From 8d274c59a18a0bbfdb9b76c9b6dafeffc22d3c1c Mon Sep 17 00:00:00 2001 From: deadlypants1973 Date: Thu, 20 Nov 2025 16:18:43 -0800 Subject: [PATCH 1/4] [CF1] Device status page --- .../devices/device-status.mdx | 63 +++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 src/content/docs/cloudflare-one/team-and-resources/devices/device-status.mdx diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/device-status.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/device-status.mdx new file mode 100644 index 000000000000000..8deab3fe26f1d9a --- /dev/null +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/device-status.mdx 
@@ -0,0 +1,63 @@ +--- +pcx_content_type: reference +title: Device status and registration +sidebar: + order: 3 +--- + +import { TabItem, Tabs } from "~/components"; + +Device registration occurs when a user, approved by the [Zero Trust organization](), puts a device onto Cloudflare. A device status indicates the current state of a device registration, such as `Active`, `Revoked`, or `Deleted`. + +## Device registration + +A device registration represents the identity a device uses to connect through WARP. Cloudflare authenticates each registration with a public key. A single device may have multiple registrations, such as in a shared-device environment where multiple users share and use a single device. + +The onboarding process for Cloudflare One starts with creating your Zero Trust organization and configuring an identity provider (IdP) for user authentication. After setting up the login method, administrators define device enrollment permissions to control which users are allowed to register devices. + +Users then install and sign in to the WARP client on their device, which creates a device registration for the organization. This registration becomes the primary object that Cloudflare One manages for that device. + +From an administrative perspective, device-level revocation removes all registrations associated with that device. + +## Device statuses + +Registrations can have the following statuses: + +| Status | Description | +| --- | --- | +| **Active** | Registered and able to connect via WARP. This is the expected operational state. | +| **Revoked** | The registration's public key is invalidated, preventing the device from connecting. The device still appears in your device list and can be unrevoked. | +| **Deleted** | The registration is permanently removed from the account and no longer appears in your device list. Deletion is permanent and requires re-registering the device. 
| + +## Revoke and unrevoke access + +Revoke access when you need to prevent a device from connecting (for example, if a work laptop is stolen) while still allowing the user to register a new device. + +- **Revocation** sends a request to the API which removes the public key associated with the registration. The public key remains on the device during revocation. +- **Unrevocation** reuses the same public key and re-authenticates it to grant access again. + + + + +1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Teams & Resources** > **Devices**. +2. Select the device and select **View details**. +3. To revoke access, select **Revoke access**. This revokes access for all associated registrations on the device. +4. To unrevoke access, scroll down to the **Users** section and select one or more users using the checkbox. Select **Actions** > **Unrevoke access**. + + + + +- [Revoke a device](/api/resources/zero_trust/subresources/devices/subresources/revoke/) +- [Revoke a registration](/api/resources/zero_trust/subresources/devices/subresources/registrations/methods/revoke/) + + + + +## Delete a registration + +Deleting a registration permanently removes it from your account. You can delete a registration by: + +- Using the Zero Trust dashboard. +- Running `warp-cli registration delete` on the device. +- Using the [API](/api/resources/zero_trust/subresources/devices/subresources/devices/methods/delete/). +- Uninstalling the WARP client (may automatically delete the registration). \ No newline at end of file From f048c34fdab178de6a9f492d1e3d3f25028ac9ce Mon Sep 17 00:00:00 2001 From: deadlypants1973 Date: Fri, 21 Nov 2025 10:44:41 -0800 Subject: [PATCH 2/4] updates --- .../devices/device-status.mdx | 55 ++++++++++++++++--- 1 file changed, 46 insertions(+), 9 deletions(-) 
diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/device-status.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/device-status.mdx index 8deab3fe26f1d9a..225e6924445fbbe 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/device-status.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/device-status.mdx 
@@ -7,17 +7,30 @@ sidebar: import { TabItem, Tabs } from "~/components"; -Device registration occurs when a user, approved by the [Zero Trust organization](), puts a device onto Cloudflare. A device status indicates the current state of a device registration, such as `Active`, `Revoked`, or `Deleted`. +A device registration is made when a user, approved by the Zero Trust organization, puts a device onto Cloudflare. A device status indicates the current state of a device registration, such as `Active`, `Revoked`, or `Deleted`. ## Device registration -A device registration represents the identity a device uses to connect through WARP. Cloudflare authenticates each registration with a public key. A single device may have multiple registrations, such as in a shared-device environment where multiple users share and use a single device. +A device registration represents the identity a device uses to connect through WARP. Each registration represents a specific combination of user and device. A user is an identity from your IdP (or a service token identity) that can consume a [seat](/cloudflare-one/team-and-resources/users/seat-management/). -The onboarding process for Cloudflare One starts with creating your Zero Trust organization and configuring an identity provider (IdP) for user authentication. After setting up the login method, administrators define device enrollment permissions to control which users are allowed to register devices. +Cloudflare authenticates each registration with a public key. A single device may have multiple registrations, such as in a shared-device environment where multiple users share and use a single device. Each registration's public key is unique to the device and user. -Users then install and sign in to the WARP client on their device, which creates a device registration for the organization. This registration becomes the primary object that Cloudflare One manages for that device. 
