Skip to content

[ZT] Windows multi-user support #18645

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 12 commits into from
Dec 13, 2024
Merged

[ZT] Windows multi-user support #18645

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
d64fa39
alphabetize parameters
ranbel Dec 9, 2024
db88844
remove limitation
ranbel Dec 9, 2024
fa7ecf3
new multi-user page
ranbel Dec 9, 2024
5827f4f
update section title
ranbel Dec 9, 2024
81ddc26
update configs MDM example
ranbel Dec 10, 2024
cd5b011
add MDM parameters
ranbel Dec 10, 2024
3c817f4
update flowchart
ranbel Dec 10, 2024
eb141ee
break out top-level parameters
ranbel Dec 12, 2024
8f882ca
add beta
ranbel Dec 12, 2024
946a743
clarify mode switch behavior
ranbel Dec 12, 2024
479f4c9
Update src/content/docs/cloudflare-one/connections/connect-devices/wa…
ranbel Dec 13, 2024
875adc9
simplify flowchart
ranbel Dec 13, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
138 changes: 70 additions & 68 deletions ...e-one/connections/connect-devices/warp/deployment/mdm-deployment/parameters.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,58 +44,32 @@ Instructs the client to direct all DNS queries to a specific [Gateway DNS locati

## Optional fields

### `service_mode`
### `auth_client_id`

Allows you to choose the operational mode of the client.
Enrolls the device in your Zero Trust organization using a [service token](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/#check-for-service-token).
Requires the `auth_client_secret` parameter.

**Value Type:** `string`

**Value:**

* `warp` — (default) [Gateway with WARP](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#gateway-with-warp-default).
* `1dot1` — [Gateway with DoH](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#gateway-with-doh).
* `proxy` — [Proxy mode](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#proxy-mode). Use the `proxy_port` parameter to specify the localhost SOCKS proxy port (between `0`-`66535`). For example,
```xml
<key>service_mode</key>
<string>proxy</string>
<key>proxy_port</key>
<integer>44444</integer>
```
* `postureonly` — [Device Information Only](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#device-information-only).

The service mode [Secure Web Gateway without DNS filtering](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#secure-web-gateway-without-dns-filtering) is not currently supported as a value and must be configured in Zero Trust.

### `onboarding`

Controls the visibility of the onboarding screens that ask the user to review the privacy policy during an application's first launch.

**Value Type:** `boolean`

**Value:**

* `false` — Screens hidden.
* `true` — (default) Screens visible.

### `switch_locked`

Allows the user to turn off the WARP switch and disconnect the client.

**Value Type:** `boolean`

**Value:**

* `false` — (default) The user is able to turn the switch on/off at their discretion. When the switch is off, the user will not have the ability to reach sites protected by Access that leverage certain device posture checks.
* `true` — The user is prevented from turning off the switch. The WARP client will automatically start in the connected state.
**Value:** Client ID of the service token.

On new deployments, you must also include the `auto_connect` parameter with at least a value of `0`. This will prevent clients from being deployed in the off state without a way for users to manually enable them.
Example configuration:

:::note
```xml
<key>auth_client_id</key>
<string>88bf3b6d86161464f6509f7219099e57.access</string>
<key>auth_client_secret</key>
<string>bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5</string>
```

### `auth_client_secret`

This parameter replaces the old `enabled` property, which can no longer be used in conjunction with the new `switch_locked` and `auto_connect`. If you want to use these parameters, you must remove `enabled`.
Enrolls the device in your Zero Trust organization using a [service token](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/#check-for-service-token).
Requires the `auth_client_id` parameter.

**Value Type:** `string`

:::
**Value:** Client Secret of the service token.

### `auto_connect`

Expand All @@ -113,16 +87,26 @@ If switch has been turned off by user, the client will automatically turn itself
This parameter replaces the old `enabled` property, which can no longer be used in conjunction with the new `switch_locked` and `auto_connect`. If you want to use these parameters, you must remove `enabled`.
:::

### `support_url`

When the WARP client is deployed via MDM, the in-app **Send Feedback** button is disabled by default. This parameter allows you to re-enable the button and direct feedback towards your organization.
### `display_name`

When WARP is deployed with [multiple organizations or configurations](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/switch-organizations/), this parameter is used to identify each configuration in the GUI.

