---
title: Cloudflare One Changelog
image: https://developers.cloudflare.com/cf-twitter-card.png
---

[Skip to content](#%5Ftop) 

# Changelog

New updates and improvements at Cloudflare.

[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/index.xml) [ View RSS feeds ](https://developers.cloudflare.com/fundamentals/new-features/available-rss-feeds/) 

Cloudflare One

![hero image](https://developers.cloudflare.com/_astro/hero.CVYJHPAd_26AMqX.svg) 

May 12, 2025
1. ### [WARP client for macOS (version 2025.4.929.0)](https://developers.cloudflare.com/changelog/post/2025-05-12-warp-macos-ga/)  
[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)  
A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).  
This release contains two significant changes all customers should be aware of:  
   1. All DNS traffic now flows inside the WARP tunnel. Customers are no longer required to configure their local firewall rules to allow our [DoH IP addresses and domains](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#doh-ip).  
   2. When using MASQUE, the connection will fall back to HTTP/2 (TCP) when we detect that HTTP/3 traffic is blocked. This allows for a much more reliable connection on some public WiFi networks.  
**Changes and improvements**  
   * Fixed an issue where the managed network policies could incorrectly report network location beacons as missing.  
   * Improved DEX test error reporting.  
   * Fixed an issue causing client notifications to fail in IPv6 only environments which prevented the client from receiving configuration changes to settings like device profile.  
   * Improved captive portal detection.  
   * Added a TCP fallback for the MASQUE tunnel protocol to improve connectivity on networks that block UDP or HTTP/3 specifically.  
   * Added new IP addresses for [tunnel connectivity checks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#connectivity-checks). If your organization uses a firewall or other policies you will need to exempt these IPs.  
   * DNS over HTTPS traffic is now included in the WARP tunnel by default.  
   * Improved the error message displayed in the client GUI when the rate limit for entering an incorrect admin override code is met.  
   * Improved handling of non-SLAAC IPv6 interface addresses for better connectivity in IPv6 only environments.  
   * Fixed an issue where frequent network changes could cause WARP to become unresponsive.  
   * Improvement for WARP to check if tunnel connectivity fails or times out at device wake before attempting to reconnect.  
   * Fixed an issue causing WARP connection disruptions after network changes.  
**Known issues**  
   * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.

May 12, 2025
1. ### [Case Sensitive Custom Word Lists](https://developers.cloudflare.com/changelog/post/2025-05-12-case-sensitive-cwl/)  
[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/)  
You can now configure [custom word lists](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/#custom-wordlist) to enforce case sensitivity. This setting supports flexibility where needed and aims to reduce false positives where letter casing is critical.  
![dlp](https://developers.cloudflare.com/_astro/case-sesitive-cwl.MPuOc_3r_220dca.webp)

May 08, 2025
1. ### [Open email links with Browser Isolation](https://developers.cloudflare.com/changelog/post/2025-05-15-open-links-browser-isolation/)  
[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/)  
You can now safely open links in emails to view and investigate them.  
![Open links with Browser Isolation](https://developers.cloudflare.com/_astro/investigate-links.pYbpGkt5_Z1DQRHU.webp)  
From **Investigation**, go to **View details**, and look for the **Links identified** section. Next to each link, the Cloudflare dashboard will display an **Open in Browser Isolation** icon which allows your team to safely open the link in a clientless, isolated browser with no risk to the analyst or your environment. Refer to [Open links](https://developers.cloudflare.com/cloudflare-one/email-security/investigation/search-email/#open-links) to learn more about this feature.  
To use this feature, you must:  
   * Enable **Clientless Web Isolation** in your Zero Trust settings.  
   * Have **Browser Isolation (RBI)** seats assigned.  
For more details, refer to our [setup guide](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/).  
This feature is available across these Email security packages:  
   * **Advantage**  
   * **Enterprise**  
   * **Enterprise + PhishGuard**

