Cloudflare Docs
Cloudflare Zero Trust
Edit this page on GitHub
Set theme to dark (⇧+D)

Device profiles

A device profile defines WARP client settings for a specific set of devices in your organization. You can create multiple profiles and apply different settings based on the user’s identity, the device’s location, and other criteria.

For example, users in one identity provider group (signifying a specific office location) might have different routes that need to be excluded from their WARP tunnel, or some device types (like Linux) might need different DNS settings to accommodate local development services.

​​ Create a new profile

  1. In Zero Trust, go to Settings > WARP Client.
  2. In the Profile settings card, select Create profile. This will make a copy of the Default profile.
  3. Enter any name for the profile.
  4. Create rules to define the devices that will use this profile. Learn more about the available Selectors, Operators, and Values.
  5. Configure WARP settings for these devices.
  1. Select Create profile.

Your profile will appear in the Profile settings list. You can rearrange the profiles in the list according to your desired order of precedence.

Send a POST request to the Devices endpoint:

curl https://api.cloudflare.com/client/v4/accounts/{account_id}/devices/policy \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
"allow_mode_switch": false,
"allow_updates": false,
"allowed_to_leave": false,
"auto_connect": 900,
"captive_portal": 180,
"description": "Cloudflare'\''s basic device settings profile, recommended in the implementation documentation. For details, refer to https://developers.cloudflare.com/learning-paths/replace-vpn/configure-device-agent/device-profiles/",
"disable_auto_fallback": true,
"enabled": true,
"exclude_office_ips": false,
"match": "identity.email == \"[email protected]\"",
"name": "Cloudflare basic device profile",
"precedence": 101,
"service_mode_v2": {
"mode": "warp"},
"support_url": "https://it.company.com/help",
"switch_locked": true
}'

​​ Edit profile settings

  1. In Zero Trust, go to Settings > WARP Client.

  2. In the Profile settings card, find the profile you want to update and select Configure.

  3. Modify WARP settings for this profile.

  4. Select Save profile.

The new settings will immediately propagate to devices that match this profile.

​​ Verify settings

To check WARP client settings on a specific device, open a terminal on the device and run:

$ warp-cli settings

​​ Selectors

SelectorDescriptionWARP mode required
User emailEmail address of a user
[email protected]
Gateway with WARP
User group emailsEmail address of an IdP group
[email protected]
Gateway with WARP
User group IDsID of an IdP group
12jf495bhjd7893ml09o
Gateway with WARP
User group namesName of an IdP group
developers
Gateway with WARP
Operating systemmacOSAny mode
Operating system versionOS version specified in Semver format
1.2.0
Any mode
Managed networkNetwork location of the deviceAny mode
SAML AttributesAttribute name and value from a SAML IdPGateway with WARP

​​ Comparison operators

OperatorMeaning
isequals the defined value
inmatches at least one of the defined values

​​ Logical operators

To evaluate multiple conditions in an expression, select a logical operator:

OperatorMeaning
Andmatch all of the conditions in the expression
Ormatch any of the conditions in the expression

​​ Order of precedence

Profiles are evaluated from top to bottom as shown in the UI and follows the first match principle — once a device matches a profile, evaluation stops and no subsequent profiles can override the decision.

The Default profile is always at the bottom of the list, meaning that it will only apply if the device does not match any of the previous profiles. If you make another custom profile the default, all settings will be copied over into the Default profile.