cloudflare · deadlypants1973 · Sep 26, 2025 · Aug 13, 2025 · Sep 24, 2025 · Sep 25, 2025
@@ -109,7 +109,217 @@ If you prefer to use Intune's Win32 App tool to run the Powershell script, refer
 
 ## macOS
 
-Refer to the [generic instructions for macOS](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/#macos).
+The following steps outline deploying WARP on macOS using Intune.
+
+### Prerequisites
+
+- A [Microsoft Intune account](https://login.microsoftonline.com/).
+- A Cloudflare account that has a [Zero Trust organization](/cloudflare-one/setup/#create-a-zero-trust-organization).
+- macOS devices enrolled in Intune.
+
+### Deployment order
+
+:::tip[Best practice]
+Deploy configuration profiles (steps 1, 2, and 3) before the WARP application (step 4) itself. This order ensures that when the WARP client installs, it already has the required permissions and certificates, avoiding failed installations.
+:::
+
+- Upload user-side certificate.
+- Allow system extensions (bundle ID and team identifier policy).
+- Upload MobileConfig (custom configuration policy).
+- Upload and assign the WARP `.pkg` (application policy).
+
+### 1. Upload user-side certificate
+
+You must deploy a [user-side certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/) so that devices managed by Intune can establish trust with Cloudflare when their traffic is inspected.
+
+1. Log in to [Zero Trust](https://one.dash.cloudflare.com/).
+
+2. Go to **Settings** > **Resources** > under **Certificates**, select **Manage**.
+
+3. Find your [certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/) and select the three dotted icon next to it > select **Download .crt**.
+
+4. In the [Microsoft Intune admin center](https://intune.microsoft.com), go to **Devices** > select **macOS**.
+
+	![Intune admin console where you select macOS before creating a policy](~/assets/images/cloudflare-one/connections/intune/devices-macos.png)
+
+5. Under **Manage devices**, select **Configuration**.
+
+	![Intune admin console where you will create a new policy](~/assets/images/cloudflare-one/connections/intune/manage-devices-configuration.png)
+
+6. Select **Create** > **New Policy**.
+
+7. For **Profile Type**, select _Templates_ > select **Trusted certificate** as the **Template name** > select **Create**.
+
+8. In **Basics**, input the necessary field(s) and give your policy a name like `Cloudflare certificate` > select **Next**.
+
+9. For **Deployment Channel**, select **Device Channel**.
+
+10. Upload your file (Intune may request `.cer` format, though `.crt` files are also accepted) > select **Next**.
+
+11. In **Assignments**, select an option (for example, **Add all devices** or **Add all users**) that is valid for your scope. This will be the same scope for all steps. Select **Next**.
+
+12. Review your configuration in **Review + create** and select **Create**.
+
+Sharing this certificate with Intune automates the installation of this certificate on your user devices, creating trust between browsers on a user's device and Cloudflare.
+
+### 2. Allow WARP system extensions
+
+Before deploying WARP, you need to allow its system extensions.
+
+1. In the [Microsoft Intune admin center](https://intune.microsoft.com), go to **Devices** > **macOS**.
+
+2. Under **Manage devices**, select **Configuration**.
+
+3. Select **Create** > **New Policy**.
+
+4. For **Profile type**, select _Settings catalog_ > select **Create**.
+
+5. In **Basics**, input the necessary field(s) and give your policy a name like `WARP System Extensions` > select **Next**.
+
+6. In **Configuration settings**, select **Add settings**.
+
+7. In the **Settings picker**, search for **System Extensions** under System Configuration.
+
+8. Enable **Allowed System Extensions**.
+
+9. Select **Edit instance** and add:
+
+	- Bundle Identifier: `com.cloudflare.1.1.1.1`
+	- Team Identifier: `68BUP38M2J`
+
+	![Intune admin console where you enter team identifier and bundle identifier](~/assets/images/cloudflare-one/connections/intune/intune-bundle-team-identifier.png)
+
+10. Select **Save**.
+
+11. In **Scope tags**, select **Next**.
+
+12. In **Assignments**, select an option (for example, **Add all devices** or **Add all users**) that is valid for your scope. This will be the same scope for all steps. Select **Next**.
+
+13. Review your configuration and select **Create**.
+
+This step allows WARP to install without user interaction. By completing this step, you allow WARP to install and manage its required system extensions without end-user prompts.
+
+### 3. Upload `MobileConfig` configuration
+
+1. Open a text editor and paste in the following `.mobileconfig` template:
+
+	```xml
+	<?xml version="1.0" encoding="UTF-8"?>
+	<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+	<plist version="1.0">
+			<dict>
+					<key>PayloadDisplayName</key>
+					<string>Cloudflare WARP</string>
+					<key>PayloadIdentifier</key>
