Additional Posture Checks
Hi. After comparing Tailscale, Headscale and other zero-trust solutions, I really like NetBird (self-hosted), but since it is a zero-trust solution, the posture checks need to be enhanced.
For example:
- Limit peers per user: since we use Okta SSO, there is no way to limit the number of peers a user can connect from, resulting in the possibility that the user will just connect from the virus-infected computer at home.
- Software check: our company's laptops have the JumpCloud agent installed. It would be great if we could check that the JumpCloud agent is installed and updated.
- OS and antivirus updates: limit connection unless the OS is updated and the antivirus/EDR agent is updated.
Of course, if any of the posture checks fails, it should display a pop-up / CLI notification explaining why the user can't connect, to minimize IT tickets.
Hey @ez1976
Thank you for the feedback! Your points totally make sense:
Limit peers per user - since we use Okta SSO, there is no way to limit the number of peers a user can connect from, resulting in the possibility that the user will just connect from the virus-infected computer at home.
We have it on the roadmap. You can enable the peer approval setting. It will force manual admin approvals to make sure the right ones are joining.
Software check - our company's laptops have the JumpCloud agent installed. It would be great if we could check that the JumpCloud agent is installed and updated.
We are developing a process check that can be used to check whether a process runs on a machine. This is a simple version of a complete JumpCloud integration that we will eventually support.
OS and antivirus updates - limit connection unless the OS is updated and the antivirus/EDR agent is updated.
OS is already possible: check Access Control -> Posture Checks -> Add Posture Check -> Operating System. You can specify OS versions. For Linux and Windows you can force a specific kernel version. https://netbird.io/knowledge-hub/open-source-zero-trust-networking
As for antivirus and EDR, we are currently working on CrowdStrike support. What do you have in mind here?
Of course, if any of the posture checks fails, it should display a pop-up / CLI notification explaining why the user can't connect, to minimize IT tickets.
Makes sense!
P.S. Are you trying self-hosted or cloud NetBird?
I have the self-hosted server installed and deployed. So far I love it.
Thank you for the awesome work! I am in the same boat! Peer approval would be really useful in self-hosted deploys, but any form of limit on the number and type of peers a user can add will do the trick.
Thank you for your reply. Since peer approval is only for cloud-hosted, I have found a workaround: since users are added per Okta group, they can log in with any machine,
but since the API now allows me to get the serial number of the computer, I run a script every 10 minutes that exports a list of NetBird peers, NetBird users and, via API, a list of computers on JumpCloud.
Then I compare each connected NetBird client's serial number to the expected computer in JumpCloud.
At first we just notified the users and IT; now we actually block the rogue peer in NetBird (I put them in a group that has no access to anywhere) and notify the user, IT and their manager.
I think it would be wise to integrate with other MDMs to get the serial / antivirus / EDR or anything else that the admin wants to check against. It would be a lot easier for you guys to integrate a general MDM check via API (give the user the option to enter the API of the MDM, and they should provide the filters and value mapping). That way you get fully integrated with a lot of MDMs, and we get control over which peers can log in with what (probably with the exception of IT or the CEO who wants to connect from other devices).
Let me know if you want me to show you the script I made. Thanks
You should add ways to check for registry keys, or event logs, or process status (in more detail).
We would love to have a SentinelOne integration or the ability to implement an API to do this, like Cloudflare has device posture checks, for example.
I agree, Intune and other MDM integration to check if the device is joined or otherwise compliant would be nice as well.
Well, I have created custom tasks that not only check if the computer's serial number is in the MDM, but also if the computer name is the same and, more importantly, if it has been connected to the MDM in the past 3-7 days.
I had issues where the MDM was installed but the user decided to disable the service, so the serial and computer name were correct but the MDM was not running.
One user even installed a fake Windows service with the same service name as the MDM.
So now, if the laptop hasn't been online on the MDM in the last few days, it logs and removes all NetBird groups so it has only "All" (which doesn't lead anywhere). But in the same 5-minute checks, if a laptop with no groups has returned to the MDM, I then delete the user from the NetBird management, which disconnects them and forces them to re-login (which sets the user, computer and groups from the IdP).
Also, removal and restoration of the permission is notified via Slack to the user and IT.
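The reconciliation loop ez1976 describes in the two comments above (match each NetBird peer's serial number against the JumpCloud inventory, later extended with a hostname match and a "seen by the MDM in the last few days" window; quarantine mismatches into the "All" group, and delete the user to force a re-login once the MDM sees the device again), written out as an added Python example. This is not the poster's script and not NetBird code. The record field names imitate the NetBird peers API (`serial_number`, `user_id`, `groups`) and the JumpCloud systems API (`serialNumber`, `hostname`, `lastContact`), but every record below is constructed for the example; the 5-day silence window, the `All` quarantine group and the `reconcile` / `Decision` names are assumptions, and the API calls and Slack notification a real run would make are left as comments.

```python
"""Reconcile NetBird peers against an MDM inventory (added example, not project code).

No network calls: PEERS and SYSTEMS are constructed records whose field names
follow the NetBird peers API and the JumpCloud systems API respectively.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_MDM_SILENCE = timedelta(days=5)   # assumption: quarantine after 5 days without an MDM check-in
QUARANTINE_GROUP = "All"              # assumption: default group with no access policy attached


@dataclass(frozen=True)
class Decision:
    peer_id: str
    verdict: str      # "ok" | "rogue" | "stale" | "restore"
    reason: str
    groups: tuple     # groups the peer should end up in after this run


def _parse(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2025-05-27T09:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def reconcile(peers, systems, now, quarantined):
    """One Decision per NetBird peer.

    peers: NetBird peer records; systems: MDM system records;
    quarantined: ids of peers stripped of their groups on a previous run.
    """
    by_serial = {s["serialNumber"].upper(): s for s in systems}
    out = []
    for p in peers:
        serial = (p.get("serial_number") or "").upper()
        rec = by_serial.get(serial)
        # 1. Serial must exist in the MDM at all (catches the home PC).
        if rec is None:
            out.append(Decision(p["id"], "rogue", f"serial {serial or '<none>'} not in MDM", (QUARANTINE_GROUP,)))
            continue
        # 2. Hostname must match the MDM record for that serial.
        if rec["hostname"].lower() != p["name"].lower():
            out.append(Decision(p["id"], "rogue", f"hostname {p['name']} != MDM {rec['hostname']}", (QUARANTINE_GROUP,)))
            continue
        # 3. The MDM must have heard from the device recently; a disabled or
        #    faked agent passes checks 1 and 2 but fails this one.
        silence = now - _parse(rec["lastContact"])
        if silence > MAX_MDM_SILENCE:
            out.append(Decision(p["id"], "stale", f"no MDM check-in for {silence.days} days", (QUARANTINE_GROUP,)))
            continue
        # 4. A previously quarantined device is reporting again: delete the user
        #    so the next IdP login recreates user, peer and groups.
        if p["id"] in quarantined:
            out.append(Decision(p["id"], "restore", "MDM check-in resumed; force re-login", ()))
            continue
        out.append(Decision(p["id"], "ok", "serial, hostname and MDM check-in match", tuple(p["groups"])))
    return out


# Constructed sample data (not real devices).
NOW = datetime(2025, 5, 27, 12, 0, tzinfo=timezone.utc)
PEERS = [
    {"id": "p1", "name": "LT-0042", "serial_number": "C02XK1ABC", "user_id": "alice", "groups": ["All", "Engineering"]},
    {"id": "p2", "name": "DESKTOP-HOME", "serial_number": "HOMEPC123", "user_id": "bob", "groups": ["All", "Finance"]},
    {"id": "p3", "name": "LT-0077", "serial_number": "C02XK1DEF", "user_id": "carol", "groups": ["All", "Sales"]},
    {"id": "p4", "name": "LT-0099", "serial_number": "C02XK1GHI", "user_id": "dave", "groups": ["All"]},
    {"id": "p5", "name": "LT-0100", "serial_number": "C02XK1JKL", "user_id": "erin", "groups": ["All"]},
]
SYSTEMS = [
    {"serialNumber": "C02XK1ABC", "hostname": "LT-0042", "lastContact": "2025-05-27T09:00:00Z"},
    {"serialNumber": "C02XK1DEF", "hostname": "LT-0078", "lastContact": "2025-05-26T09:00:00Z"},
    {"serialNumber": "C02XK1GHI", "hostname": "LT-0099", "lastContact": "2025-05-18T09:00:00Z"},
    {"serialNumber": "C02XK1JKL", "hostname": "LT-0100", "lastContact": "2025-05-27T10:00:00Z"},
]
QUARANTINED = {"p4", "p5"}   # stripped of groups on an earlier run


def run_example():
    """Map of peer id -> verdict for the constructed data."""
    return {d.peer_id: d.verdict for d in reconcile(PEERS, SYSTEMS, NOW, QUARANTINED)}


if __name__ == "__main__":
    for d in reconcile(PEERS, SYSTEMS, NOW, QUARANTINED):
        # A real run would PUT d.groups to the NetBird peer (rogue/stale), DELETE the
        # user (restore) and post d.reason to Slack for the user and IT.
        print(f"{d.peer_id:3} {d.verdict:8} groups={list(d.groups)}  {d.reason}")
```

The three checks are ordered so the cheapest and most decisive one runs first; the last-contact window is what actually catches the disabled-service and fake-service cases from the thread, since those devices still have a correct serial and hostname in the inventory. Treat the action side (group changes, user deletion) as idempotent: the script runs every few minutes, so a rogue peer that is already in the quarantine group should produce no second notification.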
I'd argue that if you're granting local administrator to users, we're talking about completely different classes of problem/feature request here.
For a centrally managed corporate ZTNA/VPN alternative, I think a good start is being able to posture devices based on compliance policies polled/retrieved from MDM, and checking whether a device is enrolled in MDM.
That should cover the majority of use cases for enterprise scale deployments.
Yes, I agree. But users will be users - they will always find a way to work harder in order to work less. I had a user that installed the same MDM on his home computer just so the process of the MDM would be found by NetBird.
Are you also planning in the roadmap to check that the process defined in the posture check is the legitimate one? Like that the executable running has been signed by a specific certificate authority? Or to check the executable hash? Thanks
