Each client supports the following set of parameters as part of their deployment, regardless of the deployment mechanism.
Required for full Cloudflare One features
Required field for DNS only policy enforcemet
This field is only required to enforce DNS policies when deploying the client in DoH-only mode.
Description. Instructs the client to direct all DNS queries to a specific policy location. This value is only necessary if deploying without a team name or in an organization with multiple policy locations.
Description. Allows you to choose the opertional mode of the client.
1dot1Gateway enforcement of DNS policies only through . All other traffic is handled by your devices default mechanisms
warp[default value] All traffic sent through via our encrypted tunnel. This mode is required for features such as HTTP policies, Browser Isolation, identity-based rules, or device posture.
true[default value] Screen visible.
Description. Allows the user to control the connected state of the application (main toggle switch).
false[default value] The user is able to turn switch on/off at their discretion. When the switch is off, the user will not have the ability to reach sites protected by Access that leverage certain device posture checks.
trueThe user is prevented from turning off the switch.
On new deployments, you must also include the
auto_connect parameter with at least a value of 0. This will prevent clients from being deployed in the off state without a way for users to manually enable them.
Description. If switch has been turned off by user the client will automatically turn itself back on after the specified number of minutes. We recommend keeping this set to a very low value, usually just enough time for a user to login to hotel or airport wifi.
0Allow the switch to stay in the off position indefinitely until the user turns it back on.
1-1440Turn switch back on automatically after the specified number of minutes.
Description. When the WARP client is deployed via MDM, the in-app Send Feedback button is disabled by default. This parameter allows you to re-enable the button and direct it towards your organization.
https://support.example.comUse an https:// link to open your companies internal help site.
mailto:firstname.lastname@example.orgUse a mailto: link to open your default mail client.
Authentication with service tokens
auth_client_secret are required when using this authentication method.
Client ID from your service token.
Client Secret from your service token.
Frequently Asked Questions
What happens if I don't supply a Gateway DoH subdomain? If you specify an
organizationwe will automatically use the default location specified in Gateway.
How do I obtain logs in the event of an issue with client? The macOS and Windows clients installations each contain an application in their installed folders called warp-diag that can be used to obtain logs.