
Create a device settings profile

client.ZeroTrust.Devices.Policies.Custom.New(ctx, params) (*SettingsPolicy, error)
POST /accounts/{account_id}/devices/policy

Creates a device settings profile to be applied to certain devices matching the criteria.

Security
API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example: Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY
API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example: X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example: X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194
Accepted Permissions (at least one required)
Zero Trust Write
Parameters
params DevicePolicyCustomNewParams
AccountID param.Field[string]

Path param

Match param.Field[string]

Body param: The wirefilter expression to match devices. Available values: “identity.email”, “identity.groups.id”, “identity.groups.name”, “identity.groups.email”, “identity.service_token_uuid”, “identity.saml_attributes”, “network”, “os.name”, “os.version”.

maxLength: 500
Name param.Field[string]

Body param: The name of the device settings profile.

maxLength: 100
Precedence param.Field[float64]

Body param: The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.

AllowModeSwitch param.Field[bool] optional

Body param: Whether to allow the user to switch WARP between modes.

AllowUpdates param.Field[bool] optional

Body param: Whether to receive update notifications when a new version of the client is available.

AllowedToLeave param.Field[bool] optional

Body param: Whether to allow devices to leave the organization.

AutoConnect param.Field[float64] optional

Body param: The amount of time in seconds to reconnect after having been disabled.

CaptivePortal param.Field[float64] optional

Body param: Turn on the captive portal after the specified amount of time.

Description param.Field[string] optional

Body param: A description of the policy.

maxLength: 500
DisableAutoFallback param.Field[bool] optional

Body param: If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

Enabled param.Field[bool] optional

Body param: Whether the policy will be applied to matching devices.

Exclude param.Field[[]SplitTunnelExclude] optional

Body param: List of routes excluded in the WARP client’s tunnel. Both ‘exclude’ and ‘include’ cannot be set in the same request.

type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithAddress struct{…}
Address string

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

Description string optional

A description of the Split Tunnel item, displayed in the client UI.

maxLength: 100
type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithHost struct{…}
Host string

The domain name to exclude from the tunnel. If host is present, address must not be present.

Description string optional

A description of the Split Tunnel item, displayed in the client UI.

maxLength: 100
ExcludeOfficeIPs param.Field[bool] optional

Body param: Whether to add Microsoft IPs to Split Tunnel exclusions.

Include param.Field[[]SplitTunnelInclude] optional

Body param: List of routes included in the WARP client’s tunnel. Both ‘exclude’ and ‘include’ cannot be set in the same request.

type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithAddress struct{…}
Address string

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

Description string optional

A description of the Split Tunnel item, displayed in the client UI.

maxLength: 100
type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithHost struct{…}
Host string

The domain name to include in the tunnel. If host is present, address must not be present.

Description string optional

A description of the Split Tunnel item, displayed in the client UI.

maxLength: 100
LANAllowMinutes param.Field[float64] optional

Body param: The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.

LANAllowSubnetSize param.Field[float64] optional

Body param: The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.

RegisterInterfaceIPWithDNS param.Field[bool] optional

Body param: Determines if the operating system will register WARP’s local interface IP with your on-premises DNS server.

SccmVpnBoundarySupport param.Field[bool] optional

Body param: Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

ServiceModeV2 param.Field[DevicePolicyCustomNewParamsServiceModeV2] optional

Body param

Mode string optional

The mode to run the WARP client under.

Port float64 optional

The port number when used with proxy mode.

SupportURL param.Field[string] optional

Body param: The URL to launch when the Send Feedback button is clicked.

SwitchLocked param.Field[bool] optional

Body param: Whether to allow the user to turn off the WARP switch and disconnect the client.

TunnelProtocol param.Field[string] optional

Body param: Determines which tunnel protocol to use.
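
The split tunnel rules documented for Exclude and Include above can be checked before the request is sent. The following is an added example, not code from the SDK or this reference: Route, checkRoutes and Validate are hypothetical local names, maxLength is assumed to count characters, and the /0 exclude warning is an extra review rule rather than an API constraint.

```go
package main

import (
	"fmt"
	"net/netip"
	"unicode/utf8"
)

// Route is a local stand-in for one split tunnel entry, not an SDK type.
type Route struct{ Address, Host, Description string }

// checkRoutes applies the per-entry rules to one list ("exclude" or "include").
func checkRoutes(list string, routes []Route) (errs []string) {
	for i, r := range routes {
		at := fmt.Sprintf("%s[%d]", list, i)
		if (r.Address == "") == (r.Host == "") {
			errs = append(errs, at+": set exactly one of address or host")
		}
		if utf8.RuneCountInString(r.Description) > 100 { // assumes maxLength counts characters
			errs = append(errs, at+": description exceeds maxLength 100")
		}
		if r.Address == "" {
			continue
		}
		if pfx, err := netip.ParsePrefix(r.Address); err != nil {
			errs = append(errs, at+": address is not valid CIDR")
		} else if list == "exclude" && pfx.Bits() == 0 {
			// Added review rule, not an API constraint: a /0 exclude empties the tunnel.
			errs = append(errs, at+": /0 exclude bypasses the tunnel")
		}
	}
	return errs
}

// Validate returns every violation found; an empty result means the lists pass.
func Validate(exclude, include []Route) (errs []string) {
	if len(exclude) > 0 && len(include) > 0 {
		errs = append(errs, "exclude and include cannot both be set in the same request")
	}
	errs = append(errs, checkRoutes("exclude", exclude)...)
	return append(errs, checkRoutes("include", include)...)
}

func main() {
	// Constructed input: both lists are set and the exclude is a default route.
	for _, e := range Validate([]Route{{Address: "0.0.0.0/0"}}, []Route{{Host: "example.com"}}) {
		fmt.Println(e)
	}
}
```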

Returns
type SettingsPolicy struct{…}
AllowModeSwitch bool optional

Whether to allow the user to switch WARP between modes.

AllowUpdates bool optional

Whether to receive update notifications when a new version of the client is available.

AllowedToLeave bool optional

Whether to allow devices to leave the organization.

AutoConnect float64 optional

The amount of time in seconds to reconnect after having been disabled.

CaptivePortal float64 optional

Turn on the captive portal after the specified amount of time.

Default bool optional

Whether the policy is the default policy for an account.

Description string optional

A description of the policy.

maxLength: 500
DisableAutoFallback bool optional

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

Enabled bool optional

Whether the policy will be applied to matching devices.

Exclude []SplitTunnelExclude optional

List of routes excluded in the WARP client’s tunnel.

One of the following:
type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithAddress struct{…}
Address string

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

Description string optional

A description of the Split Tunnel item, displayed in the client UI.

maxLength: 100
type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithHost struct{…}
Host string

The domain name to exclude from the tunnel. If host is present, address must not be present.

Description string optional

A description of the Split Tunnel item, displayed in the client UI.

maxLength: 100
ExcludeOfficeIPs bool optional

Whether to add Microsoft IPs to Split Tunnel exclusions.

FallbackDomains []FallbackDomain optional
Suffix string

The domain suffix to match when resolving locally.

Description string optional

A description of the fallback domain, displayed in the client UI.

maxLength: 100
DNSServer []string optional

A list of IP addresses to handle domain resolution.

GatewayUniqueID string optional
Include []SplitTunnelInclude optional

List of routes included in the WARP client’s tunnel.

One of the following:
type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithAddress struct{…}
Address string

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

Description string optional

A description of the Split Tunnel item, displayed in the client UI.

maxLength: 100
type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithHost struct{…}
Host string

The domain name to include in the tunnel. If host is present, address must not be present.

Description string optional

A description of the Split Tunnel item, displayed in the client UI.

maxLength: 100
LANAllowMinutes float64 optional

The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.

LANAllowSubnetSize float64 optional

The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.

Match string optional

The wirefilter expression to match devices. Available values: “identity.email”, “identity.groups.id”, “identity.groups.name”, “identity.groups.email”, “identity.service_token_uuid”, “identity.saml_attributes”, “network”, “os.name”, “os.version”.

maxLength: 500
Name string optional

The name of the device settings profile.

maxLength: 100
PolicyID string optional
maxLength: 36
Precedence float64 optional

The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.

RegisterInterfaceIPWithDNS bool optional

Determines if the operating system will register WARP’s local interface IP with your on-premises DNS server.

SccmVpnBoundarySupport bool optional

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

ServiceModeV2 SettingsPolicyServiceModeV2 optional
Mode string optional

The mode to run the WARP client under.

Port float64 optional

The port number when used with proxy mode.

SupportURL string optional

The URL to launch when the Send Feedback button is clicked.

SwitchLocked bool optional

Whether to allow the user to turn off the WARP switch and disconnect the client.

TargetTests []SettingsPolicyTargetTest optional
ID string optional

The id of the DEX test targeting this policy.

Name string optional

The name of the DEX test targeting this policy.

TunnelProtocol string optional

Determines which tunnel protocol to use.

Create a device settings profile

package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/option"
  "github.com/cloudflare/cloudflare-go/zero_trust"
)

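func main() {
  // The token below is the reference's sample value; in real use, load the token
  // from the environment or a secret store rather than hard-coding it.
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  // AccountID is the path parameter; Match, Name and Precedence are the required body fields.
  settingsPolicy, err := client.ZeroTrust.Devices.Policies.Custom.New(context.TODO(), zero_trust.DevicePolicyCustomNewParams{
    AccountID: cloudflare.F("699d98642c564d2e855e9661899b7252"),
    Match: cloudflare.F(`identity.email == "test@cloudflare.com"`),
    Name: cloudflare.F("Allow Developers"),
    Precedence: cloudflare.F(100.000000),
  })
  if err != nil {
    panic(err.Error())
  }
  // Print one field of the returned SettingsPolicy.
  fmt.Printf("%+v\n", settingsPolicy.GatewayUniqueID)
}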
Returns Examples
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "allow_mode_switch": true,
    "allow_updates": true,
    "allowed_to_leave": true,
    "auto_connect": 0,
    "captive_portal": 180,
    "default": false,
    "description": "Policy for test teams.",
    "disable_auto_fallback": true,
    "enabled": true,
    "exclude": [
      {
        "address": "192.0.2.0/24",
        "description": "Exclude testing domains from the tunnel"
      }
    ],
    "exclude_office_ips": true,
    "fallback_domains": [
      {
        "suffix": "example.com",
        "description": "Domain bypass for local development",
        "dns_server": [
          "1.1.1.1"
        ]
      }
    ],
    "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
    "include": [
      {
        "address": "192.0.2.0/24",
        "description": "Include testing domains in the tunnel"
      }
    ],
    "lan_allow_minutes": 30,
    "lan_allow_subnet_size": 24,
    "match": "identity.email == \"test@cloudflare.com\"",
    "name": "Allow Developers",
    "policy_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "precedence": 100,
    "register_interface_ip_with_dns": true,
    "sccm_vpn_boundary_support": false,
    "service_mode_v2": {
      "mode": "proxy",
      "port": 3000
    },
    "support_url": "https://1.1.1.1/help",
    "switch_locked": true,
    "target_tests": [
      {
        "id": "id",
        "name": "name"
      }
    ],
    "tunnel_protocol": "wireguard"
  },
  "success": true
}