Add bypass docs (#577)

* Add force approval docs

* add force approval

* add filter and batch operation

* Rename force approval docs to bypass compliance

- Rename force-approval.mdx to bypass-compliance.mdx
- Update navigation title from "Force Approval" to "Bypass Compliance"
- Update all internal links to use new path
- Update image paths to /bypass-compliance/
- Update terminology in EDR integration docs

* add images

---------

Co-authored-by: Ashley Mensah <ashleyamo982@gmail.com>

src/components/NavigationDocs.jsx

@@ -170,6 +170,10 @@ export const docsNavigation = [
                 title: 'SentinelOne Singularity',
                 href: '/manage/access-control/endpoint-detection-and-response/sentinelone-edr',
               },
+              {
+                title: 'Bypass Compliance',
+                href: '/manage/access-control/endpoint-detection-and-response/bypass-compliance',
+              },
             ],
           },
         ],

src/pages/manage/access-control/endpoint-detection-and-response/bypass-compliance.mdx

@@ -0,0 +1,167 @@
+# Bypass Compliance for Non-Compliant Peers
+
+In some situations, you may need to grant network access to a peer that fails EDR or MDM compliance checks. NetBird provides a **compliance bypass** mechanism that allows administrators to override compliance rejections on a per-peer basis.
+
+## When to Use Compliance Bypass
+
+Compliance bypass is useful in scenarios such as:
+
+- **Temporary exceptions**: A device needs immediate network access while compliance issues are being resolved.
+- **Testing and development**: Test devices that may not have EDR agents installed.
+- **Legacy devices**: Older devices that cannot run the required EDR agent but still need limited network access.
+- **False positives**: When the EDR platform incorrectly flags a compliant device.
+
+<Note>
+    Compliance bypass should be used sparingly and only when necessary. It bypasses security controls designed to protect your network.
+</Note>
+
+## How Compliance Bypass Works
+
+When you bypass compliance for a peer:
+
+1. The peer immediately gains network access, regardless of its compliance status.
+2. The bypass remains active until:
+   - An administrator manually revokes it, OR
+   - The device becomes naturally compliant in the EDR system (bypass is automatically removed)
+3. All bypass actions are logged in the [Activity Events](/manage/activity-events) for audit purposes.
+
+## Bypass Compliance for a Peer
+
+To bypass compliance for a non-compliant peer:
+
+1. Navigate to the [Peers](https://app.netbird.io/peers) page in the NetBird dashboard
+2. Locate the peer showing `Non-compliant` status (red badge)
+3. Hover over the **Bypass** button to see which integration's compliance check will be bypassed
+<p>
+    <img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/bypass-compliance/general-view.png" alt="Bypass view" className="imagewrapper-big"/>
+</p>
+4. Click the **Bypass** button and confirm the action in the dialog
+
+<p>
+    <img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/bypass-compliance/bypass-button.png" alt="Bypass confirm button" className="imagewrapper"/>
+</p>
+
+The peer will immediately gain network access and the non-compliant status will be replaced with a green `Bypassed` badge.
+
+## View Bypassed Peers
+
+To see all peers that have compliance bypassed:
+
+1. Navigate to the [Peers](https://app.netbird.io/peers) page
+2. Click the **Bypassed** filter button (shows a count badge with the number of bypassed peers)
+
+<p>
+    <img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/bypass-compliance/bypassed-filter.png" alt="Bypassed filter button" className="imagewrapper-big"/>
+</p>
+
+The filter can be combined with connection status filters:
+- Click **Online** + **Bypassed** to see only online bypassed peers
+- Click **Offline** + **Bypassed** to see only offline bypassed peers
+
+Hovering over the filter buttons shows helpful tooltips:
+- **Non-Compliant**: "Peers that failed compliance checks and need attention"
+- **Bypassed**: "Peers with compliance checks bypassed by an administrator"
+
+## Revoke Compliance Bypass
+
+To revoke a bypass and return a peer to normal compliance validation:
+
+1. Navigate to the [Peers](https://app.netbird.io/peers) page
+2. Click on the peer with bypassed compliance
