cloudflare · deadlypants1973 · Sep 1, 2025 · Jul 25, 2025 · Jul 29, 2025 · Jul 30, 2025
@@ -35,86 +35,73 @@ Your profile will appear in the **Profile settings** list. You can rearrange the
 Send a `POST` request to the [Devices API](/api/resources/zero_trust/subresources/devices/subresources/policies/subresources/custom/methods/create/):
 
 <APIRequest
-  path="/accounts/{account_id}/devices/policy"
-  method="POST"
-  json={{
-    "allow_mode_switch": false,
-		"allow_updates": false,
-		"allowed_to_leave": false,
-		"auto_connect": 600,
-		"captive_portal": 180,
-		"description": "Example device profile recommended in the implementation documentation. For details, refer to https://developers.cloudflare.com/learning-paths/replace-vpn/configure-device-agent/device-profiles/",
-		"disable_auto_fallback": true,
-		"enabled": true,
-		"exclude_office_ips": false,
-		"match": "identity.email in {\"[email protected]\"} or any(identity.groups.name[*] in {\"developers\" \"admin\"}) and os.name == \"windows\"",
-		"name": "Example device profile",
-		"precedence": 101,
-		"service_mode_v2": {
-			"mode": "warp"
+	path="/accounts/{account_id}/devices/policy"
+	method="POST"
+	json={{
+		allow_mode_switch: false,
+		allow_updates: false,
+		allowed_to_leave: false,
+		auto_connect: 600,
+		captive_portal: 180,
+		description:
+			"Example device profile recommended in the implementation documentation. For details, refer to https://developers.cloudflare.com/learning-paths/replace-vpn/configure-device-agent/device-profiles/",
+		disable_auto_fallback: true,
+		enabled: true,
+		exclude_office_ips: false,
+		match:
+			'identity.email in {"[email protected]"} or any(identity.groups.name[*] in {"developers" "admin"}) and os.name == "windows"',
+		name: "Example device profile",
+		precedence: 101,
+		service_mode_v2: {
+			mode: "warp",
 		},
-		"support_url": "https://support.example.com",
-		"switch_locked": true
-  }}
+		support_url: "https://support.example.com",
+		switch_locked: true,
+	}}
 />
 
 </TabItem>
 <TabItem label="Terraform (v5)">
 
 1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
-	- `Zero Trust Write`
+   - `Zero Trust Write`
 
 2. Create a new profile using the [`cloudflare_zero_trust_device_custom_profile`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_device_custom_profile) resource:
 
-	```tf
-	resource "cloudflare_zero_trust_device_custom_profile" "example" {
-		account_id            = var.cloudflare_account_id
-		name                  = "Example device profile"
-		description           = "Example device profile recommended in the implementation documentation. For details, refer to https://developers.cloudflare.com/learning-paths/replace-vpn/configure-device-agent/device-profiles/"
-		allow_mode_switch     = false
-		allow_updates         = false
-		allowed_to_leave      = false
-		auto_connect          = 600
-		captive_portal        = 180
-		disable_auto_fallback = true
-		enabled               = true
-		exclude_office_ips    = false
-		precedence            = 101
-		service_mode_v2       = {mode = "warp"}
-		support_url           = "https://support.example.com"
-		switch_locked         = true
-		tunnel_protocol       = "wireguard"
-
-		match = trimspace(replace(<<-EOT
-			identity.email in {"[email protected]"}
-			or any(identity.groups.name[*] in {"developers" "admin"})
-			and os.name == "windows"
-		EOT
-		, "\n", " "))
-	}
-	```
+   ```tf
+   resource "cloudflare_zero_trust_device_custom_profile" "example" {
+   	account_id            = var.cloudflare_account_id
+   	name                  = "Example device profile"
+   	description           = "Example device profile recommended in the implementation documentation. For details, refer to https://developers.cloudflare.com/learning-paths/replace-vpn/configure-device-agent/device-profiles/"
+   	allow_mode_switch     = false
+   	allow_updates         = false
+   	allowed_to_leave      = false
+   	auto_connect          = 600
+   	captive_portal        = 180
+   	disable_auto_fallback = true
+   	enabled               = true
+   	exclude_office_ips    = false
+   	precedence            = 101
+   	service_mode_v2       = {mode = "warp"}
+   	support_url           = "https://support.example.com"
+   	switch_locked         = true
+   	tunnel_protocol       = "wireguard"
+
+   	match = trimspace(replace(<<-EOT
+   		identity.email in {"[email protected]"}
+   		or any(identity.groups.name[*] in {"developers" "admin"})
+   		and os.name == "windows"
+   	EOT
+   	, "\n", " "))
+   }
+   ```
 
