sendnrw/netbird-docs
2
0
Fork 0
mirror of https://github.com/netbirdio/docs.git synced 2026-04-18 08:26:35 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
d0da83bf2e1553208bd40b7d8da05b5d654ba3a5
netbird-docs/src/pages/manage/access-control/endpoint-detection-and-response/force-approval.mdx
mlsmaycon d0da83bf2e add force approval
2026-01-23 19:53:46 +01:00

118 lines
5.1 KiB
Plaintext
Raw Blame History

# Force Approve EDR-Rejected Peers
In some situations, you may need to grant network access to a peer that fails EDR or MDM compliance checks. NetBird provides a **force approval** mechanism that allows administrators to override EDR rejections on a per-peer basis.
## When to Use Force Approval
Force approval is useful in scenarios such as:
- **Temporary exceptions**: A device needs immediate network access while compliance issues are being resolved.
- **Testing and development**: Test devices that may not have EDR agents installed.
- **Legacy devices**: Older devices that cannot run the required EDR agent but still need limited network access.
- **False positives**: When the EDR platform incorrectly flags a compliant device.
<Note>
Force approval should be used sparingly and only when necessary. It bypasses security controls designed to protect your network.
</Note>
## How Force Approval Works
When you force approve a peer:
1. The peer immediately gains network access, regardless of its EDR compliance status.
2. The force approval remains active until:
- An administrator manually revokes it, OR
- The device becomes naturally compliant in the EDR system (force approval is automatically removed)
3. All force approval actions are logged in the [Activity Events](/manage/activity-events) for audit purposes.
## Force Approve a Peer
To force approve an EDR-rejected peer:
1. Navigate to the [Peers](https://app.netbird.io/peers) page in the NetBird dashboard
2. Locate the peer showing `Approval required` status
3. Click on the peer to open its details
4. Click the **Force Approve** button
5. Confirm the action in the dialog
<p>
<img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/force-approval/force-approve-button.png" alt="Force approve button" className="imagewrapper-big"/>
</p>
The peer will immediately gain network access and the `Approval required` status will be replaced with a `Force Approved` indicator.
## View Force-Approved Peers
To see all peers that have been force approved:
1. Navigate to the [Peers](https://app.netbird.io/peers) page
2. Use the filter to show only force-approved peers
Force-approved peers are visually distinguished from naturally compliant peers, making it easy to track which devices have administrative overrides in place.
## Revoke Force Approval
To revoke a force approval and return a peer to normal EDR validation:
1. Navigate to the [Peers](https://app.netbird.io/peers) page
2. Click on the force-approved peer
3. Click the **Revoke Force Approval** button
4. Confirm the action
<p>
<img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/force-approval/revoke-force-approval.png" alt="Revoke force approval" className="imagewrapper-big"/>
</p>
Once revoked, the peer will be subject to normal EDR compliance checks. If the device is still non-compliant, it will lose network access and show `Approval required` status again.
## Automatic Removal of Force Approval
Force approval is automatically removed when a device becomes naturally compliant in your EDR platform. This ensures that:
- Devices don't retain unnecessary administrative overrides
- Your security posture improves as devices become compliant
- You don't need to manually clean up force approvals
For example, if you force approve a peer because its EDR agent was temporarily offline, the force approval will be automatically removed once the agent reconnects and the device passes compliance checks.
## Activity Logging
All force approval actions are recorded in the activity log:
| Event | Description |
|-------|-------------|
| `Peer force approved by admin` | An administrator granted force approval to a peer |
| `Peer force approval revoked` | An administrator or the system removed force approval |
You can view these events in the [Activity Events](/manage/activity-events) page, including details about which administrator performed the action and the original rejection reason.
## API Access
Force approval can also be managed via the NetBird API:
```bash
# Force approve a peer
curl -X POST "https://api.netbird.io/api/integrations/edr/peers/{peerId}/force-approve" \
-H "Authorization: Token <your-api-token>"
# Revoke force approval
curl -X DELETE "https://api.netbird.io/api/integrations/edr/peers/{peerId}/force-approve" \
-H "Authorization: Token <your-api-token>"
# List all force-approved peers
curl -X GET "https://api.netbird.io/api/integrations/edr/peers/force-approved" \
-H "Authorization: Token <your-api-token>"
```
## Best Practices
- **Document exceptions**: Keep a record of why each force approval was granted.
- **Review regularly**: Periodically review force-approved peers and revoke approvals that are no longer needed.
- **Use time-limited access**: Consider revoking force approvals after a defined period.
- **Monitor activity**: Watch for unusual patterns in force approval usage.
- **Prefer compliance**: Always aim to bring devices into compliance rather than relying on force approvals.
<Note>
Force approval requires the `EDR Update` permission. Only users with appropriate roles can force approve or revoke approvals.
</Note>
Reference in New Issue View Git Blame Copy Permalink