Cloudflare Docs
Learning Paths
Secure your Internet traffic and SaaS apps (Learning Path)
Edit this page
Report an issue with this page
Log into the Cloudflare dashboard
Set theme to dark (⇧+D)

Customize device profiles

  3 min read

A device profile defines WARP client settings for a specific set of devices in your organization. You can create multiple profiles and apply different settings based on the user’s identity, the device’s location, and other criteria.

For example, users in one identity provider group (signifying a specific office location) might have different routes that need to be excluded from their WARP tunnel, or some device types (like Linux) might need different DNS settings to accommodate local development services.

​​ Configure the default profile

Set your default device profile to be applicable to a majority of your userbase, or any user without known explicit considerations.

To customize the default settings:

  1. Go to Settings > WARP Client.
  2. Under Device settings, select the default profile and select Configure.
  3. Many users running Cloudflare Zero Trust to secure their organization have a default profile that resembles the following. Refer to WARP client settings for a description of each setting.
Captive portal detectionEnabled
Mode switchDisabledIf enabled, users have the option to switch to a DNS-only security mode and lose access to your private network.
Lock WARP switchEnabledShould be enabled unless users have an explicit reason to disable WARP, such as a conflicting VPN client on the device or other extenuating circumstances. If disabled for concerns about user experience, Auto Connect should be enabled and set on a short interval, like 10-15 minutes.
Allow device to leave organizationDisabled
Allow updatesDisabledUsually disabled on managed devices. If enabled, users who are local administrators on their device can update the WARP client on their own — this can introduce version consistency control issues if WARP versions are centrally managed by IT.
Auto connectEnabledTimeout is usually set between 10min - 30min.
Support URLEnabled
Service modeGateway with WARPProxies device traffic to Cloudflare according to your Split Tunnel rules.
Local Domain FallbackRefer to Resolve Private DNS.
Split TunnelsExclude IPs and domainsRefer to Define Split Tunnels settings.
Directly route Microsoft 365 trafficDisabledUsually disabled to allow inspection of Microsoft 365 traffic.
  1. Save the profile.
  2. Under Global settings,
    1. (Recommended) Enable Admin override code if you turned on Lock WARP switch.
    2. Enable Install CA to system certificate store if you want users to see a custom block page.
  1. Update the default device settings profile:
curl --request PATCH \{account_id}/devices/policy \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
"allow_mode_switch": false,
"allow_updates": false,
"allowed_to_leave": false,
"auto_connect": 900,
"captive_portal": 180,
"disable_auto_fallback": true,
"exclude_office_ips": false,
"service_mode_v2": {
"mode": "warp"},
"support_url": "",
"switch_locked": true
  1. Update global settings:
curl --request PUT \{account_id}/devices/settings \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
"disable_for_time": 3600,
"root_certificate_installation_enabled": true

​​ (Optional) Create an office profile

You can configure a device settings profile to take effect when the device is connected to a trusted network such as an office. For example, you may wish to allow users in the office to access applications directly rather than route traffic through Cloudflare.

For setup instructions, refer to Add a managed network.