[CF1] macOS intune deployment

deadlypants1973 · deadlypants1973 · commit 92e3e313b6e9 · 2025-08-13T19:20:48.000+01:00
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/partners/intune.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/partners/intune.mdx
@@ -109,7 +109,173 @@ If you prefer to use Intune's Win32 App tool to run the Powershell script, refer
 
 ## macOS
 
-Refer to the [generic instructions for macOS](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/#macos).
+The following steps outline deploying WARP on MacOS using Intune.
+
+### Prerequisites
+
+- A Microsoft Intune account.
+- A Cloudflare account that has completed the Zero Trust onboarding flow.
+- macOS devices enrolled in Intune.
+
+### Deployment order
+
+:::tip[Best practice]
+Deploy configuration profiles before the WARP application itself. This ensures that when the WARP client installs, it already has the required permissions and certificates, avoiding failed installations.
+:::
+
+- Upload user-side certificate and team domain certificate (2 separate configuration policies).
+- Allow system extensions (bundle ID and team identifier policy).
+- Upload MobileConfig (custom configuration policy).
+- Upload and assign the WARP `.pkg` (application policy).
+
+### 1. Upload certificates
+
+You must deploy two certificates via Intune: user-side certificate and team domain certificate.
+
+#### 1.1 User-side certificate
+
+1. Log into [Zero Trust](https://one.dash.cloudflare.com/).
+2. Go to **Settings** > **Resources** > under **Certificates**, select **Manage**.
+3. Find your [certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/) and select the three dot icon next to it > select **Download .crt**.
+4. In the [Microsoft Intune admin center](https://intune.microsoft.com) > go to **Devices** > select **macOS**.
+5. Under **Manage devices**, select **Configurations**.
+6. Select **Create** > **New Policy**.
+7. For **Profile Type**, select _Templates_ > select **Trusted certificate** as the **Template name** > **Create**.
+8. In **Basics**, input the necessary field(s) > **Next**.
+9. For **Deployment Channel**, select **Device Channel**.
+10. Upload your file.
+// this has to be in cer format, and the user only has crt, what steps do they take to remedy this?
+
+#### 1.2 Team domain certificate
+
+1. Go your [team domain](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name) in a browser.
+	```
+	https://<team-name>.cloudflareaccess.com
+	```
+2. Export the TLS certificate as `.cer`.
+3. Repeat the upload steps in 1.1.
+
+By completing this step, you ensure that macOS devices trust WARP’s connection to your team domain and Cloudflare.
+
+### 2. Allow WARP system extensions
+
+1. In the [Microsoft Intune admin center](https://intune.microsoft.com) > go to **Devices** > **macOS**.
+2. Under **Manage devices**, select **Configurations**.
+3. Select **Create** > **New Policy**.
+4. For **Profile type**, select _Settings catalog_ > **Create**.
+5. In **Basics**, input the necessary field(s) > **Next**.
+6. In **Configuration settings**, select **Add settings**.
+7. In the **Settings picker**, search for **System Extensions** under System Configuration.
+8. Enable **Allowed System Extensions**.
+9. Edit instance and add:
+	Bundle Identifier: `com.cloudflare.1.1.1.1`
+	Team Identifier: `68BUP38M2J`
+10. Select a button to save. // which button on which screen?
+11. In **Assignments**, select an option (for example, **Add all devices** or **Add all users**) that is valid for your scope. This will be the same scope for all steps.
+12. Select **Next**.
+13. // step here where they press the button to create
+// full steps here need to fleshed out with UI walkthrough
+
+This step allows WARP to install withour user interaction. By completing this step, you allow WARP to install and manage its required system extensions without end-user prompts.
+
+### 3. Upload `MobileConfig` configuration
+
+1. Open a text editor and paste in the following `.mobileconfig` template:
+
+	```
+	<?xml version="1.0" encoding="UTF-8"?>
+	<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+	<plist version="1.0">
+			<dict>
+					<key>PayloadDisplayName</key>
+					<string>Cloudflare WARP</string>
+					<key>PayloadIdentifier</key>
+					<string>cloudflare_warp</string>
+					<key>PayloadOrganization</key>
+					<string>Cloudflare, Ltd.</string>
+					<key>PayloadRemovalDisallowed</key>
+					<false/>
+					<key>PayloadType</key>
+					<string>Configuration</string>