+3. Click the **Revoke** button next to the "Bypassed" badge
+4. Confirm the action
+
+<p>
+    <img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/bypass-compliance/revoke-bypass.png" alt="Revoke compliance bypass" className="imagewrapper"/>
+</p>
+
+Once revoked, the peer will be subject to normal compliance checks. If the device is still non-compliant, it will lose network access and show the `Non-compliant` status again.
+
+## Batch Operations
+
+You can bypass compliance or revoke bypass for multiple peers at once:
+
+### Batch Bypass
+
+1. Navigate to the [Peers](https://app.netbird.io/peers) page
+2. Select multiple peers using the checkboxes (peers must have non-compliant status)
+<p>
+    <img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/bypass-compliance/batch-bypass.png" alt="Batch bypass" className="imagewrapper-big"/>
+</p>
+3. In the action bar that appears at the bottom, click the **Bypass Compliance** button (shield icon)
+4. Confirm the action in the dialog
+
+<p>
+    <img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/bypass-compliance/batch-bypass-button.png" alt="Batch bypass confirm" className="imagewrapper"/>
+</p>
+
+The button shows a count of how many selected peers will have compliance bypassed.
+
+### Batch Revoke Bypass
+
+1. Navigate to the [Peers](https://app.netbird.io/peers) page
+2. Select multiple bypassed peers using the checkboxes
+<p>
+    <img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/bypass-compliance/batch-revoke-bypass.png" alt="Batch revoke bypass" className="imagewrapper-big"/>
+</p>
+3. In the action bar that appears at the bottom, click the **Revoke Compliance Bypass** button (shield-off icon)
+4. Confirm the action in the dialog
+
+<p>
+    <img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/bypass-compliance/batch-revoke-bypass-button.png" alt="Batch revoke bypass confirm" className="imagewrapper"/>
+</p>
+
+<Note>
+    Batch operation buttons only appear when you have an EDR integration enabled and have selected peers that can have compliance bypassed or revoked.
+</Note>
+
+## Automatic Removal of Bypass
+
+Compliance bypass is automatically removed when a device becomes naturally compliant in your EDR platform. This ensures that:
+
+- Devices don't retain unnecessary administrative overrides
+- Your security posture improves as devices become compliant
+- You don't need to manually clean up bypasses
+
+For example, if you bypass compliance for a peer because its EDR agent was temporarily offline, the bypass will be automatically removed once the agent reconnects and the device passes compliance checks.
+
+## Activity Logging
+
+All compliance bypass actions are recorded in the activity log:
+
+| Event | Description |
+|-------|-------------|
+| `Peer compliance bypassed by admin` | An administrator bypassed compliance for a peer |
+| `Peer compliance bypass revoked` | An administrator or the system removed the bypass |
+
+You can view these events in the [Activity Events](/manage/activity-events) page, including details about which administrator performed the action and the original rejection reason.
+
+## API Access
+
+Compliance bypass can also be managed via the NetBird API:
+
+```bash
+# Bypass compliance for a peer
+curl -X POST "https://api.netbird.io/api/peers/{peer-id}/edr/bypass" \
+  -H "Authorization: Token <your-api-token>"
+
+# Revoke compliance bypass
+curl -X DELETE "https://api.netbird.io/api/peers/{peer-id}/edr/bypass" \
+  -H "Authorization: Token <your-api-token>"
+
+# List all bypassed peers
+curl -X GET "https://api.netbird.io/api/peers/edr/bypassed" \
+  -H "Authorization: Token <your-api-token>"
+```
+
+## Best Practices
+
+- **Document exceptions**: Keep a record of why each compliance bypass was granted.
+- **Review regularly**: Periodically review bypassed peers and revoke bypasses that are no longer needed.
+- **Use time-limited access**: Consider revoking bypasses after a defined period.
+- **Monitor activity**: Watch for unusual patterns in bypass usage.
+- **Prefer compliance**: Always aim to bring devices into compliance rather than relying on bypasses.
+
+<Note>
+    Compliance bypass requires the `EDR Update` permission. Only users with appropriate roles can bypass compliance or revoke bypasses.
+</Note>

src/pages/manage/access-control/endpoint-detection-and-response/crowdstrike-edr.mdx

