Guides Cloudflare One Zero Trust and SASE work across Access, Gateway, WARP, Tunnel, Cloudflare WAN, DLP, CASB, device posture, and identity. Use when designing, configuring, troubleshooting, or reviewing Cloudflare One deployments. Retrieval-first: use current Cloudflare docs/API schemas instead of embedded product docs.
warp, not a device setting. It accepts reusable Access policies. Look in Access for enrollment debugging, not Devices.non_identity@[team-domain].cloudflareaccess.com and have no group membership - device profiles targeting IdP groups will not match them. Target headless devices explicitly with the non-identity email, specific conventions about the devices (OS information, etc.),or let them fall to the default profile.| Goal | Mode | Rationale |
|---|---|---|
| VPN replacement only (private apps) | Include | Route only specified private CIDRs and hostnames through the client. Everything else goes direct. Minimal blast radius. |
| SWG only (internet security) | Exclude | All traffic through the client. Exclude only what breaks (local printers, certificate-pinned apps). |
| VPN replacement + SWG | Exclude | All traffic through the client. Most common enterprise configuration. |
| Coexistence with another VPN | Include | Avoids conflict with the other VPN's tunnel interface and DNS control. |
| DNS filtering only | DNS-only mode | Only DNS queries go to Gateway. No traffic proxying. |
mdm.xml / managed preferences) override dashboard-configured profile settings for any setting specified in the file. If dashboard changes appear to have no effect on managed devices, check MDM config. Retrieve MDM deployment docs for platform-specific file locations and parameters.dns.domains matches a domain and subdomains; dns.fqdn is exact-match only.sshd configured to trust the Cloudflare CA public key. Retrieve short-lived certificate setup docs before configuring.