New Group and Access Policies Document and Initial Reorganization of Access Control Structure (#477)

* New Access Control and ReOrg * Enhance Access Control Documentation and Add New Resources - Updated `next.config.mjs` to include new redirects for access control documentation. - Added multiple images related to access control and endpoint detection and response. - Refactored links in various documentation files to point to the new access control structure. - Removed outdated documentation files and created new ones for managing access control and endpoint detection. - Introduced a new section for understanding posture checks and their implementation in access control. This commit aims to improve the organization and clarity of access control resources, aligning with the recent restructuring of documentation. * Remove outdated Intune MDM documentation and update links in access control resources. This commit enhances the organization of the documentation by eliminating obsolete files and ensuring all references to Microsoft Intune are correctly aligned with the new structure. * Fix typos in access control documentation for clarity and accuracy. Updated "Understnading" to "Understanding" and corrected "NerBird" to "NetBird" in relevant sections. * Fix typo in Access Control section * Fix formatting in posture checks documentation * Added a space in the Posture Checks reference for clarity.
2026-05-02 15:26:36 +00:00 · 2025-11-18 10:30:45 -08:00
parent 5cc53f4ec4
commit a8f91c38b1
99 changed files with 586 additions and 145 deletions
--- a/src/pages/manage/access-control/endpoint-detection-and-response/crowdstrike-edr.mdx
+++ b/src/pages/manage/access-control/endpoint-detection-and-response/crowdstrike-edr.mdx
@@ -0,0 +1,88 @@
+# Restrict Network Access with CrowdStrike Falcon®
+
+[CrowdStrike Falcon](https://www.crowdstrike.com/platform/) is a cloud-based endpoint protection platform that provides
+comprehensive visibility and threat detection capabilities. CrowdStrike Falcon agent runs on your devices (endpoints),
+collects, and analyzes endpoint data to detect and respond to threats in real-time. The agent's presence on endpoints and data
+it collects can be utilized to enforce access policies and limit network access according to the "health" status of the
+endpoints.
+
+The integration of NetBird with CrowdStrike Falcon provides organizations with network security controls that allow
+only IT-managed devices running CrowdStrike to access the network. Additionally, the integration uses [CrowdStrike's Zero Trust Assessment (ZTA) score](https://www.crowdstrike.com/press-releases/crowdstrike-extends-zero-trust-to-endpoint-devices/),
+enabling administrators to further limit network access based on the security posture of each device.
+
+CrowdStrike's Zero Trust Assessment (ZTA) score is a numerical representation of the security posture of a device with
+a value ranging from 0 to 100. The score is calculated based on various factors, including the device's security configuration,
+software vulnerabilities, and CrowdStrike's threat intelligence data. By integrating with CrowdStrike Falcon,
+NetBird can ensure that only devices with a high security posture can access the network.
+
+In this guide, we will walk you through the configuration steps to integrate CrowdStrike Falcon with NetBird and use ZTA score
+to allow network access to devices that meet a specified ZTA threshold.
+
+## Prerequisites
+
+Before you start creating and configuring a CrowdStrike integration, ensure that you have the following:
+- A CrowdStrike account with the permissions to create and manage API keys.
+  If you don't have the required permissions, ask your CrowdStrike administrator to grant them to you.
+
+## Create a CrowdStrike API Key
+
+- Navigate to the [API clients and keys](https://falcon.eu-1.crowdstrike.com/api-clients-and-keys/) page
+- Click `Create API client` at the top, right corner
+- Set Hosts - Read permission
+- Set Zero Trust Assessment - Read permission
+- Click `Create`
+- Copy the credentials. You will need these credentials when configuring an integration in NetBird.
