add client cert locations

ranbel · ranbel · commit 5add7d1cf780 · 2025-04-07T13:15:13.000-04:00
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/device-information-only.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/device-information-only.mdx
@@ -6,13 +6,26 @@ sidebar:
 
 ---
 
-import { TabItem, Tabs } from "~/components"
+import { TabItem, Tabs, Details, Width } from "~/components"
+
+<Details header="Feature availability">
+
+| System   | Availability |
+| ---------| -------------|
+| Windows  | ✅           |
+| macOS    | ✅           |
+| Linux    | ✅           |
+| iOS      | ✅           |
+| Android  | ✅           |
+| ChromeOS | ✅           |
+
+</Details>
 
 Device Information Only mode allows you to enforce device posture rules when a user connects to your [self-hosted Access application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/). This mode relies on a client certificate generated from your account to establish trust between the Access application and the device.
 
-To set up Device Information Only mode:
+## 1. Turn on account settings
 
-1. Enable client certificate provisioning for [your zone](/fundamentals/setup/find-account-and-zone-ids/):
+Using the API, enable client certificate provisioning for [your zone](/fundamentals/setup/find-account-and-zone-ids/):
 
    ```bash
    curl --request PATCH \
@@ -23,55 +36,95 @@ To set up Device Information Only mode:
    --data '{"enabled": true}'
    ```
 
-2. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **WARP Client**.
+## 2. Configure the WARP client
 
-3. In the **Profile settings** card, choose a [device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/) and select **Configure**.
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **WARP Client**.
 
-4. For **Service mode**, select **Device Information Only**.
+2. Under  **Profile settings** card, choose a [device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/) and select **Configure**.
 
-5. Next, [enroll your device](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/) into your Zero Trust organization.
+3. For **Service mode**, select **Device Information Only**.
+
+4. [Enroll your device](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/) into your Zero Trust organization.
 
    When enrolled in Device Information Only mode, the WARP client will automatically generate a client certificate and install the certificate on the device. This certificate is necessary to confirm the source of outgoing traffic.
 
-6. (Optional) Verify the client certificate on the device:
+## 3. (Optional) Verify the client certificate
+
+1. To view the client certificates installed on the device:
+
+		<Tabs> <TabItem label="Windows">
+
+		1. Open the Start menu and select **Run**.
+		2. Enter `certlm.msc`.
+		3. Go to **Personal** > **Certificates**.
+
+		</TabItem> <TabItem label="macOS">
+
+		1. Open **Keychain Access**.
+		2. Go to **System** > **My Certificates**.
+
+		The certificate name should match the **Device ID** in your WARP client **Preferences**.
+
+		</TabItem>
+
+		<TabItem label="Linux">
 
-<Tabs> <TabItem label="Windows">
+		Open a terminal window and run the following command:
 
-1. Open the Start menu and select **Run**.
-2. Enter `certlm.msc`.
-3. Go to **Personal** > **Certificates**.
+		```sh
+		$ certutil -L -d sql:/etc/pki/nssdb
+		```
 
-The certificate name should match the **Device ID** in your WARP client **Preferences**.
-![Verifying the Device Information Only mode certificate in Windows](~/assets/images/cloudflare-one/connections/device-information-only-windows.png)
+		</TabItem>
 
-</TabItem> <TabItem label="macOS">
+		<TabItem label="iOS">
 
-1. Open **Keychain Access**.
-2. Go to **System** > **My Certificates**.
+		Go to **Settings** > **General** > **About** > **Certificate Trust Settings**.
 
-The certificate name should match the **Device ID** in your WARP client **Preferences**.
+		</TabItem>
 
-</TabItem> </Tabs>
+		<TabItem label="Android">
 
-7. (Optional) Verify the client certificate in your Cloudflare account:
+		The location of the client certificate may vary depending on the Android device.
+
+		- **Samsung**: Go to **Settings** > **Security** > **Other security settings** > **View security certificates**.
+		- **Google Pixel**: Go to **Security** > **Advanced settings** > **Encryption & credentials** > **Credential storage**.
+
+		</TabItem>
+
+		<TabItem label="ChromeOS">
+
+		Go to **Settings** > **Apps** > **Google Play Store** > **Manage Android Preferences** > **Security** > **Credentials**.
+
+		</TabItem>
+		</Tabs>
+
+		The client certificate name should match the **Device ID** in your WARP client **Preferences**.
+
+2. To verify the client certificate in your Cloudflare account:
 
    1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), select the zone for which you enabled client certificates.
    2. Go to **SSL/TLS** > **Client Certificates**.
 
    The certificate name is the WARP enrollment **Device ID**.
    ![Example client certificate in the Cloudflare dashboard](~/assets/images/cloudflare-one/connections/device-information-only-cert.png)
 
-8. Lastly, block traffic from devices that do not have a valid client certificate:
-   1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **SSL/TLS** > **Client Certificates**.
-   2. Under **Hosts**, add the domain you want to protect with device posture rules.
-   3. Select **Create mTLS rule**.
-   4. Change the **URI path** field to **Hostname**, and enter the domain you want to protect.
-   5. Select **Deploy**. This creates a WAF custom rule that checks all requests to your domain for a valid client certificate.
+## 4. Enforce the client certificate
 
-Device Information Only mode is now enabled on the device. To start enforcing device posture, set up a [WARP client check](/cloudflare-one/identity/devices/warp-client-checks/) and add a *Require* device posture rule to your [Access policy](/cloudflare-one/policies/access/). When the device connects to the Access application for the first time, the browser will ask to use the client certificate installed by WARP.
+To block traffic from devices that do not have a valid client certificate:
 
-<div class="large-img">
+1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **SSL/TLS** > **Client Certificates**.
+2. Under **Hosts**, select **Edit** and enter the hostname of your Access application (for example, `app.mycompany.com`). This enables mTLS authentication for the application.
+3. Select **Create mTLS rule**.
+4. Create a WAF custom rule that checks all requests to your application for a valid client certificate:
+    | Field | Operator | Value | Logic | Action |
+    | ----- | -------- | ----- | ----- | ------ |
+    | Client Certificate | equals | Off | And | Block |
+    | Hostname | equals |  `app.mycompany.com` | | |
+5. Select **Deploy**.
 
-![Browser prompts for client certificate](~/assets/images/cloudflare-one/connections/device-information-only-browser.png)
+Device Information Only mode is now enabled on the device. To start enforcing device posture, set up a [WARP client check](/cloudflare-one/identity/devices/warp-client-checks/) and add a *Require* device posture rule to your [Access policy](/cloudflare-one/policies/access/). When the device connects to the Access application for the first time, the browser will ask to use the client certificate installed by WARP.
 
-</div>
+<Width size="large">
+![Browser prompts for client certificate](~/assets/images/cloudflare-one/connections/device-information-only-browser.png)
+</Width>