@@ -86,3 +86,7 @@ with a `Approval required` mark in the peers list and won't be able to access th
     If you install the CrowdStrike agent on a peer after it joined the network, you will need to disconnect and reconnect
     this peer for the `Approval required` mark to disappear.
 </Note>
+
+## Managing Exceptions
+
+If you need to grant network access to a peer that fails CrowdStrike compliance checks, you can bypass compliance for that peer. See [Bypass Compliance for Non-Compliant Peers](/manage/access-control/endpoint-detection-and-response/bypass-compliance) for details.

src/pages/manage/access-control/endpoint-detection-and-response/huntress-edr.mdx

@@ -88,4 +88,8 @@ Treat the API credentials securely and store them safely. You will need both the
 
 <Note>
     NetBird matches the Huntress agent to the peer using the Serial Number of the device. You must ensure that each of your devices has a unique serial number.
-</Note>
+</Note>
+
+## Managing Exceptions
+
+If you need to grant network access to a peer that fails Huntress compliance checks, you can bypass compliance for that peer. See [Bypass Compliance for Non-Compliant Peers](/manage/access-control/endpoint-detection-and-response/bypass-compliance) for details.

src/pages/manage/access-control/endpoint-detection-and-response/index.mdx

@@ -40,3 +40,9 @@ NetBird integrates with the following EDR and MDM platforms:
 * [Huntress](/manage/access-control/endpoint-detection-and-response/huntress-edr)
 * [Microsoft Intune](/manage/access-control/endpoint-detection-and-response/intune-mdm)
 * [SentinelOne Singularity](/manage/access-control/endpoint-detection-and-response/sentinelone-edr)
+
+## Managing Exceptions
+
+In some cases, you may need to grant network access to devices that don't meet EDR compliance requirements. NetBird provides a compliance bypass mechanism for these scenarios:
+
+* [Bypass Compliance for Non-Compliant Peers](/manage/access-control/endpoint-detection-and-response/bypass-compliance)

src/pages/manage/access-control/endpoint-detection-and-response/intune-mdm.mdx

@@ -163,3 +163,7 @@ with a `Approval required` mark in the peers list and won't be able to access th
 - Devices with a Intune compliance state of `Compliant` or `InGracePeriod` are accepted; all other states are rejected.
 - New devices or those that recently achieved compliance may need to be disconnected and reconnected to NetBird to propagate updated status.
 - NetBird regularly synchronizes with Intune every few minutes, so changes in compliance can take some time to reflect on the dashboard.
+
+## Managing Exceptions
+
+If you need to grant network access to a peer that fails Intune compliance checks, you can bypass compliance for that peer. See [Bypass Compliance for Non-Compliant Peers](/manage/access-control/endpoint-detection-and-response/bypass-compliance) for details.

src/pages/manage/access-control/endpoint-detection-and-response/sentinelone-edr.mdx

@@ -110,3 +110,7 @@ Treat the API token securely and store it safely. You will need both the console
     NetBird matches the SentinelOne agent to the peer using the Serial Number of the device. You must ensure that each of your devices has a unique serial number.
 </Note>
 
+## Managing Exceptions
+
+If you need to grant network access to a peer that fails SentinelOne compliance checks, you can bypass compliance for that peer. See [Bypass Compliance for Non-Compliant Peers](/manage/access-control/endpoint-detection-and-response/bypass-compliance) for details.
+