+
+## Configure a CrowdStrike Integration in NetBird
+
+- Navigate to the [Integrations &raquo; EDR](https://app.netbird.io/integrations?tab=edr) tab in the NetBird dashboard
+- Click `Connect CrowdStrike` to start the configuration wizard
+<p>
+    <img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/crowdstrike-edr/crowdstrike-integration.png" alt="event-streaming-integration" className="imagewrapper-big"/>
+</p>
+
+- First, select the region of your CrowdStrike account
+<p>
+  <img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/crowdstrike-edr/crowdstrike-region.png" alt="crowdstrike-region" className="imagewrapper"/>
+</p>
+  - Then enter the client ID and secret key you created in [Step 1](#step-1-create-a-crowd-strike-api-key) and click `Continue`
+<p>
+    <img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/crowdstrike-edr/crowdstrike-credentials.png" alt="crowdstrike-credentials" className="imagewrapper"/>
+</p>
+- Select groups you want to apply the integration to 
+- If you would like to apply a ZTA threshold, then enable the [Zero Trust Assessment Score](https://www.crowdstrike.com/blog/tech-center/securing-private-applications-with-crowdstrike-zero-trust-assessment-and-aws-verified-access/) and set the desired limit, and click `Connect`.
+<p>
+    <img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/crowdstrike-edr/crowdstrike-groups-zta.png" alt="crowdstrike-groups-zta" className="imagewrapper"/>
+</p>
+
+<Note>
+    The EDR check will apply only to machines in the selected groups and will require a running CrowdStrike agent.
+</Note>
+<Note>
+    You can also use groups [synchronized from your Identity Provider (IdP)](/how-to/idp-sync).
+</Note>
+
+- Peers that have the CrowdStrike agent installed will be granted access to the network. Peers without the agent will appear
+with a `Approval required` mark in the peers list and won't be able to access the network until the agent is installed.
+
+<p>
+    <img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/crowdstrike-edr/edr-approval-required.png" alt="edr-approval-required" className="imagewrapper-big"/>
+</p>
+
+- Optional. You can experiment and see how the integration works by hiding hosts in the CrowdStrike Host management console:
+    - Navigate to the [Host management](https://falcon.crowdstrike.com/host-management/hosts) page in the CrowdStrike console
+    - Select a host you want to hide
+    - Click `Actions` and then `Hide`
+    - The host will be moved to Trash (you can restore it later)
+    - After about a minute, the peer will be disconnected from the network and marked as `Approval required` in the NetBird dashboard.
+    - To restore the host in CrowdStrike, navigate to the Trash and click `Restore`
+
+<Note>
+    NetBird synchronizes the list of devices managed by the EDR platform via the API about every minute.
+    The changes might not be visible immediately.
+</Note>
+
+<Note>
+    If you install the CrowdStrike agent on a peer after it joined the network, you will need to disconnect and reconnect
+    this peer for the `Approval required` mark to disappear.
+</Note>
--- a/src/pages/manage/access-control/endpoint-detection-and-response/index.mdx
+++ b/src/pages/manage/access-control/endpoint-detection-and-response/index.mdx
@@ -0,0 +1,40 @@
+# Integrate NetBird with MDM & EDR Platforms
+
+![Endpoint Detection and Response](/docs-static/img/manage/access-control/endpoint-detection-and-response/edr-integrations.png)
+
+## What is EDR and MDM?
+Endpoint Detection and Response (EDR) is a cybersecurity technology designed to help organizations detect, investigate,
+and respond to threats on endpoint devices. An endpoint is any device that is connected to a network, such as laptops,
+desktops, smartphones, tablets, servers, and even some IoT (Internet of Things) devices.
+
+MDM stands for Mobile Device Management. It's a type of security software that
+enables organizations to monitor, manage, and secure their employees' mobile devices, including smartphones, tablets, and laptops,
+across various service providers and operating system.
+
+MDM focuses on managing and securing mobile devices, while EDR focuses on detecting and responding to threats on various
+endpoints, including desktops, laptops, and servers.
+
+## NetBird's EDR and MDM Integration
+With the rise of remote work, endpoints often operate outside the traditional corporate network perimeter,
+making them more vulnerable to attacks. EDR provides a layer of security that is not dependent on the physical location
+of the endpoint, thus extending protection to remote workers and their devices.
+
+NetBird integrates with major EDR and MDM platforms to restrict network access only to devices managed by the company's IT department.
+With the integration enabled, NetBird synchronizes the list of devices managed by the MDM or EDR platform via the API and
+checks the presence of the MDM or EDR agent on the device, blocking access to the network if the agent is not installed or
+not compliant with the organization's security policies.
+
+NetBird doesn't apply the MDM and EDR checks to all devices in the network. Instead, you can select specific groups of devices for
+the checks to apply.
