---
title: Parameters
description: Explore parameters for deploying the Cloudflare One Client via MDM, including organization setup and device registration for Zero Trust.
image: https://developers.cloudflare.com/zt-preview.png
---
[Skip to content](#%5Ftop)
### Tags
[ XML ](https://developers.cloudflare.com/search/?tags=XML)[ Post-quantum ](https://developers.cloudflare.com/search/?tags=Post-quantum)
Was this helpful?
YesNo
[ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose)
Copy page
# Parameters
Each Cloudflare One Client (formerly WARP) supports the following set of parameters as part of their deployment, regardless of the deployment mechanism.
Note
Most of the parameters listed below are also configurable in Cloudflare One under **Team & Resources** \> **Devices**. In the event of conflicting settings, the Cloudflare One Client will always give precedence to settings on the local device (for example, in your `mdm.xml` or `com.cloudflare.warp.plist` files).
## Required for full Cloudflare Zero Trust features
For the majority of Cloudflare Zero Trust features to work, you need to specify a team name. Examples of Cloudflare Zero Trust features which depend on the team name are [HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/), [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/), and [device posture](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/).
### `organization`
Instructs the client to register the device with your organization. Registration requires authentication via an [IdP](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) or [Service Auth](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/).
**Value Type:** `string`
**Value:** Your team name.
## Required for DNS-only policy enforcement
This field is used to enforce DNS policies when deploying the client in DoH-only mode.
### `gateway_unique_id`
Instructs the client to direct all DNS queries to a specific [Gateway DNS location](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/). This value is only necessary if deploying without a [team name](#organization) or in an organization with multiple DNS locations. If you do not supply a DoH subdomain, we will automatically use the default Gateway DNS location for your organization.
**Value Type:** `string`
**Value:** Your DoH subdomain.
## Organization parameters
You can use the following parameters to configure a specific Zero Trust organization.
### `auth_client_id`
Enrolls the device in your Zero Trust organization using a [service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/#create-a-service-token). Requires the `auth_client_secret` parameter.
**Value Type:** `string`
**Value:** Client ID of the service token.
Example configuration:
```
auth_client_id
88bf3b6d86161464f6509f7219099e57.access
auth_client_secret
bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5
```
Note
The service token must have _Service Auth_ [device enrollment permissions](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/device-enrollment/#check-for-service-token). Allow permissions will not work for service tokens.
### `auth_client_secret`
Enrolls the device in your Zero Trust organization using a [service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/#create-a-service-token). Requires the `auth_client_id` parameter.
**Value Type:** `string`
**Value:** Client Secret of the service token.
### `auto_connect`
If switch has been turned off by user, the client will automatically turn itself back on after the specified number of minutes. We recommend keeping this set to a very low value — usually just enough time for a user to log in to hotel or airport Wi-Fi. If any value is specified for `auto_connect` the default state of the Cloudflare One Client will always be Connected (for example, after the initial install or a reboot).
**Value Type:** `integer`
**Value:**
* `0` — Allow the switch to stay in the off position indefinitely until the user turns it back on.
* `1` to `1440` — Turn switch back on automatically after the specified number of minutes.
Note
This parameter replaces the old `enabled` property, which can no longer be used in conjunction with the new `switch_locked` and `auto_connect`. If you want to use these parameters, you must remove `enabled`.
### `display_name`
Identifies a Zero Trust organization in the Cloudflare One Client GUI when the client is deployed with [multiple organizations](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/switch-organizations/). Required if the `organization` parameter is specified within a [configs array](#configs).
**Value Type:** `string`
**Value:** Organization nickname shown to users in the Cloudflare One Client GUI (for example, `Test environment`).
### `enable_netbt`
NetBIOS over TCP/IP (NetBT) is a legacy feature in Windows primarily used for name resolution in some [rare scenarios](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#when-to-enable-netbt). The Cloudflare One Client disables NetBT on the tunnel interface by default for security reasons. If your organization still relies on legacy applications that require NetBT, you can override the default behavior and enable NetBT.
**Value Type:** `boolean`
**Value:**
* `false` — (default) Disables NetBT on the Cloudflare One Client tunnel interface.
