Device profiles

A device profile defines WARP client settings for a specific set of devices in your organization. You can create multiple profiles and apply different settings based on the user's identity, the device's location, and other criteria.

For example, users in one identity provider group (signifying a specific office location) might have different routes that need to be excluded from their WARP tunnel, or some device types (like Linux) might need different DNS settings to accommodate local development services.

Create a new profile

Dashboard

1. In Zero Trust ↗, go to Settings > WARP Client.
2. In the Profile settings card, select Create profile. This will make a copy of the Default profile.
3. Enter any name for the profile.
4. Create rules to define the devices that will use this profile. Learn more about the available Selectors, Operators, and Values.
5. Configure WARP settings for these devices.

Note

At this time, Split Tunnels and Local Domain Fallback can only be modified after you save the profile.

6. Select Create profile.

Your profile will appear in the Profile settings list. You can rearrange the profiles in the list according to your desired order of precedence.

API

Send a POST request to the Devices API:

Required API token permissions

At least one of the following token permissions is required:

• Zero Trust Write

Create a device settings profile

curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/policy" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "allow_mode_switch": false,
    "allow_updates": false,
    "allowed_to_leave": false,
    "auto_connect": 600,
    "captive_portal": 180,
    "description": "Example device profile recommended in the implementation documentation. For details, refer to https://developers.cloudflare.com/learning-paths/replace-vpn/configure-device-agent/device-profiles/",
    "disable_auto_fallback": true,
    "enabled": true,
    "exclude_office_ips": false,
    "match": "identity.email in {\"jdoe@example.com\"} or any(identity.groups.name[*] in {\"developers\" \"admin\"}) and os.name == \"windows\"",
    "name": "Example device profile",
    "precedence": 101,
    "service_mode_v2": {
        "mode": "warp"
    },
    "support_url": "https://support.example.com",
    "switch_locked": true
  }'

Terraform (v5)

1. Add the following permission to your cloudflare_api_token ↗:

   • Zero Trust Write

2. Create a new profile using the cloudflare_zero_trust_device_custom_profile ↗ resource:

   resource "cloudflare_zero_trust_device_custom_profile" "example" {
     account_id            = var.cloudflare_account_id
     name                  = "Example device profile"
     description           = "Example device profile recommended in the implementation documentation. For details, refer to https://developers.cloudflare.com/learning-paths/replace-vpn/configure-device-agent/device-profiles/"
     allow_mode_switch     = false
     allow_updates         = false
     allowed_to_leave      = false
     auto_connect          = 600
     captive_portal        = 180
     disable_auto_fallback = true
     enabled               = true
     exclude_office_ips    = false
     precedence            = 101
     service_mode_v2       = {mode = "warp"}
     support_url           = "https://support.example.com"
     switch_locked         = true
     tunnel_protocol       = "wireguard"
   
     match = trimspace(replace(<<-EOT
       identity.email in {"jdoe@example.com"}
       or any(identity.groups.name[*] in {"developers" "admin"})
       and os.name == "windows"
     EOT
     , "\n", " "))
   }

Edit profile settings

1. In Zero Trust ↗, go to Settings > WARP Client.

2. In the Profile settings card, find the profile you want to update and select Configure.

3. Use selectors to add or adjust match rules, and modify WARP settings for this profile as needed.

   Note

   Changing any of the settings below will cause the WARP connection to restart. The user may experience a brief period of connectivity loss while the new settings are being applied.

   • Service mode
   • Local Domain Fallback
   • Split Tunnels

4. Select Save profile.

It may take up to 10 minutes for newly updated settings to propagate to devices.

Verify device profile

To check which device profile and profile settings are currently on a device, open a terminal and run:

warp-cli settings

The device profile UUID is shown in the Profile ID field.

Alternatively, if you do not have access to the CLI, you can use DEX remote captures to collect WARP diagnostic logs from the Zero Trust dashboard. The device profile UUID is shown in your WARP diagnostics summary under Profile ID.

Selectors

You can configure device profiles to match against the following selectors, or criteria. Identity-based selectors are only available if the user enrolled the device by logging in to an identity provider (IdP).

User email

Apply a device profile based on the user's email.

UI name	API example value
User email	identity.email == "user-name@company.com"

User group emails

Apply a device profile based on an IdP group email address of which the user is configured as a member in the IdP.

UI name	API example
User group emails	identity.groups.email == "contractors@company.com"

User group IDs

Apply a device profile based on an IdP group ID of which the user is configured as a member in the IdP.

UI name	API example
User group IDs	identity.groups.id == "12jf495bhjd7893ml09o"

User group names

Apply a device profile based on an IdP group name of which the user is configured as a member in the IdP.

UI name	API example
User group names	identity.groups.name == "\"finance\""

Operating system

Apply a device profile based on the operating system of the device.

UI name	API example
Operating system	os.name in {\"windows\" \"mac\"}

Operating system version

Apply a device profile based on the OS version of the device.

UI name	API example
Operating system version	os.version == \"1.2.0\"

Note

The OS version must be specified as a valid Semver ↗. For example, if your device is running OS version 1.2, you must enter 1.2.0.

Managed network

Apply a device profile based on the managed network that the device is connected to.

UI name	API example
Managed network	network == \"Austin office\"

SAML attributes

Apply a device profile based on an attribute name and value from a SAML IdP.

UI name	API example
SAML Attributes	identity.saml_attributes == "\"group=finance\""

Service token

Apply a device profile based on the service token used to enroll the device.

UI name	API example
Service Token	identity.service_token_uuid == \"f174e90a-fafe-4643-bbbc-4a0ed4fc8415\"

Comparison operators

Comparison operators determine how device profiles match a selector.

Operator	Meaning
is	equals the defined value
in	matches at least one of the defined values

Logical operators

To evaluate multiple conditions in an expression, select a logical operator:

Operator	Meaning
And	match all of the conditions in the expression
Or	match any of the conditions in the expression

Order of precedence

Cloudflare WARP evaluates device profiles dynamically based on a hierarchy. When a device connects, WARP checks the profiles from top to bottom as they appear in the dashboard. WARP follows the first match principle — once a device matches a profile, WARP stops evaluating and no subsequent profiles can override the decision.

The Default profile is always at the bottom of the list. It will only be applied if the device does not meet the criteria of any profile listed above it. If you make another custom profile the default, all settings will be copied over into the Default profile.

Administrators can create multiple profiles to apply different settings based on specific criteria such as user identity, location, or operating system. Understanding this top-to-bottom evaluation order is crucial for ensuring that the correct policies are applied to devices.