Skip to content
Cloudflare API
Start here
API Reference
Zero Trust
Devices

Policies

ModelsExpand Collapse
class DevicePolicyCertificates:
enabled: bool

The current status of the device policy certificate provisioning feature for WARP clients.

class FallbackDomain:
suffix: str

The domain suffix to match when resolving locally.

description: Optional[str]

A description of the fallback domain, displayed in the client UI.

maxLength100
dns_server: Optional[List[str]]

A list of IP addresses to handle domain resolution.

Optional[List[FallbackDomain]]
suffix: str

The domain suffix to match when resolving locally.

description: Optional[str]

A description of the fallback domain, displayed in the client UI.

maxLength100
dns_server: Optional[List[str]]

A list of IP addresses to handle domain resolution.

class SettingsPolicy:
allow_mode_switch: Optional[bool]

Whether to allow the user to switch WARP between modes.

allow_updates: Optional[bool]

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave: Optional[bool]

Whether to allow devices to leave the organization.

auto_connect: Optional[float]

The amount of time in seconds to reconnect after having been disabled.

captive_portal: Optional[float]

Turn on the captive portal after the specified amount of time.

default: Optional[bool]

Whether the policy is the default policy for an account.

description: Optional[str]

A description of the policy.

maxLength500
disable_auto_fallback: Optional[bool]

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

enabled: Optional[bool]

Whether the policy will be applied to matching devices.

exclude: Optional[List[SplitTunnelExclude]]

List of routes excluded in the WARP client’s tunnel.

One of the following:
class TeamsDevicesExcludeSplitTunnelWithAddress:
address: str

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
class TeamsDevicesExcludeSplitTunnelWithHost:
host: str

The domain name to exclude from the tunnel. If host is present, address must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
exclude_office_ips: Optional[bool]

Whether to add Microsoft IPs to Split Tunnel exclusions.

fallback_domains: Optional[List[FallbackDomain]]
suffix: str

The domain suffix to match when resolving locally.

description: Optional[str]

A description of the fallback domain, displayed in the client UI.

maxLength100
dns_server: Optional[List[str]]

A list of IP addresses to handle domain resolution.

gateway_unique_id: Optional[str]
include: Optional[List[SplitTunnelInclude]]

List of routes included in the WARP client’s tunnel.

One of the following:
class TeamsDevicesIncludeSplitTunnelWithAddress:
address: str

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
class TeamsDevicesIncludeSplitTunnelWithHost:
host: str

The domain name to include in the tunnel. If host is present, address must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
lan_allow_minutes: Optional[float]

The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.

lan_allow_subnet_size: Optional[float]

The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.

match: Optional[str]

The wirefilter expression to match devices. Available values: “identity.email”, “identity.groups.id”, “identity.groups.name”, “identity.groups.email”, “identity.service_token_uuid”, “identity.saml_attributes”, “network”, “os.name”, “os.version”.

maxLength500
name: Optional[str]

The name of the device settings profile.

maxLength100
policy_id: Optional[str]
maxLength36
precedence: Optional[float]

The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.

register_interface_ip_with_dns: Optional[bool]

Determines if the operating system will register WARP’s local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support: Optional[bool]

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

service_mode_v2: Optional[ServiceModeV2]
mode: Optional[str]

The mode to run the WARP client under.

port: Optional[float]

The port number when used with proxy mode.

support_url: Optional[str]

The URL to launch when the Send Feedback button is clicked.

switch_locked: Optional[bool]

Whether to allow the user to turn off the WARP switch and disconnect the client.

target_tests: Optional[List[TargetTest]]
id: Optional[str]

The id of the DEX test targeting this policy.

name: Optional[str]

The name of the DEX test targeting this policy.

tunnel_protocol: Optional[str]

Determines which tunnel protocol to use.

One of the following:
class TeamsDevicesExcludeSplitTunnelWithAddress:
address: str

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
class TeamsDevicesExcludeSplitTunnelWithHost:
host: str

The domain name to exclude from the tunnel. If host is present, address must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
One of the following:
class TeamsDevicesIncludeSplitTunnelWithAddress:
address: str

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
class TeamsDevicesIncludeSplitTunnelWithHost:
host: str

The domain name to include in the tunnel. If host is present, address must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

PoliciesDefault

Get the default device settings profile
zero_trust.devices.policies.default.get(DefaultGetParams**kwargs) -> DefaultGetResponse
GET/accounts/{account_id}/devices/policy
Update the default device settings profile
zero_trust.devices.policies.default.edit(DefaultEditParams**kwargs) -> DefaultEditResponse
PATCH/accounts/{account_id}/devices/policy
ModelsExpand Collapse
class DefaultGetResponse:
allow_mode_switch: Optional[bool]

Whether to allow the user to switch WARP between modes.

allow_updates: Optional[bool]

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave: Optional[bool]

Whether to allow devices to leave the organization.

auto_connect: Optional[float]

The amount of time in seconds to reconnect after having been disabled.

captive_portal: Optional[float]

Turn on the captive portal after the specified amount of time.

default: Optional[bool]

Whether the policy will be applied to matching devices.

disable_auto_fallback: Optional[bool]

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

enabled: Optional[bool]

Whether the policy will be applied to matching devices.

exclude: Optional[List[SplitTunnelExclude]]

List of routes excluded in the WARP client’s tunnel.

