cloudflare · deadlypants1973 · Jun 4, 2025 · May 30, 2025 · May 30, 2025 · May 30, 2025
@@ -6,10 +6,9 @@ sidebar:
   order: 1
 
 description: Configure custom device posture checks in Cloudflare Zero Trust using a service-to-service integration.
-
 ---
 
-import { Render } from "~/components"
+import { Render } from "~/components";
 
 Cloudflare Zero Trust allows you to enforce custom device posture checks on your applications. This involves configuring a WARP service-to-service integration that periodically calls the external API of your choice, whether it is a third-party endpoint provider or a home built solution. When called, the API will receive device identifying information from Cloudflare and be expected to return a value between `0` to `100`. You can then set up a device posture check that determines if the returned value counts as a pass or fail; for example, you could allow access to a user only if their device has a posture value greater than `60`.
 
@@ -23,6 +22,7 @@ sequenceDiagram
 		WARP->>External API: JSON with user and device identity
     External API-->>WARP: JSON with 0-100 result
 ```
+
 ## External API requirements
 
 The custom service provider integration works with any API service that meets the following specifications. For an example of a custom device posture integration API, refer to our [Cloudflare Workers sample code](https://github.com/cloudflare/custom-device-posture-integration-example-worker).
@@ -35,16 +35,23 @@ The WARP client authenticates to the external API through Cloudflare Access. The
 
 Cloudflare will pass the following parameters to the configured API endpoint. You can use this data to identify the device and assign a posture score. For some devices, not all identifying information will apply, in which case the field will be blank. A maximum of 1,000 devices will be sent per a request.
 
-| Field | Description |
-| ----- | ----------- |
-| `device_id` | Device UUID assigned by the WARP client |
-| `email` | Email address used to authenticate the WARP client |
-| `serial_number` | Device serial number |
-| `mac_address` | Device MAC address |
-| `virtual_ipv4` | Device virtual IPv4 address |
-| `hostname` | Device name |
+| Field           | Description                                        |
+| --------------- | -------------------------------------------------- |
+| `device_id`     | Device UUID assigned by the WARP client            |
+| `email`         | Email address used to authenticate the WARP client |
+| `serial_number` | Device serial number                               |
+| `mac_address`   | Device MAC address                                 |
+| `virtual_ipv4`  | Device virtual IPv4 address                        |
+| `hostname`      | Device name                                        |
+
+:::note
+
+Devices are identified by their serial numbers. You must ensure that each of your devices has a unique serial number. If multiple devices have the same serial number, Cloudflare and your external API will not be able to accurately match them.
+
+:::
 
 Example request body:
+
 ```json
 {
   "devices": {
@@ -68,12 +75,13 @@ Example request body:
 
 For each Cloudflare `device_id`, the API service is expected to return a posture score and optionally a third-party device ID.
 
-| Field | Description |
-| ----- | ----------- |
+| Field    | Description                                         |
+| -------- | --------------------------------------------------- |
 | `s2s_id` | Third party device ID (empty string if unavailable) |
-| `score` | Integer value between `0` - `100` |
+| `score`  | Integer value between `0` - `100`                   |
 