* `true` — Enables NetBT on the Cloudflare One Client tunnel interface.
### `enable_pmtud`
[Path MTU Discovery (PMTUD)](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/path-mtu-discovery/) allows the Cloudflare One Client to discover the largest packet size that can be sent over the current network and optimize connection performance.
**Value Type:** `boolean`
**Value:**
* `false` — (default) Disables PMTUD.
* `true` — Enables PMTUD on the Cloudflare One Client tunnel interface.
### `enable_post_quantum`
Feature availability
| [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) |
| ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- |
| Traffic and DNS mode Traffic only mode | All plans |
| System | Availability | Minimum WARP version |
| -------- | ------------ | -------------------- |
| Windows | ✅ | 2025.5.735.1 |
| macOS | ✅ | 2025.5.735.1 |
| Linux | ✅ | 2025.5.735.1 |
| iOS | ✅ | 1.10 |
| Android | ✅ | 2.4 |
| ChromeOS | ✅ | 2.4 |
The Cloudflare One Client uses [post-quantum cryptography](https://developers.cloudflare.com/ssl/post-quantum-cryptography/) to secure connections from the device to Cloudflare's network. Post-quantum cryptography requires the [MASQUE protocol](#warp%5Ftunnel%5Fprotocol) and is enabled by default on all devices using MASQUE.
**Value Type:** `boolean`
**Value:**
* `false` — Disables post-quantum key agreement.
* `true` — Enables post-quantum key agreement for all traffic through the WARP tunnel.
### `environment`
Feature availability
| [Client modes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans ↗](https://www.cloudflare.com/teams-pricing/) |
| ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- |
| All modes | All plans |
| System | Availability | Minimum WARP version |
| -------- | ------------ | -------------------- |
| Windows | ✅ | 2025.9.558.0 |
| macOS | ✅ | 2025.9.558.0 |
| Linux | ✅ | 2025.9.558.0 |
| iOS | ✅ | 1.12.0 |
| Android | ✅ | 2.5.1 |
| ChromeOS | ✅ | 2.5.1 |
Configures the Cloudflare One Client to connect to Cloudflare's FedRAMP High authorized environment.
**Value Type:** `string`
**Value:**
* `normal` — (default) The Cloudflare One Client connects to the standard API endpoints, IPs, and domains (like `.cloudflare-gateway.com`) and forwards traffic to Cloudflare data centers worldwide.
* `fedramp_high` — The Cloudflare One Client connects to FedRAMP-specific API endpoints, IPs, and domains (like `.fed.cloudflare-gateway.com`). Traffic is forwarded to FedRAMP High compliant data centers for processing. To configure the FedRAMP High environment, you must allow the [FedRAMP-specific endpoints, IPs, and domains](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/) through your firewall.
When using [multiple configurations](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/switch-organizations/) for the same organization, all configurations must specify the same `environment` value. A single organization cannot operate in both the normal and FedRAMP High environments. For example, if your FedRAMP High organization has multiple MDM configurations (such as production and staging), each configuration for that organization must include `environment` set to `fedramp_high`:
```
configs
organization
mycompany-gov
display_name
Production
environment
fedramp_high
organization
mycompany-gov
display_name
Staging
environment
fedramp_high
organization
test-org
display_name
Test
environment
normal
```
Explain Code
### `external_emergency_signal_fingerprint`
The SHA-256 fingerprint that the Cloudflare One Client will use to validate the [external\_emergency\_signal\_url](#external%5Femergency%5Fsignal%5Furl) HTTPS endpoint. Refer to [External Emergency Disconnect](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/external-disconnect) for details on how to extract this fingerprint.
**Value Type:** `string`
**Value:** SHA-256 fingerprint of the HTTPS server certificate (for example, `DD4F4806C57A5BBAF1AA5B080F0541DA75DB468D0A1FE731310149500CCD8662`)
### `external_emergency_signal_interval`
How often the Cloudflare One Client will poll [external\_emergency\_signal\_url](#external%5Femergency%5Fsignal%5Furl) for an [External Emergency Disconnect](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/external-disconnect/) signal.