May 07, 2025
1. ### [Send forensic copies to storage without DLP profiles](https://developers.cloudflare.com/changelog/post/2025-05-07-forensic-copy-update/)  
[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/)  
You can now [send DLP forensic copies](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#send-dlp-forensic-copies-to-logpush-destination) to third-party storage for any HTTP policy with an `Allow` or `Block` action, without needing to include a DLP profile. This change increases flexibility for data handling and forensic investigation use cases.  
By default, Gateway will send all matched HTTP requests to your configured DLP Forensic Copy jobs.  
![DLP](https://developers.cloudflare.com/_astro/forensic-copies-for-all.fxeFrCY4_Z1rCUy9.webp)

May 06, 2025
1. ### [UDP and ICMP Monitor Support for Private Load Balancing Endpoints](https://developers.cloudflare.com/changelog/post/2025-05-06-private-health-monitoring-methods/)  
[ Load Balancing ](https://developers.cloudflare.com/load-balancing/)  
Cloudflare Load Balancing now supports **UDP (Layer 4)** and **ICMP (Layer 3)** health monitors for **private endpoints**. This makes it simple to track the health and availability of internal services that don’t respond to HTTP, TCP, or other protocol probes.  
#### What you can do:  
   * Set up **ICMP ping monitors** to check if your private endpoints are reachable.  
   * Use **UDP monitors** for lightweight health checks on non-TCP workloads, such as DNS, VoIP, or custom UDP-based services.  
   * Gain better visibility and uptime guarantees for services running behind **Private Network Load Balancing**, without requiring public IP addresses.  
This enhancement is ideal for internal applications that rely on low-level protocols, especially when used in conjunction with [**Cloudflare Tunnel**](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/), [**WARP**](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/), and [**Magic WAN**](https://developers.cloudflare.com/cloudflare-wan/) to create a secure and observable private network.  
Learn more about [Private Network Load Balancing](https://developers.cloudflare.com/load-balancing/private-network/) or view the full list of [supported health monitor protocols](https://developers.cloudflare.com/load-balancing/monitors/#supported-protocols).

May 01, 2025
1. ### [Browser Isolation Overview page for Zero Trust](https://developers.cloudflare.com/changelog/post/2025-05-01-browser-isolation-overview-page/)  
[ Browser Isolation ](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/)  
A new **Browser Isolation Overview** page is now available in the Cloudflare Zero Trust dashboard. This centralized view simplifies the management of [Remote Browser Isolation (RBI)](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) deployments, providing:  
   * **Streamlined Onboarding:** Easily set up and manage isolation policies from one location.  
   * **Quick Testing:** Validate [clientless web application isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) with ease.  
   * **Simplified Configuration:** Configure [isolated access applications](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/isolate-application/) and policies efficiently.  
   * **Centralized Monitoring:** Track aggregate usage and blocked actions.  
This update consolidates previously disparate settings, accelerating deployment, improving visibility into isolation activity, and making it easier to ensure your protections are working effectively.  
![Browser Isolation Overview](https://developers.cloudflare.com/_astro/browser-isolation-overview.Ljd5ax_O_Z1SURww.webp)  
To access the new overview, log in to your Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/) and find Browser Isolation in the side navigation bar.

Apr 30, 2025
1. ### [Dark Mode for Zero Trust Dashboard](https://developers.cloudflare.com/changelog/post/2025-04-30-zero-trust-dashboard-dark-mode/)  
[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)  
The [Cloudflare Zero Trust dashboard ↗](https://one.dash.cloudflare.com/) now supports Cloudflare's native dark mode for all accounts and plan types.  
Zero Trust Dashboard will automatically accept your user-level preferences for system settings, so if your Dashboard appearance is set to 'system' or 'dark', the Zero Trust dashboard will enter dark mode whenever the rest of your Cloudflare account does.  
![Zero Trust dashboard supports dark mode](https://developers.cloudflare.com/_astro/dark-mode.DfLeS20d_Z2kTwNR.webp)  
   * [ Zero Trust Dashboard ](#tab-panel-422)  
   * [ Core Dashboard ](#tab-panel-423)  
To update your view preference in the Zero Trust dashboard:  
   1. Log into the [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/).  
   2. Select your user icon.  
   3. Select **Dark Mode**.  
To update your view preference in the Core dashboard:  
   1. Log into the [Cloudflare dashboard ↗](https://dash.cloudflare.com).  
   2. Go to **My Profile**  
   3. For **Appearance**, choose **Dark**.

