Cloudflare Docs
Cloudflare Zero Trust
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

Enforce device posture

With Cloudflare Zero Trust, you can configure Zero Trust policies that rely on additional signals from the WARP client or from third-party endpoint security providers. When device posture checks are configured, users can only connect to a protected application or network resource if they have a managed or healthy device.

​​ 1. Enable device posture checks

Setup instructions vary depending on the device posture attribute. Refer to the links below to view the setup guide for your provider.

​​ 2. Verify device posture checks

Before integrating a device posture check in a Gateway or Access policy, you should verify that the Pass/Fail result from the device matches your expectations.

  1. In the Zero Trust Dashboard, go to My Team > Devices.
  2. Find the device running the posture check and select View.
  3. Scroll down to WARP client posture checks and Service provider posture checks.
  4. Select a result to review details. You will see the value returned from the device, as well as the value required to pass the check.

Device posture results in the Zero Trust dashboard

​​ 3. Build a device posture policy

You can now use your device posture check in an Access policy or a Gateway network policy. In Access, the enabled device posture attributes will appear in the list of available selectors. In Gateway, the attributes will appear when you choose the Passed Device Posture Check selector.

​​ 4. Ensure traffic is going through WARP

WARP client and Service-to-service posture checks rely on traffic going through WARP to properly lookup posture information for a device. In your Split Tunnel configuration, ensure that the following domains are included in WARP:

  • The IdP used to authenticate to Cloudflare Zero Trust if posture check is part of an Access policy.
  • <your-team-name> if posture check is part of an Access policy.
  • The application protected by the Access or Gateway policy.