 Example response body:
+
 ```json
 {
   "result": {
@@ -100,28 +108,39 @@ Next, secure the external API behind Cloudflare Access so that WARP can authenti
 1. [Create a self-hosted application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) for your API endpoint.
 2. Add the following Access policy to the application. Make sure that **Action** is set to _Service Auth_ (not _Allow_).
 
-	| Action | Rule type | Selector          | Value                                 |
-	| ------ | --------- | ----------------- | ------------------------------------- |
-	| Service Auth | Include  | Service Token | `<TOKEN-NAME>`                       |
+   | Action       | Rule type | Selector      | Value          |
+   | ------------ | --------- | ------------- | -------------- |
+   | Service Auth | Include   | Service Token | `<TOKEN-NAME>` |
 
 ### 3. Add a service provider integration
 
 To create a custom service-to-service integration:
 
-<Render file="posture/add-service-provider" params={{ provider: "Custom service provider" }} />
-5. In **Access client ID** and **Access client secret**, enter the Access service token used to authenticate to your external API.
-6. In **Rest API URL**, enter the external API endpoint that Cloudflare will query for posture information (for example, `https://api.example.com`). For more information, refer to [External API requirements](#external-api-requirements).
-7. In **Polling frequency**, choose how often Cloudflare Zero Trust should query the external API for information.
-8. Select **Test and save**. The test checks if Cloudflare can authenticate to the API URL using the provided Access credentials.
+<Render
+	file="posture/add-service-provider"
+	params={{ provider: "Custom service provider" }}
+/>
+5. In **Access client ID** and **Access client secret**, enter the Access
+service token used to authenticate to your external API. 6. In **Rest API URL**,
+enter the external API endpoint that Cloudflare will query for posture
+information (for example, `https://api.example.com`). For more information,
+refer to [External API requirements](#external-api-requirements). 7. In
+**Polling frequency**, choose how often Cloudflare Zero Trust should query the
+external API for information. 8. Select **Test and save**. The test checks if
+Cloudflare can authenticate to the API URL using the provided Access
+credentials.
 
 Next, [configure a device posture check](#4-configure-the-posture-check) to determine if a given posture score constitutes a pass or fail.
 
 ### 4. Configure the posture check
 
-<Render file="posture/configure-posture-check" params={{ one: "Custom service provider" }} />
+<Render
+	file="posture/configure-posture-check"
+	params={{ one: "Custom service provider" }}
+/>
 
 ## Device posture attributes
 
-| Selector      | Description                                                                                       | Value                                                                                         |
-| ------------- | ------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------- |
-| Score            | Posture score returned by external API                                                                                   | `0` to `100`                                                                                  |
+| Selector | Description                            | Value        |
+| -------- | -------------------------------------- | ------------ |
+| Score    | Posture score returned by external API | `0` to `100` |
@@ -6,34 +6,39 @@ sidebar:
 head:
   - tag: title
     content: SentinelOne - Posture checks
-
 ---
 
-import { Render } from "~/components"
+import { Render } from "~/components";
 
-Cloudflare Zero Trust can integrate with SentinelOne to require that users connect to certain applications from managed devices. Our service-to-service posture check identifies devices based on their serial numbers.
+<Render file="posture/service-provider-intro" params={{ one: "SentinelOne" }} />
 
 ## Prerequisites
 
-* SentinelOne agent is deployed on the device.
-* <Render file="posture/prereqs-warp-is-deployed" params={{ name: "Service providers", link: "/cloudflare-one/identity/devices/service-providers/" }} />
+- SentinelOne agent is deployed on the device.
+- <Render
+  	file="posture/prereqs-warp-is-deployed"
+  	params={{
+  		name: "Service providers",
+  		link: "/cloudflare-one/identity/devices/service-providers/",
+  	}}
+  />
 
 ## Set up SentinelOne as a service provider
 
 ### 1. Obtain SentinelOne settings
 
 The following SentinelOne values are needed to set up the SentinelOne posture check:
 
-* API Token
-* REST API URL
+- API Token
+- REST API URL
 
 To retrieve those values:
 
 1. Log in to your SentinelOne Dashboard.
 2. Go to **Settings** > **Users** > **Create new Service User**.
 3. Select **Create New Service User**.
 4. Enter a **Name** and **Expiration Date** and select **Next**.
-5. Set **Scope of Access** to *Viewer*.
+5. Set **Scope of Access** to _Viewer_.
 6. Select **Create User**. SentinelOne will generate an API Token for this user.
 7. Copy the **API Token** to a safe location.
 8. Select **Close**.
@@ -49,19 +54,22 @@ To retrieve those values:
 
 ### 3. Configure the posture check
 
-<Render file="posture/configure-posture-check" params={{ one: "SentinelOne" }} />
+<Render
+	file="posture/configure-posture-check"
+	params={{ one: "SentinelOne" }}
+/>
 
 ## Device posture attributes
 
 Device posture data is gathered from the SentinelOne Management APIs. For more information, refer to `https://<S1-DOMAIN>.sentinelone.net/api-doc/overview`.
 
-| Selector       | Description                                                           |
-| -------------- | --------------------------------------------------------------------- |
-| Infected       | Whether the device is infected                                        |
-| Active Threats | Number of active threats on the device                                |
-| Is Active      | Whether the SentinelOne Agent is active                               |
-| Network status | Whether the SentinelOne Agent is connected to the SentinelOne service |
-| Operational State | The [operational state](https://community.sentinelone.com/s/login/?ec=302&startURL=%2Fs%2Farticle%2F000005285) of the SentinelOne Agent.|
+| Selector          | Description                                                                                                                              |
+| ----------------- | ---------------------------------------------------------------------------------------------------------------------------------------- |
+| Infected          | Whether the device is infected                                                                                                           |
+| Active Threats    | Number of active threats on the device                                                                                                   |
+| Is Active         | Whether the SentinelOne Agent is active                                                                                                  |
+| Network status    | Whether the SentinelOne Agent is connected to the SentinelOne service                                                                    |
+| Operational State | The [operational state](https://community.sentinelone.com/s/login/?ec=302&startURL=%2Fs%2Farticle%2F000005285) of the SentinelOne Agent. |
 
 ### Detect user risk behavior
 

@@ -1,8 +1,7 @@
 ---
 inputParameters: param1
-
 ---
 
-import { Markdown } from "~/components"
+import { Markdown } from "~/components";
 
-Cloudflare Zero Trust can integrate with {props.one} to require that users connect to certain applications from managed devices. This service-to-service posture check uses the WARP client to read endpoint data from {props.one}. Devices are identified by their serial numbers.
+Cloudflare Zero Trust can integrate with {props.one} to require that users connect to certain applications from managed devices. This service-to-service posture check uses the WARP client to read endpoint data from {props.one}. Devices are identified by their serial numbers. If multiple devices have the same serial number, Cloudflare cannot accurately match a WARP device with a third-party provider device. You must ensure that each of your devices has a unique serial number.