**Value Type:** `integer`
**Value:** Polling frequency in seconds (minimum `30`, default `300`)
### `external_emergency_signal_url`
The HTTPS endpoint that the Cloudflare One Client will poll for an [External Emergency Disconnect](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/external-disconnect/) signal.
**Value Type:** `string`
**Value:** `https://192.0.2.1:3333/status/disconnect`
The URL must use `https://` and use an IPv4 or IPv6 address as host (not a domain).
### `onboarding`
Controls the visibility of the onboarding screens that ask the user to review the privacy policy during an application's first launch.
**Value Type:** `boolean`
**Value:**
* `false` — Screens hidden.
* `true` — (default) Screens visible.
### `override_api_endpoint`
Overrides the [IP address](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#client-orchestration-api) used by the Cloudflare One Client to communicate with the client orchestration API. If you set this parameter, be sure to update your organization's firewall to ensure the new IP is allowed through.
This functionality is intended for use with a Cloudflare China local network partner or any other third-party network partner that can maintain the integrity of network traffic. Most IT admins should not set this setting as it will redirect all API traffic to a new IP.
**Value Type:** `string`
**Value:** `1.2.3.4` — Redirect all client orchestration API calls to `1.2.3.4`.
The string must be a valid IPv4 or IPv6 address, otherwise the Cloudflare One Client will fail to parse the entire MDM file.
### `override_doh_endpoint`
Note
Only supported in DNS only mode.[1](#user-content-fn-1)
Overrides the [IP address](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#doh-ip) used by the Cloudflare One Client to resolve DNS queries via DNS over HTTPS (DoH). If you set this parameter, be sure to update your organization's firewall to ensure the new IP is allowed through.
This functionality is intended for use with a Cloudflare China local network partner or any other third-party network partner that can maintain the integrity of network traffic. Most IT admins should not set this setting as it will redirect all DoH traffic to a new IP.
**Value Type:** `string`
**Value:** `1.2.3.4` — Redirect all DNS over HTTPS lookups to `1.2.3.4`.
The string must be a valid IPv4 or IPv6 address, otherwise the Cloudflare One Client will fail to parse the entire MDM file.
### `override_warp_endpoint`
Overrides the [IP address and UDP port](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/#warp-ingress-ip) used by the Cloudflare One Client to send traffic to Cloudflare's edge. If you set this parameter, be sure to update your organization's firewall to ensure the new IP is allowed through.
This functionality is intended for use with a Cloudflare China local network partner or any other third-party network partner that can maintain the integrity of network traffic. Most IT admins should not set this setting as it will redirect all Cloudflare One Client traffic to a new IP.
**Value Type:** `string`
**Value:** `203.0.113.0:500` — Redirect all Cloudflare One Client traffic to `203.0.113.0` on port `500`.
The string must be a valid IPv4 or IPv6 socket address (containing the IP address and port number), otherwise the Cloudflare One Client will fail to parse the entire MDM file.
### `service_mode`
Allows you to choose the operational mode of the client.
**Value Type:** `string`
**Value:**
* `warp` — (default) [Traffic and DNS mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#traffic-and-dns-mode-default).
* `1dot1` — [DNS only mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#dns-only-mode).
* `proxy` — [Local proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode). Use the `proxy_port` parameter to specify the localhost SOCKS proxy port (between `0`\-`66535`). For example,
```
service_mode
proxy
proxy_port
44444
```
* `postureonly` — [Posture only mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#posture-only-mode).
* `tunnelonly` \- [Traffic only mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#traffic-only-mode).
### `support_url`
When the Cloudflare One Client is deployed via MDM, the in-app **Send Feedback** button is disabled by default. This parameter allows you to re-enable the button and direct feedback towards your organization.
**Value Type:** `string`
**Value:**
* `https://` — Use an `https://` link to open your company's internal help site.
* `mailto:` — Use a `mailto:` link to open your default mail client.
### `switch_locked`
Allows the user to turn off the client switch and disconnect the Cloudflare One Client.
**Value Type:** `boolean`
**Value:**
* `false` — (default) The user is able to turn the switch on/off at their discretion. When the switch is off, the user will not have the ability to reach sites protected by Access that leverage certain device posture checks.
