Cloudflare Docs
Cloudflare Zero Trust

Parameters

Each client supports the following set of parameters as part of their deployment, regardless of the deployment mechanism.

Required for full Cloudflare Zero Trust features

For the majority of Cloudflare Zero Trust features to work, you need to specify a team name. Examples of Cloudflare Zero Trust features which depend on the team name are HTTP policies, Browser Isolation, and device posture.

organization

Instructs the client to register the device with your organization. Registration requires authentication via an IdP or Service Auth.

Value Type: string

Value: Your team name.

Required for DNS-only policy enforcement

This field is only required to enforce DNS policies when deploying the client in DoH-only mode.

gateway_unique_id

Instructs the client to direct all DNS queries to a specific Gateway DNS location. This value is only necessary if deploying without a team name or in an organization with multiple DNS locations.

Value Type: string

Value: Your DoH subdomain.

Optional fields

service_mode

Allows you to choose the operational mode of the client.

Value Type: string

Value:

  • 1dot1 — Gateway enforcement of DNS policies only through DoH. All other traffic is handled by your device’s default mechanisms.
  • warp — (default) All traffic sent through Cloudflare Gateway via our encrypted tunnel. This mode is required for features such as HTTP policies, Browser Isolation, identity-based rules, and device posture.

New service modes such as Proxy only are not supported as a value and must be configured in the Zero Trust dashboard.

onboarding

Controls the visibility of the onboarding screens that ask the user to review the privacy policy during an application’s first launch.

Value Type: boolean

Value:

  • false — Screens hidden.
  • true — (default) Screens visible.

switch_locked

Controls whether the user can turn off the WARP switch and disconnect the client.

Value Type: boolean

Value:

  • false — (default) The user is able to turn the switch on/off at their discretion. When the switch is off, the user will not have the ability to reach sites protected by Access that leverage certain device posture checks.
  • true — The user is prevented from turning off the switch. The WARP client will automatically start in the connected state.

On new deployments, you must also include the auto_connect parameter with at least a value of 0. This will prevent clients from being deployed in the off state without a way for users to manually enable them.

auto_connect

If the switch has been turned off by the user, the client will automatically turn itself back on after the specified number of minutes. We recommend keeping this set to a very low value — usually just enough time for a user to log in to hotel or airport WiFi. If any value is specified for auto_connect, the default state of the WARP client will always be Connected (for example, after the initial install or a reboot).

Value Type: integer

Value:

  • 0 — Allow the switch to stay in the off position indefinitely until the user turns it back on.
  • 1 to 1440 — Turn switch back on automatically after the specified number of minutes.

support_url

When the WARP client is deployed via MDM, the in-app Send Feedback button is disabled by default. This parameter allows you to re-enable the button and direct feedback towards your organization.

Value Type: string

Value:

  • https://<support.example.com> — Use an https:// link to open your company’s internal help site.
  • mailto:<[email protected]> — Use a mailto: link to open your default mail client.

override_api_endpoint

Overrides the IP address used by the WARP client to communicate with the client orchestration API. If you set this parameter, be sure to update your organization’s firewall to ensure the new IP is allowed through.

This functionality is intended for use with a Cloudflare China local network partner or any other third-party network partner that can maintain the integrity of network traffic. Most IT admins should not set this parameter, as it will redirect all API traffic to a new IP.

Value Type: string

Value: 1.2.3.4 — Redirect all client orchestration API calls to 1.2.3.4.

The string must be a valid IPv4 or IPv6 address, otherwise the WARP client will fail to parse the entire MDM file.

override_doh_endpoint

Overrides the IP address used by the WARP client to resolve DNS queries via DNS over HTTPS (DoH). If you set this parameter, be sure to update your organization’s firewall to ensure the new IP is allowed through.

This functionality is intended for use with a Cloudflare China local network partner or any other third-party network partner that can maintain the integrity of network traffic. Most IT admins should not set this parameter, as it will redirect all DoH traffic to a new IP.

Value Type: string

Value: 1.2.3.4 — Redirect all DNS over HTTPS lookups to 1.2.3.4.

The string must be a valid IPv4 or IPv6 address, otherwise the WARP client will fail to parse the entire MDM file.

override_warp_endpoint

Overrides the IP address and UDP port used by the WARP client to send traffic to Cloudflare’s edge. If you set this parameter, be sure to update your organization’s firewall to ensure the new IP is allowed through.

This functionality is intended for use with a Cloudflare China local network partner or any other third-party network partner that can maintain the integrity of network traffic. Most IT admins should not set this parameter, as it will redirect all WARP traffic to a new IP.

Value Type: string

Value: 1.2.3.4:500 — Redirect all WARP traffic to 1.2.3.4 on port 500.

The string must be a valid IPv4 or IPv6 socket address (containing the IP address and port number), otherwise the WARP client will fail to parse the entire MDM file.

Authentication with service tokens

Instead of requiring users to authenticate with their credentials, you can deploy the WARP client with a service token. Before you can authenticate clients using the service token, you must add a new rule to your device enrollment permissions that includes the token, with the Rule action set to Service Auth.

Both auth_client_id and auth_client_secret are required when using this authentication method.

auth_client_id

The ID that was automatically generated when you created your service token.

Value Type: string

Value: Client ID from your service token.

auth_client_secret

The secret that was automatically generated when you created your service token.

Value Type: string

Value: Client Secret from your service token.
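
The value constraints stated on this page can be checked before a configuration is pushed to devices; a malformed override address, for instance, makes the client fail to parse the entire MDM file. The Python lint below is an added example, not Cloudflare's code: it assumes the parameters have already been parsed into a dict, and the function names, sample values and the bracketed IPv6 socket form are assumptions.

```python
import ipaddress

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def is_socket_addr(value):
    # "1.2.3.4:500" or "[2001:db8::1]:500"; the bracketed IPv6 form is an assumption.
    host, sep, port = value.rpartition(":")
    if not sep or not (port.isascii() and port.isdigit()) or int(port) > 65535:
        return False
    if host.startswith("[") and host.endswith("]"):
        return ":" in host and is_ip(host[1:-1])
    return ":" not in host and is_ip(host)

def lint_warp_params(p):
    """Return the problems found in a dict of WARP deployment parameters."""
    problems = []
    if p.get("service_mode", "warp") not in ("1dot1", "warp"):
        problems.append("service_mode must be 1dot1 or warp")
    ac = p.get("auto_connect")
    if ac is not None and (type(ac) is not int or not 0 <= ac <= 1440):
        problems.append("auto_connect must be an integer from 0 to 1440")
    if p.get("switch_locked") is True and ac is None:
        problems.append("switch_locked=true also needs auto_connect")
    for key in ("override_api_endpoint", "override_doh_endpoint"):
        if key in p and not is_ip(str(p[key])):
            problems.append(f"{key} is not a valid IPv4/IPv6 address")
    if "override_warp_endpoint" in p and not is_socket_addr(str(p["override_warp_endpoint"])):
        problems.append("override_warp_endpoint is not a valid IP:port socket address")
    if ("auth_client_id" in p) != ("auth_client_secret" in p):
        problems.append("auth_client_id and auth_client_secret must be set together")
    url = p.get("support_url")
    if url is not None and not str(url).startswith(("https://", "mailto:")):
        problems.append("support_url must be an https:// or mailto: link")
    return problems

# Constructed sample inputs; team name, token ID and addresses are placeholders.
GOOD = {"organization": "example-team", "switch_locked": True, "auto_connect": 5,
        "override_warp_endpoint": "1.2.3.4:500"}
BAD = {"organization": "example-team", "switch_locked": True,  # auto_connect missing
       "override_api_endpoint": "api.example.com",  # hostname, not an IP address
       "override_warp_endpoint": "1.2.3.4",         # port missing
       "auth_client_id": "PLACEHOLDER_ID"}          # secret missing

if __name__ == "__main__":
    print(lint_warp_params(GOOD) or "ok", lint_warp_params(BAD), sep="\n")
```
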

Frequently Asked Questions

  • What happens if I don’t supply a Gateway DoH subdomain? If you specify an organization, we will automatically use the default DNS location specified in Gateway.

  • How do I obtain logs in the event of an issue with the client? The macOS and Windows client installations each contain an application in their installed folders called warp-diag that can be used to obtain logs.