Customize device profiles
A device profile defines WARP client settings for a specific set of devices in your organization. You can create multiple profiles and apply different settings based on the user's identity, the device's location, and other criteria.
For example, users in one identity provider group (signifying a specific office location) might have different routes that need to be excluded from their WARP tunnel, or some device types (like Linux) might need different DNS settings to accommodate local development services.
Set your default device profile to be applicable to a majority of your userbase, or any user without known explicit considerations.
To customize the default settings:
- 
Go to Settings > WARP Client. 
- 
Under Device settings, select the default profile and select Configure. 
- 
Many users running Cloudflare Zero Trust to secure their organization have a default profile that resembles the following. Refer to WARP client settings for a description of each setting. Setting State Notes Captive portal detection Enabled Mode switch Disabled If enabled, users have the option to switch to a DNS-only security mode and lose access to your private network. Lock WARP switch Enabled Should be enabled unless users have an explicit reason to disable WARP, such as a conflicting VPN client on the device or other extenuating circumstances. If disabled for concerns about user experience, Auto Connect should be enabled and set on a short interval, like 10-15 minutes. Allow device to leave organization Disabled Allow updates Disabled Usually disabled on managed devices. If enabled, users who are local administrators on their device can update the WARP client on their own — this can introduce version consistency control issues if WARP versions are centrally managed by IT. Auto connect Enabled Timeout is usually set between 10min - 30min. Support URL Enabled Service mode Gateway with WARP Proxies device traffic to Cloudflare according to your Split Tunnel rules. Local Domain Fallback Refer to Resolve Private DNS. Split Tunnels Exclude IPs and domains Refer to Define Split Tunnels settings. Directly route Microsoft 365 traffic Disabled Usually disabled to allow inspection of Microsoft 365 traffic. 
- 
Save the profile. 
- 
Configure global settings for all device profiles: - (Recommended) Enable Admin override code if you turned on Lock WARP switch.
- Enable Install CA to system certificate store if you want users to see a custom block page.
 
- Update the default device settings profile:
curl --request PATCH \https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/policy \--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \--header "Content-Type: application/json" \--data '{  "allow_mode_switch": false,  "allow_updates": false,  "allowed_to_leave": false,  "auto_connect": 900,  "captive_portal": 180,  "disable_auto_fallback": true,  "exclude_office_ips": false,  "service_mode_v2": {    "mode": "warp"  },  "support_url": "https://it.company.com/help",  "switch_locked": true}'- Update global settings:
curl --request PUT \https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/settings \--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \--header "Content-Type: application/json" \--data '{  "disable_for_time": 3600,  "root_certificate_installation_enabled": true}'- 
Add the following permission to your cloudflare_api_token↗:- Zero Trust Write
 
- 
Configure default profile settings using the cloudflare_zero_trust_device_default_profile↗ resource:resource "cloudflare_zero_trust_device_default_profile" "default_profile" {account_id = var.cloudflare_account_idallow_mode_switch = falseallow_updates = falseallowed_to_leave = falseauto_connect = 600captive_portal = 180disable_auto_fallback = trueexclude_office_ips = falseservice_mode_v2 = {mode = "warp"}support_url = "https://support.example.com"switch_locked = truetunnel_protocol = "wireguard"}
- 
Configure global settings using the cloudflare_zero_trust_device_settings↗ resource:resource "cloudflare_zero_trust_device_settings" "global_warp_settings" {account_id = var.cloudflare_account_iddisable_for_time = 3600root_certificate_installation_enabled = trueuse_zt_virtual_ip = false}
You can configure a device settings profile to take effect when the device is connected to a trusted network such as an office. For example, you may wish to allow users in the office to access applications directly rather than route traffic through Cloudflare.
For setup instructions, refer to Add a managed network.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark
-