Add force approval docs

src/components/NavigationDocs.jsx

@@ -126,6 +126,7 @@ export const docsNavigation = [
                             { title: 'Microsoft Intune', href: '/manage/access-control/endpoint-detection-and-response/intune-mdm' },
                             { title: 'SentinelOne Singularity', href: '/manage/access-control/endpoint-detection-and-response/sentinelone-edr' },
                             { title: 'Huntress', href: '/manage/access-control/endpoint-detection-and-response/huntress-edr' },
+                            { title: 'Force Approval', href: '/manage/access-control/endpoint-detection-and-response/force-approval' },
                         ]
                     },
                 ]

src/pages/manage/access-control/endpoint-detection-and-response/crowdstrike-edr.mdx

@@ -86,3 +86,7 @@ with a `Approval required` mark in the peers list and won't be able to access th
     If you install the CrowdStrike agent on a peer after it joined the network, you will need to disconnect and reconnect
     this peer for the `Approval required` mark to disappear.
 </Note>
+
+## Managing Exceptions
+
+If you need to grant network access to a peer that fails CrowdStrike compliance checks, you can use the force approval feature. See [Force Approve EDR-Rejected Peers](/manage/access-control/endpoint-detection-and-response/force-approval) for details.

src/pages/manage/access-control/endpoint-detection-and-response/force-approval.mdx

@@ -0,0 +1,157 @@
+# Force Approve EDR-Rejected Peers
+
+In some situations, you may need to grant network access to a peer that fails EDR or MDM compliance checks. NetBird provides a **force approval** mechanism that allows administrators to override EDR rejections on a per-peer basis.
+
+## When to Use Force Approval
+
+Force approval is useful in scenarios such as:
+
+- **Temporary exceptions**: A device needs immediate network access while compliance issues are being resolved.
+- **Testing and development**: Test devices that may not have EDR agents installed.
+- **Legacy devices**: Older devices that cannot run the required EDR agent but still need limited network access.
+- **False positives**: When the EDR platform incorrectly flags a compliant device.
+
+<Note>
+    Force approval should be used sparingly and only when necessary. It bypasses security controls designed to protect your network.
+</Note>
+
+## How Force Approval Works
+
+When you force approve a peer:
+
+1. The peer immediately gains network access, regardless of its EDR compliance status.
+2. The force approval remains active until:
+   - An administrator manually revokes it, OR
+   - The device becomes naturally compliant in the EDR system (force approval is automatically removed)
+3. All force approval actions are logged in the [Activity Events](/manage/activity-events) for audit purposes.
+
+## Force Approve a Peer
+
+To force approve an EDR-rejected peer:
+
+1. Navigate to the [Peers](https://app.netbird.io/peers) page in the NetBird dashboard
+2. Locate the peer showing `Approval required` status
+3. Click on the peer to open its details
+4. Click the **Force Approve** button
+5. Confirm the action in the dialog
+
+<p>
+    <img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/force-approval/force-approve-button.png" alt="Force approve button" className="imagewrapper-big"/>
+</p>
+
+The peer will immediately gain network access and the `Approval required` status will be replaced with a `Force Approved` indicator.
+
+## View Force-Approved Peers
+
+To see all peers that have been force approved:
+
+1. Navigate to the [Peers](https://app.netbird.io/peers) page
+2. Click the **Force Approved** filter button (shows a count badge with the number of force-approved peers)
+
+<p>
+    <img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/force-approval/force-approved-filter.png" alt="Force approved filter button" className="imagewrapper-big"/>
+</p>
+
+The filter can be combined with connection status filters:
+- Click **Online** + **Force Approved** to see only online force-approved peers
+- Click **Offline** + **Force Approved** to see only offline force-approved peers
+
+Force-approved peers are visually distinguished from naturally compliant peers with a green "Force Approved" badge, making it easy to track which devices have administrative overrides in place.
+
+## Revoke Force Approval
+
+To revoke a force approval and return a peer to normal EDR validation:
+
+1. Navigate to the [Peers](https://app.netbird.io/peers) page
+2. Click on the force-approved peer
+3. Click the **Revoke Force Approval** button
+4. Confirm the action
+
+<p>
+    <img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/force-approval/revoke-force-approval.png" alt="Revoke force approval" className="imagewrapper-big"/>
+</p>
+
+Once revoked, the peer will be subject to normal EDR compliance checks. If the device is still non-compliant, it will lose network access and show `Approval required` status again.
+
+## Batch Operations
+
+You can force approve or revoke force approval for multiple peers at once:
+
+### Batch Force Approve
+
+1. Navigate to the [Peers](https://app.netbird.io/peers) page
+2. Select multiple peers using the checkboxes (peers must have `Approval required` status)
+3. In the action bar that appears at the bottom, click the **Force Approve** button (shield icon)
+4. Confirm the action in the dialog
+
+<p>
+    <img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/force-approval/batch-force-approve.png" alt="Batch force approve" className="imagewrapper-big"/>
+</p>
+
+The button shows a count of how many selected peers will be force approved.
+
+### Batch Revoke Force Approval
+
+1. Navigate to the [Peers](https://app.netbird.io/peers) page
+2. Select multiple force-approved peers using the checkboxes
+3. In the action bar that appears at the bottom, click the **Revoke Force Approval** button (shield-off icon)
+4. Confirm the action in the dialog
+
+<p>
+    <img src="/docs-static/img/manage/access-control/endpoint-detection-and-response/force-approval/batch-revoke-force-approval.png" alt="Batch revoke force approval" className="imagewrapper-big"/>
+</p>
+
+<Note>
+    Batch operation buttons only appear when you have an EDR integration enabled and have selected peers that can be force approved or have their force approval revoked.
+</Note>
+
+## Automatic Removal of Force Approval
+
+Force approval is automatically removed when a device becomes naturally compliant in your EDR platform. This ensures that:
+
+- Devices don't retain unnecessary administrative overrides
+- Your security posture improves as devices become compliant
+- You don't need to manually clean up force approvals
+
+For example, if you force approve a peer because its EDR agent was temporarily offline, the force approval will be automatically removed once the agent reconnects and the device passes compliance checks.
+
+## Activity Logging
+
+All force approval actions are recorded in the activity log:
+
+| Event | Description |
+|-------|-------------|
+| `Peer force approved by admin` | An administrator granted force approval to a peer |
+| `Peer force approval revoked` | An administrator or the system removed force approval |
+
+You can view these events in the [Activity Events](/manage/activity-events) page, including details about which administrator performed the action and the original rejection reason.
+
+## API Access
+
+Force approval can also be managed via the NetBird API:
+
+```bash
+# Force approve a peer
+curl -X POST "https://api.netbird.io/api/peers/{peer-id}/edr/force-approve" \
+  -H "Authorization: Token <your-api-token>"
+
+# Revoke force approval
+curl -X DELETE "https://api.netbird.io/api/peers/{peer-id}/edr/force-approve" \
+  -H "Authorization: Token <your-api-token>"
+
+# List all force-approved peers
+curl -X GET "https://api.netbird.io/api/peers/edr/force-approved" \
+  -H "Authorization: Token <your-api-token>"
+```
+
+## Best Practices
+
+- **Document exceptions**: Keep a record of why each force approval was granted.
+- **Review regularly**: Periodically review force-approved peers and revoke approvals that are no longer needed.
+- **Use time-limited access**: Consider revoking force approvals after a defined period.
+- **Monitor activity**: Watch for unusual patterns in force approval usage.
+- **Prefer compliance**: Always aim to bring devices into compliance rather than relying on force approvals.
+
+<Note>
+    Force approval requires the `EDR Update` permission. Only users with appropriate roles can force approve or revoke approvals.
+</Note>

