Parameters
Each client supports the following set of parameters as part of their deployment, regardless of the deployment mechanism.
For the majority of Cloudflare Zero Trust features to work, you need to specify a team name. Examples of Cloudflare Zero Trust features which depend on the team name are HTTP policies, Browser Isolation, and device posture.
Instructs the client to register the device with your organization. Registration requires authentication via an IdP or Service Auth.
Value Type: string
Value: Your team name.
This field is used to enforce DNS policies when deploying the client in DoH-only mode.
Instructs the client to direct all DNS queries to a specific Gateway DNS location. This value is only necessary if deploying without a team name or in an organization with multiple DNS locations. If you do not supply a DoH subdomain, we will automatically use the default Gateway DNS location for your organization.
Value Type: string
Value: Your DoH subdomain.
You can use the following parameters to configure a specific Zero Trust organization.
Enrolls the device in your Zero Trust organization using a service token.
Requires the auth_client_secret parameter.
Value Type: string
Value: Client ID of the service token.
Example configuration:
<key>auth_client_id</key><string>88bf3b6d86161464f6509f7219099e57.access</string><key>auth_client_secret</key><string>bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5</string>Enrolls the device in your Zero Trust organization using a service token.
Requires the auth_client_id parameter.
Value Type: string
Value: Client Secret of the service token.
If switch has been turned off by user, the client will automatically turn itself back on after the specified number of minutes. We recommend keeping this set to a very low value — usually just enough time for a user to log in to hotel or airport Wi-Fi. If any value is specified for auto_connect the default state of the WARP client will always be Connected (for example, after the initial install or a reboot).
Value Type: integer
Value:
0— Allow the switch to stay in the off position indefinitely until the user turns it back on.1to1440— Turn switch back on automatically after the specified number of minutes.
Identifies a Zero Trust organization in the WARP GUI when WARP is deployed with multiple organizations. Required if the organization parameter is specified within a configs array.
Value Type: string
Value: Organization nickname shown to users in the WARP GUI (for example, Test environment).
Controls the visibility of the onboarding screens that ask the user to review the privacy policy during an application's first launch.
Value Type: boolean
Value:
false— Screens hidden.true— (default) Screens visible.
Overrides the IP address used by the WARP client to communicate with the client orchestration API. If you set this parameter, be sure to update your organization's firewall to ensure the new IP is allowed through.
This functionality is intended for use with a Cloudflare China local network partner or any other third-party network partner that can maintain the integrity of network traffic. Most IT admins should not set this setting as it will redirect all API traffic to a new IP.
Value Type: string
Value: 1.2.3.4 — Redirect all client orchestration API calls to 1.2.3.4.
The string must be a valid IPv4 or IPv6 address, otherwise the WARP client will fail to parse the entire MDM file.
Overrides the IP address used by the WARP client to resolve DNS queries via DNS over HTTPS (DoH). If you set this parameter, be sure to update your organization's firewall to ensure the new IP is allowed through.
This functionality is intended for use with a Cloudflare China local network partner or any other third-party network partner that can maintain the integrity of network traffic. Most IT admins should not set this setting as it will redirect all DoH traffic to a new IP.
Value Type: string
Value: 1.2.3.4 — Redirect all DNS over HTTPS lookups to 1.2.3.4.
The string must be a valid IPv4 or IPv6 address, otherwise the WARP client will fail to parse the entire MDM file.
Overrides the IP address and UDP port used by the WARP client to send traffic to Cloudflare's edge. If you set this parameter, be sure to update your organization's firewall to ensure the new IP is allowed through.
This functionality is intended for use with a Cloudflare China local network partner or any other third-party network partner that can maintain the integrity of network traffic. Most IT admins should not set this setting as it will redirect all WARP traffic to a new IP.
Value Type: string
Value: 203.0.113.0:500 — Redirect all WARP traffic to 203.0.113.0 on port 500.
The string must be a valid IPv4 or IPv6 socket address (containing the IP address and port number), otherwise the WARP client will fail to parse the entire MDM file.
Allows you to choose the operational mode of the client.
Value Type: string
Value:
warp— (default) Gateway with WARP.1dot1— Gateway with DoH.proxy— Proxy mode. Use theproxy_portparameter to specify the localhost SOCKS proxy port (between0-66535). For example,<key>service_mode</key><string>proxy</string><key>proxy_port</key><integer>44444</integer>postureonly— Device Information Only.
The service mode Secure Web Gateway without DNS filtering is not currently supported as a value and must be configured in Zero Trust.
When the WARP client is deployed via MDM, the in-app Send Feedback button is disabled by default. This parameter allows you to re-enable the button and direct feedback towards your organization.
Value Type: string
Value:
https://<support.example.com>— Use anhttps://link to open your company's internal help site.mailto:<yoursupport@example.com>— Use amailto:link to open your default mail client.
Allows the user to turn off the WARP switch and disconnect the client.
Value Type: boolean
Value:
false— (default) The user is able to turn the switch on/off at their discretion. When the switch is off, the user will not have the ability to reach sites protected by Access that leverage certain device posture checks.true— The user is prevented from turning off the switch. The WARP client will automatically start in the connected state.
On new deployments, you must also include the auto_connect parameter with at least a value of 0. This will prevent clients from being deployed in the off state without a way for users to manually enable them.
Assigns a unique identifier to the device for the device UUID posture check.
Value Type: string
Value: UUID for the device (for example, 496c6124-db89-4735-bc4e-7f759109a6f1).
Top-level parameters determine how WARP manages device registrations.
Allows a user to switch between Zero Trust organizations in the WARP client GUI. The configs array is also required when using another top-level parameter such as multi_user or pre_login, even if only one organization is specified.
Value Type: array
Value: An array containing one or more Zero Trust organizations.
Enables multiple user registrations on a Windows device.
Value Type: boolean
Value:
false— (default) Only one WARP registration is stored per device. After a user logs in to WARP, their settings and identity will apply to all traffic from the device.true— Each Windows user has their own WARP registration. For more information, refer to Multiple users on a Windows device.
Allows WARP to connect with a service token before a user completes the initial Windows login. For more information, refer to Connect WARP before Windows login.
To support the per-app VPN for Android devices, Cloudflare has introduced new MDM parameters. The admin can configure these new MDM parameters via any MDM tool that supports deploying an Android app to managed devices or work profiles.
An application package name/bundle identifier which uniquely identifies the app on the Google Play Store. This application will be tunneled through the WARP service.
Value Type: string
Value: The app identifier can be found in the ID query parameter of the specific app's Play Store URL. For example: in the case of https://play.google.com/store/apps/details?id=com.cloudflare.cloudflareoneagent, the app identifier for the Cloudflare One Agent app is com.cloudflare.cloudflareoneagent.
An optional property. is_browser will help the Cloudflare One Agent application decide which browser to open instead of the default browser for specific features such as re-authentication and Gateway block notifications. If needed, admins should explicitly indicate that a given tunneled_app is a browser, rather than relying on automatic browser detection.
Value Type: boolean
Value: If the value is true, identifies the application defined in app_identifier as a browser. The default value is false and is_browser is an optional property.