--- title: Jamf description: Learn how to deploy the Cloudflare One Client using Jamf. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ MacOS ](https://developers.cloudflare.com/search/?tags=MacOS) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/partners/jamf.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Jamf This guide covers how to deploy the Cloudflare One Client (formerly WARP) using Jamf. ## macOS ### Prerequisites * A [Jamf Pro account ↗](https://www.jamf.com/products/jamf-pro/) * A Cloudflare account that has a [Zero Trust organization](https://developers.cloudflare.com/cloudflare-one/setup/#2-create-a-zero-trust-organization) * macOS devices enrolled in Jamf ### 1\. Upload the Cloudflare One Client package 1. [Download](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/#macos) the `Cloudflare_WARP.pkg` file. 2. Log in to your [Jamf ↗](https://www.jamf.com/) account. 3. Go to **\*Settings** (gear icon). 4. Select **Computer Management** \> **Packages** \> **New**. 5. Upload the `Cloudflare_WARP_.pkg` file. 6. For **Display Name**, we recommend entering the version number of the package being uploaded. 7. Select **Save** to complete the upload. Repeat this step to update the Cloudflare One Client when a new release is available Every time a new Cloudflare One Client version is released, you must repeat this process and upload a new `.pkg` file for the new version. ### 2\. Create a Jamf policy 1. Go to **Computers** \> **Policies** \> **\+ New**. 2. Enter a **Display Name** such as `Cloudflare One Client`. 3. For **Triggers**, choose the events that will trigger a Cloudflare One Client deployment. We recommend selecting **Startup**, **Login**, **Enrollment Complete**, and **Recurring Check-in**. 4. Select **Packages** \> **Configure**. 5. Select **Add** next to the `Cloudflare_WARP_.pkg` file you previously uploaded. 6. Select **Save**. ### 3\. Add a Configuration Profile 1. Go to **Computers** \> **Configuration Profiles** \> **New**. 2. Enter a name for your new profile, such as `Cloudflare Zero Trust`. 3. Scroll through the **Options** list and select **Application & Custom Settings** \> **Upload**. 4. In **Preference Domain**, enter `com.cloudflare.warp`. 5. To configure the **Property List**: 1. [Create a plist file](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/#plist-file) with your desired deployment parameters. 2. Upload your `plist` file to Jamf and select **Save**. 6. (Recommended) Advanced security features require deploying a [user-side certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) so that devices can establish trust with Cloudflare when their traffic is inspected. To deploy a user-side certificate using Jamf: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), [generate and activate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/#generate-a-cloudflare-root-certificate) a Cloudflare root certificate. 2. [Download the Cloudflare root certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/#download-a-cloudflare-root-certificate) in `.pem` format. 3. [Convert](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/#convert-the-certificate) the certificate to `.cer` format. 4. In your Jamf configuration profile, scroll down the **Options** list and select **Certificate** \> **Configure**. 5. Enter a **Display name** for the certificate such as `Cloudflare root certificate`. 6. In the **Select Certificate Option** dropdown, select _Upload_. 7. Upload your `.cer` file and select **Save**. 7. Go to **Scope** to configure which devices in your organization will receive this profile. 8. Select **Save**. Jamf will now deploy the Cloudflare One Client to targeted macOS devices. After deploying the Cloudflare One Client, you can check its connection progress using the [Connectivity status](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/connectivity-status/) messages displayed in the Cloudflare One Client GUI. ## iOS The Cloudflare One Agent allows for an automated install via Jamf. ### Prerequisites Create an [XML file](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/#ios) with your custom deployment preferences. ### Configure Jamf for iOS 1. Log in to your [Jamf ↗](https://www.jamf.com/) account. 2. Go to **Devices** \> **Mobile Device Apps** \> **\+ New**. 3. Select _App store app or apps purchased in volume_ and select **Next**. 4. In the search box, enter `Cloudflare One Agent`. Select **Next**. 5. In the row for _Cloudflare One Agent by Cloudflare Inc._, select **Add**. To verify that it is the correct application, view it in the [App Store ↗](https://apps.apple.com/us/app/cloudflare-one-agent/id6443476492). 6. Go to **Scope** and specify the devices in your organization that will receive the application. 7. Go to **App Configuration** and copy/paste your XML file. 8. Select **Save**. Jamf is now configured to deploy the Cloudflare One Agent. After deploying the Cloudflare One Client, you can check its connection progress using the [Connectivity status](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/connectivity-status/) messages displayed in the Cloudflare One Client GUI. ### Per-app VPN Note Per-app VPN is supported on Cloudflare One Agent version `1.8` or greater for iOS. Before proceeding with per-app VPN configuration, you must make sure [Auto connect](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#auto-connect) is disabled in Zero Trust. To disable Auto connect: 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Team & Resources** \> **Devices** \> **Device profiles** \> **General profiles**. 2. Select your device profile and select **Edit**. 3. Turn off **Auto Connect**. To configure per-app VPN: 1. Log in to the Jamf dashboard for your organization. 2. Go to **Devices** \> **Configuration Policies** \> select **\+ New**. 3. Under **Options**, select **VPN**. Then: * Give the VPN a **Connection Name**. * Select _Per-App VPN_ from the **VPN Type** dropdown menu. * Check the box for **Automatically start Per-App VPN connection**. 4. Under Per-App VPN Connection Type, set the **Connection Type** to _Custom SSL_ via the dropdown menu. Then, enter `com.cloudflare.cloudflareoneagent` as the **Identifier**, `1.1.1.1` as the **Server**, and `com.cloudflare.cloudflareoneagent.worker` as the **Provider Bundle Identifier**. 5. Set the **Provider Type** to _Packet-Tunnel_ and select the checkboxes for **Include All Networks** and **Enable VPN on Demand**. 6. Go to the **Scope** tab and add the devices that will use the Per-App VPN. 7. Save the Configuration Profile. 8. Go to **Devices** \> **Mobile Device Apps** \> select **\+ New**. 9. As the **App Type**, select **App Store app or apps purchased in volume** and select **Next**. 10. In the search bar, enter the name of the app that you want to use the VPN for and select **Next**. Note Alternatively, if you already know the **Bundle Identifier** of the app you want to go through the VPN, select **Enter Manually**. 1. Find the app you are looking for in the search results and select **Add**. 2. Select your preferred **Distribution Method** and under **Per-App Networking**, select the VPN connection you just configured. 3. Repeat steps 8-12 for each app you want to use the VPN. Note To support re-authentication, you must include a third-party browser that Cloudflare One can use to re-authenticate the user. The following third-party browsers are supported: * Google Chrome * Firefox * Firefox Focus * Microsoft Edge * Brave * Opera Cloudflare One will continue to use a Safari window for initial authentication per-security best practices. Note Cloudflare One cannot apply split tunnel setting for a per app VPN. Included or excluded domains can be added to the Configuration Profile under Safelisted Domains and Blocklisted Domains sections respectively. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/team-and-resources/","name":"Team and resources"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/team-and-resources/devices/","name":"Devices"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/team-and-resources/devices/cloudflare-one-client/","name":"Cloudflare One Client"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/","name":"Deploy the Cloudflare One Client"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/","name":"Managed deployment"}},{"@type":"ListItem","position":8,"item":{"@id":"/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/partners/","name":"Partners"}},{"@type":"ListItem","position":9,"item":{"@id":"/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/partners/jamf/","name":"Jamf"}}]} ```