Define device enrollment permissions
Device enrollment permissions determine which users can connect new devices to your organization's Cloudflare Zero Trust instance. Once the user registers their device, the WARP client will store their identity token and use it to authenticate to services in your private network.
- In Zero Trust, go to Settings > WARP Client.
- In Device enrollment permissions, select Manage.
- In the Rules tab, configure one or more Access policies to define who can join their device. For example, you could allow all users with a company email address:

  | Rule type | Selector | Value |
  | --- | --- | --- |
  | Include | Emails ending in | @company.com |
- In the Authentication tab, select the identity providers users can authenticate with. If you have not integrated an identity provider, you can use the one-time PIN.
- Select Save.
To configure the same enrollment permissions with Terraform:

- Add the following permission to your cloudflare_api_token: Access: Apps and Policies Write
- Create a reusable Access policy using the cloudflare_zero_trust_access_policy resource:

  ```hcl
  resource "cloudflare_zero_trust_access_policy" "allow_company_emails" {
    account_id = var.cloudflare_account_id
    name       = "Allow company emails"
    decision   = "allow"
    include = [{
      email_domain = {
        domain = "@example.com"
      }
    }]
  }
  ```

- Use the cloudflare_zero_trust_access_application resource to create an application with type warp:

  ```hcl
  resource "cloudflare_zero_trust_access_application" "device_enrollment" {
    account_id                = var.cloudflare_account_id
    type                      = "warp"
    name                      = "Warp device enrollment"
    allowed_idps              = [cloudflare_zero_trust_access_identity_provider.microsoft_entra_id.id]
    auto_redirect_to_identity = true
    app_launcher_visible      = false
    policies = [{
      id         = cloudflare_zero_trust_access_policy.allow_company_emails.id
      precedence = 1
    }]
  }
  ```
Device posture evaluation happens after a device has already enrolled in your Zero Trust organization. If you want only specific devices to be able to enroll, we recommend adding a mutual TLS authentication rule to your device enrollment policy. This rule will check for the presence of a specific client certificate on the enrolling devices.
To check for an mTLS certificate:
- Add an mTLS certificate to your account. You can generate a sample certificate using the Cloudflare PKI toolkit.
- In Associated hostnames, enter your Zero Trust team domain: <team-name>.cloudflareaccess.com
- In your device enrollment permissions, add a Common Name or Valid Certificate rule. For example, the following policy requires a client certificate with a specific common name:

  | Action | Rule type | Selector | Value |
  | --- | --- | --- | --- |
  | Allow | Require | Common Name | <CERT-COMMON-NAME> |

- On your device, add the client certificate to the system keychain.
To do the same with Terraform:

- Add the following permissions to your cloudflare_api_token:
  - Access: Mutual TLS Certificates Write
  - Access: Apps and Policies Write
- Use the cloudflare_zero_trust_access_mtls_certificate resource to add an mTLS certificate to your account:

  ```hcl
  resource "cloudflare_zero_trust_access_mtls_certificate" "example_mtls_cert" {
    account_id           = var.cloudflare_account_id
    name                 = "WARP enrollment mTLS cert"
    certificate          = <<EOT
  -----BEGIN CERTIFICATE-----
  xxxxxxxx
  -----END CERTIFICATE-----
  EOT
    associated_hostnames = ["your-team-name.cloudflareaccess.com"]
  }
  ```

- Create the following Access policy:

  ```hcl
  resource "cloudflare_zero_trust_access_policy" "warp_enrollment_mtls" {
    account_id = var.cloudflare_account_id
    name       = "Allow employees with mTLS cert"
    decision   = "allow"
    include = [{
      email_domain = {
        domain = "@example.com"
      }
    }]
    require = [{
      common_name = {
        common_name = "Common name 1"
      }
    }, {
      common_name = {
        common_name = "Common name 2"
      }
    }]
  }
  ```

- Add the policy to your cloudflare_zero_trust_access_application for WARP.
- On your device, add the client certificate to the system keychain.
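The last Terraform step above says to attach the mTLS policy to the WARP application but does not show it. The following is an added example, not code from the Cloudflare docs: it assumes the policy cloudflare_zero_trust_access_policy.warp_enrollment_mtls and the identity provider cloudflare_zero_trust_access_identity_provider.microsoft_entra_id are already declared, and introduces a hypothetical var.cloudflare_team_name holding the <team-name> part of the team domain and a placeholder certificate file path.

```hcl
# Added example (not from the Cloudflare docs). Assumes
# cloudflare_zero_trust_access_policy.warp_enrollment_mtls and
# cloudflare_zero_trust_access_identity_provider.microsoft_entra_id exist.
variable "cloudflare_team_name" {
  type        = string
  description = "Zero Trust team name: the part before .cloudflareaccess.com"
}

# The certificate must be associated with the team domain; otherwise the
# Common Name rule in the enrollment policy never sees a client certificate
# and every enrollment attempt is denied.
resource "cloudflare_zero_trust_access_mtls_certificate" "warp_enrollment" {
  account_id           = var.cloudflare_account_id
  name                 = "WARP enrollment mTLS cert"
  certificate          = file("${path.module}/certs/warp-enrollment-ca.pem") # placeholder path
  associated_hostnames = ["${var.cloudflare_team_name}.cloudflareaccess.com"]
}

resource "cloudflare_zero_trust_access_application" "device_enrollment" {
  account_id                = var.cloudflare_account_id
  type                      = "warp"
  name                      = "WARP device enrollment"
  allowed_idps              = [cloudflare_zero_trust_access_identity_provider.microsoft_entra_id.id]
  auto_redirect_to_identity = true
  app_launcher_visible      = false

  # Only the mTLS-gated policy is attached. A user with a company email but
  # no client certificate in the system keychain cannot enroll a device;
  # do not also attach the email-only allow policy, or it would bypass the
  # certificate requirement.
  policies = [{
    id         = cloudflare_zero_trust_access_policy.warp_enrollment_mtls.id
    precedence = 1
  }]

  # Make sure the certificate is uploaded before the application that
  # depends on its Common Name rule goes live.
  depends_on = [cloudflare_zero_trust_access_mtls_certificate.warp_enrollment]
}
```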
Most businesses use a single identity provider as the source of truth for their user directory. You should use this source of truth to onboard your corporate users to Zero Trust, for example by requiring company email addresses to log in with your primary identity provider. Later on, you can add other login methods or identity providers as necessary for any contractors, vendors, or acquired corporations who may need access to your network.
- 2025 Cloudflare, Inc.