+
+<Note>
+     This feature is only available in the cloud version of NetBird.
+</Note>
+
+## Supported EDR Platforms
+
+NetBird integrates with the following EDR platforms:
+
+* [CrowdStrike Falcon](/manage/access-control/endpoint-detection-and-response/crowdstrike-edr)
+* [Microsoft Intune](/manage/access-control/endpoint-detection-and-response/intune-mdm)
+* [SentinelOne Singularity](/manage/access-control/endpoint-detection-and-response/sentinelone-edr)
--- a/src/pages/manage/access-control/endpoint-detection-and-response/intune-mdm.mdx
+++ b/src/pages/manage/access-control/endpoint-detection-and-response/intune-mdm.mdx
@@ -0,0 +1,167 @@
+# Allow Only Intune-Managed Devices to Access Your Network
+
+<div className="videowrapper">
+    <iframe src="https://www.youtube.com/embed/W4DaE4Dj04o" allow="fullscreen;"></iframe>
+</div>
+
+<Note>
+    TLDR: Devices marked as "Non-compliant" in Intune will automatically lose access, ensuring strict adherence to your security policies.
+    Once a device returns to a "Compliant" status, access is restored.
+</Note>
+
+[Microsoft Intune](https://www.microsoft.com/en-us/security/business/endpoint-management/microsoft-intune) is a cloud-based endpoint management platform that enables organizations to manage devices, enforce security policies, and protect their networks. Intune agent presence on endpoints allows continuous collection and evaluation of device posture, which can then be used to enforce network access controls based on device compliance, security configuration, and enrollment status.
+
+The integration of NetBird with Microsoft Intune provides network security by ensuring only devices managed and compliant
+in Intune can access the protected network. This approach ensures only up-to-date and compliant Windows/macOS endpoints have access to critical network resources via NetBird and lets administrators enforce access restrictions based on compliance policies defined in Intune, such as device health, OS version, security baseline adherence, and more.
+
+In this guide, you'll learn how to integrate NetBird with Microsoft Intune and configure access controls to allow only Intune-managed/compliant devices onto your network.
+
+## Get Started with NetBird-Intune Integration
+
+- Navigate to the [Integrations &raquo; EDR](https://app.netbird.io/integrations?tab=edr) tab in the NetBird dashboard
+- Click `Connect Intune` to start the configuration wizard
+<p>
+    <img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/intune-mdm/getting-started.png" alt="NetBird Get Started Intune MDM" className="imagewrapper-big"/>
+</p>
+
+## Prerequisites
+
+Before starting the integration process, verify that you have the required permissions in Microsoft Intune.
+Specifically, you will need an Azure user account with at least one of these roles:
+
+* Application Administrator
+* Cloud Application Administrator
+* Global Administrator
+
+To check your permissions:
+
+* Log in to the [Azure portal](portal.azure.com).
+* Navigate to Manage Microsoft Intune and click `View`.
+* Expand the `Manage` tab and click on `Roles and administrators` in the left menu.
+* Look for your username and verify if you're assigned any of the above roles.
+
+![Intune Roles](/docs-static/img/manage/access-control/endpoint-detection-and-response/intune-mdm/lDyaAeV.png)
+
+If you don't have the required permissions, contact your Azure AD administrator to grant you the appropriate role before proceeding with the NetBird integration.
+
+## Create and Configure a Microsoft Entra ID Application for NetBird Integration
+
+Now that you have the required permissions, return to the NetBird dashboard. Click on the `Get Started` button to initiate the integration process.
+
+A new wizard screen will appear, offering step-by-step instructions for creating and configuring your Microsoft Entra ID application. To simplify the process, the wizard also provides quick-copy buttons for essential information:
+
+* Name
+* Account Type
+
+![NetBird Create Application](/docs-static/img/manage/access-control/endpoint-detection-and-response/intune-mdm/create-app.png)
+
+For convenience, click on [Azure Active Directory](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview) (step 1). That will open the Azure dashboard. Navigate to `App registrations` in the left menu and then click `+New registration` as indicated below:
+
+![Intune App Registration](/docs-static/img/manage/access-control/endpoint-detection-and-response/intune-mdm/Yxxktk6.png)
+
+Fill in the required information:
+
+![Intune Register an App](/docs-static/img/manage/access-control/endpoint-detection-and-response/intune-mdm/register-app.png)
+
+After entering all required information, click the `Register` button at the bottom of the form to finalize the application registration process.