Apr 30, 2025
1. ### [Cloudflare One Appliance supports multiple DNS server IPs](https://developers.cloudflare.com/changelog/post/2025-04-30-appliance-multiple-dns-servers/)  
[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/)  
Cloudflare One Appliance DHCP server settings now support specifying multiple DNS server IP addresses in the DHCP pool.  
Previously, customers could only configure a single DNS server per DHCP pool. With this update, you can specify multiple DNS servers to provide redundancy for clients at branch locations.  
For configuration details, refer to [DHCP server](https://developers.cloudflare.com/cloudflare-wan/configuration/appliance/network-options/dhcp/dhcp-server/).

Apr 28, 2025
1. ### [FQDN Filtering For Gateway Egress Policies](https://developers.cloudflare.com/changelog/post/2025-04-28-fdqn-filtering-egress-policies/)  
[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)  
Cloudflare One administrators can now control which egress IP is used based on a destination's fully qualified domain name (FDQN) within Gateway Egress policies.  
   * Host, Domain, Content Categories, and Application selectors are now available in the Gateway Egress policy builder in beta.  
   * During the beta period, you can use these selectors with traffic on-ramped to Gateway with the WARP client, proxy endpoints (commonly deployed with PAC files), or Cloudflare Browser Isolation.  
         * For WARP client support, additional configuration is required. For more information, refer to the [WARP client configuration documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#limitations).  
![Egress by FQDN and Hostname](https://developers.cloudflare.com/_astro/Gateway-Egress-FQDN-Policy-preview.Civon5p8_Z2hcuQE.webp)  
This will help apply egress IPs to your users' traffic when an upstream application or network requires it, while the rest of their traffic can take the most performant egress path.

Apr 22, 2025
1. ### [WARP client for Windows (version 2025.4.589.1)](https://developers.cloudflare.com/changelog/post/2025-04-22-warp-windows-beta/)  
[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)  
A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).  
**Changes and improvements**  
   * Fixed an issue causing reconnection loops when captive portals are detected.  
   * Fixed an issue that caused WARP client disk encryption posture checks to fail due to missing drive names.  
   * Fixed an issue where managed network policies could incorrectly report network location beacons as missing.  
   * Improved error reporting for DEX tests.  
   * Improved WARP client UI high contrast mode.  
   * Fixed an issue causing client notifications to fail in IPv6 only environments which prevented the client from receiving configuration changes to settings like device profile.  
   * Added a TCP fallback for the MASQUE tunnel protocol to improve compatibility with networks on MASQUE.  
   * Added new IP addresses for [tunnel connectivity checks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#connectivity-checks). If your organization uses a firewall or other policies you will need to exempt these IPs.  
   * DNS over HTTPS traffic is now included in the WARP tunnel by default.  
   * Improved the error message displayed in the client GUI when the rate limit for entering an incorrect admin override code is met.  
   * Added a [Collect Captive Portal Diag](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/captive-portals/#get-captive-portal-logs) button in the client GUI to make it easier for users to collect captive portal debugging diagnostics.  
   * Improved handling of non-SLAAC IPv6 interface addresses for better connectivity in IPv6 only environments.  
   * Fixed an issue where frequent network changes could cause WARP to become unresponsive.  
**Known issues**  
   * DNS resolution may be broken when the following conditions are all true:  
         * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
         * A custom DNS server address is configured on the primary network adapter.  
         * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
   To work around this issue, reconnect the WARP client by toggling off and back on.

Apr 22, 2025
1. ### [WARP client for macOS (version 2025.4.589.1)](https://developers.cloudflare.com/changelog/post/2025-04-22-warp-macos-beta/)  
[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)  
A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).  
**Changes and improvements**  
   * Fixed an issue where managed network policies could incorrectly report network location beacons as missing.  
   * Improved DEX test error reporting.  
   * Fixed an issue causing client notifications to fail in IPv6 only environments which prevented the client from receiving configuration changes to settings like device profile.  
   * Improved captive portal detection.  
   * Added a TCP fallback for the MASQUE tunnel protocol to improve compatibility with networks on MASQUE.  
   * Added new IP addresses for [tunnel connectivity checks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#connectivity-checks). If your organization uses a firewall or other policies you will need to exempt these IPs.  
   * DNS over HTTPS traffic is now included in the WARP tunnel by default.  
   * Improved the error message displayed in the client GUI when the rate limit for entering an incorrect admin override code is met.  
   * Added a [Collect Captive Portal Diag](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/captive-portals/#get-captive-portal-logs) button in the client GUI to make it easier for users to collect captive portal debugging diagnostics.  
   * Improved handling of non-SLAAC IPv6 interface addresses for better connectivity in IPv6 only environments.  
   * Fixed an issue where frequent network changes could cause WARP to become unresponsive.  
**Known issues**  
   * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.

