Gavin Greenwalt
gavingreenwalt.com
I’m thinking where someone personally logs into their grandparents’ computer on their own tailnet to be able to Remote Desktop and later adds their work machine as a subnet router to make it easier to access intranet file shares without logging in and out.
January 11, 2026 at 11:02 PM
I think this runs into the classic “Mossad or not Mossad” threat profile though. More along the lines of someone being thoughtless logging into their grandpa’s computer and then also giving themselves a subnet route to the company network for printing. But having no ACLs on grandpa
January 11, 2026 at 8:24 PM
Simply explaining how allowing Tailscale into a company network without the ability to block personal tailnets is dangerous got my post deleted by the Reddit mods because I was “explaining to exploit networks” but that just shows what a problem the current security vulnerability is without any MDM.
January 11, 2026 at 10:54 AM
Much like Apple and Google allow cross-platform detection of trackers for free, I think it’s fair (and financially beneficial to Tailscale) that Tailscale should allow all plans to block unapproved tailnets via MDM.
January 11, 2026 at 10:50 AM
While it makes sense to lock many MDM controls behind a paywall, it provides an insecure default where anyone who wants to adopt Tailscale will have to whitelist the app and de facto allow personal tailnets into their networks. Cheaper and easier to just ban Tailscale entirely.
January 11, 2026 at 10:48 AM