Cloudflare for Teams Deployment Guide – Hexnode UEM

Internet access management has always been a challenging task for organizations. Network insecurities and threats are some of the heavily explored territories advancing in a very alarming pattern. This calls for a proactive internet access solution that makes web access faster, safer and private for all your customers, clients and partners. Cloudflare for Teams is such a solution that replaces the legacy security perimeters that are long outdated to build a new, faster, and safer internet experience for your users. It makes use of the Cloudflare WARP client application to connect the devices to Cloudflare for DNS filtering, web proxying, port handling and more. WARP uses a modern protocol to rebuild the connection between the device and the internet to make DNS queries faster and private.

Cloudflare for Teams partners with Hexnode UEM to make internet management easier for enterprises. With this collaboration, you can distribute the Cloudflare for Teams client application to the end-user devices and remotely set up advanced configurations for the app in real-time. Hexnode UEM assists organizations in remotely deploying, configuring, administering, and maintaining this app. Hexnode, along with Cloudflare for Teams, helps organizations keep an eye on the internet to provide a safer workplace for the employees. The Cloudflare WARP client is available on iOS, Android, Mac and Windows endpoints with Hexnode.

Cloudflare for Teams on Mac

1. Get the Cloudflare WARP client.
2. Upload the cloudflare_WARP.pkg file in Hexnode.
   • On your Hexnode console, head on to Apps.
   • Click on +Add Apps > Enterprise App.
   • Select macOS as the app platform.
   • Add an app name, category and description.
   • Upload the PKG file and click on Add.
3. Set up an XML file with the supported app configurations for the app.
   Here’s a sample XML file with the accepted parameters.
   
   Sample XML

   MS DOS

   <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>organization</key> <string>organizationname</string> <key>auto_connect</key> <integer>1</integer> <key>switch_locked</key> <false /> <key>service_mode</key> <string>warp</string> <key>support_url</key> <string>https://support.example.com</string> </dict> </plist>

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

   <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict>   <key>organization</key>   <string>organizationname</string>   <key>auto_connect</key>   <integer>1</integer>   <key>switch_locked</key>   <false />   <key>service_mode</key>   <string>warp</string>   <key>support_url</key> <string>https://support.example.com</string> </dict> </plist>

4. Push the app and configurations to the devices.
   • On your Hexnode console, go to Policies.
   • Create a new policy and provide a policy name.
   • Go to macOS > App Management > Required Apps and start setting up the policy.
   • Click on +Add and select the previously uploaded WARP client app.
   • Now go to App Configurations and click on +Add new configuration.
   • Select the WARP client app and upload the XML file.
   • Now go to Policy Targets and associate the policy with the target entities.

This will push the app along with the configurations to the selected devices.

Cloudflare for Teams on Android

1. Approve the app 1.1.1.1: Faster & Safer Internet as a Managed Google Play app.
   • On your Hexnode console, navigate to the Apps tab.
   • Click on +Add Apps > Managed Google Apps.
   • Search and find the app 1.1.1.1: Faster & Safer Internet.
   • Approve the app as a Managed Google app.
2. Set up custom configurations for the app with App Configurations.
   • On your Hexnode console, go to Policies and create a new policy.
   • Go to Android > App Configurations > + Add new configuration.
   • Search and find the app and set up the customizations.
   • Associate the policy with the required target devices before saving from Policy Targets.

The app automatically gets installed on the devices once the policy with the app configuration reaches the device.

Cloudflare for Teams on Windows

1. Create a script file with “.bat”, “.cmd”, and “.ps1” file formats to download, install and configure the Cloudflare WARP client Windows application on the device.
   Listed below is a sample script with all the configurable parameters.
   Sample script

   MS DOS

   <# Choose file name for downloading application #> $filename = filename.msi' <# Download URL of the installer. #> $url = 'https://www.cloudflarewarp.com/Cloudflare_WARP_Release-x64.msi' Write-Host 'Downloading App from' $url Invoke-WebRequest -Uri $url -OutFile $filename <# Run the installer and wait for the installation to finish #> $arguments = "ORGANIZATION="exampleorg" SERVICE_MODE="warp" GATEWAY_UNIQUE_ID="fmxk762nrj" SUPPORT_URL="http://support.example.com"" $installProcess = (Start-Process $filename -ArgumentList $arguments -PassThru -Wait) <# Check if installation was successful #> if ($installProcess.ExitCode -ne 0) { Write-Host "Installation failed!" exit $installProcess.ExitCode } else { Write-Host "Installation completed successfully!" }