One of the following:
class TeamsDevicesExcludeSplitTunnelWithAddress:
address: str

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
class TeamsDevicesExcludeSplitTunnelWithHost:
host: str

The domain name to exclude from the tunnel. If host is present, address must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
exclude_office_ips: Optional[bool]

Whether to add Microsoft IPs to Split Tunnel exclusions.

fallback_domains: Optional[List[FallbackDomain]]
suffix: str

The domain suffix to match when resolving locally.

description: Optional[str]

A description of the fallback domain, displayed in the client UI.

maxLength100
dns_server: Optional[List[str]]

A list of IP addresses to handle domain resolution.

gateway_unique_id: Optional[str]
include: Optional[List[SplitTunnelInclude]]

List of routes included in the WARP client’s tunnel.

One of the following:
class TeamsDevicesIncludeSplitTunnelWithAddress:
address: str

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
class TeamsDevicesIncludeSplitTunnelWithHost:
host: str

The domain name to include in the tunnel. If host is present, address must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
policy_id: Optional[str]
maxLength36
register_interface_ip_with_dns: Optional[bool]

Determines if the operating system will register WARP’s local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support: Optional[bool]

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

service_mode_v2: Optional[ServiceModeV2]
mode: Optional[str]

The mode to run the WARP client under.

port: Optional[float]

The port number when used with proxy mode.

support_url: Optional[str]

The URL to launch when the Send Feedback button is clicked.

switch_locked: Optional[bool]

Whether to allow the user to turn off the WARP switch and disconnect the client.

tunnel_protocol: Optional[str]

Determines which tunnel protocol to use.

class DefaultEditResponse:
allow_mode_switch: Optional[bool]

Whether to allow the user to switch WARP between modes.

allow_updates: Optional[bool]

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave: Optional[bool]

Whether to allow devices to leave the organization.

auto_connect: Optional[float]

The amount of time in seconds to reconnect after having been disabled.

captive_portal: Optional[float]

Turn on the captive portal after the specified amount of time.

default: Optional[bool]

Whether the policy will be applied to matching devices.

disable_auto_fallback: Optional[bool]

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

enabled: Optional[bool]

Whether the policy will be applied to matching devices.

exclude: Optional[List[SplitTunnelExclude]]

List of routes excluded in the WARP client’s tunnel.

One of the following:
class TeamsDevicesExcludeSplitTunnelWithAddress:
address: str

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
class TeamsDevicesExcludeSplitTunnelWithHost:
host: str

The domain name to exclude from the tunnel. If host is present, address must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
exclude_office_ips: Optional[bool]

Whether to add Microsoft IPs to Split Tunnel exclusions.

fallback_domains: Optional[List[FallbackDomain]]
suffix: str

The domain suffix to match when resolving locally.

description: Optional[str]

A description of the fallback domain, displayed in the client UI.

maxLength100
dns_server: Optional[List[str]]

A list of IP addresses to handle domain resolution.

gateway_unique_id: Optional[str]
include: Optional[List[SplitTunnelInclude]]

List of routes included in the WARP client’s tunnel.

One of the following:
class TeamsDevicesIncludeSplitTunnelWithAddress:
address: str

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
class TeamsDevicesIncludeSplitTunnelWithHost:
host: str

The domain name to include in the tunnel. If host is present, address must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
policy_id: Optional[str]
maxLength36
register_interface_ip_with_dns: Optional[bool]

Determines if the operating system will register WARP’s local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support: Optional[bool]

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

service_mode_v2: Optional[ServiceModeV2]
mode: Optional[str]

The mode to run the WARP client under.

port: Optional[float]

The port number when used with proxy mode.

support_url: Optional[str]

The URL to launch when the Send Feedback button is clicked.

switch_locked: Optional[bool]

Whether to allow the user to turn off the WARP switch and disconnect the client.

tunnel_protocol: Optional[str]

Determines which tunnel protocol to use.

