Enable Device Information Only mode
Device Information Only mode allows you to enforce device posture rules when a user connects to your self-hosted Access application. This mode relies on a client certificate generated from your account to establish trust between the Access application and the device.
To set up Device Information Only mode:
-
Enable client certificate provisioning for your zone:
curl -X PATCH 'https://api.cloudflare.com/client/v4/zones/<ZONE ID>/devices/policy/certificates' \-H "X-Auth-Email: <EMAIL>" \-H "X-Auth-Key: <API_KEY>" \--data '{"enabled": true}' -
In Zero Trust, go to Settings > WARP Client.
-
In the Profile settings card, choose a device profile and select Configure.
-
For Service mode, select Device Information Only.
-
Next, enroll your device into your Zero Trust organization.
When enrolled in Device Information Only mode, the WARP client will automatically generate a client certificate and install the certificate on the device. This certificate is necessary to confirm the source of outgoing traffic.
-
(Optional) Verify the client certificate on the device:
- Open the Start menu and select Run.
- Enter
certlm.msc
. - Go to Personal > Certificates.
The certificate name should match the Device ID in your WARP client Preferences.
- Open Keychain Access.
- Go to System > My Certificates.
The certificate name should match the Device ID in your WARP client Preferences.
-
(Optional) Verify the client certificate in your Cloudflare account:
- In the Cloudflare dashboard, select the zone for which you enabled client certificates.
- Go to SSL/TLS > Client Certificates.
The certificate name is the WARP enrollment Device ID.
-
Lastly, block traffic from devices that do not have a valid client certificate:
- In the Cloudflare dashboard, go to SSL/TLS > Client Certificates.
- Under Hosts, add the domain you want to protect with device posture rules.
- Select Create mTLS rule.
- In the Hostname dropdown, select your domain.
- Select Deploy. This creates a WAF Firewall rule that checks all requests to your domain for a valid client certificate.
Device Information Only mode is now enabled on the device. To start enforcing device posture, set up a WARP client check and add a Require device posture rule to your Access policy. When the device connects to the Access application for the first time, the browser will ask to use the client certificate installed by WARP.