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

   <# Choose file name for downloading application #> $filename = filename.msi'   <# Download URL of the installer. #> $url = 'https://www.cloudflarewarp.com/Cloudflare_WARP_Release-x64.msi' Write-Host 'Downloading App from' $url Invoke-WebRequest -Uri $url -OutFile $filename   <# Run the installer and wait for the installation to finish #>   $arguments = "ORGANIZATION="exampleorg" SERVICE_MODE="warp" GATEWAY_UNIQUE_ID="fmxk762nrj" SUPPORT_URL="http://support.example.com""   $installProcess = (Start-Process $filename -ArgumentList $arguments -PassThru -Wait)   <# Check if installation was successful #>   if ($installProcess.ExitCode -ne 0) {       Write-Host "Installation failed!"       exit $installProcess.ExitCode }   else {       Write-Host "Installation completed successfully!"   }

2. Push the script file to the devices using Hexnode.
   • On your Hexnode console, go to Manage > Devices.
   • Click on your device name, this will take you to the Device Summary.
   • Click on Actions > Execute Custom Script.
   • Choose the script file source as Upload file, then upload the script file.
   • Click on Execute.

Cloudflare for iOS

1. Add the Cloudflare WARP iOS client in the Hexnode app inventory.
   • On your Hexnode console, head on to Apps.
   • Click on +Add Apps > Store App.
   • Select iOS as the app platform.
   • Search for the app 1.1.1.1: Faster Internet and click on Add corresponding to the app.
2. Set up an XML file with the supported app configurations for the app.

   Refer this sample XML code to identify the supported arguments
   

   Sample XML

   MS DOS

   <dict> <key>organization</key> <string>yourorganization</string> <key>auto_connect</key> <integer>1</integer> <key>switch_locked</key> <false /> <key>service_mode</key> <string>warp</string> <key>support_url</key <string>https://support.example.com</string> </dict>

   1 2 3 4 5 6 7 8 9 10 11 12

   <dict>   <key>organization</key>   <string>yourorganization</string>   <key>auto_connect</key>   <integer>1</integer>   <key>switch_locked</key>   <false />   <key>service_mode</key>   <string>warp</string>   <key>support_url</key <string>https://support.example.com</string> </dict>

3. Upload the app configurations in Hexnode.
   • On your Hexnode console, go to Apps tab.
   • Find the app and click on its name.
   • Click on the settings icon and choose App Configuration.
   • Upload the XML file in the corresponding field.
   • Now click on Save.
4. Push the app to the target devices using Hexnode.
   • On your Hexnode console, go to Policies and create a new policy.
   • Provide a name for the policy and go to iOS.
   • Select Required Apps from the left menu and click on Configure.
   • Click on +Add > Add app, check the required app and click on Done.
   • Now go to Policy Targets and associate the policy with the required target entities.

Configurable Arguments

The following are the Cloudflare WARP client parameters that can be remotely configured via the Hexnode app configuration scripts and policies on the devices upon deployment.

Organization

Use your organization name as the field value. This WARP client registers the device to the organization specified in the field. Note that users will be asked to sign in to the organization for registration. Registering the organization is mandatory to avail many Cloudflare for Teams features like browser isolation, etc.

Gateway Unique ID

Specify the Cloudflare Gateway DoH subdomain. The parameter is used to define the policy location to which the DNS queries are to be directed. If the Gateway DoH subdomain is not specified, the client will automatically use the default location specified in the organization.

Service mode

This key allows you to choose the operational mode of the client. This field can have the values 1.1.1.1 or WARP, the former enforces Gateway DoH only for DNS policies, and the latter sends all the traffic through Cloudflare Gateway via the encrypted tunnels.

Enable the service

Force-enable the service in the selected (WARP/1.1.1.1) mode.

Onboarding

This is a toggle switch that lets you alter the visibility of some app setup screens, such as the privacy policy review page during the app’s first launch.

Switch Locked

This is a toggle switch that allows you to let users control the connection state of the WARP client. If the switch is in an off position, users can turn the app off and on at their preference. Switch it on to block users from turning it back off.

Auto connect

Use a value between 0 and 1440 (minutes). This will automatically switch on the connection on devices if manually turned off by the user after the specified number of minutes. Choose 0 to disable auto-connect.

Support URL

Provide your organization’s support URL to redirect the app feedbacks to your organization’s custom support page. The URLs can have the format: https://support.example.com or mailto://yoursupport@example.com.

Custom ID

Enter the custom/internal user identifier from the service token you can deploy with the WARP client.