**Value Type:** `string`

**Value:** Configuration name shown in the GUI (for example, `Test environment`).

### `onboarding`

Controls the visibility of the onboarding screens that ask the user to review the privacy policy during an application's first launch.

**Value Type:** `boolean`

**Value:**

* `https://<support.example.com>` — Use an `https://` link to open your company's internal help site.
* `mailto:<[email protected]>` — Use a `mailto:` link to open your default mail client.
* `false` — Screens hidden.
* `true` — (default) Screens visible.


### `override_api_endpoint`

Expand Down Expand Up @@ -160,45 +144,63 @@ This functionality is intended for use with a Cloudflare China local network par

The string must be a valid IPv4 or IPv6 socket address (containing the IP address and port number), otherwise the WARP client will fail to parse the entire MDM file.

### `unique_client_id`
### `service_mode`

Assigns a unique identifier to the device for the [device UUID posture check](/cloudflare-one/identity/devices/warp-client-checks/device-uuid).
Allows you to choose the operational mode of the client.

**Value Type:** `string`

**Value:** UUID for the device (for example, `496c6124-db89-4735-bc4e-7f759109a6f1`).
**Value:**

### `auth_client_id`
* `warp` — (default) [Gateway with WARP](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#gateway-with-warp-default).
* `1dot1` — [Gateway with DoH](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#gateway-with-doh).
* `proxy` — [Proxy mode](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#proxy-mode). Use the `proxy_port` parameter to specify the localhost SOCKS proxy port (between `0`-`66535`). For example,
```xml
<key>service_mode</key>
<string>proxy</string>
<key>proxy_port</key>
<integer>44444</integer>
```
* `postureonly` — [Device Information Only](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#device-information-only).

Enrolls the device in your Zero Trust organization using a [service token](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/#check-for-service-token).
Requires the `auth_client_secret` parameter.
The service mode [Secure Web Gateway without DNS filtering](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#secure-web-gateway-without-dns-filtering) is not currently supported as a value and must be configured in Zero Trust.


### `support_url`

When the WARP client is deployed via MDM, the in-app **Send Feedback** button is disabled by default. This parameter allows you to re-enable the button and direct feedback towards your organization.

**Value Type:** `string`

**Value:** Client ID of the service token.
**Value:**

Example configuration:
* `https://<support.example.com>` — Use an `https://` link to open your company's internal help site.
* `mailto:<[email protected]>` — Use a `mailto:` link to open your default mail client.

```xml
<key>auth_client_id</key>
<string>88bf3b6d86161464f6509f7219099e57.access</string>
<key>auth_client_secret</key>
<string>bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5</string>
```

### `auth_client_secret`
### `switch_locked`

Enrolls the device in your Zero Trust organization using a [service token](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/#check-for-service-token).
Requires the `auth_client_id` parameter.
Allows the user to turn off the WARP switch and disconnect the client.

**Value Type:** `string`
**Value Type:** `boolean`

**Value:** Client Secret of the service token.
**Value:**

### `display_name`
* `false` — (default) The user is able to turn the switch on/off at their discretion. When the switch is off, the user will not have the ability to reach sites protected by Access that leverage certain device posture checks.
* `true` — The user is prevented from turning off the switch. The WARP client will automatically start in the connected state.

When WARP is deployed with [multiple organizations or configurations](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/switch-organizations/), this parameter is used to identify each configuration in the GUI.
On new deployments, you must also include the `auto_connect` parameter with at least a value of `0`. This will prevent clients from being deployed in the off state without a way for users to manually enable them.

:::note
This parameter replaces the old `enabled` property, which can no longer be used in conjunction with the new `switch_locked` and `auto_connect`. If you want to use these parameters, you must remove `enabled`.
:::

### `unique_client_id`

Assigns a unique identifier to the device for the [device UUID posture check](/cloudflare-one/identity/devices/warp-client-checks/device-uuid).

**Value Type:** `string`

**Value:** Configuration name shown in the GUI (for example, `Test environment`).
**Value:** UUID for the device (for example, `496c6124-db89-4735-bc4e-7f759109a6f1`).


