Intune
This guide covers how to deploy the Cloudflare WARP client using Microsoft Intune.
Download the Cloudflare_WARP_<VERSION>.msi installer.
- Log in to your Microsoft Intune account.
- Go to Apps > All Apps > Add.
- In App type, select Line-of-business app from the drop-down menu. Select Select.
- Select Select app package file and upload the
Cloudflare_WARP_<VERSION>.msiinstaller you downloaded previously. - Select OK.
- In the Name field, we recommend entering the version number of the package being uploaded.
- In the Publisher field, we recommend entering
Cloudflare, Inc. - In the Command-line arguments field, enter a valid installation command. For example,
Refer to deployment parameters for a description of each argument./qn ORGANIZATION="your-team-name" SUPPORT_URL="http://support.example.com"
- Select Next.
- Add the users or groups who require Cloudflare WARP and select Next.
- Review your configuration and select Create.
Intune is now configured to deploy the WARP client.
Refer to the generic instructions for macOS.
Refer to the generic instructions for iOS.
Intune allows you to insert predefined variables ↗ into the XML configuration file. For example, you can set the unique_client_id key to {{deviceid}} for a device UUID posture check deployment.
Before proceeding with per-app VPN configuration, you must make sure Auto connect is disabled for your organization in the Cloudflare dashboard. To disable Auto connect:
- Log in to the Cloudflare dashboard ↗ and select your account.
- Select Zero Trust > Settings > WARP Client.
- Go to Device Settings > select your profile and select Edit > toggle Auto Connect off.
To configure per-app VPN:
- Log in to Microsoft Intune admin center for your organization.
- Go to Devices > iOS/iPadOS Devices > Manage Devices > Configuration > select + Create > New Policy.
- Select Templates in the Profile Type dropdown menu, then select VPN as the Template Name and select Create.
- Give the configuration a name, and an optional description, if you desire, then select Next.
- Select Custom VPN from the Connection Type dropdown menu.
- Expand the Base VPN section.
- Give the VPN connection a name.
- Enter "1.1.1.1" as the VPN server address (this value is not actually used.)
- Set Username and password as the Authentication method.
- Enter "com.cloudflare.cloudflareoneagent" as the VPN identifier.
- Enter any Key and Value into the custom VPN attributes (Cloudflare One does not use these but Intunes requires at least one entry.)
- Expand the Automatic VPN section.
- Select Per-app VPN as the Type of automatic VPN.
- Select packet-tunnel as the Provider Type. Select Next.
- Add any Groups, Users, or Devices to which you want to distribute this configuration and select Next.
- Review the settings and select Create.
- Go to Apps > iOS/iPadOS Apps and select + Add.
- Select iOS store app from the App Type dropdown > Select.
- Select Search the App Store, then search for the app whose traffic you want to go through the VPN > select the desired app > Select.
- Review the selected app settings and select Next.
- Select + Add Group to add the group of users to which to distribute this app. Then select None underneath VPN.
- Select the configuration you just created from the VPN dropdown menu and select OK.
- Select Next, review the settings, then select Create.
- Repeat steps 10-16 for each app you want to use the VPN with.
To deploy WARP on Android devices:
-
Log in to your Microsoft Intune account.
-
Go to Apps > Android >Add.
-
In App type, select Managed Google Play app.
-
Add the Cloudflare One Agent app from the Google Play store. Its application ID is
com.cloudflare.cloudflareoneagent. -
Go to Apps > App Configuration policies > Add.
-
Select Managed devices.
-
In Name, enter
Cloudflare One Agent. -
For Platform, select Android Enterprise.
-
Choose your desired Profile Type.
-
For Targeted app, select Cloudflare One Agent. Select Next.
-
For Configuration settings format, select Enter JSON data. Enter your desired deployment parameters in the
managedPropertyfield. For example:{"kind": "androidenterprise#managedConfiguration","productId": "app:com.cloudflare.cloudflareoneagent","managedProperty": [{"key": "app_config_bundle_list","valueBundleArray": [{"managedProperty": [{"key": "organization","valueString": "your-team-name"},{"key": "display_name","valueString": "Production environment"},{"key": "service_mode","valueString": "warp"},{"key": "onboarding","valueBool": false},{"key": "support_url","valueString": "https://support.example.com/"}]},{"managedProperty": [{"key": "organization","valueString": "test-org"},{"key": "display_name","valueString": "Test environment"}]}]}]}Alternatively, if you do not want to copy and paste the JSON data, you can change Configuration settings format to Use configuration designer and manually configure each deployment parameter.
