cloudflare · ranbel · Dec 20, 2024 · Dec 14, 2024 · Dec 18, 2024 · Dec 18, 2024
@@ -44,6 +44,13 @@ Refer to the [generic instructions for iOS](/cloudflare-one/connections/connect-
 
 Intune allows you to insert [predefined variables](https://learn.microsoft.com/en-us/mem/intune/apps/app-configuration-policies-use-ios#tokens-used-in-the-property-list) into the XML configuration file. For example, you can set the [`unique_client_id`](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/parameters/#unique_client_id) key to `{{deviceid}}` for a [device UUID posture check](/cloudflare-one/identity/devices/warp-client-checks/device-uuid/) deployment.
 
+### Per-app VPN for iOS
+
+Before proceeding with per-app VPN configuration, you must make sure Autoconnect is disabled for your organization in the Cloudflare dashboard.
+
+
+
+
 ## Android
 
 To deploy WARP on Android devices:
@@ -122,3 +129,128 @@ To deploy WARP on Android devices:
     3. Select **Review + save** > **Save**.
 
 Intune will now deploy the Cloudflare One Agent to user devices.
+
+### Per-app VPN for Android
+
+Review the following steps to approve and deploy the Cloudflare One Agent application in Microsoft Intunes and use a configuration policy to set up the per-app VPN. To use the per-app VPN, you must have linked your Microsoft Intune account with the Google-managed Play account as described in the instructions above.
+
+1. Log into the Microsoft Intune admin center.
+2. Go to **Apps** > **All apps** > select **Add**.
+3. In App type, select _Managed Google Play_.
+4. Search for _Cloudflare One Agent_ > select the app > select **Sync**.
+5. Once the sync is successful, admin will see the Cloudflare One Agent app within the **All apps** view in the Microsoft Intune admin center.
+
+#### Configure your Cloudflare One Agent app policy
+
+To configure your Cloudflare One Agent app policy:
+
+1. In the Microsoft Intune admin center, go to **Apps** > **App configuration policies** > select **Add** > **Managed Devices**.
+2. Fill out the basic details of your configuration policy:
+	1. Enter the **Name** of the profile. (For example: Cloudflare One Agent - configuration policy)
+	2. Select the Platform as **Android Enterprise**.
+	3. Select the desired **Profile Type**. (For example: Personally-Owned Work Profile Only)
+	4. Select **Cloudflare One Agent** as the **Targeted app**.
+	5. Select **Next**.
+
+3. Fill out the settings for the configuration policy.
+	1. Select **Configuration setting format** as **Enter JSON data**.
+	2. Enter your desired deployment parameters in the `managedProperty` field. For example:
+
+	```sh
+		{
+		"kind": "androidenterprise#managedConfiguration",
+		"productId": "app:com.cloudflare.cloudflareoneagent",
+		"managedProperty": [
+			{
+				"key": "app_config_bundle_list",
+				"valueBundleArray": [
+					{
+						"managedProperty": [
+							{
+								"key": "organization",
+								"valueString": "${ORGANIZATION_NAME-1}"
+							},
+							{
+								"key": "service_mode",
+								"valueString": "warp"
+							},
+							{
+								"key": "onboarding",
+								"valueBool": true
+							},
+							{
+								"key": "display_name",
+								"valueString": "${UNIQUE_DISPLAY_NAME-1}"
+							},
+							{
+								"key": "warp_tunnel_protocol",
+								"valueString": "MASQUE"
+							},
+							{
+								"key": "tunneled_apps",
+								"valueBundleArray" :[
+									{
+										"managedProperty": [
+											{
+												"key": "app_identifier",
+												"valueString": "com.android.chrome" # Application package name/unique bundle identifier for the Chrome app browser
+											},
+											{
+												"key": "is_browser",
+												"valueBool": true
+											}
+										]
+									},
+									{
+										"managedProperty": [
+											{
+												"key": "app_identifier",
+												"valueString": "com.google.android.gm" # Application package name/unique bundle identifier for the Gmail app
+											},
+											{
+												"key": "is_browser",
+												"valueBool": false # Default value is false, if a user does not define `is_browser` property our app would not treat `app_identifier` package name as a browser.
+											}
+										]
+									}
+								]
+							}
+						]
+					},
+					{
+						"managedProperty": [
+							{
+								"key": "organization",
+								"valueString": "${ORGANIZATION_NAME-1}"
+							},
+							{
+								"key": "service_mode",
+								"valueString": "warp"
+							},
+							{
+								"key": "display_name",
+								"valueString": "${UNIQUE_DISPLAY_NAME-2}"
+							},
+							{
+								"key": "warp_tunnel_protocol",
+								"valueString": "wireguard"
+							}
+						]
+					}
+				]
+			}
+		]
+	}
+	```
+
+	3. After you have configured the deployment parameters, click **Next**.
+4. Fill out the assignments for the configuration policy. The admin can Include or Exclude specific groups of users to this policy. After you finish, select Next.
+5. Review the policy and select **Create**.
+
+#### Assign users to the Cloudflare One Agent application
+
+1. Go to **Apps** > **All Apps** > select **Cloudflare One Agent**.
+2. Under **Manage**, select **Properties** and near **Assignments**, select **Edit**.
+3. Add the groups of users in the assignments > select **Review + Save** > select **Save**.
+
+Inture will now deploy the Cloudflare One Agent application on a user's devise with the managed parameters.
@@ -66,3 +66,40 @@ Create an [XML file](/cloudflare-one/connections/connect-devices/warp/deployment
 8. Select **Save**.
 
