Device enrollment permissions
Device enrollment permissions determine which users can connect new devices to your organization’s Cloudflare Zero Trust instance.
Set device enrollment permissions
- In , go to Settings > WARP Client.
- In Device enrollment permissions, select Manage.
- In the Rules tab, configure one or more to define who can join their device. For example, you could allow all users with a company email address:
| Rule type | Selector | Value |
| --- | --- | --- |
| Include | Emails ending in | |
- In the Authentication tab, select the users can authenticate with. If you have not integrated an identity provider, you can use the .
- Select Save.
Check for service token
Instead of requiring users to authenticate with their credentials, you can use a service token to enroll devices without any user interaction. Because users are not required to log in to an identity provider, identity-based policies cannot be enforced on these devices.
To enroll devices using a service token:
Copy the token’s Client ID and Client Secret.
| Rule Action | Rule type | Selector | Value |
| --- | --- | --- | --- |
| Service Auth | Include | Service Token | |
auth_client_id: The Client ID of your service token.
auth_client_secret: The Client Secret of your service token.
When you deploy the WARP client with your MDM provider, WARP will automatically connect the device to your Zero Trust organization.
You can verify which devices have enrolled by going to My Team > Devices. Devices that enrolled using a service token (or any other Service Auth policy) will have the Email field show as
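A pre-deployment check for the MDM file that carries the service token, as an added example (not Cloudflare's code). It assumes the file uses a `<dict>` of alternating `<key>`/`<string>` elements and an `organization` parameter alongside the two parameters named above; the function names and all sample values are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: every value below is a placeholder.
SAMPLE_MDM = """<dict>
  <key>organization</key>
  <string>example-team</string>
  <key>auth_client_id</key>
  <string>PLACEHOLDER_CLIENT_ID</string>
  <key>auth_client_secret</key>
  <string>PLACEHOLDER_CLIENT_SECRET</string>
</dict>"""


def parse_mdm(xml_text):
    """Return the settings of a <dict> of alternating <key>/<value> elements."""
    root = ET.fromstring(xml_text)
    settings_dict = root if root.tag == "dict" else root.find("dict")
    if settings_dict is None:
        raise ValueError("no <dict> element found")
    children = list(settings_dict)
    if len(children) % 2:
        raise ValueError("a <key> has no value element")
    settings = {}
    for key, value in zip(children[0::2], children[1::2]):
        if key.tag != "key":
            raise ValueError(f"expected <key>, found <{key.tag}>")
        settings[(key.text or "").strip()] = (value.text or "").strip()
    return settings


def check_service_token_settings(settings, file_mode=None):
    """List problems that would break or weaken service-token enrollment."""
    problems = []
    has_id = bool(settings.get("auth_client_id"))
    has_secret = bool(settings.get("auth_client_secret"))
    if has_id != has_secret:
        problems.append("auth_client_id and auth_client_secret must be set together")
    if not settings.get("organization"):  # assumed parameter, not shown on this page
        problems.append("organization is empty, so there is no team to enroll into")
    # file_mode: permission bits of the deployed file, e.g. os.stat(path).st_mode
    if has_secret and file_mode is not None and file_mode & 0o004:
        problems.append("file is world-readable and exposes auth_client_secret")
    return problems


if __name__ == "__main__":
    print(check_service_token_settings(parse_mdm(SAMPLE_MDM), file_mode=0o644))
```

Because the Client Secret sits in the deployed file in clear text, the permission check matters as much as the presence checks: any local user who can read the file can enroll another device with the same token.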
Check for mTLS certificate
To check for an mTLS certificate:
In Associated hostnames, enter your Zero Trust team domain:
| Action | Rule type | Selector | Value |
| --- | --- | --- | --- |
| Allow | Require | Common Name | |