Block internet access until user authenticates
Feature availability
| Client modes | Zero Trust plans ↗ |
|---|---|
| All modes | All plans |
| System | Availability | Minimum WARP version |
|---|---|---|
| Windows | ✅ | 2026.5.0 |
| macOS | ❌ | |
| Linux | ❌ | |
| iOS | ❌ | |
| Android | ❌ | |
| ChromeOS | ❌ |
When no-auth-no-internet is enabled, the Cloudflare One Client locks down general internet traffic on the device whenever the device is in an unauthenticated state (i.e., without a valid device registration). During this lockdown, the client allows only the traffic required for the device to remain on the network and for the user to complete IdP authentication. Once the user signs in, normal connectivity resumes and your configured Gateway, Access, RBI, and DLP policies take effect.
When this feature is enabled, the authentication is done via in-app WebView2 browser instead of the default browser on the system.
The lockdown re-engages automatically any time the device transitions back to an unauthenticated state — for example, if the registration expires, another OS user that has never authenticated with the Cloudflare One Client logs in while in multi-user mode, or the user switches into a new organization.
- The Cloudflare One Client must be deployed via MDM.
- The device must have WebView2 available. By default, the WebView2 runtime should be present on all Windows versions that Cloudflare One Client supports.
To enable the feature, deploy an MDM file with the no_auth_no_internet top-level key set to true:
<dict> <key>no_auth_no_internet</key> <true/> <key>configs</key> <array> <dict> <key>organization</key> <string>your-team-name</string> <key>display_name</key> <string>Default</string> </dict> </array></dict>When the Cloudflare One Client reads this configuration and detects that no user is authenticated, it applies the firewall lockdown and prompts the user to authenticate. After successful authentication, the lockdown is completely lifted.
By default, the Cloudflare One Client permits traffic to RFC 1918 ↗ private address ranges (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) while the device is locked down. This allows the device to reach on-premise resources such as a domain controller, an MDM server, or a local printer before the user authenticates.
To block RFC 1918 traffic during lockdown, set no_auth_no_internet_block_rfc_1918 to true:
<dict> <key>no_auth_no_internet</key> <true/> <key>no_auth_no_internet_block_rfc_1918</key> <true/> <key>configs</key> <array> <dict> <key>organization</key> <string>your-team-name</string> <key>display_name</key> <string>Default</string> </dict> </array></dict>- The lockdown is enforced only when there is an active interactive user session (for example, a user is logged in and the device is not locked).
- Since authentication now occurs in an embedded WebView2 window, IdP flows that depend on the user's default browser (for example, browser-specific extensions or password managers) may not work.
- Some Windows applications, including Copilot and Teams (personal), may retain internet access while the Cloudflare One Client authentication window is open.