One-time Auth Keys w MacOS

$ whereis tailscale => returns nothing on Mac OS (Big Sur).

How do I utilize one-time auth keys with Mac OS? Thanks!

Trying to answer my own question, it looks like this should work (I need another machine to test):

/Applications/ up --authkey [key]

The above doesn’t persist over a reboot – the Tailscale App is still waiting for me to log in.

Tailscale team: How does one utilize one-time keys with MacOS? Thanks.

authkeys are mostly intended for use with Linux and Windows Server Core, where there isn’t a GUI.

If your goal is to authorize the Mac without leaving yourself logged in on its browser, an alternative: when it opens the browser, you don’t have to log in on the local device. If someone is able to copy the URL out to send to you, you can authenticate it on any other device you have. The Mac will then proceed to join the tailnet.

Goal is to avoid log-in process entirely, first in beta, second in broader deployment:

  1. Beta: family members on Macs who back up to my server. Lord help me if I have to push them to get their own accounts; also not fun to use my credentials on their computers for login. Best of all is an ephemeral key, but how to deploy with the MacOS GUI?
  2. Broader - via Jamf. I’d like to just push Tailscale out to 30 users at a non-profit, again without them having to log in. We use Jumpcloud for PaaS, but JC and TS aren’t compatible at the moment.

What you describe with Auth URL works on Linux – I authenticated with a browser on another machine – but the process is different for the Mac App. Ultimately, after installing and rebooting and attempting to log in, you hit a login window… There is no Auth Key option here, nor does the underlying app give you any auth URL to paste / send to another machine.

At the top of this window where it says, if you click on it, is actually the full URL to log in:

If the family member can copy that URL to send to you, you can visit the URL in a browser on your own machine and it will authorize the family member’s Mac.

Regarding MDM deployment: authkeys can only be issued for admin Users, at least at present. There isn’t a way to issue 30 one-time authkeys for 30 non-Admin users and use them to provision 30 machines.

MDMs are instead usually used to install the software on the managed devices but expect the user to log in using their own credentials the first time they log in to Tailscale.

On that same web page, all you need to do is add a box labeled, “Administrative Key” and you can solve both deployment problems!! Pretty please! (and thanks, too for the assist re: copy / send login URL)

I’m not looking to skirt any licensing with the larger deployment (MDM); merely looking for a way to test deployment with a larger group to see how it fits / where it breaks, and this group has been promised “one password” (Jumpcloud). Your console makes it so easy for me to issue either one-time or good-until-cancelled keys. Haven’t yet tried the Windows process, as our key users are all Mac. Thoughts most welcome.

There isn’t direct support for JumpCloud as an identity provider yet. The feature request is tracked in Add JumpCloud support · Issue #794 · tailscale/tailscale · GitHub. JumpCloud has said that they’ll be adding OIDC support (an authentication protocol which Tailscale uses with other auth providers), which will make the integration possible.

If JumpCloud is relying on Microsoft or Google as the source of accounts, Tailscale can authenticate with Microsoft/Google instead until JumpCloud support is available.


Source is Jumpcloud, as they are ADaaS. I’ll keep an eye on that issue - thx.