Apr 21, 2025
1. ### [Access bulk policy tester](https://developers.cloudflare.com/changelog/post/2025-04-21-access-bulk-policy-tester/)  
[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)  
The [Access bulk policy tester](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/#test-all-policies-in-an-application) is now available in the Cloudflare Zero Trust dashboard. The bulk policy tester allows you to simulate Access policies against your entire user base before and after deploying any changes. The policy tester will simulate the configured policy against each user's last seen identity and device posture (if applicable).  
![Example policy tester](https://developers.cloudflare.com/_astro/example-policy-tester.DCY8hQvx_2nxAfs.webp)

Apr 14, 2025
1. ### [New predefined detection entry for ICD-11](https://developers.cloudflare.com/changelog/post/2025-04-14-icd11-support/)  
[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/)  
You now have access to the World Health Organization (WHO) 2025 edition of the [International Classification of Diseases 11th Revision (ICD-11) ↗](https://www.who.int/news/item/14-02-2025-who-releases-2025-update-to-the-international-classification-of-diseases-%28icd-11%29) as a predefined detection entry. The new dataset can be found in the [Health Information](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#health-information) predefined profile.  
ICD-10 dataset remains available for use.

Apr 11, 2025
1. ### [HTTP redirect and custom block page redirect](https://developers.cloudflare.com/changelog/post/2025-04-11-http-redirect-custom-block-page-redirect/)  
[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)  
You can now use more flexible redirect capabilities in Cloudflare One with Gateway.  
   * A new **Redirect** action is available in the HTTP policy builder, allowing admins to redirect users to any URL when their request matches a policy. You can choose to preserve the original URL and query string, and optionally include policy context via query parameters.  
   * For **Block** actions, admins can now configure a custom URL to display when access is denied. This block page redirect is set at the account level and can be overridden in DNS or HTTP policies. Policy context can also be passed along in the URL.  
Learn more in our documentation for [HTTP Redirect](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#redirect) and [Block page redirect](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page).

Apr 09, 2025
1. ### [Cloudflare Zero Trust SCIM User and Group Provisioning Logs](https://developers.cloudflare.com/changelog/post/2025-04-09-scim-provisioning-logs/)  
[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)  
[Cloudflare Zero Trust SCIM provisioning](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim) now has a full audit log of all create, update and delete event from any SCIM Enabled IdP. The [SCIM logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/scim-logs/) support filtering by IdP, Event type, Result and many more fields. This will help with debugging user and group update issues and questions.  
SCIM logs can be found on the Zero Trust Dashboard under **Logs** \-> **SCIM provisioning**.  
![Example SCIM Logs](https://developers.cloudflare.com/_astro/example-scim-log.Bv5Zqckh_BY26C.webp)

Apr 08, 2025
1. ### [WARP client for Windows (version 2025.2.664.0)](https://developers.cloudflare.com/changelog/post/2025-04-08-warp-windows-ga/)  
[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)  
A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).  
This release contains a hotfix for captive portal detection for the 2025.2.600.0 release.  
**Changes and improvements**  
   * Fix to reduce the number of browser tabs opened during captive portal logins.  
**Known issues**  
   * DNS resolution may be broken when the following conditions are all true:  
         * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.  
         * A custom DNS server address is configured on the primary network adapter.  
         * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
   To work around this issue, reconnect the WARP client by toggling off and back on.

Apr 08, 2025
1. ### [WARP client for macOS (version 2025.2.664.0)](https://developers.cloudflare.com/changelog/post/2025-04-08-warp-macos-ga/)  
[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)  
A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).  
This release contains a hotfix for captive portal detection and PF state tables for the 2025.2.600.0 release.  
**Changes and improvements**  
   * Fix to reduce the number of browser tabs opened during captive portal logins.  
   * Improvement to exclude local DNS traffic entries from PF state table to reduce risk of connectivity issues from exceeding table capacity.  
**Known issues**  
   * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.