+
+Upon successful registration, you'll be redirected to a confirmation screen similar to the following:
+
+![Intune App Registered](/docs-static/img/manage/access-control/endpoint-detection-and-response/intune-mdm/7WYZMW6.png)
+
+Copy and securely store the generated `Application (client) ID` and `Directory (tenant) ID` as you will need them shortly.
+
+## Configure API Permissions for NetBird-Intune Integration
+
+On the NetBird dashboard click the `Continue →` button. A new wizard screen will appear, this time, offering step-by-step instructions for setting up API permissions.
+
+![NetBird Add API Permissions](/docs-static/img/manage/access-control/endpoint-detection-and-response/intune-mdm/api-permissions.png)
+
+Back to Azure, in the `App registrations` screen, click on `Manage` in the left menu to expand it and then click on `API permissions`:
+
+![Intune API Permissions](/docs-static/img/manage/access-control/endpoint-detection-and-response/intune-mdm/V0aRf7f.png)
+
+Look for the `+ Add a permission` button, located near the top of the permissions list and click on it.
+
+![Intune API Permissions Screen](/docs-static/img/manage/access-control/endpoint-detection-and-response/intune-mdm/Qy9lDMF.png)
+
+A new pop-up window will appear, asking you to select an API. Click on `Microsoft Graph`.
+
+![Intune Microsoft Graph](/docs-static/img/manage/access-control/endpoint-detection-and-response/intune-mdm/tP7WqXO.png)
+
+On the next screen, click on the `Application permissions` button, which will let you select the appropriate permissions for NetBird to function correctly with your Microsoft Intune environment.
+
+![Intune Request API Permissions](/docs-static/img/manage/access-control/endpoint-detection-and-response/intune-mdm/zSkSGAm.png)
+
+To assign user permissions:
+
+* Locate the search bar at the top. Type `DeviceManagementManagedDevices.Read.All` into the search bar and press `Enter`.
+* In the search results, click on the `DeviceManagementManagedDevices` tab to expand it and view the available permissions.
+* Click on the checkbox to select and enable the `DeviceManagementManagedDevices.Read.All` permission.
+
+![Intune UserReadAll](/docs-static/img/manage/access-control/endpoint-detection-and-response/intune-mdm/device-permissions.png)
+
+The `DeviceManagementManagedDevices.Read.All` permission allows NetBird to read the properties of all devices managed by Microsoft Intune in your organization.
+
+Once done, click the `Add permissions` button. You will see a few warnings:
+
+![Intune API Permissions Warnings](/docs-static/img/manage/access-control/endpoint-detection-and-response/intune-mdm/grant-permissions.png)
+
+Locate the `Grant admin consent for [Your Organization Name]` button (you’ll find it next to `+Add a permission` button). Click on it to grant the required permissions.
+
+A confirmation dialog will appear, asking you to verify this action. Review the permissions listed in the dialog and click `Yes` to confirm. Wait for the process to complete, this may take a few seconds.
+
+Once finished, the status of the permissions should change to `Granted for [Your Organization Name]`. Verify that all selected permissions now show a green checkmark, indicating they've been successfully granted:
+
+![Intune API Permissions Granted](/docs-static/img/manage/access-control/endpoint-detection-and-response/intune-mdm/granted-permissions.png)
+
+## Create a Client Secret for Secure NetBird-Intune Authentication
+
+Back to the NetBird dashboard, click the `Continue →` button. A new wizard screen will appear, showing instructions for generating a client secret in Entra ID.
+
+![NetBird Generate Client Secret](/docs-static/img/manage/access-control/endpoint-detection-and-response/intune-mdm/client-secret.png)
+
+On Azure, click on the `Certificates & secrets` button in the left menu to open the management page. Click on `+New client secret` as shown below. Choose an expiration time that suits your security needs and click the `Add` button.