 Jamf is now configured to deploy the Cloudflare One Agent.
+
+### Per-app VPN
+
+Before proceeding with per-app VPN configuration, you must make sure Autoconnect is disabled for your organization in the Cloudflare dashboard.
+
+1. Log in to the Jamf dashboard for your organization.
+2. Go to **Devices** > **Configuration Policies** > select **New**.
+3. Under **Options**, select **VPN**. Give the VPN a **Connection Name**, select *Per-App VPN* from the **VPN Type** dropdown menu, and check the box for **Automatically start Per-App VPN connection**.
+4. Under Per-App VPN Connection Type, set the **Connection Type** to _Custom SSL_ via the dropdown menu and enter `com.cloudflare.cloudflareoneagent` as the **Identifier**,  `1.1.1.1` as the **Server**, and `com.cloudflare.cloudflareoneagent.worker` as the **Provider Bundle Identifier**.
+5. Set the **Provider Type** to _Packet-Tunnel_ and select the checkboxes for **Include All Networks** and **Enable VPN on Demand**.
+6. Go to the **Scope** tab and add the devices that will use the Per-App VPN.
+7. Save the Configuration Profile.
+8. Go to **Devices*** > **Mobile Device Apps** > select **+ New**.
+9. For **App Type**, select **App Store app or apps purchased in volume** and select **Next**.
+10. In the search bar, enter the name of the app that you want to use the VPN for and select **Next**.
+
+:::note
+Alternatively, if you already know the **Bundle Identifier** of the app you want to go through the VPN, select **Enter Manually**.
+:::
+
+11. Find the app you are looking for in the search results and select **Add**.
+12. Select your preferred **Distribution Method** and under **Per-App Networking**, select the VPN connection you just configured.
+13. Repeat steps 8-12 for each app you want to use the VPN.
+
+:::note
+
+To support re-authentication, you must include a third-party browser that Cloudflare One can use to re-authenticate the user. The following third-party browsers are supported:
+
+- Google Chrome
+- Firefox
+- Firefox Focus
+- Microsoft Edge
+- Brave
+- Opera
+
+Cloudflare One will continue to use a Safari window for initial authentication per-security best practices.
+:::