+					<string>cloudflare_warp</string>
+					<key>PayloadOrganization</key>
+					<string>Cloudflare, Ltd.</string>
+					<key>PayloadRemovalDisallowed</key>
+					<false/>
+					<key>PayloadType</key>
+					<string>Configuration</string>
+					<key>PayloadScope</key>
+					<string>System</string>
+					<key>PayloadUUID</key>
+					<string>YOUR_PAYLOAD_UUID_HERE</string>
+					<key>PayloadVersion</key>
+					<integer>1</integer>
+					<key>PayloadContent</key>
+					<array>
+							<dict>
+									<key>organization</key>
+									<string>YOUR_TEAM_NAME_HERE</string>
+									<key>auto_connect</key>
+									<integer>120</integer>
+									<key>onboarding</key>
+									<false/>
+									<key>PayloadDisplayName</key>
+									<string>Warp Configuration</string>
+									<key>PayloadIdentifier</key>
+									<string>com.cloudflare.warp.YOUR_PAYLOAD_UUID_HERE</string>
+									<key>PayloadOrganization</key>
+									<string>Cloudflare Ltd.</string>
+									<key>PayloadType</key>
+									<string>com.cloudflare.warp</string>
+									<key>PayloadUUID</key>
+									<string>YOUR_PAYLOAD_UUID_HERE</string>
+									<key>PayloadVersion</key>
+									<integer>1</integer>
+							</dict>
+					</array>
+			</dict>
+	</plist>
+	```
+2. Open your macOS Terminal and run `uuidgen`. This will generate a value for `PayloadUUID`. Use this value to replace the default value (`YOUR_PAYLOAD_UUID_HERE`) used in the template (three locations total).
+
+3. Update your organization's string (`YOUR_TEAM_NAME_HERE`) with your [team name](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name).
+
+4. Modify the file with your desired [deployment parameters](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/parameters/).
+	```xml
+	<array>
+		<dict>
+				<key>organization</key>
+				<string>YOUR_TEAM_NAME_HERE</string>
+				// add desired deployment parameters here
+	```
+
+	:::tip[Best practice]
+	Start by deploying the template in its default, minimal form. This helps you verify a successful deployment before adding custom parameters.
+	:::
+5. In the [Microsoft Intune admin center](https://intune.microsoft.com), go to **Devices** > **macOS**.
+
+6. Under **Manage devices**, select **Configuration**.
+
+7. Select **Create** > **New Policy**.
+
+8. For **Profile Type**, select _Templates_ > select **Custom** as the **Template name** > select **Create**.
+
+9. In **Basics**, input the necessary field(s) > select **Next**.
+
+10. In **Custom configuration profile name**, input a name.
+
+11. For **Deployment Channel**, select **Device Channel**.
+
+12. Under **Configuration profile file**, upload the `.mobileconfig` file that you created in your text editor in step 1 > select **Next**.
+
+13. In **Assignments**, select an option (for example, **Add all devices** or **Add all users**) that is valid for your scope. This will be the same scope for all steps.
+
+14. Review your configuration and create your policy.
+
+By completing this step, you preconfigure WARP with your team settings so it connects automatically upon installation.
+
+### 4. Upload WARP client `.pkg`
+
+:::tip[Best practice]
+Complete Step 4 at least one hour after steps 1, 2, and 3 so clients have enough time to check in and update their device configurations.
+:::
+
+1. Log in to [Zero Trust](https://one.dash.cloudflare.com/).
+
+2. Go to **Settings** > **Resources** > find macOS under **Download the WARP client** > select **Download release**.
+
+	You will be taken to the WARP documentation on [stable releases for macOS](/cloudflare-one/connections/connect-devices/warp/download-warp/#macos) and download a `.pkg` file.
+
+	:::note[Repeat this step to update WARP when a new release is available]
+	Every time WARP releases a new version, you must repeat this process and get a new `.pkg` file for the new WARP version.
+	:::
+3. Log in to the [Microsoft Intune admin center](https://intune.microsoft.com), and go to **Apps** > **macOS**.
+
+4. Select **Create**.
+
+5. For **App type**, select _macOS app (PKG)_.
+
+6. In **App information**, select the `.pkg` file you downloaded and input required details. Enter `Cloudflare` as the Publisher.
+
+7. In **Requirements**, refer to the OS versions listed in [stable releases for macOS](/cloudflare-one/connections/connect-devices/warp/download-warp/#macos) and find what matches for you.
+
+8. In **Detection rules**, note that the WARP package will have filled in the App bundle ID and App version.
+
+9. In **Assignments**, select an option (for example, **Add all devices** or **Add all users**) that is valid for your scope. Select **Next**.
+
+10. Review your configuration in **Review + create** and select **Create**.
+
+By completing this step, you deliver the WARP client to targeted macOS devices, either automatically (assignment scope set as **Required**) or on-demand (assignment scope as **Available**) through your company portal.
 
 ## iOS