cloudflare · ranbel · Oct 28, 2025 · Oct 28, 2025 · Oct 28, 2025 · Oct 28, 2025
@@ -2389,6 +2389,7 @@
 /cloudflare-one/identity/users/scim/ /cloudflare-one/team-and-resources/users/scim/ 301
 /cloudflare-one/applications/login-page/ /cloudflare-one/reusable-components/custom-pages/access-login-page/ 301
 /cloudflare-one/applications/block-page/ /cloudflare-one/reusable-components/custom-pages/access-block-page/ 301
+/cloudflare-one/policies/gateway/block-page/ /cloudflare-one/reusable-components/custom-pages/gateway-block-page/ 301
 /cloudflare-one/applications/app-library/ /cloudflare-one/team-and-resources/app-library/ 301
 /cloudflare-one/applications/bookmarks/ /cloudflare-one/access-controls/applications/bookmarks/ 301
 /cloudflare-one/applications/app-launcher/ /cloudflare-one/access-controls/access-settings/app-launcher/ 301
@@ -2399,9 +2400,11 @@
 /cloudflare-one/identity/authorization-cookie/application-token/ /cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/ 301
 /cloudflare-one/identity/authorization-cookie/cors/ /cloudflare-one/access-controls/applications/http-apps/authorization-cookie/cors/ 301
 /cloudflare-one/identity/service-tokens/ /cloudflare-one/access-controls/service-credentials/service-tokens/ 301
+/cloudflare-one/identity/mutual-tls-authentication/ /cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/ 301
 /cloudflare-one/applications/configure-apps/mcp-servers/mcp-portals/ /cloudflare-one/access-controls/ai-controls/mcp-portals/ 301
 /cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp/ /cloudflare-one/access-controls/ai-controls/saas-mcp/ 031
 /cloudflare-one/applications/configure-apps/mcp-servers/linked-apps/ /cloudflare-one/access-controls/ai-controls/linked-apps/ 301
+/cloudflare-one/identity/devices/access-integrations/tanium/ /cloudflare-one/reusable-components/posture-checks/warp-client-checks/tanium/ 301
 /cloudflare-one/connections/connect-devices/* /cloudflare-one/team-and-resources/devices/:splat 301
 /cloudflare-one/connections/connect-networks/* /cloudflare-one/networks/connectors/cloudflare-tunnel/:splat 301
 /cloudflare-one/policies/gateway/* /cloudflare-one/traffic-policies/:splat 301

@@ -12,4 +12,4 @@ You can now use more flexible redirect capabilities in Cloudflare One with Gatew
 - A new **Redirect** action is available in the HTTP policy builder, allowing admins to redirect users to any URL when their request matches a policy. You can choose to preserve the original URL and query string, and optionally include policy context via query parameters.
 - For **Block** actions, admins can now configure a custom URL to display when access is denied. This block page redirect is set at the account level and can be overridden in DNS or HTTP policies. Policy context can also be passed along in the URL.
 
-Learn more in our documentation for [HTTP Redirect](/cloudflare-one/traffic-policies/http-policies/#redirect) and [Block page redirect](/cloudflare-one/traffic-policies/block-page/#redirect-to-a-block-page).
+Learn more in our documentation for [HTTP Redirect](/cloudflare-one/traffic-policies/http-policies/#redirect) and [Block page redirect](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page).
@@ -24,7 +24,7 @@ However, if you want to update the Minimum TLS settings for all wildcard hostnam
 
 ## Enable mTLS
 
-Once you have [added a custom hostname](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/), you can enable mTLS by using Cloudflare Access. Go to [Cloudflare Zero Trust](https://one.dash.cloudflare.com/) and [add mTLS authentication](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/) with a few clicks.
+Once you have [added a custom hostname](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/), you can enable mTLS by using Cloudflare Access. Go to [Cloudflare Zero Trust](https://one.dash.cloudflare.com/) and [add mTLS authentication](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/) with a few clicks.
 
