NetBird Client PoliciesGroup Policy template for NetBird client MDM-managed settings. Values are written under HKLM\Software\Policies\NetBird and consumed by the netbird daemon at startup and every 1-minute reload tick.NetBirdNetBird Client 0.40+Management URLURL of the NetBird management server. Format: https://host[:port]. When set, users cannot override this value via UI or CLI.Pre-shared keyWireGuard pre-shared key used as an additional symmetric secret on every peer-to-peer tunnel. Secret value.Disable auto-connectWhen enabled, the NetBird tunnel does not auto-connect at daemon startup. Equivalent to --disable-auto-connect.Disable client routesWhen enabled, this client will not consume routes advertised by routing peers. Equivalent to --disable-client-routes.Disable server routesWhen enabled, this client will not act as a routing peer for other clients. Equivalent to --disable-server-routes.Block inboundWhen enabled, the client firewall blocks all inbound peer traffic on the WireGuard interface. Equivalent to --block-inbound.Allow server SSHWhen enabled, this client accepts incoming SSH sessions via NetBird SSH. Equivalent to --allow-server-ssh.Enable RosenpassEnables Rosenpass post-quantum key exchange on WireGuard tunnels. Both peers must support it.Rosenpass permissiveWhen enabled, the client falls back to plain WireGuard if a peer does not support Rosenpass; otherwise it refuses the connection.WireGuard portUDP port used by the local WireGuard interface. Allowed range: 1-65535.Split tunnelRestrict the NetBird tunnel to or from a chosen list of application package names. Choose either the allow mode (only the listed apps route through NetBird) or the disallow mode (the listed apps bypass NetBird; everything else routes through). The mode is mutually exclusive — only one can be active at a time. Android-only at the daemon level; Windows/macOS/iOS clients ignore this policy.Allow only listed apps (everything else bypasses)Disallow listed apps (everything else routes)Disable update settingsWhen enabled, blocks every configuration change from the client UI and from the CLI (netbird up / login / setconfig). The Settings view stays viewable but read-only. Equivalent to --disable-update-settings.Disable profilesWhen enabled, the client UI/CLI cannot list, create, switch or remove NetBird connection profiles. Equivalent to --disable-profiles.Disable networksWhen enabled, the client UI/CLI cannot list, select or deselect NetBird networks (the corresponding daemon RPCs return Unavailable). Equivalent to --disable-networks.Disable metrics collectionWhen enabled, the client does not collect or report local usage metrics.https://api.netbird.io:443WireGuard UDP port:Mode: