"ip\": [\"*\"],\\\r\n    \"srcPosture\": [\"posture:trusted\"]\\\r\n  }\\\r\n]\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<h2><a href=\"https://tailscale.com/docs/integrations/sentinelone#schedule\">Schedule</a></h2>\n<p>For each configured integration, Tailscale will aim to sync device posture\r\nattributes every 15 minutes, with a few exceptions:</p>\n<ul>\n<li>Adding a new integration, or changing configuration of an existing one,\r\nwill trigger an out-of-schedule sync.</li>\n<li>If an integration fails due to authentication error (usually caused by invalid\r\ncredentials), it will be paused for up to 24 hours.</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/integrations/sentinelone#limitations\">Limitations</a></h2>\n<ul>\n<li>We have observed that SentinelOne does not report serial numbers for some machines running Linux. Without serial number details, Tailscale will not be able to populate device posture attributes for such machines.</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/integrations/sentinelone#audit-log-events\">Audit log events</a></h2>\n<p>The following <a href=\"https://tailscale.com/docs/features/logging/audit-logging#events\">audit log events</a> are added for device posture.</p>\n<p>| <strong>Target</strong> | <strong>Action</strong> | <strong>Description</strong> |\r\n| --- | --- | --- |\r\n| Integration | Create posture integration | A new posture integration was created |\r\n| Integration | Update posture integration | A posture integration was updated |\r\n| Integration | Removed posture integration | A posture integration was removed |\r\n| Node | Update node attribute | Device posture attributes for a node were changed |</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}