 :::note
 Currently, you cannot add mTLS policies for custom hostnames using [API Shield](/api-shield/security/mtls/).

@@ -0,0 +1,44 @@
+---
+pcx_content_type: how-to
+title: App Launcher customization
+sidebar:
+  order: 2
+---
+
+import { Render } from "~/components";
+
+:::note
+
+Only available on Pay-as-you-go and Enterprise plans.
+:::
+
+You can display your own branding, messages, and links to users when they open the [Access App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/).
+
+To customize the App Launcher appearance:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Custom Pages**.
+2. Find the **Customize App Launcher** setting and select **Customize**.
+3. Give the App Launcher the look and feel of your organization by adding:
+   - Your organization's name
+   - A logo
+   - A preferred background color for the header
+   - A preferred background color for the page
+   - A custom footer with links to your organization's help desk or other internal resources.
+
+:::note
+
+We recommend lighter background colors because the font defaults to black.
+:::
+
+4. Next, customize the landing page that users will see when they login to the App Launcher. Available properties include:
+   - A custom title
+   - A custom subtitle
+   - An image
+   - A preferred color for the **Log in** button
+   - A preferred color for the **Log in** button text
+
+   All of the properties configured in Step 3 will also apply to the landing page.
+
+5. Once you are satisfied with your customization, select **Save**.
+
+The App Launcher screens are now updated. To view your changes, select **Preview**.
@@ -2,7 +2,7 @@
 pcx_content_type: how-to
 title: Block page
 sidebar:
-  order: 14
+  order: 1
 ---
 
 import { Render, Tabs, TabItem } from "~/components";

@@ -0,0 +1,15 @@
+---
+pcx_content_type: navigation
+title: Access integrations
+sidebar:
+  order: 4
+---
+
+The following device posture checks do not require the WARP client and can only be used in [Cloudflare Access policies](/cloudflare-one/access-controls/policies/). They cannot be used in Gateway network policies.
+
+## Supported operating systems
+
+| Device posture check                                                                            | macOS | Windows | Linux | iOS | Android/ChromeOS |
+| ----------------------------------------------------------------------------------------------- | ----- | ------- | ----- | --- |---------------------------------------------------------------------------------------- |
+| [Microsoft Entra ID Conditional Access](/cloudflare-one/tutorials/entra-id-conditional-access/) | ✅    | ✅      | ❌    | ❌  | ❌               |
+| [Mutual TLS](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/)   | ✅    | ✅      | ✅    | ✅  | ✅               |
@@ -32,7 +32,7 @@ You can now use your device posture check in an [Access policy](/cloudflare-one/
 
 :::caution[Gateway policy limitation]
 
-Gateway does not support device posture checks for the [Tanium Access integration](/cloudflare-one/reusable-components/posture-checks/access-integrations/tanium/).
+Gateway does not support device posture checks for the [Tanium Access integration](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/tanium/).
 :::
 
 ## 4. Ensure traffic is going through WARP

@@ -44,7 +44,7 @@ The Client Certificate device posture attribute checks if the device has a valid
 
 :::note
 
-To generate a sample root CA for testing, refer to [Generate mTLS certificates](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/#generate-mtls-certificates).
+To generate a sample root CA for testing, refer to [Generate mTLS certificates](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#generate-mtls-certificates).
 :::
 
 ## Configure the client certificate check

@@ -31,3 +31,4 @@ These device posture checks are performed by the [Cloudflare WARP client](/cloud
 | [Require Gateway](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/require-gateway/)       | ✅     | ✅       | ✅           | ✅   | ✅                |
 | [Require WARP](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/require-warp/)             | ✅     | ✅       | ✅           | ✅   | ✅                |
 | [SentinelOne](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/sentinel-one/)              | ✅     | ✅       | ✅           | ❌   | ❌                |
+| [Tanium (legacy)](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/tanium/)                          | ✅    | ✅      | ✅    | ❌  | ❌  |
@@ -2,7 +2,7 @@
 pcx_content_type: how-to
 title: Tanium (legacy)
 sidebar:
-  order: 4
+  order: 12
 head:
   - tag: title
     content: Integrate Tanium with Access
@@ -16,10 +16,8 @@ Not recommended for new deployments. We recommend using the [Tanium service-to-s
 