* `true` — The user is prevented from turning off the switch. The Cloudflare One Client will automatically start in the connected state.
On new deployments, you must also include the `auto_connect` parameter with at least a value of `0`. This will prevent clients from being deployed in the off state without a way for users to manually enable them.
Note
This parameter replaces the old `enabled` property, which can no longer be used in conjunction with the new `switch_locked` and `auto_connect`. If you want to use these parameters, you must remove `enabled`.
### `unique_client_id`
Note
Only valid for iOS and Android/ChromeOS.
Assigns a unique identifier to the device for the [device UUID posture check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/device-uuid).
**Value Type:** `string`
**Value:** UUID for the device (for example, `496c6124-db89-4735-bc4e-7f759109a6f1`).
### `warp_tunnel_protocol`
Configures the protocol used to route IP traffic from the device to Cloudflare Gateway. For more information, refer to [Device tunnel protocol](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#device-tunnel-protocol).
**Value Type:** `string`
**Value:**
* `masque` — (default) [MASQUE ↗](https://datatracker.ietf.org/wg/masque/about/) protocol
* `wireguard` — [WireGuard ↗](https://www.wireguard.com/) protocol
## Top-level parameters
Top-level parameters determine how the Cloudflare One Client manages device registrations.
### `configs`
Allows a user to [switch between Zero Trust organizations](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/switch-organizations/) in the Cloudflare One Client GUI. The `configs` array is also required when using another [top-level parameter](#top-level-parameters) such as `multi_user` or `pre_login`, even if only one organization is specified.
**Value Type:** `array`
**Value:** An array containing one or more Zero Trust organizations.
### `multi_user`
Enables multiple user registrations on a Windows device.
**Value Type:** `boolean`
**Value:**
* `false` — (default) Only one Cloudflare One Client registration is stored per device. After a user logs in to the Cloudflare One Client, their settings and identity will apply to all traffic from the device.
* `true` — Each Windows user has their own Cloudflare One Client registration. For more information, refer to [Multiple users on a Windows device](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/windows-multiuser/).
### `pre_login`
Allows the Cloudflare One Client to connect with a service token before a user completes the initial Windows login. For more information, refer to [Connect the Cloudflare One Client before Windows login](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/windows-prelogin/).
## Per-app VPN parameters (Android)
[Per-app VPN ↗](https://support.google.com/work/android/answer/9213914?hl=en) parameters allow you to choose the Android apps that can send traffic through the WARP tunnel. Admins can configure these parameters via any MDM tool that supports deploying an Android app to managed devices or work profiles.
### `app_identifier`
An application package name/bundle identifier which uniquely identifies the app on the Google Play Store. This application will be tunneled through the Cloudflare One Client service.
**Value Type**: `string`
**Value**: The app identifier can be found in the ID query parameter of the specific app's Play Store URL. For example: in the case of `https://play.google.com/store/apps/details?id=com.cloudflare.cloudflareoneagent`, the app identifier for the Cloudflare One Agent app is `com.cloudflare.cloudflareoneagent`.
### `is_browser`
An optional property. `is_browser` will help the Cloudflare One Agent application decide which browser to open instead of the default browser for specific features such as re-authentication and Gateway block notifications. If needed, admins should explicitly indicate that a given `tunneled_app` is a browser, rather than relying on automatic browser detection.
**Value Type**: `boolean`
**Value**: If the value is `true`, identifies the application defined in `app_identifier` as a browser. The default value is `false` and `is_browser` is an optional property.
## Footnotes
1. Traffic and DNS mode is supported in client version 2025.2.664.0 and below. In version 2025.4.589.1 and above, this parameter does not apply to Traffic and DNS mode because all DoH traffic goes inside of the WARP tunnel. [↩](#user-content-fnref-1)
```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/team-and-resources/","name":"Team and resources"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/team-and-resources/devices/","name":"Devices"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/team-and-resources/devices/cloudflare-one-client/","name":"Cloudflare One Client"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/","name":"Deploy the Cloudflare One Client"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/","name":"Managed deployment"}},{"@type":"ListItem","position":8,"item":{"@id":"/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/","name":"Parameters"}}]}
```