 </TabItem>
 </Tabs>
 
 ## Edit profile settings
 
-1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **WARP Client**.
-2. In the **Profile settings** card, find the profile you want to update and select **Configure**.
-3. Modify [WARP settings](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#device-settings) for this profile.
-   :::note
-
-   Changing any of the settings below will cause the WARP connection to restart. The user may experience a brief period of connectivity loss while the new settings are being applied.
-
-   - [Service mode](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#service-mode)
-   - [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#local-domain-fallback)
-   - [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#split-tunnels)
-
-   :::
-
-4. Select **Save profile**.
-
- <Render file="warp/client-notification-lag" product="cloudflare-one" />
+<Render file="warp/edit-profile-settings" />
 
 ## Verify device profile
 
@@ -136,50 +123,59 @@ You can configure device profiles to match against the following selectors, or c
 
 Apply a device profile based on the user's email.
 
-<Render file="gateway/selectors/user-email" params={{ UIname: "User email" }}/>
+<Render file="gateway/selectors/user-email" params={{ UIname: "User email" }} />
 
 ### User group emails
 
 Apply a device profile based on an [IdP group](/cloudflare-one/policies/gateway/identity-selectors/#idp-groups-in-gateway) email address of which the user is configured as a member in the IdP.
 
-<Render file="gateway/selectors/user-group-email" params={{ UIname: "User group emails" }}/>
+<Render
+	file="gateway/selectors/user-group-email"
+	params={{ UIname: "User group emails" }}
+/>
 
 ### User group IDs
 
 Apply a device profile based on an [IdP group](/cloudflare-one/policies/gateway/identity-selectors/#idp-groups-in-gateway) ID of which the user is configured as a member in the IdP.
 
-<Render file="gateway/selectors/user-group-ids" params={{ UIname: "User group IDs" }}/>
+<Render
+	file="gateway/selectors/user-group-ids"
+	params={{ UIname: "User group IDs" }}
+/>
 
 ### User group names
 
 Apply a device profile based on an [IdP group](/cloudflare-one/policies/gateway/identity-selectors/#idp-groups-in-gateway) name of which the user is configured as a member in the IdP.
 
-<Render file="gateway/selectors/user-group-names" params={{ UIname: "User group names" }}/>
+<Render
+	file="gateway/selectors/user-group-names"
+	params={{ UIname: "User group names" }}
+/>
 
 ### Operating system
 
 Apply a device profile based on the operating system of the device.
 
-| UI name         | API example                                       |
-| --------------- | ------------------------------------------------- |
+| UI name          | API example                        |
+| ---------------- | ---------------------------------- |
 | Operating system | `os.name in {\"windows\" \"mac\"}` |
 
 ### Operating system version
 
 Apply a device profile based on the [OS version](/cloudflare-one/identity/devices/warp-client-checks/os-version/#determine-the-os-version) of the device.
 
-| UI name         | API example                                       |
-| --------------- | ------------------------------------------------- |
+| UI name                  | API example               |
+| ------------------------ | ------------------------- |
 | Operating system version | `os.version == \"1.2.0\"` |
 
- <Render file="warp/os-version-semver" />
+<Render file="warp/os-version-semver" />
 
 ### Managed network
 
 Apply a device profile based on the [managed network](/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks/) that the device is connected to.
 
-| UI name         | API example                                       |
-| --------------- | ------------------------------------------------- |
+| UI name         | API example                    |
+| --------------- | ------------------------------ |
 | Managed network | `network == \"Austin office\"` |
 
 ### SAML attributes
@@ -192,8 +188,8 @@ Apply a device profile based on an attribute name and value from a [SAML IdP](/c
 
 Apply a device profile based on the [service token](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/#check-for-service-token) used to enroll the device.
 
