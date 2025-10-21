Administrators can automate WARP registration on managed devices and minimize the number of clicks required from an end user.

During the default WARP enrollment process, end users typically need to complete several steps in order to login:

Review Terms and Conditions in the WARP client GUI and acknowledge your company's use of Cloudflare WARP. Select their identity provider from the Cloudflare Access login screen. Complete the authentication steps required by the identity provider. Interact with a browser popup requesting permission to launch the WARP client.

This guide covers how to eliminate steps 1, 2 and 4 from your WARP deployment.

Service token authentication If you are looking to eliminate all user interaction, you can enroll devices using service tokens. Because users are not required to log in to an identity provider, identity-based policies and logging will not be available on these devices.

On iOS and Android / ChromeOS, end users will still be asked questions required by their platform such as accepting notifications or installing the VPN Profile.

Turn off onboarding screens

To skip the Terms and Conditions screens that are usually presented to users, set the onboarding parameter to false in your MDM deployment file. Here is an example mdm.xml file:

< dict > < key > organization </ key > < string > your-team-name </ string > < key > onboarding </ key > < false /> </ dict >

Turn on Instant Auth

If you are only using one identity provider for device enrollment, turn on Instant Auth in your device enrollment permissions. This allow users to skip the Cloudflare Access login page and go directly to your SSO login event.

Allow browser to launch WARP

You can configure your browser to automatically launch the Cloudflare WARP application after a successful login and skip the Open Cloudflare WARP.app popup.

Chromium-based browsers

Chromium-based browsers such as Google Chrome and Microsoft Edge have a policy setting called AutoLaunchProtocolsFromOrigins ↗. This setting takes in two parameters: a protocol for the browser to launch and the origins that are allowed to launch it. For the browser to launch WARP, you need to set the protocol to com.cloudflare.warp and the origin to your Zero Trust team domain ( https://<your-team-name>.cloudflareaccess.com ).