When this toggle is enabled, you can provide end users with a one-time password that will allow them to toggle off the WARP client in case they need to work around a temporary network issue (for example, an incompatible public Wi-Fi, or a firewall at a customer site blocking the connection).
When the toggle is disabled, one-time passwords will not be generated, and end users will not be able to toggle the client off when Switch Locked is true.
You can also set a timeout to define how long the WARP client is allowed to be paused once the end user disables it. Once the time is up, the WARP client will automatically reconnect.
When you want to allow a user to disable the WARP client:
- Log in to the Zero Trust Dashboard and ensure the Admin override toggle is enabled.
- Retrieve the 7-digit override code for their device by navigating to My Team > Devices > Connected devices, clicking on View for the desired device, and scrolling down to User details.
- Copy the code and share it with the end user for them to enter on their device.
Users will then need to open the WARP client on their devices, navigate to Preferences > Advanced > Enter code, and enter the override code in the pop-up window. The WARP client will now show as Disconnected and will mention the time when it will automatically reconnect.
Device enrollment permissions
Cloudflare Zero Trust allows you to establish which users in your organization can enroll new devices or revoke access to connected devices. To do that, you can create a device enrollment rule on the Zero Trust dashboard:
- Navigate to Settings > WARP Client.
- In the Device enrollment permissions card, click Manage.
- In the rule builder, configure one or more rules to define who can enroll or revoke devices.
- Click Save.
Captive portal detection
Captive Portal detection is the ability for the WARP client to detect a third-party onboarding flow before Internet access is obtained. This is most frequent in places such as airports, cafes, and hotels.
When the toggle is enabled, the WARP client will automatically turn off when it detects a captive portal, and it will automatically turn on after the amount of time you specify in the card.
Lock WARP switch
Allows the user to turn off the WARP switch and disconnect the client.
Disabled— (default) The user is able to turn the switch on/off at their discretion. When the switch is off, the user will not have the ability to reach sites protected by Access that leverage certain device posture checks.
Enabled— The user is prevented from turning off the switch. The WARP Agent will start in the connected state when this is enabled.
On new deployments, you must also include the auto_connect parameter with at least a value of 0. This will prevent clients from being deployed in the off state without a way for users to manually enable them.
Allow device to leave organization
When the toggle is enabled, users who manually logged in to their organization on WARP are prevented from leaving that organization. This disables the Logout from Zero Trust and Reset All Settings buttons in the WARP client interface. If the WARP client has been deployed with a management tool and a local policy exists, then this switch is bypassed and clients are always prevented from leaving.
When the toggle is enabled, users will receive update notifications when a new version of the client is available. Only turn this on if your users are local administrators with the ability to add/remove software from their device.
We recommend keeping this set to a very low value, usually just enough time for a user to log in to hotel or airport Wi-Fi. If any value is specified, the default state of the app will always be Connected (for example, after reboot or after initial install).
0— Allow the switch to stay in the off position indefinitely until the user turns it back on.
1440— Turn switch back on automatically after the specified number of minutes.
When the toggle is enabled, the Send Feedback button in the WARP client appears and will launch the URL specified. Example Support URL values are:
https://support.example.com - Use an https:// link to open your company's internal help site.
mailto:[email protected] - Use a mailto: link to open your default mail client.
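The deployment parameters described above (Lock WARP switch together with auto_connect, the auto-connect timeout, and the Support URL) can be checked before a configuration file is pushed to devices. The following is an added example, not Cloudflare's own code: it assumes a plist-style dict deployment file and the key names switch_locked and support_url alongside auto_connect, and the sample file, the max_pause_minutes limit and the https/mailto restriction are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample deployment file (assumed plist-style <dict> layout).
SAMPLE_MDM = """<dict>
  <key>organization</key><string>example-team</string>
  <key>switch_locked</key><true/>
  <key>support_url</key><string>http://support.example.com</string>
</dict>"""

def load_params(xml_text):
    """Turn alternating <key>/<value> children into a Python dict."""
    children = list(ET.fromstring(xml_text))
    params = {}
    for key, val in zip(children[0::2], children[1::2]):
        if val.tag in ("true", "false"):
            params[key.text] = val.tag == "true"
        elif val.tag == "integer":
            params[key.text] = int(val.text)
        else:
            params[key.text] = (val.text or "").strip()
    return params

def lint(params, max_pause_minutes=15):
    """Return findings; max_pause_minutes is a hypothetical local policy limit."""
    findings = []
    locked = bool(params.get("switch_locked"))
    auto = params.get("auto_connect")
    if locked and auto is None:
        findings.append("switch_locked without auto_connect: client may deploy off with no way to enable it")
    if auto is not None:
        if auto < 0:
            findings.append("auto_connect must be 0 or greater")
        elif auto == 0 and not locked:
            findings.append("auto_connect=0: switch can stay off indefinitely")
        elif auto > max_pause_minutes:
            findings.append(f"auto_connect={auto} exceeds policy limit of {max_pause_minutes} minutes")
    url = params.get("support_url")
    if url and urlparse(url).scheme not in ("https", "mailto"):
        findings.append("support_url should be an https:// or mailto: link")
    return findings

if __name__ == "__main__":
    for finding in lint(load_params(SAMPLE_MDM)):
        print("FINDING:", finding)
```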
- Gateway with WARP: DNS and device traffic is encrypted and processed by Gateway. This mode is required if you want to enable HTTP rules, Browser Isolation, Anti-Virus scanning and DLP.
- Gateway with DoH: Enforcement of DNS policies only through DoH. All other traffic is handled by default mechanisms on your devices.
- Proxy Only: Only traffic sent to the localhost proxy is encrypted by Gateway. This mode does not process DNS traffic.
Cloudflare Zero Trust allows you to perform one-click actions to accelerate Office 365 traffic. Navigate to Settings > Network on the Zero Trust dashboard and either:
- Create a Do Not Inspect policy that bypasses inspection for Office 365 traffic. This policy uses the , and in addition to that, it uses Cloudflare’s own intelligence to determine which traffic is part of this app type.
- Exclude Office 365 Traffic by adding your application’s IP address as a split tunnel entry. This uses the .