Apr 01, 2025
1. ### [CASB and Email security](https://developers.cloudflare.com/changelog/post/2025-04-01-casb-email-security/)  
[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/)  
With Email security, you get two free CASB integrations.  
Use one SaaS integration for Email security to sync with your directory of users, take actions on delivered emails, automatically provide EMLs for reclassification requests for clean emails, discover CASB findings and more.  
With the other integration, you can have a separate SaaS integration for CASB findings for another SaaS provider.  
Refer to [Add an integration](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/) to learn more about this feature.  
![CASB-EmailSecurity](https://developers.cloudflare.com/_astro/CASB-EmailSecurity.B1wd9be2_PR5LD.webp)  
This feature is available across these Email security packages:  
   * **Enterprise**  
   * **Enterprise + PhishGuard**

Mar 21, 2025
1. ### [Secure DNS Locations Management User Role](https://developers.cloudflare.com/changelog/post/2025-03-21-pdns-user-locations-role/)  
[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)  
We're excited to introduce the [**Cloudflare Zero Trust Secure DNS Locations Write role**](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/#secure-dns-locations), designed to provide DNS filtering customers with granular control over third-party access when configuring their Protective DNS (PDNS) solutions.  
Many DNS filtering customers rely on external service partners to manage their DNS location endpoints. This role allows you to grant access to external parties to administer DNS locations without overprovisioning their permissions.  
**Secure DNS Location Requirements:**  
   * Mandate usage of [Bring your own DNS resolver IP addresses ↗](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/dns-resolver-ips/#bring-your-own-dns-resolver-ip) if available on the account.  
   * Require source network filtering for IPv4/IPv6/DoT endpoints; token authentication or source network filtering for the DoH endpoint.  
You can assign the new role via Cloudflare Dashboard (`Manage Accounts > Members`) or via API. For more information, refer to the [Secure DNS Locations documentation ↗](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/#secure-dns-locations).

Mar 17, 2025
1. ### [Cloudflare One Agent for Android (version 2.4)](https://developers.cloudflare.com/changelog/post/2025-03-17-warp-ga-android/)  
[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)  
A new GA release for the Android Cloudflare One Agent is now available in the [Google Play Store ↗](https://play.google.com/store/apps/details?id=com.cloudflare.cloudflareoneagent). This release includes a new feature allowing [team name insertion by URL](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/#enroll-using-a-url) during enrollment, as well as fixes and minor improvements.  
**Changes and improvements**  
   * Improved in-app error messages.  
   * Improved mobile client login with support for [team name insertion by URL](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/#enroll-using-a-url).  
   * Fixed an issue preventing admin split tunnel settings taking priority for traffic from certain applications.

Mar 17, 2025
1. ### [Cloudflare One Agent for iOS (version 1.10)](https://developers.cloudflare.com/changelog/post/2025-03-17-warp-ga-ios/)  
[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)  
A new GA release for the iOS Cloudflare One Agent is now available in the [iOS App Store ↗](https://apps.apple.com/us/app/cloudflare-one-agent/id6443476492). This release includes a new feature allowing [team name insertion by URL](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/#enroll-using-a-url) during enrollment, as well as fixes and minor improvements.  
**Changes and improvements**  
   * Improved in-app error messages.  
   * Improved mobile client login with support for [team name insertion by URL](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/#enroll-using-a-url).  
   * Bug fixes and performance improvements.

Mar 13, 2025
1. ### [Cloudflare IP Ranges List](https://developers.cloudflare.com/changelog/post/2025-03-13-new-managed-iplist/)  
[ Cloudflare Network Firewall ](https://developers.cloudflare.com/cloudflare-network-firewall/)  
Magic Firewall now supports a new managed list of Cloudflare IP ranges. This list is available as an option when creating a Magic Firewall policy based on IP source/destination addresses. When selecting "is in list" or "is not in list", the option "**Cloudflare IP Ranges**" will appear in the dropdown menu.  
This list is based on the IPs listed in the Cloudflare [IP ranges ↗](https://www.cloudflare.com/en-gb/ips/). Updates to this managed list are applied automatically.  
![Cloudflare IPs Managed List](https://developers.cloudflare.com/_astro/cloudflare-ips.DetyOndL_10JG5B.webp)  
Note: IP Lists require a Cloudflare Advanced Network Firewall subscription. For more details about Cloudflare Network Firewall plans, refer to [Plans](https://developers.cloudflare.com/cloudflare-network-firewall/plans).

