cloudflare · deadlypants1973 · Feb 19, 2025 · Feb 20, 2025 · ranbel · Feb 19, 2025
@@ -27,13 +27,31 @@ WARP settings define the WARP client modes and permissions available to end user
 
 :::note
 
-In order to enable **Admin override**, [**Lock WARP switch**](#lock-warp-switch) must also be enabled.
+To enable **Admin override**, you must have first enabled the [**Lock WARP switch**](#lock-warp-switch).
 
 :::
 
-When `Enabled`, end users can turn off the WARP client using an override code provided by an admin. This feature allows users to work around a temporary network issue (for example, an incompatible public Wi-Fi, or a firewall at a customer site blocking the connection).
+When **Admin override** is turned on, end users can turn off the WARP client using an override code provided by an admin.
 
-You can set a **Timeout** to define how long a user can toggle on or off the WARP switch. The timer starts when the user first enters their code into the WARP client. The code remains valid and can be reused anytime during this time period. For example, if **Timeout** is 24 hours, the user can re-enter the code at 23:59:00 and continue to turn off WARP until 47:59:00 (up to 48 hours total).
+To enable **Admin override**:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP Client**.
+2. Toggle **Admin override** on.
+3. (Optional) Set the **Timeout** to your desired time. **Timeout** is set to 1 hour by default.
+
+**Admin override** allows end users to momentarily turn off WARP with an override code to work around a temporary network issue (for example, an incompatible public Wi-Fi, or a firewall at a customer site blocking the connection).
+
+As admin, you can set a **Timeout** to define how long a user can toggle on or off the WARP switch after entering the override code. Cloudflare generates a new override code every hour that the admin can access and send to end users. The override code's validity adheres to fixed-hour time blocks and aims to be generous to the end user. For example, if admin generates a code with a **Timeout** of one hour at 9:00 AM and the end user inputs the override code in their device at 9:59AM, the user will be able to toggle WARP on and off until 10:59AM (a one hour duration.)
+
+However, if admin generates an override code at 9:00 AM that has a one hour Timeout and the user attempts to enter it at 10:00 AM, the override code will not work.
+
+If an admin generated an override code at 9:00 AM and set a **Timeout** to three hours, a user who enters the override code at 9:59 AM would be able to toggle WARP off for three hours (until 12:59 PM). A user who enters the same override code at 10AM would only be able to toggle WARP off for two hours (until 12 PM) because the 9:00 AM hour block would be counted as used.
+
+To learn more about override code timeouts and how Cloudflare calculates an override code's validity, refer to Troubleshooting.
+
+:::
+
+Be aware that if [**Auto connect**](#auto-connect) is enabled, WARP will turn on according to the value set by **Auto connect** even when an override code has been entered by the user. To prevent WARP from auto connecting, temporarily disable **Auto connect** or temporarily set a longer **Timeout** for **Auto connect**.
 
 #### Retrieve the override code
 
@@ -163,10 +181,17 @@ For more details on WireGuard versus MASQUE, refer to our [blog post](https://bl
 
 Allows the user to turn off the WARP switch and disconnect the client.
 
+To enable the Lock WARP switch:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP Client**.
+2. Find the profile you would like to enable the Lock WARP switch for and select the three dot icon next to the profile.
+3. Select **Configure**.
+4. Under **Configure settings**, toggle the **Lock WARP switch** on.
+
 **Value:**
 
-- `Disabled`: (default) The user is able to turn the switch on or off at their discretion. When the switch is off, the user will not have the ability to reach sites protected by Access that leverage certain device posture checks.
-- `Enabled`: The user is prevented from turning off the switch. The WARP client will always start in the connected state.
+- `Disabled`: (default) The user is able to turn the WARP switch on or off at their discretion. When the WARP switch is off, the user will not have the ability to reach sites protected by Access that leverage certain device posture checks.
+- `Enabled`: The user is prevented from turning off the WARP switch. The WARP client will always start in the connected state.
 
 On MDM deployments, you must also include the `auto_connect` parameter with at least a value of `0`. This will prevent clients from being deployed in the off state without a way for users to manually enable them.
 

@@ -267,3 +267,7 @@ Turning off TLS decryption should be a temporary measure. TLS decryption should
 ## I am getting an `Error 401: deleted_client - The OAuth Client was deleted` authorization error.
 
 <Render file="access/error-401" product="cloudflare-one" />
+
+## I entered an override code for WARP that was supposed to be valid for 3 hours but the override code expired faster than I expected.
+
+## I disabled WARP using an override code but WARP turned on by itself before my override code expired.