Each client supports the following set of parameters as part of their deployment, regardless of the deployment mechanism.
Required for full Cloudflare Zero Trust features
Required for DNS-only policy enforcement
This field is only required to enforce DNS policies when deploying the client in DoH-only mode.
Instructs the client to direct all DNS queries to a specific policy location. This value is only necessary if deploying without a team name or in an organization with multiple policy locations.
Allows you to choose the operational mode of the client.
1dot1— Gateway enforcement of DNS policies only through . All other traffic is handled by your device’s default mechanisms.
warp— (default) All traffic sent through via our encrypted tunnel. This mode is required for features such as HTTP policies, Browser Isolation, identity-based rules, and device posture.
New service modes such as Proxy only are not supported as a value and must be configured in the Zero Trust dashboard.
false— Screens hidden.
true— (default) Screens visible.
Allows the user to turn off the WARP switch and disconnect the client.
false— (default) The user is able to turn the switch on/off at their discretion. When the switch is off, the user will not have the ability to reach sites protected by Access that leverage certain device posture checks.
true— The user is prevented from turning off the switch. The WARP client will automatically start in the connected state.
On new deployments, you must also include the
auto_connect parameter with at least a value of
0. This will prevent clients from being deployed in the off state without a way for users to manually enable them.
If switch has been turned off by user, the client will automatically turn itself back on after the specified number of minutes. We recommend keeping this set to a very low value — usually just enough time for a user to log in to hotel or airport WiFi. If any value is specified for
auto_connect the default state of the WARP client will always be Connected (for example, after the initial install or a reboot).
0— Allow the switch to stay in the off position indefinitely until the user turns it back on.
1440— Turn switch back on automatically after the specified number of minutes.
When the WARP client is deployed via MDM, the in-app Send Feedback button is disabled by default. This parameter allows you to re-enable the button and direct feedback towards your organization.
https://<support.example.com>— Use an
https://link to open your company’s internal help site.
mailto:<[email protected]>— Use a
mailto:link to open your default mail client.
Authentication with service tokens
Instead of requiring users to authenticate with their credentials, you can deploy the WARP client with a . Before you can authenticate clients using the service token, you must add a new rule to your that includes the token, with the Rule action set to
auth_client_secret are required when using this authentication method.
Client ID from your service token.
Client Secret from your service token.
Frequently Asked Questions
What happens if I don’t supply a Gateway DoH subdomain? If you specify an
organization, we will automatically use the default location specified in Gateway.
How do I obtain logs in the event of an issue with client? The macOS and Windows clients installations each contain an application in their installed folders called
warp-diagthat can be used to obtain logs.