From fcec047feab35a1020c758accdd41c87e76c57a6 Mon Sep 17 00:00:00 2001 From: Kate Tungusova Date: Thu, 20 Feb 2025 15:44:43 +0000 Subject: [PATCH 1/6] [CF1] override code explanation --- .../configure-warp/warp-settings/index.mdx | 20 +++++++++---- .../cloudflare-one/faq/troubleshooting.mdx | 30 +++++++++++++++++++ 2 files changed, 45 insertions(+), 5 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx index f0c420c36f43ab3..f97b4749c4c5f1e 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx 
@@ -27,13 +27,23 @@ WARP settings define the WARP client modes and permissions available to end user :::note -In order to enable **Admin override**, [**Lock WARP switch**](#lock-warp-switch) must also be enabled. +To use **Admin override**, you must first have enabled the [**Lock WARP switch**](#lock-warp-switch). ::: -When `Enabled`, end users can turn off the WARP client using an override code provided by an admin. This feature allows users to work around a temporary network issue (for example, an incompatible public Wi-Fi, or a firewall at a customer site blocking the connection). +When the [**Lock WARP switch**](#lock-warp-switch) is enabled, users cannot turn the WARP client off on their device. Enabling **Admin override** gives users the ability to turn off the WARP client using an override code provided by an admin. -You can set a **Timeout** to define how long a user can toggle on or off the WARP switch. The timer starts when the user first enters their code into the WARP client. The code remains valid and can be reused anytime during this time period. For example, if **Timeout** is 24 hours, the user can re-enter the code at 23:59:00 and continue to turn off WARP until 47:59:00 (up to 48 hours total). +**Admin override** allows end users to momentarily turn off WARP with an override code to work around a temporary network issue (for example, an incompatible public Wi-Fi, or a firewall at a customer site blocking the connection). + +As admin, you can set a **Timeout** to define how long a user can toggle the WARP switch on or off after entering the override code. Cloudflare generates a new override code every hour that an admin can send to end users. The override code's validity adheres to fixed-hour time blocks and aims to be generous to the end user. 
+ +:::caution[Troubleshooting] + +To learn more about override code timeouts and how Cloudflare calculates an override code's valid duration, refer to [Troubleshooting](/cloudflare-one/faq/troubleshooting/#i-entered-an-override-code-for-warp-that-was-supposed-to-be-valid-for-3-hours-but-the-override-code-expired-faster-than-i-expected). + +If [Auto connect](#auto-connect) is enabled, WARP will automatically reconnect, according to the value set for the auto connect timeout, even when using **Admin override**. Refer to [Troubleshooting](/cloudflare-one/faq/troubleshooting/#i-disabled-warp-using-an-override-code-but-warp-turned-on-by-itself-before-my-override-code-expired) for more information. + +::: #### Retrieve the override code @@ -165,8 +175,8 @@ Allows the user to turn off the WARP switch and disconnect the client. **Value:** -- `Disabled`: (default) The user is able to turn the switch on or off at their discretion. When the switch is off, the user will not have the ability to reach sites protected by Access that leverage certain device posture checks. -- `Enabled`: The user is prevented from turning off the switch. The WARP client will always start in the connected state. +- `Disabled`: (default) The user is able to turn the WARP switch on or off at their discretion. When the WARP switch is off, the user will not have the ability to reach sites protected by Access that leverage certain device posture checks. +- `Enabled`: The user is prevented from turning off the WARP switch. The WARP client will always start in the connected state. On MDM deployments, you must also include the `auto_connect` parameter with at least a value of `0`. This will prevent clients from being deployed in the off state without a way for users to manually enable them. diff --git a/src/content/docs/cloudflare-one/faq/troubleshooting.mdx b/src/content/docs/cloudflare-one/faq/troubleshooting.mdx index 96d9ffa8d8ff506..20f32c098de117a 100644 
--- a/src/content/docs/cloudflare-one/faq/troubleshooting.mdx +++ b/src/content/docs/cloudflare-one/faq/troubleshooting.mdx 
@@ -267,3 +267,33 @@ Turning off TLS decryption should be a temporary measure. TLS decryption should ## I am getting an `Error 401: deleted_client - The OAuth Client was deleted` authorization error. + +## I entered an override code for WARP that was supposed to be valid for 3 hours but the override code expired faster than I expected. + +[Admin override](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#admin-override) codes are time-sensitive and adhere to fixed-hour time blocks. An override code's validity is attached to the hour it was generated in. Override codes cannot be reused after their timeout has expired. When an override code timeout has expired, the user must receive a new override code from the admin. Refer to the following scenarios. + +### Scenario one: Admin generates an override code at 9:00 AM with a timeout of one hour. + +If admin generates an override code with a timeout of one hour at **9:00 AM** and the user inputs the override code in their device at **9:59 AM**, the user will be able to toggle WARP on and off until **10:59 AM** (a one hour duration.) + +However, if the user attempts to enter the override code at **10:00 AM**, the override code will not work. The override code will not work because the override code was generated at **9:00 AM** and its one hour validity was counted as used in the 9:00 AM to 10:00 AM hour. + +### Scenario two: Admin generates an override code at 9:30 AM with timeout of three hours. + +If admin generates an override code with a timeout of three hours at **9:30 AM** and the user inputs the override code in their device at **9:59 AM**, the user will be able to toggle WARP on and off until **12:59 PM** (a three hour duration.) + +However, if the user attempts to enter the override code at **10:00 AM**, the override code will only be valid until **12:00 PM** (a two hour duration). 
The override code was generated at **9:30 AM** and one hour of its total three hour validity was counted as used in the 9:00 AM to 10:00 AM hour. + +### Scenariot three: Admin generates an override code at 12:30 PM with a timeout of 24 hours. + +If admin generates an override code with a timeout of 24 hours at **12:00 PM** and the user inputs the override code in their device at **12:59 PM** the same day, the user will be able to toggle WARP on and off until **12:59 PM** the next day (a 24 hour duration.) + +However, if the user attempts to enter the override code at **1:00 PM** the same day, the override code will only be valid until **11:00 AM** the next day (a 23 hour duration). The override code was generated at **12:00 PM** and one hour of its total 24 hour validity was counted as used in the 12:00 PM to 1:00 PM hour. + +If the user attempts to enter the override code at **12:59 PM** the next day, the override code will only be valid until **1:59 PM** (a one hour duration). The override code was generated at **12:00 PM** and 23 hours of its total 24 hour validity were counted as used from 12:00 PM to 11:00 AM the next day (a 23 hour duration). + +## I disabled WARP using an override code but WARP turned on by itself before my override code expired. + +If you are using an [Admin override](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#admin-override) code with [Auto connect](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#auto-connect) also enabled, WARP will turn on automatically according to the Timeout set for **Auto connect**. Using an override code to override the WARP lock switch will not disable Auto connect. As best practice, review your Auto connect settings before sending the override code to the user. + +To prevent WARP from auto connecting while using an admin override code, temporarily disable **Auto connect** or temporarily set a longer **Timeout** for **Auto connect**. 
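Review bot: In [PATCH 1/6], warp-settings/index.mdx, hunk @@ -27,13 +27,23, the new Timeout sentence ("how long a user can toggle the WARP switch on or off after entering the override code") still reads as if the full timeout runs from the moment of entry, which contradicts the Troubleshooting scenarios added in the same patch, where a code entered at 10:00 AM gets only two of its three hours. Suggest stating the rule here in one sentence (validity is counted in fixed clock hours, starting with the hour the code was generated) and replacing "aims to be generous to the end user", which gives an admin nothing to act on. The Auto connect warning would also be easier to find in its own caution block than under one titled "Troubleshooting".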
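Review bot: In [PATCH 1/6], troubleshooting.mdx, hunk @@ -267,3 +267,33, the second paragraph of scenario three does not add up: entry at **1:00 PM** with validity "until **11:00 AM** the next day" is 22 hours, not the stated 23 hour duration. Following scenario two (entry at 10:00 AM, two hours left, valid until 12:00 PM), the end time here should be 12:00 PM the next day. In the same scenario the heading says the code is generated at 12:30 PM while all three paragraphs say **12:00 PM**, the last paragraph's entry time of 12:59 PM the next day falls after the 24 hours it describes, and the heading has a typo ("Scenariot three"). Minor: the closing period belongs outside the parenthesis in "(a one hour duration.)".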
From 665569fec43217cd3de8e495445bc1db290f73b3 Mon Sep 17 00:00:00 2001 From: Kate Tungusova Date: Thu, 20 Feb 2025 15:50:25 +0000 Subject: [PATCH 2/6] admin override depends on warp lock switch --- .../warp/configure-warp/warp-settings/index.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx index f97b4749c4c5f1e..7af4bc28a3290ab 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx @@ -27,11 +27,11 @@ WARP settings define the WARP client modes and permissions available to end user :::note -To use **Admin override**, you must first have enabled the [**Lock WARP switch**](#lock-warp-switch). +To use **Admin override**, you must first have enabled the [**Lock WARP switch**](#lock-warp-switch). **Admin override** is only needed and used when the WARP lock switch is turned on. ::: -When the [**Lock WARP switch**](#lock-warp-switch) is enabled, users cannot turn the WARP client off on their device. Enabling **Admin override** gives users the ability to turn off the WARP client using an override code provided by an admin. +When the [**Lock WARP switch**](#lock-warp-switch) is enabled, users cannot turn the WARP client off on their device. Enabling **Admin override** gives users the ability to temporarily turn off the WARP client using an override code provided by an admin. **Admin override** allows end users to momentarily turn off WARP with an override code to work around a temporary network issue (for example, an incompatible public Wi-Fi, or a firewall at a customer site blocking the connection). From 802749e2835acdef27261972237df35f59e29009 Mon Sep 17 00:00:00 2001 
From: Kate Tungusova Date: Fri, 21 Feb 2025 12:07:16 +0000 Subject: [PATCH 3/6] final edits --- src/content/docs/cloudflare-one/faq/troubleshooting.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/content/docs/cloudflare-one/faq/troubleshooting.mdx b/src/content/docs/cloudflare-one/faq/troubleshooting.mdx index 20f32c098de117a..e79c2591b7d726c 100644 --- a/src/content/docs/cloudflare-one/faq/troubleshooting.mdx +++ b/src/content/docs/cloudflare-one/faq/troubleshooting.mdx @@ -270,7 +270,7 @@ Turning off TLS decryption should be a temporary measure. TLS decryption should ## I entered an override code for WARP that was supposed to be valid for 3 hours but the override code expired faster than I expected. -[Admin override](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#admin-override) codes are time-sensitive and adhere to fixed-hour time blocks. An override code's validity is attached to the hour it was generated in. Override codes cannot be reused after their timeout has expired. When an override code timeout has expired, the user must receive a new override code from the admin. Refer to the following scenarios. +[Admin override](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#admin-override) codes are time-sensitive and adhere to fixed-hour time blocks. Override codes can be reused until the end of their timeout. An override code's timeout begins in the hour the override code was generated in. Refer to the following scenarios. ### Scenario one: Admin generates an override code at 9:00 AM with a timeout of one hour. 
@@ -290,10 +290,10 @@ If admin generates an override code with a timeout of 24 hours at **12:00 PM** a However, if the user attempts to enter the override code at **1:00 PM** the same day, the override code will only be valid until **11:00 AM** the next day (a 23 hour duration). The override code was generated at **12:00 PM** and one hour of its total 24 hour validity was counted as used in the 12:00 PM to 1:00 PM hour. -If the user attempts to enter the override code at **12:59 PM** the next day, the override code will only be valid until **1:59 PM** (a one hour duration). The override code was generated at **12:00 PM** and 23 hours of its total 24 hour validity were counted as used from 12:00 PM to 11:00 AM the next day (a 23 hour duration). +If the user attempts to enter the override code at **11:59 AM** the next day, the override code will only be valid until **12:59 PM** (a one hour duration). The override code was generated at **12:00 PM** and 23 hours of its total 24 hour validity were counted as used from 12:00 PM to 11:00 AM the next day (a 23 hour duration). ## I disabled WARP using an override code but WARP turned on by itself before my override code expired. If you are using an [Admin override](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#admin-override) code with [Auto connect](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#auto-connect) also enabled, WARP will turn on automatically according to the Timeout set for **Auto connect**. Using an override code to override the WARP lock switch will not disable Auto connect. As best practice, review your Auto connect settings before sending the override code to the user. -To prevent WARP from auto connecting while using an admin override code, temporarily disable **Auto connect** or temporarily set a longer **Timeout** for **Auto connect**. 
+To prevent WARP from auto connecting while using an admin override code, disable Auto connect or set a longer **Timeout** for **Auto connect**. Note the changes you make to Auto connect while the end user is using the admin override code if you need to revert them later. From c82568a0d530be2244ea775cf62bef4cae95cf61 Mon Sep 17 00:00:00 2001 From: Kate Tungusova Date: Fri, 21 Feb 2025 12:12:26 +0000 Subject: [PATCH 4/6] edits --- src/content/docs/cloudflare-one/faq/troubleshooting.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/cloudflare-one/faq/troubleshooting.mdx b/src/content/docs/cloudflare-one/faq/troubleshooting.mdx index e79c2591b7d726c..aa9064c081ce308 100644 --- a/src/content/docs/cloudflare-one/faq/troubleshooting.mdx +++ b/src/content/docs/cloudflare-one/faq/troubleshooting.mdx 
@@ -286,9 +286,9 @@ However, if the user attempts to enter the override code at **10:00 AM**, the ov ### Scenariot three: Admin generates an override code at 12:30 PM with a timeout of 24 hours. -If admin generates an override code with a timeout of 24 hours at **12:00 PM** and the user inputs the override code in their device at **12:59 PM** the same day, the user will be able to toggle WARP on and off until **12:59 PM** the next day (a 24 hour duration.) +If admin generates an override code with a timeout of 24 hours at **12:30 PM** and the user inputs the override code in their device at **12:59 PM** the same day, the user will be able to toggle WARP on and off until **12:59 PM** the next day (a 24 hour duration.) -However, if the user attempts to enter the override code at **1:00 PM** the same day, the override code will only be valid until **11:00 AM** the next day (a 23 hour duration). The override code was generated at **12:00 PM** and one hour of its total 24 hour validity was counted as used in the 12:00 PM to 1:00 PM hour. +However, if the user attempts to enter the override code at **1:00 PM** the same day, the override code will only be valid until **11:00 AM** the next day (a 23 hour duration). The override code was generated at **12:30 PM** and one hour of its total 24 hour validity was counted as used in the 12:00 PM to 1:00 PM hour. If the user attempts to enter the override code at **11:59 AM** the next day, the override code will only be valid until **12:59 PM** (a one hour duration). The override code was generated at **12:00 PM** and 23 hours of its total 24 hour validity were counted as used from 12:00 PM to 11:00 AM the next day (a 23 hour duration). From 462fbf93fa965cce0d1a74bb4d82b53b50086d33 Mon Sep 17 00:00:00 2001 From: Kate Tungusova Date: Fri, 21 Feb 2025 12:13:35 +0000 Subject: [PATCH 5/6] clarify changes --- src/content/docs/cloudflare-one/faq/troubleshooting.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/content/docs/cloudflare-one/faq/troubleshooting.mdx b/src/content/docs/cloudflare-one/faq/troubleshooting.mdx index aa9064c081ce308..e17b46c5cad19e2 100644 --- a/src/content/docs/cloudflare-one/faq/troubleshooting.mdx +++ b/src/content/docs/cloudflare-one/faq/troubleshooting.mdx @@ -296,4 +296,4 @@ If the user attempts to enter the override code at **11:59 AM** the next day, th If you are using an [Admin override](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#admin-override) code with [Auto connect](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#auto-connect) also enabled, WARP will turn on automatically according to the Timeout set for **Auto connect**. Using an override code to override the WARP lock switch will not disable Auto connect. As best practice, review your Auto connect settings before sending the override code to the user. -To prevent WARP from auto connecting while using an admin override code, disable Auto connect or set a longer **Timeout** for **Auto connect**. Note the changes you make to Auto connect while the end user is using the admin override code if you need to revert them later. +To prevent WARP from auto connecting while using an admin override code, disable Auto connect or set a longer **Timeout** for **Auto connect**. Note the changes you make to Auto connect while the end user is using the admin override code if you need to revert these changes later. From ee07cbdb9f797de815cc0f0ea603ba9a4a62badb Mon Sep 17 00:00:00 2001 From: Kate Tungusova <70746074+deadlypants1973@users.noreply.github.com> Date: Fri, 21 Feb 2025 16:43:40 +0000 Subject: [PATCH 6/6] Apply suggestions from code review --- .../connect-devices/warp/configure-warp/warp-settings/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx index 7af4bc28a3290ab..d32b92ad8ce3a1f 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx @@ -31,7 +31,7 @@ To use **Admin override**, you must first have enabled the [**Lock WARP switch** ::: -When the [**Lock WARP switch**](#lock-warp-switch) is enabled, users cannot turn the WARP client off on their device. Enabling **Admin override** gives users the ability to temporarily turn off the WARP client using an override code provided by an admin. +When the [**Lock WARP switch**](#lock-warp-switch) is enabled, users cannot toggle the WARP client on and off on their device. Enabling **Admin override** gives users the ability to temporarily turn off the WARP client using an override code provided by an admin. **Admin override** is only needed in a configuration where the **lock WARP switch** is enabled. **Admin override** allows end users to momentarily turn off WARP with an override code to work around a temporary network issue (for example, an incompatible public Wi-Fi, or a firewall at a customer site blocking the connection).
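Review bot: In [PATCH 3/6], troubleshooting.mdx, hunk @@ -270,7 +270,7, the rewritten intro drops the only instruction that told the reader what to do once a code has expired ("the user must receive a new override code from the admin"). Suggest keeping that sentence after "Override codes can be reused until the end of their timeout." Also tighten "begins in the hour the override code was generated in" to "begins in the hour in which the override code was generated".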
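Review bot: In [PATCH 4/6], troubleshooting.mdx, hunk @@ -286,9 +286,9, the 12:00 PM to 12:30 PM correction is applied to the first two paragraphs of scenario three only; the third paragraph, visible as the trailing context line, still says "The override code was generated at **12:00 PM**". Suggest changing it in the same commit so the scenario matches its heading throughout.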
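Review bot: In [PATCH 6/6], warp-settings/index.mdx, hunk @@ -31,7 +31,7, the added sentence "**Admin override** is only needed in a configuration where the **lock WARP switch** is enabled" repeats what [PATCH 2/6] already put in the note directly above ("only needed and used when the WARP lock switch is turned on"), and the setting is now spelled three ways: "Lock WARP switch", "WARP lock switch" and "lock WARP switch". Suggest keeping the statement in one place and using the UI label **Lock WARP switch** everywhere. The change from "cannot turn the WARP client off" to "cannot toggle the WARP client on and off" is also less precise than the setting's own description in this file ("The user is prevented from turning off the WARP switch").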