Device enrollment permissions determine which users can connect new devices to your organization's Cloudflare Zero Trust instance.

Set device enrollment permissions

Dashboard

1. In Zero Trust ↗, go to Settings > WARP Client.
2. In Device enrollment permissions, select Manage.
3. In the Policies tab, configure one or more Access policies to define who can join their device. For example, you could allow all users with a company email address:

   | Rule type | Selector         | Value        |
   | --------- | ---------------- | ------------ |
   | Include   | Emails ending in | @company.com |

   Note: Device posture checks are not supported in device enrollment policies. WARP can only perform posture checks after the device is enrolled.
4. In the Login methods tab:
   a. Select the identity providers users can authenticate with. If you have not integrated an identity provider, you can use the one-time PIN.
   b. (Optional) If you plan to only allow access via a single IdP, turn on Instant Auth. End users will not be shown the Cloudflare Access login page. Instead, Cloudflare will redirect users directly to your SSO login event.
5. Select Save.

Terraform (v5)

1. Add the following permission to your cloudflare_api_token ↗:
   - Access: Apps and Policies Write
2. Create a reusable Access policy using the cloudflare_zero_trust_access_policy ↗ resource:

```hcl
resource "cloudflare_zero_trust_access_policy" "allow_company_emails" {
  account_id = var.cloudflare_account_id
  name       = "Allow company emails"
  decision   = "allow"
  include = [
    {
      email_domain = {
        domain = "@example.com"
      }
    }
  ]
}
```

3. Use the cloudflare_zero_trust_access_application ↗ resource to create an application with type warp:

```hcl
resource "cloudflare_zero_trust_access_application" "device_enrollment" {
  account_id                = var.cloudflare_account_id
  type                      = "warp"
  name                      = "Warp device enrollment"
  allowed_idps              = [cloudflare_zero_trust_access_identity_provider.microsoft_entra_id.id]
  auto_redirect_to_identity = true
  app_launcher_visible      = false
  policies = [
    {
      id         = cloudflare_zero_trust_access_policy.allow_company_emails.id
      precedence = 1
    }
  ]
}
```

Users can now enroll their device by logging in to your identity provider. To prevent users from logging out of your organization after they enroll, disable Allow devices to leave organization in your WARP client settings.

Example policies

Check for service token

Instead of requiring users to authenticate with their credentials, you can use a service token to enroll devices without any user interaction. Because users are not required to log in to an identity provider, identity-based policies cannot be enforced on these devices.

To enroll devices using a service token:

When you deploy the WARP client with your MDM provider, WARP will automatically connect the device to your Zero Trust organization.

You can verify which devices have enrolled by going to My Team > Devices. Devices that enrolled using a service token (or any other Service Auth policy) show non_identity@<team-name>.cloudflareaccess.com in the Email field.

Check for mTLS certificate

Enterprise customers can enforce mutual TLS authentication during device enrollment.

Certificate requirements

- The CA certificate can be from a publicly trusted CA or self-signed.
- In the certificate Basic Constraints, the attribute CA must be set to TRUE.
- The certificate must use one of the signature algorithms listed below.

Allowed signature algorithms

- x509.SHA1WithRSA
- x509.SHA256WithRSA
- x509.SHA384WithRSA
- x509.SHA512WithRSA
- x509.ECDSAWithSHA1
- x509.ECDSAWithSHA256
- x509.ECDSAWithSHA384
- x509.ECDSAWithSHA512

To check for an mTLS certificate:

Dashboard

1. In Zero Trust ↗, go to Access > Service auth > Mutual TLS.
2. Select Add mTLS Certificate.
3. Enter any name for the root CA.
4. In Certificate content, paste the contents of your root CA. If the client certificate is directly signed by the root CA, you only need to upload the root. If the client certificate is signed by an intermediate certificate, you must upload the entire CA chain (intermediate and root). For example:

```txt
-----BEGIN CERTIFICATE-----
<intermediate.pem>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<rootCA.pem>
-----END CERTIFICATE-----
```

5. In Associated hostnames, enter your Zero Trust team domain: <team-name>.cloudflareaccess.com
6. In your device enrollment permissions, add a Common Name or Valid Certificate rule. For example, the following policy requires a client certificate with a specific common name:

   | Action | Rule type | Selector    | Value              |
   | ------ | --------- | ----------- | ------------------ |
   | Allow  | Require   | Common Name | <CERT-COMMON-NAME> |

7. On your device, add the client certificate to the system keychain.

Terraform (v5)

1. Add the following permissions to your cloudflare_api_token ↗:
   - Access: Mutual TLS Certificates Write
   - Access: Apps and Policies Write
2. Use the cloudflare_zero_trust_access_mtls_certificate ↗ resource to add an mTLS certificate to your account:

```hcl
resource "cloudflare_zero_trust_access_mtls_certificate" "example_mtls_cert" {
  account_id  = var.cloudflare_account_id
  name        = "WARP enrollment mTLS cert"
  certificate = <<EOT
-----BEGIN CERTIFICATE-----
xxxx
xxxx
-----END CERTIFICATE-----
EOT
  associated_hostnames = ["your-team-name.cloudflareaccess.com"]
}
```

3. Create the following Access policy:

```hcl
resource "cloudflare_zero_trust_access_policy" "warp_enrollment_mtls" {
  account_id = var.cloudflare_account_id
  name       = "Allow employees with mTLS cert"
  decision   = "allow"
  include = [
    {
      email_domain = {
        domain = "@example.com"
      }
    }
  ]
  require = [
    {
      common_name = {
        common_name = "Common name 1"
      }
    },
    {
      common_name = {
        common_name = "Common name 2"
      }
    }
  ]
}
```

4. Add the policy to your cloudflare_zero_trust_access_application for WARP.
5. On your device, add the client certificate to the system keychain.

When users log in to your Zero Trust organization from the WARP client, their device must present a valid client certificate in order to connect.
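Uploading a CA that does not meet the certificate requirements above, or a chain pasted in the wrong order, is an easy way to lock every device out of enrollment. The script below is an added example, not part of the Cloudflare documentation or the Terraform provider: it pre-flights a CA certificate (Basic Constraints CA:TRUE, signature algorithm in the allowed list) and a CA bundle (intermediate first, root last, each entry issued by the next) with the openssl CLI before you paste the PEM into the dashboard or the Terraform resource. It assumes openssl is installed and that `openssl x509 -text` prints the algorithm names shown in ALLOWED_SIG_ALGS (the OpenSSL spellings of the x509.* names listed above). Every certificate it inspects is constructed demo data generated inline, including two that must be rejected: a CA:FALSE leaf and an Ed25519-signed root.

```shell
#!/bin/sh
# Added example, not Cloudflare's code: pre-flight checks for a CA certificate or
# CA chain before uploading it as an mTLS root for device enrollment. Assumes the
# openssl CLI is installed; every certificate below is constructed demo data.
set -eu

# Allowed signature algorithms as openssl names them in "x509 -text" output
# (assumed mapping of the x509.* names in the requirements above).
ALLOWED_SIG_ALGS="sha1WithRSAEncryption sha256WithRSAEncryption sha384WithRSAEncryption \
sha512WithRSAEncryption ecdsa-with-SHA1 ecdsa-with-SHA256 ecdsa-with-SHA384 ecdsa-with-SHA512"

# check_ca_cert <cert.pem>: returns 0 when Basic Constraints says CA:TRUE and
# the signature algorithm is in the allowed list, 1 otherwise.
check_ca_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  if ! printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
    echo "FAIL $1: Basic Constraints does not set CA:TRUE" >&2
    return 1
  fi
  sig=$(printf '%s\n' "$text" | awk '/Signature Algorithm:/ { print $3; exit }')
  for a in $ALLOWED_SIG_ALGS; do
    [ "$a" = "$sig" ] && { echo "OK   $1: CA:TRUE, $sig"; return 0; }
  done
  echo "FAIL $1: signature algorithm '$sig' is not in the allowed list" >&2
  return 1
}

# check_ca_chain <bundle.pem>: returns 0 when every certificate passes
# check_ca_cert, each entry is issued by the entry after it, and the last entry
# is self-signed (intermediate first, root last, as the upload expects).
check_ca_chain() {
  dir=$(mktemp -d)
  # split the PEM bundle into 01.pem, 02.pem, ... in upload order
  count=$(awk -v d="$dir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%02d.pem", d, n) }
    f { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n + 0 }' "$1")
  [ "$count" -gt 0 ] || { echo "FAIL $1: no certificates found" >&2; return 1; }
  i=1
  while [ "$i" -le "$count" ]; do
    cert=$(printf '%s/%02d.pem' "$dir" "$i")
    check_ca_cert "$cert" || return 1
    # the last entry must be the self-signed root, so compare it against itself
    if [ "$i" -eq "$count" ]; then next="$cert"; else next=$(printf '%s/%02d.pem' "$dir" $((i + 1))); fi
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253)
    subject=$(openssl x509 -in "$next" -noout -subject -nameopt RFC2253)
    if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
      echo "FAIL $1: entry $i ($issuer) is not issued by the entry after it ($subject)" >&2
      return 1
    fi
    i=$((i + 1))
  done
  echo "OK   $1: $count certificate(s), ordered intermediate-to-root"
}

# --- constructed demo certificates (throwaway keys, 1-day validity) ----------
DEMO=$(mktemp -d)
cat > "$DEMO/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
EOF

# selfsigned <name> <key-alg> <ext-section>: writes $DEMO/<name>.pem
selfsigned() {
  openssl req -x509 -newkey "$2" -nodes -keyout "$DEMO/$1.key" -out "$DEMO/$1.pem" \
    -subj "/CN=Constructed $1" -days 1 -config "$DEMO/openssl.cnf" -extensions "$3" 2>/dev/null
}
selfsigned root-ca rsa:2048 ca_ext       # valid root: CA:TRUE, sha256WithRSAEncryption
selfsigned leaf rsa:2048 leaf_ext        # CA:FALSE, must be rejected
selfsigned ed25519-ca ed25519 ca_ext     # CA:TRUE but ED25519 signature, must be rejected

# intermediate CA issued by the demo root
openssl req -new -newkey rsa:2048 -nodes -keyout "$DEMO/intermediate.key" \
  -out "$DEMO/intermediate.csr" -subj "/CN=Constructed intermediate-ca" \
  -config "$DEMO/openssl.cnf" 2>/dev/null
openssl x509 -req -in "$DEMO/intermediate.csr" -CA "$DEMO/root-ca.pem" -CAkey "$DEMO/root-ca.key" \
  -CAcreateserial -out "$DEMO/intermediate.pem" -days 1 \
  -extfile "$DEMO/openssl.cnf" -extensions ca_ext 2>/dev/null

cat "$DEMO/intermediate.pem" "$DEMO/root-ca.pem" > "$DEMO/chain-good.pem"
cat "$DEMO/root-ca.pem" "$DEMO/intermediate.pem" > "$DEMO/chain-wrong-order.pem"

for c in root-ca intermediate leaf ed25519-ca; do check_ca_cert "$DEMO/$c.pem" || true; done
for b in chain-good chain-wrong-order; do check_ca_chain "$DEMO/$b.pem" || true; done
```

Run it as-is to see the four single-certificate verdicts and the two chain verdicts; to check your own material, source the file and call `check_ca_cert my-root.pem` or `check_ca_chain my-bundle.pem` and act on a non-zero exit status. The chain check deliberately rejects a root-first bundle, which is the most common way the "intermediate and root" upload goes wrong.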