 Cloudflare Access can use endpoint data from [Tanium™](https://www.tanium.com/) to determine if a request should be allowed to reach a protected resource. When users attempt to connect to a resource protected by Access with a Tanium rule, Cloudflare Access will validate the user's identity, and the browser will connect to the Tanium agent before making a decision to grant access.
 
-:::caution[Gateway device posture limitation]
-
-The Tanium integration cannot be used with [Gateway device posture policies](/cloudflare-one/traffic-policies/network-policies/#device-posture).
-
+:::caution[Gateway policy limitation]
+The legacy Tanium integration cannot be used in [Gateway network policies](/cloudflare-one/traffic-policies/network-policies/#device-posture). Only [Access policies](/cloudflare-one/access-controls/policies/) are supported.
 :::
 
 ## Prerequisites

@@ -275,7 +275,7 @@ curl --silent "https://<ACCOUNT_ID>.cloudflare-gateway.com/dns-query?name=exampl
 --header "CF-Authorization: <USER_DOH_TOKEN>" | jq
 ```
 
-If the site is blocked and you have turned on the [block page](/cloudflare-one/traffic-policies/block-page/#configure-policy-block-behavior) for the policy, the query will return `162.159.36.12` (the IP address of the Gateway block page). If the block page is disabled, the response will be `0.0.0.0`.
+If the site is blocked and you have turned on the [block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#configure-policy-block-behavior) for the policy, the query will return `162.159.36.12` (the IP address of the Gateway block page). If the block page is disabled, the response will be `0.0.0.0`.
 
 <Details header="Example response">
 

@@ -29,7 +29,7 @@ import { Details, Render } from "~/components";
 
 The [WARP client](/cloudflare-one/team-and-resources/devices/warp/) can automatically install a Cloudflare certificate or [custom root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/) on Windows, macOS, and Debian/Ubuntu Linux devices. On mobile devices and Red Hat-based systems, you will need to [install the certificate manually](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/).
 
-The certificate is required if you want to [apply HTTP policies to encrypted websites](/cloudflare-one/traffic-policies/http-policies/tls-decryption/), display custom [block pages](/cloudflare-one/traffic-policies/block-page/), and more.
+The certificate is required if you want to [apply HTTP policies to encrypted websites](/cloudflare-one/traffic-policies/http-policies/tls-decryption/), display custom [block pages](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/), and more.
 
 ## Install a certificate using WARP
 

@@ -14,7 +14,7 @@ import { Render, Tabs, TabItem, APIRequest } from "~/components";
 Only available on Enterprise plans.
 :::
 
-Enterprise customers who do not wish to install a [Cloudflare certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/) have the option to upload their own root certificate to Cloudflare. This feature is sometimes referred to as Bring Your Own Public Key Infrastructure (BYOPKI). Gateway will use your uploaded certificate to encrypt all sessions between the end user and Gateway, enabling all HTTPS inspection features that previously required a Cloudflare certificate. You can upload multiple certificates to your account, but only one can be active at any given time. You also need to upload a private key to intercept domains with JIT certificates and to enable the [block page](/cloudflare-one/traffic-policies/block-page/).
+Enterprise customers who do not wish to install a [Cloudflare certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/) have the option to upload their own root certificate to Cloudflare. This feature is sometimes referred to as Bring Your Own Public Key Infrastructure (BYOPKI). Gateway will use your uploaded certificate to encrypt all sessions between the end user and Gateway, enabling all HTTPS inspection features that previously required a Cloudflare certificate. You can upload multiple certificates to your account, but only one can be active at any given time. You also need to upload a private key to intercept domains with JIT certificates and to enable the [block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/).
 
 You can upload up to five custom root certificates. If your organization requires more than five certificates, contact your account team.
 