Once you have configured the deployment parameters, select Next.
-
Assign users or groups to this policy and select Next.
-
Save the app configuration policy.
-
Assign users or groups to the application:
- Go to Apps > Android > Cloudflare One Agent > Manage Properties.
- Select Edit and add users or groups.
- Select Review + save > Save.
Intune will now deploy the Cloudflare One Agent to user devices.
Review the following steps to approve and deploy the Cloudflare One Agent application in Microsoft Intune and use a configuration policy to set up the per-app VPN. To use the per-app VPN, the admin must have linked the Microsoft Intune account with the Google-managed Play account. For more information, refer to Connect your Intune account to your managed Google Play account in the Microsoft documentation ↗.
- Log into the Microsoft Intune admin center.
- Go to Apps > All apps > select Add.
- In App type, select Managed Google Play.
- Search for Cloudflare One Agent > select the app > select Sync.
- Once the sync is successful, admin will see the Cloudflare One Agent app within the All apps view in the Microsoft Intune admin center.
To configure your Cloudflare One Agent app policy:
-
In the Microsoft Intune admin center, go to Apps > App configuration policies > select Add > Managed Devices.
-
Fill out the basic details of your configuration policy:
- Enter the Name of the profile. (For example: Cloudflare One Agent - configuration policy)
- Select the Platform as Android Enterprise.
- Select the desired Profile Type. (For example: Personally-Owned Work Profile Only)
- Select Cloudflare One Agent as the Targeted app.
- Select Next.
-
Fill out the settings for the configuration policy.
-
Select Configuration setting format as Enter JSON data.
-
Enter your desired deployment parameters in the
managedPropertyfield. For example:Terminal window {"kind": "androidenterprise#managedConfiguration","productId": "app:com.cloudflare.cloudflareoneagent","managedProperty": [{"key": "app_config_bundle_list","valueBundleArray": [{"managedProperty": [{"key": "organization","valueString": "${ORGANIZATION_NAME-1}"},{"key": "service_mode","valueString": "warp"},{"key": "onboarding","valueBool": true},{"key": "display_name","valueString": "${UNIQUE_DISPLAY_NAME-1}"},{"key": "warp_tunnel_protocol","valueString": "MASQUE"},{"key": "tunneled_apps","valueBundleArray" :[{"managedProperty": [{"key": "app_identifier","valueString": "com.android.chrome" # Application package name/unique bundle identifier for the Chrome app browser},{"key": "is_browser","valueBool": true}]},{"managedProperty": [{"key": "app_identifier","valueString": "com.google.android.gm" # Application package name/unique bundle identifier for the Gmail app},{"key": "is_browser","valueBool": false # Default value is false, if a user does not define `is_browser` property our app would not treat `app_identifier` package name as a browser.}]}]}]},{"managedProperty": [{"key": "organization","valueString": "${ORGANIZATION_NAME-1}"},{"key": "service_mode","valueString": "warp"},{"key": "display_name","valueString": "${UNIQUE_DISPLAY_NAME-2}"},{"key": "warp_tunnel_protocol","valueString": "wireguard"}]}]}]}Refer to Per-app VPN parameters to learn more about the MDM parameters introduced to support the per-app VPN for Android devices.
-
After you have configured the deployment parameters, click Next.
-
-
Fill out the assignments for the configuration policy. The admin can
IncludeorExcludespecific groups of users to this policy. After you finish, select Next. -
Review the policy and select Create.
- Go to Apps > All Apps > select Cloudflare One Agent.
- Under Manage, select Properties and near Assignments, select Edit.
- Add the groups of users in the assignments > select Review + Save > select Save.
Intune will now deploy the Cloudflare One Agent application on a user's device with the managed parameters.