# Force Approve EDR-Rejected Peers

In some situations, you may need to grant network access to a peer that fails EDR or MDM compliance checks. NetBird provides a **force approval** mechanism that allows administrators to override EDR rejections on a per-peer basis.

## When to Use Force Approval

Force approval is useful in scenarios such as:

- **Temporary exceptions**: A device needs immediate network access while compliance issues are being resolved.
- **Testing and development**: Test devices that may not have EDR agents installed.
- **Legacy devices**: Older devices that cannot run the required EDR agent but still need limited network access.
- **False positives**: When the EDR platform incorrectly flags a compliant device.

<Note>
    Force approval should be used sparingly and only when necessary. It bypasses security controls designed to protect your network.
</Note>

## How Force Approval Works

When you force approve a peer:

1. The peer immediately gains network access, regardless of its EDR compliance status.
2. The force approval remains active until:
   - An administrator manually revokes it, OR
   - The device becomes naturally compliant in the EDR system (force approval is automatically removed)
3. All force approval actions are logged in the [Activity Events](/manage/activity-events) for audit purposes.

## Force Approve a Peer

To force approve an EDR-rejected peer:

1. Navigate to the [Peers](https://app.netbird.io/peers) page in the NetBird dashboard
2. Locate the peer showing `Approval required` status
3. Click on the peer to open its details
4. Click the **Force Approve** button
5. Confirm the action in the dialog

<p>
    <img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/force-approval/force-approve-button.png" alt="Force approve button" className="imagewrapper-big"/>
</p>

The peer will immediately gain network access and the `Approval required` status will be replaced with a `Force Approved` indicator.

## View Force-Approved Peers

To see all peers that have been force approved:

1. Navigate to the [Peers](https://app.netbird.io/peers) page
2. Use the filter to show only force-approved peers

Force-approved peers are visually distinguished from naturally compliant peers, making it easy to track which devices have administrative overrides in place.

## Revoke Force Approval

To revoke a force approval and return a peer to normal EDR validation:

1. Navigate to the [Peers](https://app.netbird.io/peers) page
2. Click on the force-approved peer
3. Click the **Revoke Force Approval** button
4. Confirm the action

<p>
    <img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/force-approval/revoke-force-approval.png" alt="Revoke force approval" className="imagewrapper-big"/>
</p>

Once revoked, the peer will be subject to normal EDR compliance checks. If the device is still non-compliant, it will lose network access and show `Approval required` status again.

## Automatic Removal of Force Approval

Force approval is automatically removed when a device becomes naturally compliant in your EDR platform. This ensures that:

- Devices don't retain unnecessary administrative overrides
- Your security posture improves as devices become compliant
- You don't need to manually clean up force approvals

For example, if you force approve a peer because its EDR agent was temporarily offline, the force approval will be automatically removed once the agent reconnects and the device passes compliance checks.

## Activity Logging

All force approval actions are recorded in the activity log:

| Event | Description |
|-------|-------------|
| `Peer force approved by admin` | An administrator granted force approval to a peer |
| `Peer force approval revoked` | An administrator or the system removed force approval |

You can view these events in the [Activity Events](/manage/activity-events) page, including details about which administrator performed the action and the original rejection reason.

## API Access

Force approval can also be managed via the NetBird API:

```bash
# Force approve a peer
curl -X POST "https://api.netbird.io/api/integrations/edr/peers/{peerId}/force-approve" \
  -H "Authorization: Token <your-api-token>"

# Revoke force approval
curl -X DELETE "https://api.netbird.io/api/integrations/edr/peers/{peerId}/force-approve" \
  -H "Authorization: Token <your-api-token>"

# List all force-approved peers
curl -X GET "https://api.netbird.io/api/integrations/edr/peers/force-approved" \
  -H "Authorization: Token <your-api-token>"
```

## Best Practices

- **Document exceptions**: Keep a record of why each force approval was granted.
- **Review regularly**: Periodically review force-approved peers and revoke approvals that are no longer needed.
- **Use time-limited access**: Consider revoking force approvals after a defined period.
- **Monitor activity**: Watch for unusual patterns in force approval usage.
- **Prefer compliance**: Always aim to bring devices into compliance rather than relying on force approvals.

<Note>
    Force approval requires the `EDR Update` permission. Only users with appropriate roles can force approve or revoke approvals.
</Note>