PoliciesDefaultExcludes

Get the Split Tunnel exclude list
zero_trust.devices.policies.default.excludes.get(ExcludeGetParams**kwargs) -> SyncSinglePage[SplitTunnelExclude]
GET/accounts/{account_id}/devices/policy/exclude
Set the Split Tunnel exclude list
zero_trust.devices.policies.default.excludes.update(ExcludeUpdateParams**kwargs) -> SyncSinglePage[SplitTunnelExclude]
PUT/accounts/{account_id}/devices/policy/exclude

PoliciesDefaultIncludes

Get the Split Tunnel include list
zero_trust.devices.policies.default.includes.get(IncludeGetParams**kwargs) -> SyncSinglePage[SplitTunnelInclude]
GET/accounts/{account_id}/devices/policy/include
Set the Split Tunnel include list
zero_trust.devices.policies.default.includes.update(IncludeUpdateParams**kwargs) -> SyncSinglePage[SplitTunnelInclude]
PUT/accounts/{account_id}/devices/policy/include

PoliciesDefaultFallback Domains

Get your Local Domain Fallback list
zero_trust.devices.policies.default.fallback_domains.get(FallbackDomainGetParams**kwargs) -> SyncSinglePage[FallbackDomain]
GET/accounts/{account_id}/devices/policy/fallback_domains
Set your Local Domain Fallback list
zero_trust.devices.policies.default.fallback_domains.update(FallbackDomainUpdateParams**kwargs) -> SyncSinglePage[FallbackDomain]
PUT/accounts/{account_id}/devices/policy/fallback_domains

PoliciesDefaultCertificates

Get device certificate provisioning status
zero_trust.devices.policies.default.certificates.get(CertificateGetParams**kwargs) -> DevicePolicyCertificates
GET/zones/{zone_id}/devices/policy/certificates
Update device certificate provisioning status
zero_trust.devices.policies.default.certificates.edit(CertificateEditParams**kwargs) -> DevicePolicyCertificates
PATCH/zones/{zone_id}/devices/policy/certificates

PoliciesCustom

List device settings profiles
zero_trust.devices.policies.custom.list(CustomListParams**kwargs) -> SyncSinglePage[SettingsPolicy]
GET/accounts/{account_id}/devices/policies
Get device settings profile by ID
zero_trust.devices.policies.custom.get(strpolicy_id, CustomGetParams**kwargs) -> SettingsPolicy
GET/accounts/{account_id}/devices/policy/{policy_id}
Create a device settings profile
zero_trust.devices.policies.custom.create(CustomCreateParams**kwargs) -> SettingsPolicy
POST/accounts/{account_id}/devices/policy
Update a device settings profile
zero_trust.devices.policies.custom.edit(strpolicy_id, CustomEditParams**kwargs) -> SettingsPolicy
PATCH/accounts/{account_id}/devices/policy/{policy_id}
Delete a device settings profile
zero_trust.devices.policies.custom.delete(strpolicy_id, CustomDeleteParams**kwargs) -> SyncSinglePage[SettingsPolicy]
DELETE/accounts/{account_id}/devices/policy/{policy_id}

PoliciesCustomExcludes

Get the Split Tunnel exclude list for a device settings profile
zero_trust.devices.policies.custom.excludes.get(strpolicy_id, ExcludeGetParams**kwargs) -> SyncSinglePage[SplitTunnelExclude]
GET/accounts/{account_id}/devices/policy/{policy_id}/exclude
Set the Split Tunnel exclude list for a device settings profile
zero_trust.devices.policies.custom.excludes.update(strpolicy_id, ExcludeUpdateParams**kwargs) -> SyncSinglePage[SplitTunnelExclude]
PUT/accounts/{account_id}/devices/policy/{policy_id}/exclude

PoliciesCustomIncludes

Get the Split Tunnel include list for a device settings profile
zero_trust.devices.policies.custom.includes.get(strpolicy_id, IncludeGetParams**kwargs) -> SyncSinglePage[SplitTunnelInclude]
GET/accounts/{account_id}/devices/policy/{policy_id}/include
Set the Split Tunnel include list for a device settings profile
zero_trust.devices.policies.custom.includes.update(strpolicy_id, IncludeUpdateParams**kwargs) -> SyncSinglePage[SplitTunnelInclude]
PUT/accounts/{account_id}/devices/policy/{policy_id}/include

PoliciesCustomFallback Domains

Get the Local Domain Fallback list for a device settings profile
zero_trust.devices.policies.custom.fallback_domains.get(strpolicy_id, FallbackDomainGetParams**kwargs) -> SyncSinglePage[FallbackDomain]
GET/accounts/{account_id}/devices/policy/{policy_id}/fallback_domains
Set the Local Domain Fallback list for a device settings profile
zero_trust.devices.policies.custom.fallback_domains.update(strpolicy_id, FallbackDomainUpdateParams**kwargs) -> SyncSinglePage[FallbackDomain]
PUT/accounts/{account_id}/devices/policy/{policy_id}/fallback_domains