104 changes: 104 additions & 0 deletions ...onnections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,104 @@
---
pcx_content_type: concept
title: Multiple users on a Windows device
sidebar:
order: 3
---

import { Details, Render } from "~/components";

<Details header="Feature availability">

| [WARP modes](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) |
| ----------------------------------------------------------------------------------------- | ------------------------------------------------------------- |
| All modes | All plans |

| System | Availability | Minimum WARP version |
| -------- | ------------ | -------------------- |
| Windows | ✅ | 2024.6.415.0 |
| macOS | ❌ | |
| Linux | ❌ | |
| iOS | ❌ | |
| Android | ❌ | |
| ChromeOS | ❌ | |

</Details>

Cloudflare WARP supports multiple user registrations on a single Windows device. When deployed in multi-user mode, the WARP client will automatically switch user registrations after a user logs in to their Windows account. All traffic to Cloudflare will be attributed to the currently active Windows user. This allows administrators to apply identity-based policies and device settings, audit user activity, and remove individual users from a shared workstation.

:::note
A user must log out of their Windows account before switching to another account. A user cannot lock the screen and log in to another account, use the **Switch users** option in Windows, or have any other type of concurrent sessions.
:::

## Enable multi-user mode

To enable multi-user support on Windows, [deploy an MDM file](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/#windows) onto the device with the `multi_user` key set to `true`. For example:

```xml
<dict>
<key>multi_user</key>
<true/>
<key>organization</key>
<string>your-team-name</string>
<key>onboarding</key>
<false/>
</dict>
```

To use multi-user mode alongside the [Windows pre-login](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-prelogin/) and [Switch between Zero Trust organizations](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/switch-organizations/) options:

```xml
<dict>
<key>multi_user</key>
<true/>
<key>pre_login</key>
<dict>
<key>organization</key>
<string>mycompany</string>
<key>auth_client_id</key>
<string>88bf3b6d86161464f6509f7219099e57.access</string>
<key>auth_client_secret</key>
<string>bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5</string>
</dict>
<key>configs</key>
<array>
<dict>
<key>organization</key>
<string>mycompany</string>
<key>display_name</key>
<string>Production environment</string>
</dict>
<dict>
<key>organization</key>
<string>test-org</string>
<key>display_name</key>
<string>Test environment</string>
</dict>
</array>
</dict>
```

Switching to multi-user mode will require a user to re-register even if they had a previous registration.

## WARP registration logic

The following flowchart shows how WARP registration settings take effect as users log in and out:

```mermaid
flowchart TB
start(["Enable multi-user mode"])-->reg["Active Windows user is prompted to register WARP"]
reg--"Log out of Windows"-->prelogin{{"Is there a pre-login <br />registration?"}}
prelogin--"Yes"-->preloginyes
prelogin-. "No" .->preloginno

subgraph preloginbehavior["Windows login screen"]
preloginyes["Use pre-login settings"]
preloginno["Stay registered as previous Windows user"]
end

preloginbehavior--"Log in to Windows"-->regexists{{"Has the user already registered with WARP?"}}
regexists--"Yes"-->user["Switch to that user's registration"]
regexists-. "No" .->reg
user--"Log out of Windows"--> prelogin
```

4 changes: 0 additions & 4 deletions ...lare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,10 +18,6 @@ The WARP client does not run on Windows Server. Refer to the [downloads page](/c

[Managed network detection](/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks/) will not work when the TLS certificate is served from IIS 8.5 on Windows Server 2012 R2. To work around the limitation, move the certificate to a different host.

## Multi-user support on Windows

The WARP client does not support multiple users on a single Windows device. WARP uses hard-coded global paths to store settings and keys and does not save information on a per-user basis. Therefore, after one user logs into WARP, their settings will apply to all traffic from the device.

## nslookup on Windows in DoH mode

On Windows devices in [Gateway with DoH mode](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#gateway-with-doh), `nslookup` by default sends DNS requests to the [WARP local DNS proxy](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture/#dns-traffic) over IPv6. However, because WARP uses an IPv4-mapped IPv6 address (instead of a real IPv6 address), `nslookup` will not recognize this address type and the query will fail:
Expand Down
Loading