Date: 2025-10-21

A device profile defines WARP client settings for a specific set of devices in your organization. You can create multiple profiles and apply different settings based on the user's identity, the device's location, and other criteria.

For example, users in one identity provider group (signifying a specific office location) might have different routes that need to be excluded from their WARP tunnel, or some device types (like Linux) might need different DNS settings to accommodate local development services.

Create a new profile

Dashboard

1. In Zero Trust, go to Settings > WARP Client.
2. In the Profile settings card, select Create profile. This will make a copy of the Default profile.
3. Enter any name for the profile.
4. Create rules to define the devices that will use this profile. Learn more about the available Selectors, Operators, and Values.
5. Configure WARP settings for these devices.
   Note: At this time, Split Tunnels and Local Domain Fallback can only be modified after you save the profile.
6. Select Create profile.

Your profile will appear in the Profile settings list. You can rearrange the profiles in the list according to your desired order of precedence.

API

Send a POST request to the Devices API:

Required API token permissions: at least one of the following token permissions is required:

- Zero Trust Write

Create a device settings profile:

    curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/policy" \
      --request POST \
      --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
      --json '{
        "allow_mode_switch": false,
        "allow_updates": false,
        "allowed_to_leave": false,
        "auto_connect": 600,
        "captive_portal": 180,
        "description": "Example device profile recommended in the implementation documentation. For details, refer to https://developers.cloudflare.com/learning-paths/replace-vpn/configure-device-agent/device-profiles/",
        "disable_auto_fallback": true,
        "enabled": true,
        "exclude_office_ips": false,
        "match": "identity.email in {\"jdoe@example.com\"} or any(identity.groups.name[*] in {\"developers\" \"admin\"}) and os.name == \"windows\"",
        "name": "Example device profile",
        "precedence": 101,
        "service_mode_v2": {
          "mode": "warp"
        },
        "support_url": "https://support.example.com",
        "switch_locked": true
      }'

Terraform (v5)

1. Add the following permission to your cloudflare_api_token: Zero Trust Write
2. Create a new profile using the cloudflare_zero_trust_device_custom_profile resource:

    resource "cloudflare_zero_trust_device_custom_profile" "example" {
      account_id            = var.cloudflare_account_id
      name                  = "Example device profile"
      description           = "Example device profile recommended in the implementation documentation. For details, refer to https://developers.cloudflare.com/learning-paths/replace-vpn/configure-device-agent/device-profiles/"
      allow_mode_switch     = false
      allow_updates         = false
      allowed_to_leave      = false
      auto_connect          = 600
      captive_portal        = 180
      disable_auto_fallback = true
      enabled               = true
      exclude_office_ips    = false
      precedence            = 101
      service_mode_v2       = { mode = "warp" }
      support_url           = "https://support.example.com"
      switch_locked         = true
      tunnel_protocol       = "wireguard"
      match = trimspace(replace(
        <<-EOT
        identity.email in {"jdoe@example.com"} or
        any(identity.groups.name[*] in {"developers" "admin"}) and
        os.name == "windows"
        EOT
        , "\n", " "))
    }

Edit profile settings

1. In Zero Trust, go to Settings > WARP Client.
2. In the Profile settings card, find the profile you want to update and select Configure.
3. Use selectors to add or adjust match rules, and modify WARP settings for this profile as needed.
   Note: Changing any of the settings below will cause the WARP connection to restart. The user may experience a brief period of connectivity loss while the new settings are being applied.
   - Service mode
   - Local Domain Fallback
   - Split Tunnels
4. Select Save profile.

It may take up to 10 minutes for newly updated settings to propagate to devices.

Verify device profile

Via the dashboard

To verify the last active device profile for a specific device:

1. In Zero Trust, go to My Team > Devices.
2. Under devices, find your device.
3. Review the device profile under Last active device profile.

To verify the last active device profile for a user’s devices:

1. In Zero Trust, go to My Team > Users.
2. Under User name, find the user you would like to investigate.
3. Select Devices to see all devices used by the user.
4. Find the device you want to investigate and verify the last active device profile for that device under the Device profile column.

Alternatively, you can use DEX remote captures to collect WARP diagnostic logs. The device profile UUID is shown in your detection report under Profile ID.

Via the CLI

To check which device profile and profile settings are currently on a device, open a terminal and run:

    warp-cli settings

The device profile UUID is shown in the Profile ID field.

Selectors

You can configure device profiles to match against the following selectors, or criteria. Identity-based selectors are only available if the user enrolled the device by logging in to an identity provider (IdP).

User email

Apply a device profile based on the user's email.

| UI name | API example value |
| --- | --- |
| User email | identity.email == "user-name@company.com" |

User group emails

Apply a device profile based on an IdP group email address of which the user is configured as a member in the IdP.

| UI name | API example |
| --- | --- |
| User group emails | identity.groups.email == "contractors@company.com" |

User group IDs

Apply a device profile based on an IdP group ID of which the user is configured as a member in the IdP.

| UI name | API example |
| --- | --- |
| User group IDs | identity.groups.id == "12jf495bhjd7893ml09o" |

User group names

Apply a device profile based on an IdP group name of which the user is configured as a member in the IdP.

| UI name | API example |
| --- | --- |
| User group names | identity.groups.name == "\"finance\"" |

Operating system

Apply a device profile based on the operating system of the device.

| UI name | API example |
| --- | --- |
| Operating system | os.name in {\"windows\" \"mac\"} |

Operating system version

Apply a device profile based on the OS version of the device.

| UI name | API example |
| --- | --- |
| Operating system version | os.version == \"1.2.0\" |

Note: The OS version must be specified as a valid Semver. For example, if your device is running OS version 1.2, you must enter 1.2.0.

Managed network

Apply a device profile based on the managed network that the device is connected to.

| UI name | API example |
| --- | --- |
| Managed network | network == \"Austin office\" |

SAML attributes

Apply a device profile based on an attribute name and value from a SAML IdP.

| UI name | API example |
| --- | --- |
| SAML Attributes | identity.saml_attributes == "\"group=finance\"" |

Service token

Apply a device profile based on the service token used to enroll the device.

| UI name | API example |
| --- | --- |
| Service Token | identity.service_token_uuid == \"f174e90a-fafe-4643-bbbc-4a0ed4fc8415\" |

Comparison operators

Comparison operators determine how device profiles match a selector.

| Operator | Meaning |
| --- | --- |
| is | equals the defined value |
| in | matches at least one of the defined values |

Logical operators

To evaluate multiple conditions in an expression, select a logical operator:

| Operator | Meaning |
| --- | --- |
| And | match all of the conditions in the expression |
| Or | match any of the conditions in the expression |

Order of precedence

Cloudflare WARP evaluates device profiles dynamically based on a hierarchy. When a device connects, WARP checks the profiles from top to bottom as they appear in the dashboard. WARP follows the first match principle — once a device matches a profile, WARP stops evaluating and no subsequent profiles can override the decision.

The Default profile is always at the bottom of the list. It will only be applied if the device does not meet the criteria of any profile listed above it. If you make another custom profile the default, all settings will be copied over into the Default profile.

Administrators can create multiple profiles to apply different settings based on specific criteria such as user identity, location, or operating system. Understanding this top-to-bottom evaluation order is crucial for ensuring that the correct policies are applied to devices.
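
The logical operators and the first-match rule described above can be checked offline before a profile is deployed. The following is an added example, not Cloudflare's code: a small evaluator for the match syntax shown on this page, applied to profiles in precedence order. It assumes that `and` binds tighter than `or` (the Cloudflare Rules language convention), that a lower `precedence` value sits higher in the list, and that profiles with `enabled` set to false are skipped; the device attribute dictionaries and the second profile are constructed.

```python
import re

# One token is a whole comparison or an and/or keyword (only the syntax shown on this page).
TOKEN = re.compile(
    r'any\(\s*(?P<list>[\w.]+)\[\*\]\s+in\s+(?P<lset>\{[^}]*\})\s*\)'
    r'|(?P<field>[\w.]+)\s*(?:==\s*(?P<str>"[^"]*")|in\s*(?P<set>\{[^}]*\}))'
    r'|(?P<kw>\band\b|\bor\b)')

def strings(text):
    """Return the quoted values in a token such as {"a" "b"} or "a"."""
    return set(re.findall(r'"([^"]*)"', text))

def compare(m, device):
    if m["list"]:  # any(field[*] in {...}): any element of a list-valued selector
        return bool(strings(m["lset"]) & set(device.get(m["list"], [])))
    return device.get(m["field"]) in strings(m["str"] or m["set"])

def matches(expr, device):
    """Evaluate expr against device; assumes 'and' binds tighter than 'or'."""
    if TOKEN.sub("", expr).strip():
        raise ValueError(f"unsupported syntax in {expr!r}")
    or_groups = [[]]  # an OR of AND-groups
    for m in TOKEN.finditer(expr):
        if m["kw"] == "or":
            or_groups.append([])
        elif m["kw"] is None:
            or_groups[-1].append(compare(m, device))
    return any(group and all(group) for group in or_groups)

def active_profile(profiles, device):
    """First match wins; assumes a lower precedence value sits higher in the list."""
    for profile in sorted(profiles, key=lambda p: p["precedence"]):
        if profile["enabled"] and matches(profile["match"], device):
            return profile["name"]
    return "Default"

# Constructed sample: the page's example profile plus a hypothetical second profile.
PAGE_MATCH = ('identity.email in {"jdoe@example.com"} or '
              'any(identity.groups.name[*] in {"developers" "admin"}) and os.name == "windows"')
PROFILES = [
    {"name": "Windows fallback (hypothetical)", "precedence": 200, "enabled": True,
     "match": 'os.name == "windows"'},
    {"name": "Example device profile", "precedence": 101, "enabled": True, "match": PAGE_MATCH},
]

if __name__ == "__main__":
    for device in ({"identity.email": "jdoe@example.com", "os.name": "mac"},
                   {"os.name": "windows"}, {"os.name": "linux"}):
        print(active_profile(PROFILES, device), "<-", device)
```

Under these assumptions the page's example expression matches jdoe@example.com on any operating system, because the `os.name` condition only constrains the group clause. Unsupported syntax raises an error instead of being skipped, so an expression the evaluator cannot read is never reported as a match or a miss.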