From a8542c9874938bef31b6de044c30a616b4a6641e Mon Sep 17 00:00:00 2001
From: Ranbel Sun
Date: Fri, 6 Sep 2024 17:05:15 -0400
Subject: [PATCH 01/18] create add-service-provider partial
---
.../devices/service-providers/crowdstrike.mdx | 5 +----
.../identity/devices/service-providers/kolide.mdx | 5 +----
.../identity/devices/service-providers/microsoft.mdx | 5 +----
.../devices/service-providers/sentinelone.mdx | 5 +----
.../identity/devices/service-providers/taniums2s.mdx | 5 +----
.../identity/devices/service-providers/uptycs.mdx | 5 +----
.../devices/service-providers/workspace-one.mdx | 12 +++++-------
.../cloudflare-one/posture/add-service-provider.mdx | 11 +++++++++++
8 files changed, 22 insertions(+), 31 deletions(-)
create mode 100644 src/content/partials/cloudflare-one/posture/add-service-provider.mdx
diff --git a/src/content/docs/cloudflare-one/identity/devices/service-providers/crowdstrike.mdx b/src/content/docs/cloudflare-one/identity/devices/service-providers/crowdstrike.mdx
index 60dd9803d8b13a4..c9bc1ab3eb52f22 100644
--- a/src/content/docs/cloudflare-one/identity/devices/service-providers/crowdstrike.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/service-providers/crowdstrike.mdx
@@ -51,10 +51,7 @@ To retrieve those values:
 ### 2. Add CrowdStrike as a service provider
-1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **WARP Client**.
-2. Scroll down to **Device posture providers** and select **Add new**.
-3. Select **CrowdStrike**.
-4. Enter any name for the provider. This name will be used throughout the dashboard to reference this connection.
+
 5. Enter the **Client ID** and **Client secret** you noted down above.
 6. Enter your **Rest API URL**.
 7. Enter your **Customer ID**.
diff --git a/src/content/docs/cloudflare-one/identity/devices/service-providers/kolide.mdx b/src/content/docs/cloudflare-one/identity/devices/service-providers/kolide.mdx
index 34c1be1788b290e..ab16c1016c7c982 100644
--- a/src/content/docs/cloudflare-one/identity/devices/service-providers/kolide.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/service-providers/kolide.mdx
@@ -27,10 +27,7 @@ import { Render } from "~/components"
 ### 2. Add Kolide as a service provider
-1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **WARP Client**.
-2. Scroll down to **Device posture providers** and select **Add new**.
-3. Select **Kolide**.
-4. Enter any name for the provider. This name will be used throughout the dashboard to reference this connection.
+
 5. Enter the **Client secret** you noted down above.
 6. Choose a **Polling frequency** for how often Cloudflare Zero Trust should query Kolide for information.
 7. Select **Save**.
diff --git a/src/content/docs/cloudflare-one/identity/devices/service-providers/microsoft.mdx b/src/content/docs/cloudflare-one/identity/devices/service-providers/microsoft.mdx
index 7615c5a94f3b78f..330d625350ae4b0 100644
--- a/src/content/docs/cloudflare-one/identity/devices/service-providers/microsoft.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/service-providers/microsoft.mdx
@@ -43,10 +43,7 @@ To retrieve those values:
 ## 2. Add Intune as a service provider
-1. Go to **Settings** > **WARP Client**.
-2. Scroll down to **Device posture providers** and select **Add new**.
-3. Select **Microsoft Endpoint Manager**.
-4. Give your provider a name. This name will be used throughout the dashboard to reference this connection.
+
 5. Enter the **Client ID**, **Client secret** and **Customer ID** as you noted down above.
 6. Select a **Polling frequency** for how often Cloudflare Zero Trust should query Microsoft Graph API for information.
 7. Select **Save**.
diff --git a/src/content/docs/cloudflare-one/identity/devices/service-providers/sentinelone.mdx b/src/content/docs/cloudflare-one/identity/devices/service-providers/sentinelone.mdx
index 5ac8153c120b86d..6b14a6211214192 100644
--- a/src/content/docs/cloudflare-one/identity/devices/service-providers/sentinelone.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/service-providers/sentinelone.mdx
@@ -41,10 +41,7 @@ To retrieve those values:
 ### 2. Add SentinelOne as a service provider
-1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **WARP Client**.
-2. Scroll down to **Device posture providers** and select **Add new**.
-3. Select **SentinelOne**.
-4. Enter any name for the provider. This name will be used throughout the dashboard to reference this connection.
+
 5. In **Client Secret**, enter your **API Token**.
 6. In **Rest API URL**, enter `https://.sentinelone.net`.
 7. Choose a **Polling frequency** for how often Cloudflare Zero Trust should query SentinelOne for information.
diff --git a/src/content/docs/cloudflare-one/identity/devices/service-providers/taniums2s.mdx b/src/content/docs/cloudflare-one/identity/devices/service-providers/taniums2s.mdx
index 50fa406d6173b0f..b493e4f2fbe91f6 100644
--- a/src/content/docs/cloudflare-one/identity/devices/service-providers/taniums2s.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/service-providers/taniums2s.mdx
@@ -41,10 +41,7 @@ To retrieve those values:
 ### 2. Add Tanium as a service provider
-1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **WARP Client**.
-2. Scroll down to **Device posture providers** and select **Add new**.
-3. Select **Tanium**.
-4. Enter any name for the provider. This name will be used throughout the dashboard to reference this connection.
+
 5. Enter the **Client Secret** and **Rest API URL** you noted down above.
 6. Choose a **Polling frequency** for how often Cloudflare Zero Trust should query Tanium for information.
 7. Select **Save**.
diff --git a/src/content/docs/cloudflare-one/identity/devices/service-providers/uptycs.mdx b/src/content/docs/cloudflare-one/identity/devices/service-providers/uptycs.mdx
index 27f4280b35923d1..c9f2204f555d268 100644
--- a/src/content/docs/cloudflare-one/identity/devices/service-providers/uptycs.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/service-providers/uptycs.mdx
@@ -31,10 +31,7 @@ To obtain these values:
 ## 2. Add Uptycs as a service provider
-1. Go to **Settings** > **WARP Client**.
-2. Scroll down to **Device posture providers** and select **Add new**.
-3. Select **Uptycs**.
-4. Give your provider a name. This name will be used throughout the dashboard to reference this connection.
+
 5. Enter the **Client ID**, **Client secret** and **Customer ID** as you noted down above.
 6. Select a **Polling frequency** for how often Cloudflare Zero Trust should query Uptycs for information.
 7. Select **Save**.
diff --git a/src/content/docs/cloudflare-one/identity/devices/service-providers/workspace-one.mdx b/src/content/docs/cloudflare-one/identity/devices/service-providers/workspace-one.mdx
index f5de04b1d075e66..f1e302296a48496 100644
--- a/src/content/docs/cloudflare-one/identity/devices/service-providers/workspace-one.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/service-providers/workspace-one.mdx
@@ -40,13 +40,11 @@ To retrieve those values:
 ## 2. Add Workspace ONE as a service provider
-1. Go to **Settings** > **Devices** > **Device posture providers** and select **Add new**.
-2. Select **Workspace ONE**.
-3. Give your provider a name. This name will be used throughout the dashboard to reference this connection.
-4. Enter the **Client ID** and **Client secret** you noted down above.
-5. Select a **Polling frequency** for how often Cloudflare Zero Trust should query Workspace ONE for information.
-6. Enter the **Region-specific token URL** and **REST API URL** you noted down above.
-7. Select **Save**.
+
+5. Enter the **Client ID** and **Client secret** you noted down above.
+6. Select a **Polling frequency** for how often Cloudflare Zero Trust should query Workspace ONE for information.
+7. Enter the **Region-specific token URL** and **REST API URL** you noted down above.
+8. Select **Save**.
diff --git a/src/content/partials/cloudflare-one/posture/add-service-provider.mdx b/src/content/partials/cloudflare-one/posture/add-service-provider.mdx
new file mode 100644
index 000000000000000..697b469f1574f8d
--- /dev/null
+++ b/src/content/partials/cloudflare-one/posture/add-service-provider.mdx
@@ -0,0 +1,11 @@
+---
+inputParameters: param1
+
+---
+
+import { Markdown } from "~/components"
+
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **WARP Client**.
+2. Scroll down to **Third-party service provider integrations** and select **Add new**.
+3. Select **{props.one}**.
+4. Enter any name for the provider. This name will be used throughout the dashboard to reference this connection.
\ No newline at end of file
From 9b4c610d177812f785a4a2e5c1fa660412f9cbed Mon Sep 17 00:00:00 2001
From: Ranbel Sun
Date: Fri, 6 Sep 2024 17:09:13 -0400
Subject: [PATCH 02/18] update UI
---
.../partials/cloudflare-one/posture/test-posture-provider.mdx | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/content/partials/cloudflare-one/posture/test-posture-provider.mdx b/src/content/partials/cloudflare-one/posture/test-posture-provider.mdx
index ea9e23c437a4e41..85f225371d6e903 100644
--- a/src/content/partials/cloudflare-one/posture/test-posture-provider.mdx
+++ b/src/content/partials/cloudflare-one/posture/test-posture-provider.mdx
@@ -3,4 +3,4 @@
 ---
-You will see the new provider listed under **Settings** > **WARP Client** > **Device posture providers**. To ensure the values have been entered correctly, select **Test**.
+You will see the new provider listed under **Settings** > **WARP Client** > **Third-party service provider integrations**. To ensure the values have been entered correctly, select **Test**.
From d90d6eee0b64074b019c0ed06ad1728dc1aa315d Mon Sep 17 00:00:00 2001
From: Ranbel Sun
Date: Fri, 6 Sep 2024 17:11:19 -0400
Subject: [PATCH 03/18] update posture check steps
---
.../cloudflare-one/posture/configure-posture-check.mdx | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/content/partials/cloudflare-one/posture/configure-posture-check.mdx b/src/content/partials/cloudflare-one/posture/configure-posture-check.mdx
index cd4fc5e2b630652..415d3d4f7a52ba1 100644
--- a/src/content/partials/cloudflare-one/posture/configure-posture-check.mdx
+++ b/src/content/partials/cloudflare-one/posture/configure-posture-check.mdx
@@ -8,7 +8,8 @@ import { Markdown } from "~/components"
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **WARP Client** > **Service provider checks**.
 2. Select **Add new**.
 3. Select the {props.one} provider.
-4. Configure a [device posture check](#device-posture-attributes) and enter any name.
-5. Select **Save**.
+4. Enter any name for the posture check.
+5. Configure the [attributes](#device-posture-attributes) required for the device to pass the posture check.
+6. Select **Save**.
 Next, go to **Logs** > **Posture** and verify that the service provider posture check is returning the expected results.
From 7b8de16c07ab6eab708ac0c328fd16178a2f2435 Mon Sep 17 00:00:00 2001
From: Ranbel Sun
Date: Fri, 6 Sep 2024 18:18:28 -0400
Subject: [PATCH 04/18] add new service provider page
---
.../devices/service-providers/custom.mdx | 119 ++++++++++++++++++
.../devices/service-providers/index.mdx | 1 +
2 files changed, 120 insertions(+)
create mode 100644 src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
diff --git a/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx b/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
new file mode 100644
index 000000000000000..01607cfd78ac95e
--- /dev/null
+++ b/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
@@ -0,0 +1,119 @@
+---
+pcx_content_type: how-to
+title: Custom service provider
+sidebar:
+ order: 1
+
+---
+
+import { Render } from "~/components"
+
+Cloudflare Zero Trust allows you to enforce custom device posture checks on your applications. This involves configuring a WARP service-to-service integration that periodially calls the external API of your choice, whether it is a third-party endpoint provider or a home built solution. When called, the API will receive device identifying information from Cloudflare and be expected to return a value between 0 to 100. You can then set up a device posture check that determines if the returned value counts as a pass or fail; for example, you could allow access to a user only if their device has a posture value greater than 60.
+
+```mermaid
+sequenceDiagram
+ participant WARP
+ participant External API
+ WARP->>External API: Client ID and Secret
+ WARP->>External API: JSON with user and device identity
+ External API-->>WARP: JSON with 0-100 result
+```
+
+## External API requirements
+
+The custom service provider integration works with any API service that meets the following request/response specifications. Sample code is available in our GitHub repository. To learn how to build a custom external API, refer to our [Create custom device posture checks with Workers](/cloudflare-one/tutorials/custom-device-posture-workers) tutorial.
+
+### Data passed to external API
+
+Cloudflare will pass the following parameters to the configured API endpoint. You can use this data to identify the device and assign a posture score. For some devices, not all identifying information will apply, in which case the field will be blank.
+
+| Field | Description |
+| ----- | ----------- |
+| device_id | Device UUID assigned by the WARP client |
+| email | Email address used to authenticate the WARP client |
+| serial_number | Device serial number |
+| mac_address | Device MAC address |
+| virtual_ipv4 | Device virtual IPv4 address |
+| hostname | Device name |
+
+Example request body:
+```json
+{
+ "devices": {
+ [
+ {
+ "device_id": "9ece5fab-7398-488a-a575-e25a9a3dec07",
+ "email": "jdoe@mycompany.com",
+ "serial_number": "jdR44P3d",
+ "mac_address": "74:1d:3e:23:e0:fe",
+ "virtual_ipv4": "100.96.0.10",
+ "hostname": "string",
+ },
+ {...},
+ {...}
+ ]
+ }
+}
+```
+
+### Expected response from external API
+
+For each Cloudflare `device_id`, The API service is expected to return a posture score and optionally a third-party device ID.
+
+| Field | Description |
+| ----- | ----------- |
+| s2s_id | Third party device ID (empty string if unavailable) |
+| score | Integer value between 0 - 100 |
+
+Example response body:
+```json
+{
+ "result": {
+ "9ece5fab-7398-488a-a575-e25a9a3dec07": {
+ "s2s_id": "",
+ "score": 10
+ },
+ "device_id2": {...},
+ "device_id3": {...}
+ }
+}
+```
+
+## Set up custom device posture checks
+
+### 1. Create a service token
+
+WARP uses an Access Client ID and Access Client Secret to securely authenticate to the external API. If you do not already have an Access Client ID and Access Client Secret, [create a new service token](/cloudflare-one/identity/service-tokens/#create-a-service-token).
+
+### 2. Create an Access application
+
+Next, secure the external API behind Cloudflare Access so that WARP can authenticate with the service token. To add the API endpoint to Access:
+
+1. [Create a self-hosted application](/cloudflare-one/applications/configure-apps/self-hosted-apps/) for your API endpoint.
+2. Add the following Access policy to the application. Make sure that **Action** is set to _Service Auth_ (not _Allow_).
+
+ | Action | Rule type | Selector | Value |
+ | ------ | --------- | ----------------- | ------------------------------------- |
+ | Service Auth | Include | Service Token | `` |
+
+### 3. Add a service provider integration
+
+To create a custom service-to-service integration:
+
+5. In **Access client ID** and **Access client secret**, enter the Access service token used to authenticate to your external API.
+6. In **Rest API URL**, enter the external API endpoint that Cloudflare will query for posture information (for example, `https://api.example.com`). For more information, refer to [External API requirements](#external-api-requirements).
+7. In **Polling frequency**, choose how often Cloudflare Zero Trust should query the external API for information.
+8. Select **Test and save**.
+
+Next, [configure a device posture check](#configure-the-posture-check) to determine if a given posture score constitutes a pass or fail.
+
+### 4. Configure the posture check
+
+
+
+## Device posture attributes
+
+| Selector | Description | Value |
+| ------------- | ------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------- |
+| Score | Posture score returned by external API | `1` to `100` |
\ No newline at end of file
diff --git a/src/content/docs/cloudflare-one/identity/devices/service-providers/index.mdx b/src/content/docs/cloudflare-one/identity/devices/service-providers/index.mdx
index 03e10a56a910dc5..1b7010d7c374e41 100644
--- a/src/content/docs/cloudflare-one/identity/devices/service-providers/index.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/service-providers/index.mdx
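Review bot: The example request body under "Data passed to external API" is not valid JSON, so an implementer who uses it as a fixture for their parser will build the wrong shape: `"devices": {` opens an object and then places a bare array `[ ... ]` inside it with no key, and `"hostname": "string",` leaves a trailing comma before the closing `}`. The wrapper should read `"devices": [` ... `]` with the enclosing `{`/`}` pair removed, and the trailing comma dropped, so the sample parses with a strict decoder. Separately, the `Value` cell of the Service Auth policy row renders here as an empty backtick pair; if that is not an extraction artifact, it should name the service token created in step 1, since the Include rule is what restricts the endpoint to WARP's credentials. I would also add one sentence after the policy table: `This policy only admits requests that present the service token; it does not prove to your API that a request actually traversed Access.`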
@@ -18,6 +18,7 @@ Service-to-service integrations allow the WARP client to get device posture data
 | Device posture check | macOS | Windows | Linux | iOS | Android/ChromeOS |
 | ------------------------------------------------------------------------------------------- | ----- | ------- | ----- | --- | ---------------- |
+| [Custom service provider](/cloudflare-one/identity/devices/service-providers/custom/) | ✅ | ✅ | ✅ | ✅ | ✅ |
 | [Crowdstrike](/cloudflare-one/identity/devices/service-providers/crowdstrike/) | ✅ | ✅ | ✅ | ❌ | ❌ |
 | [Kolide](/cloudflare-one/identity/devices/service-providers/kolide/) | ✅ | ✅ | ✅ | ❌ | ❌ |
 | [Microsoft Endpoint Manager](/cloudflare-one/identity/devices/service-providers/microsoft/) | ✅ | ✅ | ❌ | ❌ | ❌ |
From 395682b2ebf095a4d6012908722e7352da9090c9 Mon Sep 17 00:00:00 2001
From: Ranbel Sun
Date: Fri, 6 Sep 2024 18:18:38 -0400
Subject: [PATCH 05/18] link to device posture policy info
---
.../cloudflare-one/posture/configure-posture-check.mdx | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/content/partials/cloudflare-one/posture/configure-posture-check.mdx b/src/content/partials/cloudflare-one/posture/configure-posture-check.mdx
index 415d3d4f7a52ba1..dd74636532ce360 100644
--- a/src/content/partials/cloudflare-one/posture/configure-posture-check.mdx
+++ b/src/content/partials/cloudflare-one/posture/configure-posture-check.mdx
@@ -11,5 +11,6 @@ import { Markdown } from "~/components"
 4. Enter any name for the posture check.
 5. Configure the [attributes](#device-posture-attributes) required for the device to pass the posture check.
 6. Select **Save**.
+7. To test, go to **Logs** > **Posture** and verify that the service provider posture check is returning the expected results.
-Next, go to **Logs** > **Posture** and verify that the service provider posture check is returning the expected results.
+You can now use this posture check in a [device posture policy](/cloudflare-one/identity/devices/#3-build-a-device-posture-policy).
From e205a15ec620f510083684340b3262c2faf06ede Mon Sep 17 00:00:00 2001
From: Ranbel Sun
Date: Fri, 6 Sep 2024 18:19:27 -0400
Subject: [PATCH 06/18] update tutorials layout
---
src/content/docs/cloudflare-one/tutorials/index.mdx | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/content/docs/cloudflare-one/tutorials/index.mdx b/src/content/docs/cloudflare-one/tutorials/index.mdx
index e2436193f6d2da1..0e28f93dc01d966 100644
--- a/src/content/docs/cloudflare-one/tutorials/index.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/index.mdx
@@ -8,6 +8,7 @@ column_param: category
 sidebar:
 order: 11
 head: []
+tableOfContents: false
 description: View tutorials for Cloudflare Zero Trust.
 ---
From 19432cba77aa0795b856c9fa21a2188ed79b936a Mon Sep 17 00:00:00 2001
From: Ranbel Sun
Date: Fri, 6 Sep 2024 18:19:53 -0400
Subject: [PATCH 07/18] create new tutorial placeholder
---
.../tutorials/custom-device-posture-workers.mdx | 12 ++++++++++++
1 file changed, 12 insertions(+)
create mode 100644 src/content/docs/cloudflare-one/tutorials/custom-device-posture-workers.mdx
diff --git a/src/content/docs/cloudflare-one/tutorials/custom-device-posture-workers.mdx b/src/content/docs/cloudflare-one/tutorials/custom-device-posture-workers.mdx
new file mode 100644
index 000000000000000..24fc2cbea956058
--- /dev/null
+++ b/src/content/docs/cloudflare-one/tutorials/custom-device-posture-workers.mdx
@@ -0,0 +1,12 @@
+---
+updated: 2024-09-06
+pcx_content_type: tutorial
+difficulty: Intermediate
+title: Create custom device posture checks with Workers
+
+---
+
+import { Render } from "~/components"
+
+
+## Before you begin
From d8df357884ae2d1ac9584ded382fe0c876b95f9d Mon Sep 17 00:00:00 2001
From: Ranbel Sun
Date: Mon, 30 Sep 2024 17:45:44 -0400
Subject: [PATCH 08/18] access jwt verification
---
.../identity/devices/service-providers/custom.mdx | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx b/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
index 01607cfd78ac95e..5e29c26e2dcbb08 100644
--- a/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
@@ -13,19 +13,25 @@ Cloudflare Zero Trust allows you to enforce custom device posture checks on your
 ```mermaid
 sequenceDiagram
 participant WARP
+ participant Cloudflare Access
 participant External API
- WARP->>External API: Client ID and Secret
+ WARP->>Cloudflare Access: Client ID and Secret
+ Cloudflare Access->>External API: Application token
 WARP->>External API: JSON with user and device identity
 External API-->>WARP: JSON with 0-100 result
 ```
 ## External API requirements
-The custom service provider integration works with any API service that meets the following request/response specifications. Sample code is available in our GitHub repository. To learn how to build a custom external API, refer to our [Create custom device posture checks with Workers](/cloudflare-one/tutorials/custom-device-posture-workers) tutorial.
+The custom service provider integration works with any API service that meets the following specifications. To get started with building a custom external API, refer to the sample code and our [Create custom device posture checks with Workers](/cloudflare-one/tutorials/custom-device-posture-workers) tutorial.
+
+### Authentication
+
+The WARP client authenticates to the external API through Cloudflare Access. The external API should [validate the application token](/cloudflare-one/identity/authorization-cookie/validating-json/) issued by Cloudflare Access to ensure that any requests which bypass Access (for example, due to a network misconfiguration) are rejected.
 ### Data passed to external API
-Cloudflare will pass the following parameters to the configured API endpoint. You can use this data to identify the device and assign a posture score. For some devices, not all identifying information will apply, in which case the field will be blank.
+Cloudflare will pass the following parameters to the configured API endpoint. You can use this data to identify the device and assign a posture score.
For some devices, not all identifying information will apply, in which case the field will be blank. A maximum of 1000 devices will be sent per a request.
 | Field | Description |
 | ----- | ----------- |
From 19ae67a77affea883fd73aede073478748daf29b Mon Sep 17 00:00:00 2001
From: Ranbel Sun
Date: Mon, 7 Oct 2024 15:18:45 -0400
Subject: [PATCH 09/18] remove Worker references
---
.../identity/devices/service-providers/custom.mdx | 5 +++--
.../tutorials/custom-device-posture-workers.mdx | 12 ------------
2 files changed, 3 insertions(+), 14 deletions(-)
delete mode 100644 src/content/docs/cloudflare-one/tutorials/custom-device-posture-workers.mdx
diff --git a/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx b/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
index 5e29c26e2dcbb08..3b2dc8f23fc54c4 100644
--- a/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
@@ -1,6 +1,7 @@
 ---
 pcx_content_type: how-to
 title: Custom service provider
+hidden: true
 sidebar:
 order: 1
@@ -23,7 +24,7 @@ sequenceDiagram
 ## External API requirements
-The custom service provider integration works with any API service that meets the following specifications. To get started with building a custom external API, refer to the sample code and our [Create custom device posture checks with Workers](/cloudflare-one/tutorials/custom-device-posture-workers) tutorial.
+The custom service provider integration works with any API service that meets the following specifications.
 ### Authentication
@@ -64,7 +65,7 @@ Example request body:
 ### Expected response from external API
-For each Cloudflare `device_id`, The API service is expected to return a posture score and optionally a third-party device ID.
+For each Cloudflare `device_id`, the API service is expected to return a posture score and optionally a third-party device ID.
 | Field | Description |
 | ----- | ----------- |
diff --git a/src/content/docs/cloudflare-one/tutorials/custom-device-posture-workers.mdx b/src/content/docs/cloudflare-one/tutorials/custom-device-posture-workers.mdx
deleted file mode 100644
index 24fc2cbea956058..000000000000000
--- a/src/content/docs/cloudflare-one/tutorials/custom-device-posture-workers.mdx
+++ /dev/null
@@ -1,12 +0,0 @@
----
-updated: 2024-09-06
-pcx_content_type: tutorial
-difficulty: Intermediate
-title: Create custom device posture checks with Workers
-
----
-
-import { Render } from "~/components"
-
-
-## Before you begin
From 4b6157934d98055855b7ba81ba365d8c10125e28 Mon Sep 17 00:00:00 2001
From: Ranbel Sun
Date: Mon, 7 Oct 2024 15:29:58 -0400
Subject: [PATCH 10/18] clarify test button
---
.../identity/devices/service-providers/custom.mdx | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx b/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
index 3b2dc8f23fc54c4..e010573d1e0ceae 100644
--- a/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
@@ -111,7 +111,7 @@ To create a custom service-to-service integration:
 5. In **Access client ID** and **Access client secret**, enter the Access service token used to authenticate to your external API.
 6. In **Rest API URL**, enter the external API endpoint that Cloudflare will query for posture information (for example, `https://api.example.com`). For more information, refer to [External API requirements](#external-api-requirements).
 7. In **Polling frequency**, choose how often Cloudflare Zero Trust should query the external API for information.
-8. Select **Test and save**.
+8. Select **Test and save**. The test checks if Cloudflare can authenticate to the API URL using the provided Access credentials.
 Next, [configure a device posture check](#configure-the-posture-check) to determine if a given posture score constitutes a pass or fail.
From 65ef37e48b744cd378a21a9378464ec590052953 Mon Sep 17 00:00:00 2001
From: Ranbel Sun
Date: Mon, 7 Oct 2024 22:14:22 -0400
Subject: [PATCH 11/18] fix front matter
---
.../identity/devices/service-providers/custom.mdx | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx b/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
index e010573d1e0ceae..f749cf5b61c9b87 100644
--- a/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
@@ -1,9 +1,10 @@
 ---
 pcx_content_type: how-to
-title: Custom service provider
-hidden: true
+title: Custom device posture integration
 sidebar:
+ label: Custom integration
 order: 1
+ hidden: true
 ---
From 071629c01f217c74db5e27642ec3a88ab2fc87bd Mon Sep 17 00:00:00 2001
From: Ranbel Sun
Date: Tue, 8 Oct 2024 10:28:01 -0400
Subject: [PATCH 12/18] fix score
---
.../identity/devices/service-providers/custom.mdx | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx b/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
index f749cf5b61c9b87..d26e1a39d00620c 100644
--- a/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
@@ -124,4 +124,4 @@ Next, [configure a device posture check](#configure-the-posture-check) to determ
 | Selector | Description | Value |
 | ------------- | ------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------- |
-| Score | Posture score returned by external API | `1` to `100` |
\ No newline at end of file
+| Score | Posture score returned by external API | `0` to `100` |
\ No newline at end of file
From 099fdd92270aacfcc1bf20810c9d9271e093cebe Mon Sep 17 00:00:00 2001
From: ranbel <101146722+ranbel@users.noreply.github.com>
Date: Tue, 8 Oct 2024 11:57:10 -0400
Subject: [PATCH 13/18] Update src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
Co-authored-by: marciocloudflare <83226960+marciocloudflare@users.noreply.github.com>
---
.../identity/devices/service-providers/custom.mdx | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx b/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
index d26e1a39d00620c..ce1b22641afcf5d 100644
--- a/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
@@ -10,7 +10,7 @@ sidebar:
 
 import { Render } from "~/components"
 
-Cloudflare Zero Trust allows you to enforce custom device posture checks on your applications. This involves configuring a WARP service-to-service integration that periodially calls the external API of your choice, whether it is a third-party endpoint provider or a home built solution. When called, the API will receive device identifying information from Cloudflare and be expected to return a value between 0 to 100. You can then set up a device posture check that determines if the returned value counts as a pass or fail; for example, you could allow access to a user only if their device has a posture value greater than 60.
+Cloudflare Zero Trust allows you to enforce custom device posture checks on your applications. This involves configuring a WARP service-to-service integration that periodially calls the external API of your choice, whether it is a third-party endpoint provider or a home built solution. When called, the API will receive device identifying information from Cloudflare and be expected to return a value between `0` to `100`. You can then set up a device posture check that determines if the returned value counts as a pass or fail; for example, you could allow access to a user only if their device has a posture value greater than `60`.
 
 ```mermaid
 sequenceDiagram

From 85540905e20b71aef321394cd24c62bfbd3e7ade Mon Sep 17 00:00:00 2001
From: ranbel <101146722+ranbel@users.noreply.github.com>
Date: Tue, 8 Oct 2024 12:50:17 -0400
Subject: [PATCH 14/18] Update src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx

Co-authored-by: marciocloudflare <83226960+marciocloudflare@users.noreply.github.com>
---
 .../identity/devices/service-providers/custom.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx b/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
index ce1b22641afcf5d..c5c0496cae006fc 100644
--- a/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
@@ -33,7 +33,7 @@ The WARP client authenticates to the external API through Cloudflare Access. The
 
 ### Data passed to external API
 
-Cloudflare will pass the following parameters to the configured API endpoint. You can use this data to identify the device and assign a posture score. For some devices, not all identifying information will apply, in which case the field will be blank. A maximum of 1000 devices will be sent per a request.
+Cloudflare will pass the following parameters to the configured API endpoint. You can use this data to identify the device and assign a posture score. For some devices, not all identifying information will apply, in which case the field will be blank. A maximum of 1,000 devices will be sent per a request.
 
 | Field | Description |
 | ----- | ----------- |

From dca4812f8eae6e15997252a4db87ffb4d31da88b Mon Sep 17 00:00:00 2001
From: ranbel <101146722+ranbel@users.noreply.github.com>
Date: Tue, 8 Oct 2024 12:50:26 -0400
Subject: [PATCH 15/18] Update src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx

Co-authored-by: marciocloudflare <83226960+marciocloudflare@users.noreply.github.com>
---
 .../identity/devices/service-providers/custom.mdx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx b/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
index c5c0496cae006fc..bf2a4bc9c17b4b6 100644
--- a/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
@@ -70,8 +70,8 @@ For each Cloudflare `device_id`, the API service is expected to return a posture
 
 | Field | Description |
 | ----- | ----------- |
-| s2s_id | Third party device ID (empty string if unavailable) |
-| score | Integer value between 0 - 100 |
+| `s2s_id` | Third party device ID (empty string if unavailable) |
+| `score` | Integer value between `0` - `100` |
 
 Example response body:
 ```json

From b4079f24807b508aa32843ee9a649d1707ea637f Mon Sep 17 00:00:00 2001
From: ranbel <101146722+ranbel@users.noreply.github.com>
Date: Tue, 8 Oct 2024 12:50:39 -0400
Subject: [PATCH 16/18] Update src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx

Co-authored-by: marciocloudflare <83226960+marciocloudflare@users.noreply.github.com>
---
 .../identity/devices/service-providers/custom.mdx | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx b/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
index bf2a4bc9c17b4b6..bc01c4d21170e02 100644
--- a/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
@@ -37,12 +37,12 @@ Cloudflare will pass the following parameters to the configured API endpoint. Yo
 
 | Field | Description |
 | ----- | ----------- |
-| device_id | Device UUID assigned by the WARP client |
-| email | Email address used to authenticate the WARP client |
-| serial_number | Device serial number |
-| mac_address | Device MAC address |
-| virtual_ipv4 | Device virtual IPv4 address |
-| hostname | Device name |
+| `device_id` | Device UUID assigned by the WARP client |
+| `email` | Email address used to authenticate the WARP client |
+| `serial_number` | Device serial number |
+| `mac_address` | Device MAC address |
+| `virtual_ipv4` | Device virtual IPv4 address |
+| `hostname` | Device name |
 
 Example request body:
 ```json

From a45da282c2019dd798692c0686b2428a8bfefaf2 Mon Sep 17 00:00:00 2001
From: Ranbel Sun
Date: Tue, 8 Oct 2024 13:01:05 -0400
Subject: [PATCH 17/18] link to Workers example

---
 .../identity/devices/service-providers/custom.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx b/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
index bc01c4d21170e02..15906307925569b 100644
--- a/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
@@ -25,7 +25,7 @@ sequenceDiagram
 
 ## External API requirements
 
-The custom service provider integration works with any API service that meets the following specifications.
+The custom service provider integration works with any API service that meets the following specifications. For an example of a custom device posture integration API, refer to our [Cloudflare Workers sample code](https://github.com/cloudflare/custom-device-posture-integration-example-worker).
 
 ### Authentication
 

From 168e033465a97941cdec01b05f52f329df5721a6 Mon Sep 17 00:00:00 2001
From: Ranbel Sun
Date: Tue, 8 Oct 2024 13:06:54 -0400
Subject: [PATCH 18/18] update partial frontmatter

---
 .../identity/devices/service-providers/crowdstrike.mdx | 2 +-
 .../identity/devices/service-providers/custom.mdx | 2 +-
 .../identity/devices/service-providers/kolide.mdx | 2 +-
 .../identity/devices/service-providers/microsoft.mdx | 2 +-
 .../identity/devices/service-providers/sentinelone.mdx | 2 +-
 .../identity/devices/service-providers/taniums2s.mdx | 2 +-
 .../identity/devices/service-providers/uptycs.mdx | 2 +-
 .../identity/devices/service-providers/workspace-one.mdx | 2 +-
 .../cloudflare-one/posture/add-service-provider.mdx | 6 +++---
 9 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/src/content/docs/cloudflare-one/identity/devices/service-providers/crowdstrike.mdx b/src/content/docs/cloudflare-one/identity/devices/service-providers/crowdstrike.mdx
index 0ec8160fa2ce9f2..9b70d40cc0b114d 100644
--- a/src/content/docs/cloudflare-one/identity/devices/service-providers/crowdstrike.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/service-providers/crowdstrike.mdx
@@ -51,7 +51,7 @@ To retrieve those values:
 
 ### 2. Add CrowdStrike as a service provider
 
-
+
 5. Enter the **Client ID** and **Client secret** you noted down above.
 6. Enter your **Rest API URL**.
 7. Enter your **Customer ID**.

diff --git a/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx b/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
index 15906307925569b..986069dbd8d7a86 100644
--- a/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/service-providers/custom.mdx
@@ -108,7 +108,7 @@ Next, secure the external API behind Cloudflare Access so that WARP can authenti
 
 To create a custom service-to-service integration:
 
-
+
 5. In **Access client ID** and **Access client secret**, enter the Access service token used to authenticate to your external API.
 6. In **Rest API URL**, enter the external API endpoint that Cloudflare will query for posture information (for example, `https://api.example.com`). For more information, refer to [External API requirements](#external-api-requirements).
 7. In **Polling frequency**, choose how often Cloudflare Zero Trust should query the external API for information.

diff --git a/src/content/docs/cloudflare-one/identity/devices/service-providers/kolide.mdx b/src/content/docs/cloudflare-one/identity/devices/service-providers/kolide.mdx
index ab16c1016c7c982..9618ba6a3a342ed 100644
--- a/src/content/docs/cloudflare-one/identity/devices/service-providers/kolide.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/service-providers/kolide.mdx
@@ -27,7 +27,7 @@ import { Render } from "~/components"
 
 ### 2. Add Kolide as a service provider
 
-
+
 5. Enter the **Client secret** you noted down above.
 6. Choose a **Polling frequency** for how often Cloudflare Zero Trust should query Kolide for information.
 7. Select **Save**.

diff --git a/src/content/docs/cloudflare-one/identity/devices/service-providers/microsoft.mdx b/src/content/docs/cloudflare-one/identity/devices/service-providers/microsoft.mdx
index 330d625350ae4b0..12355fee93a31e6 100644
--- a/src/content/docs/cloudflare-one/identity/devices/service-providers/microsoft.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/service-providers/microsoft.mdx
@@ -43,7 +43,7 @@ To retrieve those values:
 
 ## 2. Add Intune as a service provider
 
-
+
 5. Enter the **Client ID**, **Client secret** and **Customer ID** as you noted down above.
 6. Select a **Polling frequency** for how often Cloudflare Zero Trust should query Microsoft Graph API for information.
 7. Select **Save**.

diff --git a/src/content/docs/cloudflare-one/identity/devices/service-providers/sentinelone.mdx b/src/content/docs/cloudflare-one/identity/devices/service-providers/sentinelone.mdx
index 6b14a6211214192..3218c3f8e033003 100644
--- a/src/content/docs/cloudflare-one/identity/devices/service-providers/sentinelone.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/service-providers/sentinelone.mdx
@@ -41,7 +41,7 @@ To retrieve those values:
 
 ### 2. Add SentinelOne as a service provider
 
-
+
 5. In **Client Secret**, enter your **API Token**.
 6. In **Rest API URL**, enter `https://.sentinelone.net`.
 7. Choose a **Polling frequency** for how often Cloudflare Zero Trust should query SentinelOne for information.

diff --git a/src/content/docs/cloudflare-one/identity/devices/service-providers/taniums2s.mdx b/src/content/docs/cloudflare-one/identity/devices/service-providers/taniums2s.mdx
index 090b584c0a1958c..4e2d65a916efa3e 100644
--- a/src/content/docs/cloudflare-one/identity/devices/service-providers/taniums2s.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/service-providers/taniums2s.mdx
@@ -40,7 +40,7 @@ To retrieve those values:
 
 ### 2. Add Tanium as a service provider
 
-
+
 5. Enter the **Client Secret** and **Rest API URL** you noted down above.
 6. Choose a **Polling frequency** for how often Cloudflare Zero Trust should query Tanium for information.
 7. Select **Save**.

diff --git a/src/content/docs/cloudflare-one/identity/devices/service-providers/uptycs.mdx b/src/content/docs/cloudflare-one/identity/devices/service-providers/uptycs.mdx
index c9f2204f555d268..bed35d087953560 100644
--- a/src/content/docs/cloudflare-one/identity/devices/service-providers/uptycs.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/service-providers/uptycs.mdx
@@ -31,7 +31,7 @@ To obtain these values:
 
 ## 2. Add Uptycs as a service provider
 
-
+
 5. Enter the **Client ID**, **Client secret** and **Customer ID** as you noted down above.
 6. Select a **Polling frequency** for how often Cloudflare Zero Trust should query Uptycs for information.
 7. Select **Save**.

diff --git a/src/content/docs/cloudflare-one/identity/devices/service-providers/workspace-one.mdx b/src/content/docs/cloudflare-one/identity/devices/service-providers/workspace-one.mdx
index f1e302296a48496..82e3e1ce83e3a31 100644
--- a/src/content/docs/cloudflare-one/identity/devices/service-providers/workspace-one.mdx
+++ b/src/content/docs/cloudflare-one/identity/devices/service-providers/workspace-one.mdx
@@ -40,7 +40,7 @@ To retrieve those values:
 
 ## 2. Add Workspace ONE as a service provider
 
-
+
 5. Enter the **Client ID** and **Client secret** you noted down above.
 6. Select a **Polling frequency** for how often Cloudflare Zero Trust should query Workspace ONE for information.
 7. Enter the **Region-specific token URL** and **REST API URL** you noted down above.

diff --git a/src/content/partials/cloudflare-one/posture/add-service-provider.mdx b/src/content/partials/cloudflare-one/posture/add-service-provider.mdx
index 697b469f1574f8d..9c4d69d30475ab4 100644
--- a/src/content/partials/cloudflare-one/posture/add-service-provider.mdx
+++ b/src/content/partials/cloudflare-one/posture/add-service-provider.mdx
@@ -1,11 +1,11 @@
 ---
-inputParameters: param1
-
+params:
+  - provider
 ---
 
 import { Markdown } from "~/components"
 
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **WARP Client**.
 2. Scroll down to **Third-party service provider integrations** and select **Add new**.
-3. Select **{props.one}**.
+3. Select **{props.provider}**.
 4. Enter any name for the provider. This name will be used throughout the dashboard to reference this connection.
\ No newline at end of file