diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/device-registration.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/device-registration.mdx new file mode 100644 index 000000000000000..28eda60df71b64c --- /dev/null +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/device-registration.mdx 
@@ -0,0 +1,107 @@ +--- +pcx_content_type: reference +title: Device registration +sidebar: + order: 3 +--- + +import { TabItem, Tabs } from "~/components"; + +A device registration is made when a user, approved by the Zero Trust organization, puts a device onto Cloudflare. A device registration status indicates the current state of a device registration, such as `Active`, `Revoked`, or `Deleted`. + +## Device registration + +A device registration represents the identity a device uses to connect through WARP. Each registration represents a specific combination of user and device. A user is an identity from your identity provider (IdP) that can consume a [seat](/cloudflare-one/team-and-resources/users/seat-management/). + +Cloudflare authenticates each device registration with a public key. A single device may have multiple device registrations, such as in a shared-device environment where multiple users share and use a single device. Each device registration's public key is unique to the device and user. + +:::tip[Check a device's registrations] + +Review how many device registrations are associated with a device by logging into [Cloudflare One](https://one.dash.cloudflare.com/) and going to **Teams & Resources** > **Devices** > select a device > **View details** > scroll down to **Users** and review users who enrolled on this device. + +::: + +The onboarding process for Cloudflare One starts with creating your [Zero Trust organization](/cloudflare-one/setup/#create-a-zero-trust-organization) and configuring an identity provider (IdP) or one-time pin for user authentication. After setting up the login method, administrators define [device enrollment permissions](/cloudflare-one/team-and-resources/devices/warp/deployment/device-enrollment/) to define which users should be able to connect devices to your organization. 
+ +Whether the WARP client is installed manually by a user or deployed through an MDM solution, a device registration is created when the WARP client first authenticates. + +| Concept | Definition | +|--------|------------| +| User | An IdP-backed human identity that can connect new devices to your Zero Trust organization. | +| Seat | definition needed | +| [Service token](/cloudflare-one/access-controls/service-credentials/service-tokens/) | Used by automated systems (a non-human identity) to authenticate against your Cloudflare One policies. | +| Device registration | A public key, associated to a user and device, used by WARP to connect to Cloudflare's network. | +| [Session](/cloudflare-one/access-controls/access-settings/session-management/) | JSON Web Tokens (JWTs) that are generated when Access validates user identity against your Access policies and determines how long a user can access an Access application without re-authenticating. | + +## Device registration statuses + +Registrations can have the following statuses: + +| Status | Description | +| --- | --- | +| **Active** | Registered and able to connect via WARP. This is the expected operational state. | +| **Revoked** | The registration's public key is invalidated, preventing the device from connecting. The device registration can be unrevoked manually or via WARP re-authentication. | +| **Deleted** | The registration is permanently removed from the account and no longer appears in your device list. Deletion is permanent and requires re-registering the device. | + +:::caution[Revocation has no practical usefulness] + +The WARP clients automatically re-registers when it detects that a device registration has been revoked. As a result, the **Unrevoke** action has no practical effect and will be phased out in the near future. + +::: + +To check your device status: + +1. Log into [Cloudflare One](https://one.dash.cloudflare.com/). +2. Go to **Teams & Resources** > **Devices**. +3. 
Select the device and select **View details**. +4. Scroll down to **Users** and find the user associated with the device. +5. Review the status (such as `Active` or revoked) of the device registration under **Status**. + +## Revoke and unrevoke access + +Revoke access when you need to prevent a device from connecting (for example, if a work laptop is stolen) while still allowing the user to register a new device. + +- Revoking disallows the device from connecting to Cloudflare's network. The public key remains on the device during revocation. +- Unrevoking reuses the same public key and re-authenticates the device to grant access again. + +TODO: add revoke and unrevoke instructions + + + + +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Teams & Resources** > **Devices**. +2. Select the device and select **View details**. +3. To revoke access, select **Revoke access**. This revokes access for all associated registrations on the device. +4. To unrevoke access, scroll down to the **Users** section and select one or more users using the checkbox. Select **Actions** > **Unrevoke access**. + + + + +- [Revoke a device](/api/resources/zero_trust/subresources/devices/subresources/revoke/) +- [Revoke a registration](/api/resources/zero_trust/subresources/devices/subresources/registrations/methods/revoke/) + + + + +:::caution + +Device revocation does not change [seat usage](/cloudflare-one/team-and-resources/users/seat-management/). To stop a user from consuming a seat, [remove the user](/cloudflare-one/team-and-resources/users/seat-management/#remove-a-user) from your organization. + +::: + +## Delete a registration + +Deleting a registration permanently removes it from your account. If you delete a registration, you will need to re-register the device to connect to your organization. + +You can delete a registration by: TODO: add delete instructions + +- Using the Zero Trust dashboard. +- Running `warp-cli registration delete` on the device. 
+- Using the [API](/api/resources/zero_trust/subresources/devices/subresources/devices/methods/delete/). +- Uninstalling the WARP client (may automatically delete the registration). + +:::caution + +Deleting a device registration does not change [seat usage](/cloudflare-one/team-and-resources/users/seat-management/). To stop a user from consuming a seat, you must [remove the user](/cloudflare-one/team-and-resources/users/seat-management/#remove-a-user) from your organization. + +:::
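Review bot: The "Device registration statuses" and "Revoke and unrevoke access" sections contradict each other on what revocation achieves. The caution titled "Revocation has no practical usefulness" says the WARP client automatically re-registers when it detects a revoked registration, yet the revoke section recommends revoking "if a work laptop is stolen" to prevent the device from connecting. A reader handling a lost or stolen device needs to know which statement holds. Please state explicitly whether a revoked device can re-register on its own. If it can, point to the control that keeps it out, for example the device enrollment permissions or the remove-a-user flow already linked on this page. The caution's title also refers to revocation while its body says it is the **Unrevoke** action that has no practical effect and will be phased out, so the two should be aligned. In the same caution, "The WARP clients automatically re-registers" should read "The WARP client automatically re-registers". Separately, three placeholders would render in the published page and should be resolved or removed before merge: `| Seat | definition needed |`, `TODO: add revoke and unrevoke instructions` and `TODO: add delete instructions`. Smaller points: step 5 of the status check mixes `Active` in code formatting with a plain "revoked", and the onboarding paragraph repeats "define" ("administrators define ... to define which users").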