src/pages/manage/access-control/endpoint-detection-and-response/huntress-edr.mdx

@@ -88,4 +88,8 @@ Treat the API credentials securely and store them safely. You will need both the
 
 <Note>
     NetBird matches the Huntress agent to the peer using the Serial Number of the device. You must ensure that each of your devices has a unique serial number.
-</Note>
+</Note>
+
+## Managing Exceptions
+
+If you need to grant network access to a peer that fails Huntress compliance checks, you can use the force approval feature. See [Force Approve EDR-Rejected Peers](/manage/access-control/endpoint-detection-and-response/force-approval) for details.

src/pages/manage/access-control/endpoint-detection-and-response/index.mdx

@@ -36,5 +36,12 @@ the checks to apply.
 NetBird integrates with the following EDR platforms:
 
 * [CrowdStrike Falcon](/manage/access-control/endpoint-detection-and-response/crowdstrike-edr)
+* [Huntress](/manage/access-control/endpoint-detection-and-response/huntress-edr)
 * [Microsoft Intune](/manage/access-control/endpoint-detection-and-response/intune-mdm)
 * [SentinelOne Singularity](/manage/access-control/endpoint-detection-and-response/sentinelone-edr)
+
+## Managing Exceptions
+
+In some cases, you may need to grant network access to devices that don't meet EDR compliance requirements. NetBird provides a force approval mechanism for these scenarios:
+
+* [Force Approve EDR-Rejected Peers](/manage/access-control/endpoint-detection-and-response/force-approval)

src/pages/manage/access-control/endpoint-detection-and-response/intune-mdm.mdx

@@ -163,3 +163,7 @@ with a `Approval required` mark in the peers list and won't be able to access th
 - Devices with a Intune compliance state of `Compliant` or `InGracePeriod` are accepted; all other states are rejected.
 - New devices or those that recently achieved compliance may need to be disconnected and reconnected to NetBird to propagate updated status.
 - NetBird regularly synchronizes with Intune every few minutes, so changes in compliance can take some time to reflect on the dashboard.
+
+## Managing Exceptions
+
+If you need to grant network access to a peer that fails Intune compliance checks, you can use the force approval feature. See [Force Approve EDR-Rejected Peers](/manage/access-control/endpoint-detection-and-response/force-approval) for details.

src/pages/manage/access-control/endpoint-detection-and-response/sentinelone-edr.mdx

@@ -110,3 +110,7 @@ Treat the API token securely and store it safely. You will need both the console
     NetBird matches the SentinelOne agent to the peer using the Serial Number of the device. You must ensure that each of your devices has a unique serial number.
 </Note>
 
+## Managing Exceptions
+
+If you need to grant network access to a peer that fails SentinelOne compliance checks, you can use the force approval feature. See [Force Approve EDR-Rejected Peers](/manage/access-control/endpoint-detection-and-response/force-approval) for details.
+