+
+![EntraID Add a Client Secret](/docs-static/img/manage/access-control/endpoint-detection-and-response/intune-mdm/WIercn5.png)
+
+A new client secret will be generated and displayed on the screen. Copy and securely store the `Value` field immediately, as you will needed in the next step.
+
+![EntraID Client Secret Value](/docs-static/img/manage/access-control/endpoint-detection-and-response/intune-mdm/LimVmGI.png)
+
+## Enter Application ID and Directory ID in NetBird
+
+Paste the secret `Value` from the previous step into NetBird and click the `Continue →` button. A new wizard screen will appear, asking for the `Application (client) ID` and the `Directory (tenant) ID` credentials generated previously.
+
+Paste the values and click the `Continue →` button.
+
+![NetBird Application ID and Directory](/docs-static/img/manage/access-control/endpoint-detection-and-response/intune-mdm/client-id.png)
+
+## Choose Groups to require Intune Agent
+
+At this stage, specify one or more NetBird groups to which the check should apply. The check will require the peer to have a running Intune agent installed.
+
+
+![Intune Groups](/docs-static/img/manage/access-control/endpoint-detection-and-response/intune-mdm/groups.png)
+
+<Note>
+    The MDM check will apply only to machines in the selected groups and will require a running Intune agent.
+</Note>
+<Note>
+    You can also use groups [synchronized from your Identity Provider (IdP)](/how-to/idp-sync).
+</Note>
+
+Peers that have the Intune agent installed and are compliant will be granted access to the network. Peers without the agent will appear
+with a `Approval required` mark in the peers list and won't be able to access the network until the agent is installed.
+
+<p>
+    <img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/intune-mdm/edr-approval-required.png" alt="edr-approval-required" className="imagewrapper-big"/>
+</p>
+
+## Important Notes
+
+- Only Windows and macOS devices are supported; Linux, iOS, and Android are not eligible for this integration.
+- A device must have successfully synced with Intune within the last 24 hours otherwise, it will not be treated as compliant, regardless of its last known state.
+- Devices with a Intune compliance state of `Compliant` or `InGracePeriod` are accepted; all other states are rejected.
+- New devices or those that recently achieved compliance may need to be disconnected and reconnected to NetBird to propagate updated status.
+- NetBird regularly synchronizes with Intune every few minutes, so changes in compliance can take some time to reflect on the dashboard.
--- a/src/pages/manage/access-control/endpoint-detection-and-response/sentinelone-edr.mdx
+++ b/src/pages/manage/access-control/endpoint-detection-and-response/sentinelone-edr.mdx
@@ -0,0 +1,114 @@
+# Restrict Network Access with SentinelOne Singularity™
+
+[SentinelOne Singularity](https://www.sentinelone.com/platform/) is an autonomous cybersecurity platform that provides
+comprehensive endpoint protection, detection, and response capabilities. The SentinelOne agent runs on your devices (endpoints),
+collecting and analyzing endpoint data to detect and respond to threats in real-time. The agent's presence on endpoints and the
+security data it collects can be utilized to enforce access policies and limit network access according to the "health" status
+of the endpoints.
+
+The integration of NetBird with SentinelOne provides organizations with robust security controls that allow
+only IT-managed devices running SentinelOne to access the network. Additionally, the integration uses SentinelOne's threat
+detection capabilities, enabling administrators to further limit network access based on the security posture of each device.
+
+<div className="videowrapper">
+    <iframe src="https://www.youtube.com/embed/QVs0RhprVYM" allow="fullscreen;"></iframe>
+</div>
+
+SentinelOne's endpoint protection provides real-time threat detection and automated response capabilities. By integrating with
+SentinelOne Singularity, NetBird can ensure that only devices with active security monitoring and protection can access the network.
+
+In this guide, we will walk you through the configuration steps to integrate SentinelOne Singularity with NetBird and use
+endpoint security status to control network access for devices that meet your security requirements.
+
+## Prerequisites
+
+Before you start creating and configuring a SentinelOne integration, ensure that you have the following:
+- A SentinelOne account with the permissions to create and manage API tokens.
+  If you don't have the required permissions, ask your SentinelOne administrator to grant them to you.
+
+## Create a SentinelOne API Token
+
+- Navigate to your SentinelOne Management Console
+- Go to **Settings** &raquo; **Users** &raquo; **Service Users**
+- Click **Create Service User**
+- Fill in the form:
+  - **Name**: `NetBird Integration`
+  - **Description**: `API token for NetBird EDR integration` (optional)
+  - **Expiration Date**: Set your preferred expiration date
+- Click **Next**
+- Select Site and set **Scope** to **Viewer**
+- Click **Create User**
+- Copy the generated API token immediately (it will only be displayed once)
+- Note your SentinelOne console URL from your browser's address bar (e.g., `https://your-tenant.sentinelone.net`)
+
+<Note>
+Treat the API token securely and store it safely. You will need both the console URL and API token for the NetBird integration configuration.
+</Note>
+
+## Configure a SentinelOne Integration in NetBird
+
+- Navigate to the [Integrations &raquo; EDR](https://app.netbird.io/integrations?tab=edr) tab in the NetBird dashboard
+- Click **Connect SentinelOne** to start the configuration wizard
+<p>
+    <img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/sentinelone/getting-started.png" alt="SentinelOne integration getting started" className="imagewrapper-big"/>
+</p>
+- Click the **Get Started** button to initiate the integration process
+- Enter your SentinelOne console URL (e.g., `https://your-tenant.sentinelone.net`) and click **Continue**
+
+<p>
+    <img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/sentinelone/console-config.png" alt="SentinelOne console configuration" className="imagewrapper-big"/>
+</p>
+
+- Enter the API token you created in the previous step and click **Continue** to verify the connection
+
+<p>
+    <img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/sentinelone/service-user.png" alt="SentinelOne service user configuration" className="imagewrapper-big"/>
+</p>
+
+- Select the **groups** you want to apply the integration to and click **Connect**
+
+<p>
+    <img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/sentinelone/group-config.png" alt="SentinelOne group configuration" className="imagewrapper-big"/>
+</p>
+
+
+<Note>
+    The EDR check will apply only to peers in the selected groups and will require a running SentinelOne agent.
+    You can also use groups [synchronized from your Identity Provider (IdP)](/how-to/idp-sync).
+</Note>
+
+- Configure the compliance criteria that devices must meet to access your network. These security requirements ensure only healthy, properly configured devices can connect. Select the criteria that align with your organization's security policies:
+  - **Allowed Active Threats**: Maximum number of active threats allowed on a device. Default is set to `0` to block devices with any active threats.
+  - **Disk Encryption**: Requires disk encryption to be enabled on the device.
+  - **Firewall**: Requires the device firewall to be enabled and active.
+  - **Block Infected Devices**: Prevents network access for devices with confirmed active infections.
+  - **Network Connectivity**: Requires active network connection between the device and SentinelOne services.
+  - **Active Status**: Requires the SentinelOne agent to be active and reporting. The agent must be in operational state (not disabled, corrupted, or experiencing errors).
+  - **Latest Agent Version**: Requires the SentinelOne agent to be running the most current version.
+
+<p>
+    <img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/sentinelone/compliance-config.png" alt="edr-integrations" className="imagewrapper-big"/>
+</p>
+
+
+- Configure the **SentinelOne Sync Window** (default is 24 hours). This setting determines which devices NetBird will consider for network access based on their recent activity in SentinelOne. Only devices that have been active and reporting to SentinelOne within this time window will be synchronized. These devices must then also meet the configured compliance criteria to gain network access.
+
+<p>
+    <img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/sentinelone/sync-config.png" alt="edr-integrations" className="imagewrapper-big"/>
+</p>
+
+- Click **Connect** to complete the integration setup
+
+- Only peers that have the SentinelOne agent installed and meet all the configured compliance criteria will be granted access to the network. 
+  Peers without the SentinelOne agent or those that don't meet the compliance requirements will appear with an `Approval required` mark in the peers list and won't be able to access 
+  the network until they have the agent installed and satisfy all the specified security requirements.
+
+<p>
+    <img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/sentinelone/edr-approval-required.png" alt="edr-approval-required" className="imagewrapper-big"/>
+</p>
+
+
+<Note>
+    NetBird matches the SentinelOne agent to the peer using the Serial Number of the device. You must ensure that each of your devices has a unique serial number.
+</Note>
+