device enrollment examples

Author: ranbel

src/content/partials/cloudflare-one/access/create-service-token.mdx

@@ -3,6 +3,10 @@
 
 ---
 
+import { Tabs, TabItem } from '~/components';
+
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Service Auth** > **Service Tokens**.
 
 2. Select **Create Service Token**.
@@ -16,5 +20,47 @@
 6. Copy the Client Secret.
 
    :::caution
-   This is the only time Cloudflare Access will display the Client Secret. If you lose the Client Secret, you must generate a new service token. 
+   This is the only time Cloudflare Access will display the Client Secret. If you lose the Client Secret, you must generate a new service token.
    :::
+
+</TabItem> <TabItem label="Terraform">
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token):
+	- `Access: Service Tokens Write`
+
+2. Configure the [`cloudflare_zero_trust_access_service_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/zero_trust_access_service_token) resource:
+
+		```tf
+		resource "cloudflare_zero_trust_access_service_token" "example_service_token" {
+		account_id = var.cloudflare_account_id
+		name       = "Example service token"
+		duration  = "8760h"
+		}
+		```
+
+3. Output the Client ID and Client Secret to the Terraform state file:
+
+		```tf
+		output "example_service_token_client_id" {
+			value     = cloudflare_zero_trust_access_service_token.example_service_token.client_id
+		}
+
+		output "example_service_token_client_secret" {
+			value     = cloudflare_zero_trust_access_service_token.example_service_token.client_secret
+			sensitive = true
+		}
+		```
+4. Apply the configuration:
+		```sh
+		terraform apply
+		```
+
+5. Read the Client ID and Client Secret:
+		```sh
+		terraform output example_service_token_client_id
+		```
+		```sh
+		terraform output example_service_token_client_secret
+		```
+
+</TabItem> </Tabs>

src/content/partials/cloudflare-one/warp/device-enrollment-mtls.mdx

@@ -3,10 +3,12 @@
 
 ---
 
-import { GlossaryTooltip } from "~/components"
+import { GlossaryTooltip, Tabs, TabItem } from "~/components"
 
 To check for an mTLS certificate:
 
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 1. [Add an mTLS certificate](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#add-mtls-authentication-to-your-access-configuration) to your account. You can generate a sample certificate using the [Cloudflare PKI toolkit](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#test-mtls-using-cloudflare-pki).
 
 2. In **Associated hostnames**, enter your Zero Trust <GlossaryTooltip term="team domain">team domain</GlossaryTooltip>: `<team-name>.cloudflareaccess.com`
@@ -18,3 +20,49 @@ To check for an mTLS certificate:
    | Allow  | Require   | Common Name | `<CERT-COMMON-NAME>` |
 
 4. On your device, add the client certificate to the [system keychain](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#test-in-the-browser).
+
+</TabItem> <TabItem label="Terraform">
+
+1. Add the following permissions to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token):
+	- `Access: Mutual TLS Certificates Write`
+	- `Access: Apps and Policies Write`
+
+2. Use the [`cloudflare_zero_trust_access_mtls_certificate`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/zero_trust_access_mtls_certificate) resource to add an mTLS certificate to your account:
+
+	```tf
+	resource "cloudflare_zero_trust_access_mtls_certificate" "example_mtls_cert" {
+		account_id     = var.cloudflare_account_id
+		name           = "WARP enrollment mTLS cert"
+		certificate    = <<EOT
+		-----BEGIN CERTIFICATE-----
+		xxxx
+		xxxx
+		-----END CERTIFICATE-----
+		EOT
+		associated_hostnames = ["your-team-name.cloudflareaccess.com"]
+	}
+	```
+
+3. Add the following policy to your [WARP enrollment Access application](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/#set-device-enrollment-permissions):
+
+	```tf
+	resource "cloudflare_zero_trust_access_policy" "warp_enrollment_employees" {
+		application_id = cloudflare_zero_trust_access_application.warp_enrollment_app.id
+		account_id     = var.cloudflare_account_id
+		name           = "Allow company emails"
+		decision       = "allow"
+		precedence     = 1
+
+		include {
+			email_domain = ["company.com"]
+		}
+
+		require {
+			common_names = ["Common name 1", "Common name 2"]
+		}
+	}
+	```
+
+4. On your device, add the client certificate to the [system keychain](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#test-in-the-browser).
+
+</TabItem> </Tabs>