+					<key>PayloadScope</key>
+					<string>System</string>
+					<key>PayloadUUID</key>
+					<string>YOUR_PAYLOAD_UUID_HERE</string>
+					<key>PayloadVersion</key>
+					<integer>1</integer>
+					<key>PayloadContent</key>
+					<array>
+							<dict>
+									<key>organization</key>
+									<string>YOUR_TEAM_NAME_HERE</string>
+									<key>auto_connect</key>
+									<integer>120</integer>
+									<key>onboarding</key>
+									<false/>
+									<key>PayloadDisplayName</key>
+									<string>Warp Configuration</string>
+									<key>PayloadIdentifier</key>
+									<string>com.cloudflare.warp.YOUR_PAYLOAD_UUID_HERE</string>
+									<key>PayloadOrganization</key>
+									<string>Cloudflare Ltd.</string>
+									<key>PayloadType</key>
+									<string>com.cloudflare.warp</string>
+									<key>PayloadUUID</key>
+									<string>YOUR_PAYLOAD_UUID_HERE</string>
+									<key>PayloadVersion</key>
+									<integer>1</integer>
+							</dict>
+					</array>
+			</dict>
+	</plist>
+	```
+2. Open your macOS Terminal and run `uuidgen`. This will generate a value for `PayloadUUID`. Use this value to replace the default value (`YOUR_PAYLOAD_UUID_HERE`) used in the template (three locations total).
+3. Update your organization's string (`YOUR_TEAM_NAME_HERE`) with your [team name](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name).
+// are team name and payload UUID the only requirements? can everything else be left the same? like the autoconnect key //
+4. Modify the file with your desired [deployment parameters](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/parameters/).
+	```
+	<array>
+		<dict>
+				<key>organization</key>
+				<string>YOUR_TEAM_NAME_HERE</string>
+				// Add additional configuration here
+	```
+	// what does this step mean? is it completely optional? need less generic guidance here //
+5. In the [Microsoft Intune admin center](https://intune.microsoft.com) > go to **Devices** > **macOS**.
+6. Under **Manage devices**, select **Configurations**.
+7. Select **Create** > **New Policy**.
+8. For **Profile Type**, select _Templates_ > select **Custom** as the **Template name** > **Create**.
+9. In **Basics**, input the necessary field(s) > **Next**.
+10. In **Custom configuration profile name**, input a name.
+11. For **Deployment Channel**, select **Device Channel**.
+12. Under **Configuration profile file**, upload your `.mobileconfig` file > **Next**.
+13. In **Assignments**, select an option (for example, **Add all devices** or **Add all users**) that is valid for your scope. This will be the same scope for all steps.
+
+By completing this step, you preconfigure WARP with your team settings so it connects automatically upon installation.
+
+### 4. Upload WARP client `.pkg`
+
+:::tip
+Complete Step 4 one hour after Steps 1, 2, and 3 so clients have enough time to check in and update their device configurations.
+:::
+
+1. Log into [Zero Trust](https://one.dash.cloudflare.com/).
+2. Go to **Settings** > **Resources** > find macOS under **Download the WARP client** > select **Download release**.
+
+	You will be taken to the WARP documentation on [stable releases for macOS](/cloudflare-one/connections/connect-devices/warp/download-warp/#macos) and download a `.pkg` file.
+	:::note[Repeat this step to update WARP when a new release is availables]
+	Every time WARP releases a new version, you must repeat this process and get a new `.pkg` file for the new WARP version.
+	:::
+3. Log into the [Microsoft Intune admin center](https://intune.microsoft.com) > **Apps** > **MacOS**.
+4. Select **Create**.
+5. For **App type**, select _macOS app (PKG)_.
+6. In **App information**, select the `.pkg` file you downloaded and input required details.
+7. In **Requirements**, refer to the OS versions listed in [stable releases for macOS](/cloudflare-one/connections/connect-devices/warp/download-warp/#macos) and find what matches for you.
+8. In **Detection rules**, note that the WARP package will have filed in the App bundle ID and App version.
+9. In **Assignments**, select an option (for example, **Add all devices** or **Add all users**) that is valid for your scope.
+10. Continue on the Microsoft Intune admin center until you can select **Create** to create your policy.
+
+By completing this step, you deliver the WARP client to targeted macOS devices, either automatically (assignment scope set as **Required**) or on-demand (assignment scope as **Available**) through your company portal.
 
 ## iOS
 