@@ -49,7 +49,7 @@ If you are using Split Tunnels in Include mode, you must include the following d
 
 #### Block page
 
-If you are using Split Tunnels in Include mode and have [DNS policies](/cloudflare-one/traffic-policies/dns-policies/) with the [block page](/cloudflare-one/traffic-policies/block-page/) enabled, you must include the IPs that blocked domains will resolve to. Unless you are using a [dedicated or BYOIP resolver IP](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/dns-resolver-ips/#dns-resolver-ip) the block page will resolve to:
+If you are using Split Tunnels in Include mode and have [DNS policies](/cloudflare-one/traffic-policies/dns-policies/) with the [block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) enabled, you must include the IPs that blocked domains will resolve to. Unless you are using a [dedicated or BYOIP resolver IP](/cloudflare-one/team-and-resources/devices/agentless/dns/locations/dns-resolver-ips/#dns-resolver-ip) the block page will resolve to:
 
 - `162.159.36.12`
 - `162.159.46.12`

@@ -29,7 +29,7 @@ You can verify which devices have enrolled by going to **My Team** > **Devices**
 
 ### Check for mTLS certificate
 
-Enterprise customers can enforce [mutual TLS authentication](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/) during device enrollment.
+Enterprise customers can enforce [mutual TLS authentication](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/) during device enrollment.
 
 <Render file="warp/device-enrollment-mtls" product="cloudflare-one" />
 

@@ -141,7 +141,7 @@ Policies with Block actions block DNS queries to reach destinations you specify
 
 #### Custom block page
 
-When choosing the Block action, turn on **Modify Gateway block behavior** to respond to queries with a block page to display to users who go to blocked websites. Optionally, you can override your global block page setting with a URL redirect for the specific DNS policy. For more information, refer to [Block page](/cloudflare-one/traffic-policies/block-page/).
+When choosing the Block action, turn on **Modify Gateway block behavior** to respond to queries with a block page to display to users who go to blocked websites. Optionally, you can override your global block page setting with a URL redirect for the specific DNS policy. For more information, refer to [Block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/).
 
 If the block page is turned off for a policy, Gateway will respond to queries blocked at the DNS level with an `A` record of `0.0.0.0` for IPv4 destinations, or with an `AAAA` record of `::` for IPv6 destinations. The browser will display its default connection error page.
 

@@ -23,7 +23,7 @@ For example, if you created a policy to block `example.com`, you can do the foll
 
 2. Type `dig example.com` (`nslookup example.com` if you are using Windows) and press **Enter**.
 
-3. If the [block page](/cloudflare-one/traffic-policies/block-page/) is turned off for the policy, you should see `REFUSED` in the answer section:
+3. If the [block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) is turned off for the policy, you should see `REFUSED` in the answer section:
 
    ```sh
    dig example.com
@@ -46,7 +46,7 @@ For example, if you created a policy to block `example.com`, you can do the foll
    ;; MSG SIZE  rcvd: 29
    ```
 
-   If the [block page](/cloudflare-one/traffic-policies/block-page/) is enabled for the policy, you should see `NOERROR` in the answer section with `162.159.36.12` and `162.159.46.12` as the answers:
+   If the [block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) is enabled for the policy, you should see `NOERROR` in the answer section with `162.159.36.12` and `162.159.46.12` as the answers:
 
    ```sh null
    dig example.com
-Original file line number
+Diff line change
@@ Expand Up @@
     :::note
-    To generate a sample root CA for testing, refer to [Generate mTLS certificates](/cloudflare-one/reusable-components/posture-checks/access-integrations/mutual-tls-authentication/#generate-mtls-certificates).
+    To generate a sample root CA for testing, refer to [Generate mTLS certificates](/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/#generate-mtls-certificates).
     :::
     ## Configure the client certificate check
@@ Expand Down @@