src/content/partials/cloudflare-one/warp/device-enrollment.mdx

@@ -3,6 +3,10 @@
 
 ---
 
+import { Tabs, TabItem } from '~/components';
+
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **WARP Client**.
 2. In **Device enrollment permissions**, select **Manage**.
 3. In the **Rules** tab, configure one or more [Access policies](/cloudflare-one/policies/access/) to define who can join their device. For example, you could allow all users with a company email address:
@@ -12,8 +16,45 @@
 
 :::note
 
-Device posture checks are not supported in device enrollment policies. WARP can only perform posture checks after the device is enrolled. 
+Device posture checks are not supported in device enrollment policies. WARP can only perform posture checks after the device is enrolled.
 :::
 
 4. In the **Authentication** tab, select the [identity providers](/cloudflare-one/identity/idp-integration/) users can authenticate with. If you have not integrated an identity provider, you can use the [one-time PIN](/cloudflare-one/identity/one-time-pin/).
 5. Select **Save**.
+
+</TabItem> <TabItem label="Terraform">
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token):
+	- `Access: Apps and Policies Write`
+
+2. Use the [`cloudflare_zero_trust_access_application`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_access_application) resource to create an application with type `warp`.
+
+	```tf
+	resource "cloudflare_zero_trust_access_application" "warp_enrollment_app" {
+		account_id                = var.cloudflare_account_id
+		session_duration          = "18h"
+		name                      = "Warp device enrollment"
+		allowed_idps              = [cloudflare_zero_trust_access_identity_provider.microsoft_entra_id.id]
+		auto_redirect_to_identity = true
+		type                      = "warp"
+		app_launcher_visible      = false
+	}
+	```
+
+3. Use the [`cloudflare_zero_trust_access_policy`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_access_policy) resource to define enrollment permissions.
+
+	```tf
+	resource "cloudflare_zero_trust_access_policy" "warp_enrollment_employees" {
+		application_id = cloudflare_zero_trust_access_application.warp_enrollment_app.id
+		account_id     = var.cloudflare_account_id
+		name           = "Allow company emails"
+		decision       = "allow"
+		precedence     = 1
+
+		include {
+			email_domain = ["company.com"]
+		}
+	}
+	```
+
+</TabItem> </Tabs>

src/content/partials/cloudflare-one/warp/service-token-enrollment.mdx

@@ -3,6 +3,10 @@
 
 ---
 
+import { Tabs, TabItem } from '~/components';
+
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 1. [Create a service token](/cloudflare-one/identity/service-tokens/#create-a-service-token).
 
 2. Copy the token's **Client ID** and **Client Secret**.
@@ -17,4 +21,32 @@
    * `auth_client_id`: The **Client ID** of your service token.
    * `auth_client_secret`: The **Client Secret** of your service token.
 
+</TabItem> <TabItem label="Terraform">
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token):
+	- `Access: Apps and Policies Write`
+
+2. [Create a service token](/cloudflare-one/identity/service-tokens/#create-a-service-token) and copy its **Client ID** and **Client Secret**.
+
+3. Add the following policy to your [WARP enrollment Access application](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/#set-device-enrollment-permissions):
+
+	```tf
+	resource "cloudflare_zero_trust_access_policy" "warp_enrollment_service_token" {
+		application_id = cloudflare_zero_trust_access_application.warp_enrollment_app.id
+		account_id     = var.cloudflare_account_id
+		name           = "Allow service token"
+		decision       = "non_identity"
+		precedence     = 2
+
+		include {
+			service_token = [cloudflare_zero_trust_access_service_token.example_service_token.id]
+		}
+	}
+	```
+4. In your MDM [deployment parameters](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/parameters/), add the following fields:
+   * `auth_client_id`: The **Client ID** of your service token.
+   * `auth_client_secret`: The **Client Secret** of your service token.
+
+</TabItem> </Tabs>
+
 When you deploy the WARP client with your MDM provider, WARP will automatically connect the device to your Zero Trust organization.