-| UI name         | API example                                       |
-| --------------- | ------------------------------------------------- |
+| UI name       | API example                                                               |
+| ------------- | ------------------------------------------------------------------------- |
 | Service Token | `identity.service_token_uuid == \"f174e90a-fafe-4643-bbbc-4a0ed4fc8415\"` |
 
 ## Comparison operators
@@ -216,6 +212,4 @@ To evaluate multiple conditions in an expression, select a logical operator:
 
 ## Order of precedence
 
-Profiles are evaluated from top to bottom as shown in the UI and follows the first match principle — once a device matches a profile, evaluation stops and no subsequent profiles can override the decision.
-
-The **Default** profile is always at the bottom of the list, meaning that it will only apply if the device does not match any of the previous profiles. If you make another custom profile the default, all settings will be copied over into the **Default** profile.
+<Render file="warp/device-profile-order-of-precedence" />
@@ -5,7 +5,7 @@ sidebar:
   order: 3
 ---
 
-import { Details, TabItem, Tabs } from "~/components";
+import { Details, Render, TabItem, Tabs } from "~/components";
 
 <Details header="Feature availability">
 
@@ -202,17 +202,7 @@ SHA256 Fingerprint=DD4F4806C57A5BBAF1AA5B080F0541DA75DB468D0A1FE731310149500CCD8
 
 </TabItem> <TabItem label="Remote server">
 
-To obtain the SHA-256 fingerprint of a remote server:
-
-```sh
-openssl s_client -connect <private-server-IP>:443 < /dev/null 2> /dev/null | openssl x509 -noout -fingerprint -sha256 | tr -d :
-```
-
-The output will look something like:
-
-```txt
-SHA256 Fingerprint=DD4F4806C57A5BBAF1AA5B080F0541DA75DB468D0A1FE731310149500CCD8662
-```
+<Render file="warp/managed-networks-sha-256" />
 
 </TabItem> </Tabs>
 

@@ -7,13 +7,7 @@ sidebar:
 
 import { Render } from "~/components";
 
-Split Tunnels can be configured to exclude or include IP addresses or domains from going through WARP. This feature is commonly used to run WARP alongside a VPN (in Exclude mode) or to provide access to a specific private network (in Include mode).
-
-:::caution
-Split Tunnels only impacts the flow of IP traffic. DNS requests are still resolved by Gateway and subject to DNS policies unless you add the domains to your [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) configuration.
-:::
-
-Because Split Tunnels controls what Gateway has visibility on at the network level, we recommend testing all changes before rolling out updates to end users.
+<Render file="warp/split-tunnel-intro" />
 
 ## Change Split Tunnels mode
 

@@ -17,7 +17,7 @@ This mode is best suited for organizations that want to use advanced firewall/pr
 
 ## Gateway with DoH
 
-This mode is best suited for organizations that only want to apply DNS filtering to outbound traffic from their company devices. Network and HTTP traffic is handled by the default mechanisms on your devices.
+Gateway with DNS-over-HTTPS (DoH) is best suited for organizations that only want to apply DNS filtering to outbound traffic from their company devices. Network and HTTP traffic is handled by the default mechanisms on your devices.
 
 | DNS filtering | Network filtering | HTTP filtering | Features enabled |
 | ------------- | ----------------- | -------------- | ---------------- |

@@ -53,6 +53,10 @@ If the user has an active browser session with the IdP, WARP will use the existi
 
 - [Microsoft Entra ID](/cloudflare-one/identity/idp-integration/entra-id/#force-user-interaction-during-warp-reauthentication)
 
+## Manually reauthenticate
+
+<Render file="warp/manually-reauth" />
+
 ## Limitations
 
 - **Only one user per device** — If a device is already registered with User A, User B will not be able to log in on that device through the re-authentication flow. To switch the device registration to a different user, User A must first log out from Zero Trust (if [Allow device to leave organization](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#allow-device-to-leave-organization) is enabled), or an admin can revoke the registration from **My Team** > **Devices**. User B can then properly [enroll](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/).

@@ -8,7 +8,7 @@ head:
     content: About Cloudflare WARP
 ---
 
-import { Stream } from "~/components"
+import { Render, Stream } from "~/components"
 
 ## About Cloudflare WARP
 
@@ -40,6 +40,10 @@ For more information on how the WARP client routes traffic, refer to the [WARP a
 	}}
 />
 
+## WARP installation details
+
+<Render file="warp/warp-installation-details" />
+
 ## Key benefits of using WARP
 
 Deploying the WARP client significantly enhances your organization's security and visibility within Cloudflare Zero Trust: