Skip to content

Connect WARP before Windows login

Feature availability

WARP modesZero Trust plans
All modesAll plans
SystemAvailabilityMinimum WARP version
Windows2024.6.415.0
macOS
Linux
iOS
Android
ChromeOS

With Cloudflare Zero Trust, you can use an on-premise Active Directory (or similar) server to validate a remote user's Windows login credentials. Before the user enters their Windows login information for the first time, the WARP client establishes a connection using a service token. This initial connection is not associated with a user identity. Once the user completes the Windows login, WARP switches to an identity-based session and applies the user registration to all future logins.

Prerequisites

1. Create a service token

  1. In Zero Trust, go to Access > Service Auth > Service Tokens.

  2. Select Create Service Token.

  3. Name the service token. The name allows you to easily identify events related to the token in the logs and to revoke the token individually.

  4. Choose a Service Token Duration. This sets the expiration date for the token.

  5. Select Generate token. You will see the generated Client ID and Client Secret for the service token, as well as their respective request headers.

  6. Copy the Client Secret.

2. Create a device enrollment policy

In your device enrollment permissions, create the following policy:

Rule ActionRule typeSelectorValue
Service AuthIncludeService Token<TOKEN-NAME>

2. (Optional) Restrict access during pre-login

Devices enrolled via a service token are identified by the email address non_identity@<team-name>.cloudflareaccess.com. Using this email address, you can apply specific device profile settings and Gateway network policies during the pre-login state. For example, you could provide access to only those resources necessary to complete the Windows login and/or device management activities.

Example device profile rule

SelectorOperatorValueLogic
User emailinnon_identity@<team-name>.cloudflareaccess.comAnd
Operating systemisWindows

Example Gateway network policy

SelectorOperatorValueLogic
Destination IPin listActive Directory serversAnd
User emailinnon_identity@<team-name>.cloudflareaccess.comAnd
Passed Device Posture ChecksinWindows 10 or higher (OS version)
Action
Allow

3. Configure the MDM file

To enable the Windows pre-login feature, an MDM file in the following format must be deployed on the device. In the following example, the pre_login key allows the device to connect using the service token, while configs contains your default Zero Trust configuration.

<dict>
<key>pre_login</key>
<dict>
<key>organization</key>
<string>mycompany</string>
<key>auth_client_id</key>
<string>TOKEN-ID</string>
<key>auth_client_secret</key>
<string>TOKEN-SECRET</string>
</dict>
<key>configs</key>
<array>
<dict>
<key>organization</key>
<string>mycompany</string>
<key>display_name</key>
<string>Default</string>
</dict>
</array>
</dict>

WARP will only apply the pre-login configuration when no other WARP registration exists and the user has not yet logged into Windows. When the pre-login configuration is in effect, the device will appear on My Team > Devices with the email non_identity@<team-name>.cloudflareaccess.com.

After the user logs into Windows, WARP will automatically switch to the default MDM configuration and prompt the user to authenticate with the IdP. Once authenticated, WARP registers and connects with the user identity. The My Team > Devices page will now show a new device associated with the user's email. This user registration will then be used for any subsequent connections, including before the next Windows user login.

Deleting the user registration would cause WARP to switch back to the pre-login configuration as soon as the user logs out of Windows.