Enforce device posture
With Cloudflare Zero Trust, you can configure Zero Trust policies that rely on additional signals from the WARP client or from third-party endpoint security providers. When device posture checks are configured, users can only connect to a protected application or network resource if they have a managed or healthy device.
1. Enable device posture checks
Setup instructions vary depending on the device posture attribute. Refer to the links below to view the setup guide for your provider.
- WARP client checks are performed by the Cloudflare WARP client.
- Service provider checks are performed by third-party device posture providers.
- Access-only checks are only configurable for Access applications. These attributes cannot be used in Gateway policies.
2. Verify device posture checks
Before integrating a device posture check in a Gateway or Access policy, you should verify that the Pass/Fail result from the device matches your expectations.
- In the Zero Trust dashboard, go to My Team > Devices.
- Find the device running the posture check and select View.
- Scroll down to WARP client posture checks and Service provider posture checks.
- Select a result to review details. You will see the value returned from the device, as well as the value required to pass the check.
3. Build a device posture policy
You can now use your device posture check in an Access policy or a Gateway policy. In Access, the enabled device posture attributes will appear in the list of available selectors. In Gateway, the attributes will appear when you choose the device posture selector.
4. Ensure traffic is going through WARP
Device posture checks are only enforced on traffic that is routed through WARP. Traffic to the following destinations must go through the WARP client:
- The IdP used to authenticate to Cloudflare Zero Trust, if the posture check is part of an Access policy.
- <your-team-name>.cloudflareaccess.com, if the posture check is part of an Access policy.
- The application protected by the Access or Gateway policy.
Policy enforcement rate
Because Gateway evaluates network and HTTP policies on every request, it maintains a local cache of posture results that is only updated every five minutes. Therefore, Gateway policies are subject to an additional five-minute delay. For example, if you set your polling frequency to 10 minutes, it may take up to 15 minutes for Gateway to detect posture changes on a device.
WARP client checks
By default, the WARP client polls the device for status changes every five minutes. If for some reason the new posture result does not update on Cloudflare's edge, the previous result is considered valid for 24 hours. You can modify the polling frequency and the expiration duration for WARP client checks.
Service provider checks
When setting up a service provider check, you will choose a polling frequency to determine how often Cloudflare will query the third-party API. The polling frequency also sets the expiration time for the device posture result.
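As an added example (not Cloudflare's code), the following Python models the timing rules stated under Policy enforcement rate, WARP client checks and Service provider checks: the five-minute Gateway cache lag on top of the polling interval, the 24-hour validity of a WARP result that stops updating, and a service provider result expiring after one polling interval. The PostureResult class, the helper names and the check names are constructed for illustration and assume the default timings on this page.

```python
from dataclasses import dataclass

# Timings stated on this page, in minutes.
GATEWAY_CACHE_INTERVAL = 5        # Gateway refreshes its local posture cache every five minutes
WARP_DEFAULT_POLL = 5             # WARP client polls the device every five minutes by default
WARP_RESULT_VALIDITY = 24 * 60    # a WARP result that stops updating stays valid for 24 hours


@dataclass(frozen=True)
class PostureResult:
    """Last result the Cloudflare edge holds for one device and one check (constructed model)."""
    check: str
    passed: bool
    age_minutes: float       # time since the edge last received a result for this check
    validity_minutes: float  # WARP checks: 24 h; service provider checks: their polling frequency


def warp_result(check: str, passed: bool, age_minutes: float) -> PostureResult:
    """Result produced by a WARP client check; the edge keeps it for 24 hours."""
    return PostureResult(check, passed, age_minutes, WARP_RESULT_VALIDITY)


def provider_result(check: str, passed: bool, age_minutes: float, polling_minutes: float) -> PostureResult:
    """Result produced by a service provider check; its polling frequency is also its expiry."""
    return PostureResult(check, passed, age_minutes, polling_minutes)


def is_current(result: PostureResult) -> bool:
    """A result is usable until its validity window has elapsed."""
    return result.age_minutes < result.validity_minutes


def satisfies_policy(result: PostureResult) -> bool:
    """An expired result cannot satisfy a policy, whatever its last value was."""
    return is_current(result) and result.passed


def max_gateway_detection_delay(poll_minutes: float) -> float:
    """Worst case for a Gateway policy: the device changes state just after a poll,
    then Gateway keeps serving its cached result for a full refresh interval."""
    return poll_minutes + GATEWAY_CACHE_INTERVAL


def stale_pass_exposure(result: PostureResult) -> float:
    """How long a device whose result silently stopped updating keeps passing:
    the remainder of the validity window, plus Gateway's cache lag."""
    if not result.passed:
        return 0.0
    remaining = max(result.validity_minutes - result.age_minutes, 0.0)
    return remaining + GATEWAY_CACHE_INTERVAL
```

The stale_pass_exposure figure is the window a defender should plan around when a device stops reporting: a shorter expiration or polling frequency shrinks it at the cost of more frequent API queries.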