Device enrollment permissions
Device enrollment permissions determine which users can connect new devices to your organization's Cloudflare Zero Trust instance.
- In Zero Trust ↗, go to Settings > WARP Client.
- In Device enrollment permissions, select Manage.
- In the Rules tab, configure one or more Access policies to define who can join their device. For example, you could allow all users with a company email address:

  | Rule type | Selector | Value |
  | --- | --- | --- |
  | Include | Emails ending in | @company.com |
- In the Authentication tab, select the identity providers users can authenticate with. If you have not integrated an identity provider, you can use the one-time PIN.
- Select Save.
Alternatively, configure the same enrollment permissions with Terraform:
- Add the following permission to your cloudflare_api_token:
  - Access: Apps and Policies Write
- Use the cloudflare_zero_trust_access_application resource to create an application with type `warp`:

  ```tf
  resource "cloudflare_zero_trust_access_application" "warp_enrollment_app" {
    account_id       = var.cloudflare_account_id
    session_duration = "18h"
    name             = "Warp device enrollment"
    # Identity provider resource defined elsewhere in your configuration
    allowed_idps              = [cloudflare_zero_trust_access_identity_provider.microsoft_entra_id.id]
    auto_redirect_to_identity = true
    type                      = "warp"
    app_launcher_visible      = false
  }
  ```
- Use the cloudflare_zero_trust_access_policy resource to define enrollment permissions:

  ```tf
  resource "cloudflare_zero_trust_access_policy" "warp_enrollment_employees" {
    application_id = cloudflare_zero_trust_access_application.warp_enrollment_app.id
    account_id     = var.cloudflare_account_id
    name           = "Allow company emails"
    decision       = "allow"
    precedence     = 1
    include {
      email_domain = ["company.com"]
    }
  }
  ```
Users can now enroll their device by logging in to your identity provider. To prevent users from logging out of your organization after they enroll, disable Allow devices to leave organization in your WARP client settings.
Instead of requiring users to authenticate with their credentials, you can use a service token to enroll devices without any user interaction. Because users are not required to log in to an identity provider, identity-based policies cannot be enforced on these devices.
To enroll devices using a service token:
- Create a service token and copy its Client ID and Client Secret.
- Go to Access > Policies and create the following policy:

  | Rule Action | Rule type | Selector | Value |
  | --- | --- | --- | --- |
  | Service Auth | Include | Service Token | <TOKEN-NAME> |

  Make sure to set Action to Service Auth instead of Allow.
- Add the Access policy to your device enrollment permissions.
- In your MDM deployment parameters, add the following fields:
  - auth_client_id: The Client ID of your service token.
  - auth_client_secret: The Client Secret of your service token.

  Treat the Client Secret as an enrollment credential: anyone who obtains it can join a device to your organization under this policy, so distribute it through your MDM's secret handling rather than in a checked-in configuration file.
Alternatively, using Terraform:
- Add the following permission to your cloudflare_api_token:
  - Access: Apps and Policies Write
- Create a service token and copy its Client ID and Client Secret.
- Add the following policy to your WARP enrollment Access application:

  ```tf
  resource "cloudflare_zero_trust_access_policy" "warp_enrollment_service_token" {
    application_id = cloudflare_zero_trust_access_application.warp_enrollment_app.id
    account_id     = var.cloudflare_account_id
    name           = "Allow service token"
    decision       = "non_identity" # Service Auth, not "allow"
    precedence     = 2
    include {
      service_token = [cloudflare_zero_trust_access_service_token.example_service_token.id]
    }
  }
  ```
- In your MDM deployment parameters, add the following fields:
  - auth_client_id: The Client ID of your service token.
  - auth_client_secret: The Client Secret of your service token.
When you deploy the WARP client with your MDM provider, WARP will automatically connect the device to your Zero Trust organization.
You can verify which devices have enrolled by going to My Team > Devices. Devices that enrolled using a service token (or any other Service Auth policy) will have the Email field show as non_identity@<team-name>.cloudflareaccess.com.
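Because service-token devices carry no user identity, it is worth auditing them rather than relying on the dashboard alone. The following script is an added example, not Cloudflare's code: it buckets enrolled devices by the email the page describes (an identity-provider address ending in the allowed domain, the non_identity@<team-name>.cloudflareaccess.com placeholder for Service Auth enrollments, or anything else). It assumes the Cloudflare v4 API endpoint GET /accounts/{account_id}/devices returns a result list whose entries carry a user object with an email key, and that the API token has a device read permission; both are assumptions to confirm against the current API reference. The sample payload is constructed, so the classification runs offline.

```python
import json
import os
import urllib.request

# Added example, not Cloudflare's code. Assumption: the list-devices endpoint
# below returns {"success": true, "result": [{"id", "name", "serial_number",
# "user": {"email": ...}}, ...]}. Confirm against the API reference.
API_BASE = "https://api.cloudflare.com/client/v4"


def non_identity_address(team_name: str) -> str:
    """Email the dashboard shows for devices enrolled through a Service Auth policy."""
    return f"non_identity@{team_name}.cloudflareaccess.com"


def classify_devices(devices, team_name, allowed_domain):
    """Bucket devices by how they enrolled.

    identity     - user email ends in @<allowed_domain> (identity policies apply)
    service_auth - the non_identity placeholder; no identity policy covers it
    unexpected   - another domain or no user at all; investigate
    """
    placeholder = non_identity_address(team_name).lower()
    suffix = "@" + allowed_domain.lower()
    out = {"identity": [], "service_auth": [], "unexpected": []}
    for dev in devices:
        email = ((dev.get("user") or {}).get("email") or "").lower()
        if email == placeholder:
            out["service_auth"].append(dev)
        elif email.endswith(suffix):
            out["identity"].append(dev)
        else:
            out["unexpected"].append(dev)
    return out


def summarize(buckets):
    """One line per device in the two buckets that need a human look."""
    lines = []
    for dev in buckets["service_auth"]:
        lines.append(f"SERVICE_AUTH {dev.get('id')} {dev.get('name')} "
                     f"serial={dev.get('serial_number')}")
    for dev in buckets["unexpected"]:
        email = (dev.get("user") or {}).get("email")
        lines.append(f"UNEXPECTED   {dev.get('id')} {dev.get('name')} email={email}")
    return lines


def fetch_devices(account_id: str, api_token: str):
    """Live call to the (assumed) list-devices endpoint; only used when credentials are set."""
    req = urllib.request.Request(
        f"{API_BASE}/accounts/{account_id}/devices",
        headers={"Authorization": f"Bearer {api_token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = json.load(resp)
    if not body.get("success"):
        raise RuntimeError(f"Cloudflare API error: {body.get('errors')}")
    return body["result"]


# Constructed sample shaped like the assumed response; not real data.
SAMPLE_DEVICES = [
    {"id": "dev-1", "name": "laptop-alice", "serial_number": "SN1001",
     "user": {"email": "alice@company.com"}},
    {"id": "dev-2", "name": "kiosk-lobby", "serial_number": "SN2002",
     "user": {"email": "non_identity@your-team-name.cloudflareaccess.com"}},
    {"id": "dev-3", "name": "contractor-box", "serial_number": "SN3003",
     "user": {"email": "bob@contractor.example"}},
    {"id": "dev-4", "name": "orphan", "serial_number": None, "user": None},
]

if __name__ == "__main__":
    account_id = os.environ.get("CF_ACCOUNT_ID")
    token = os.environ.get("CF_API_TOKEN")
    devices = fetch_devices(account_id, token) if account_id and token else SAMPLE_DEVICES
    buckets = classify_devices(devices, "your-team-name", "company.com")
    print(f"identity={len(buckets['identity'])} "
          f"service_auth={len(buckets['service_auth'])} "
          f"unexpected={len(buckets['unexpected'])}")
    print("\n".join(summarize(buckets)))
```

Run it with CF_ACCOUNT_ID and CF_API_TOKEN set to query the account, or without them to exercise the constructed sample. The "unexpected" bucket is the one to watch: a device whose user is outside the allowed domain, or has no user at all, means a rule other than the ones on this page let it in.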
Enterprise customers can enforce mutual TLS authentication during device enrollment.
To check for an mTLS certificate:
- Add an mTLS certificate to your account. You can generate a sample certificate using the Cloudflare PKI toolkit.
- In Associated hostnames, enter your Zero Trust team domain: <team-name>.cloudflareaccess.com
- In your device enrollment permissions, add a Common Name or Valid Certificate rule. For example, the following policy requires a client certificate with a specific common name:

  | Action | Rule type | Selector | Value |
  | --- | --- | --- | --- |
  | Allow | Require | Common Name | <CERT-COMMON-NAME> |
- On your device, add the client certificate to the system keychain.
Alternatively, using Terraform:
- Add the following permissions to your cloudflare_api_token:
  - Access: Mutual TLS Certificates Write
  - Access: Apps and Policies Write
- Use the cloudflare_zero_trust_access_mtls_certificate resource to add an mTLS certificate to your account:

  ```tf
  resource "cloudflare_zero_trust_access_mtls_certificate" "example_mtls_cert" {
    account_id  = var.cloudflare_account_id
    name        = "WARP enrollment mTLS cert"
    certificate = <<EOT
  -----BEGIN CERTIFICATE-----
  xxxxxxxx
  -----END CERTIFICATE-----
  EOT
    # Your Zero Trust team domain
    associated_hostnames = ["your-team-name.cloudflareaccess.com"]
  }
  ```
- Add a require block to the enrollment policy on your WARP enrollment Access application (this extends the warp_enrollment_employees policy defined above):

  ```tf
  resource "cloudflare_zero_trust_access_policy" "warp_enrollment_employees" {
    application_id = cloudflare_zero_trust_access_application.warp_enrollment_app.id
    account_id     = var.cloudflare_account_id
    name           = "Allow company emails"
    decision       = "allow"
    precedence     = 1
    include {
      email_domain = ["company.com"]
    }
    # Both a company email and a client certificate with one of these CNs
    require {
      common_names = ["Common name 1", "Common name 2"]
    }
  }
  ```
- On your device, add the client certificate to the system keychain.
When users log in to your Zero Trust organization from the WARP client, their device must present a valid client certificate in order to connect.