Mar 07, 2025
1. ### [Cloudflare One Agent now supports Endpoint Monitoring](https://developers.cloudflare.com/changelog/post/2025-03-07-cloudflare-one-device-health-monitoring/)  
[ Digital Experience Monitoring ](https://developers.cloudflare.com/cloudflare-one/insights/dex/)  
[Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) provides visibility into device, network, and application performance across your Cloudflare SASE deployment. The latest release of the Cloudflare One agent (v2025.1.861) now includes device endpoint monitoring capabilities to provide deeper visibility into end-user device performance which can be analyzed directly from the dashboard.  
Device health metrics are now automatically collected, allowing administrators to:  
   * View the last network a user was connected to  
   * Monitor CPU and RAM utilization on devices  
   * Identify resource-intensive processes running on endpoints  
![Device endpoint monitoring dashboard](https://developers.cloudflare.com/_astro/cloudflare-one-agent-health-monitoring.XXtiRuOp_Z25TN9Q.webp)  
This feature complements existing DEX features like [synthetic application monitoring](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/) and [network path visualization](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/traceroute/), creating a comprehensive troubleshooting workflow that connects application performance with device state.  
For more details refer to our [DEX](https://developers.cloudflare.com/cloudflare-one/insights/dex/) documentation.

Mar 04, 2025
1. ### [Gain visibility into user actions in Zero Trust Browser Isolation sessions](https://developers.cloudflare.com/changelog/post/2025-03-03-user-action-logging/)  
[ Browser Isolation ](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/)  
We're excited to announce that new logging capabilities for [Remote Browser Isolation (RBI)](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) through [Logpush](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/) are available in Beta starting today!  
With these enhanced logs, administrators can gain visibility into end user behavior in the remote browser and track blocked data extraction attempts, along with the websites that triggered them, in an isolated session.  
```  
{  
  "AccountID": "$ACCOUNT_ID",  
  "Decision": "block",  
  "DomainName": "www.example.com",  
  "Timestamp": "2025-02-27T23:15:06Z",  
  "Type": "copy",  
  "UserID": "$USER_ID"  
}  
```  
User Actions available:  
   * **Copy & Paste**  
   * **Downloads & Uploads**  
   * **Printing**  
Learn more about how to get started with Logpush in our [documentation](https://developers.cloudflare.com/logs/logpush/).

Mar 03, 2025
1. ### [New SAML and OIDC Fields and SAML transforms for Access for SaaS](https://developers.cloudflare.com/changelog/post/2025-03-03-saml-oidc-fields-saml-transformations/)  
[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)  
[Access for SaaS applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/saas-apps/) now include more configuration options to support a wider array of SaaS applications.  
**SAML and OIDC Field Additions**  
OIDC apps now include:  
   * Group Filtering via RegEx  
   * OIDC Claim mapping from an IdP  
   * OIDC token lifetime control  
   * Advanced OIDC auth flows including hybrid and implicit flows  
![OIDC field additions](https://developers.cloudflare.com/_astro/oidc-claims.2di8l9Lv_ZrD1mx.webp)  
SAML apps now include improved SAML attribute mapping from an IdP.  
![SAML field additions](https://developers.cloudflare.com/_astro/saml-attribute-statements.CW45j5Qi_1ydeSQ.webp)  
**SAML transformations**  
SAML identities sent to Access applications can be fully customized using JSONata expressions. This allows admins to configure the precise identity SAML statement sent to a SaaS application.  
![Configured SAML statement sent to application](https://developers.cloudflare.com/_astro/transformation-box.DyKn-DdN_2rtirg.webp)

[Search all changelog entries](https://developers.cloudflare.com/search/?contentType=Changelog+entry)