+:::tip[Check a device's registrations] -From an administrative perspective, device-level revocation removes all registrations associated with that device. +Review how many registrations are associated with a device by logging into [Cloudflare One](https://one.dash.cloudflare.com/) and going to **Teams & Resources** > **Devices** > select a device > **View details** > scroll down to **Users** and review users who enrolled on this device. + +::: + +The onboarding process for Cloudflare One starts with creating your [Zero Trust organization](/cloudflare-one/setup/#create-a-zero-trust-organization) and configuring an identity provider (IdP) or one-time pin for user authentication. After setting up the login method, administrators define [device enrollment permissions](/cloudflare-one/team-and-resources/devices/warp/deployment/device-enrollment/) to define which users should be able to connect devices to your organization. + +Whether the WARP client is installed manually by a user or deployed through an MDM solution, a device registration is created when the WARP client first authenticates. + +| Concept | Definition | +|--------|------------| +| User | A human identity that consumes a [seat](/cloudflare-one/team-and-resources/users/seat-management/) after any authentication event. | +| [Service token](/cloudflare-one/access-controls/service-credentials/service-tokens/) | Used by automated systems (a non-human identity) to authenticate against your Cloudflare One policies. | +| Device registration | An public key, associated to a user and device, used by WARP to connect to Cloudflare's network. | +| [Session](/cloudflare-one/access-controls/access-settings/session-management/) | JSON Web Tokens (JWTs) that are generated when Access validates user identity against your Access policies and determines how long a user can access an Access application without re-authenticating. | ## Device statuses 
@@ -29,12 +42,22 @@ Registrations can have the following statuses: | **Revoked** | The registration's public key is invalidated, preventing the device from connecting. The device still appears in your device list and can be unrevoked. | | **Deleted** | The registration is permanently removed from the account and no longer appears in your device list. Deletion is permanent and requires re-registering the device. | +To check your device status: + +1. Log into [Cloudflare One](https://one.dash.cloudflare.com/). +2. Go to **Teams & Resources** > **Devices**. +3. Select the device and select **View details**. +4. Scroll down to **Users** and find the user associated with the device. +5. Review the status (`Active` or `Revoked`) of the device registration under **Status**. + ## Revoke and unrevoke access Revoke access when you need to prevent a device from connecting (for example, if a work laptop is stolen) while still allowing the user to register a new device. -- **Revocation** sends a request to the API which removes the public key associated with the registration. The public key remains on the device during revocation. -- **Unrevocation** reuses the same public key and re-authenticates it to grant access again. +- **Revocation** disallows the device from connecting to Cloudflare's network. The public key remains on the device during revocation. +- **Unrevocation** reuses the same public key and re-authenticates the device to grant access again. + +TODO: add revoke and unrevoke instructions 
@@ -53,11 +76,25 @@ Revoke access when you need to prevent a device from connecting (for example, if +:::caution + +Device revocation does not change [seat usage](/cloudflare-one/team-and-resources/users/seat-management/). To stop a user from consuming a seat, [remove the user](/cloudflare-one/team-and-resources/users/seat-management/#remove-a-user) from your organization. + +::: + ## Delete a registration -Deleting a registration permanently removes it from your account. You can delete a registration by: +Deleting a registration permanently removes it from your account. If you delete a registration, you will need to re-register the device to connect to your organization. + +You can delete a registration by: TODO: add delete instructions - Using the Zero Trust dashboard. - Running `warp-cli registration delete` on the device. - Using the [API](/api/resources/zero_trust/subresources/devices/subresources/devices/methods/delete/). -- Uninstalling the WARP client (may automatically delete the registration). \ No newline at end of file +- Uninstalling the WARP client (may automatically delete the registration). + +:::caution + +Deleting a device registration does not change [seat usage](/cloudflare-one/team-and-resources/users/seat-management/). To stop a user from consuming a seat, you must [remove the user](/cloudflare-one/team-and-resources/users/seat-management/#remove-a-user) from your organization. + +::: From f7fc3cdd929813937040602bc3bbac8484c1048c Mon Sep 17 00:00:00 2001 From: deadlypants1973 Date: Fri, 21 Nov 2025 10:55:38 -0800 Subject: [PATCH 3/4] updates --- .../team-and-resources/devices/device-status.mdx | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/device-status.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/device-status.mdx index 225e6924445fbbe..b1f501bef85782e 100644 
--- a/src/content/docs/cloudflare-one/team-and-resources/devices/device-status.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/device-status.mdx 
@@ -11,13 +11,13 @@ A device registration is made when a user, approved by the Zero Trust organizati ## Device registration -A device registration represents the identity a device uses to connect through WARP. Each registration represents a specific combination of user and device. A user is an identity from your IdP (or a service token identity) that can consume a [seat](/cloudflare-one/team-and-resources/users/seat-management/). +A device registration represents the identity a device uses to connect through WARP. Each registration represents a specific combination of user and device. A user is an identity from your identity provider (IdP) that can consume a [seat](/cloudflare-one/team-and-resources/users/seat-management/). -Cloudflare authenticates each registration with a public key. A single device may have multiple registrations, such as in a shared-device environment where multiple users share and use a single device. Each registration's public key is unique to the device and user. +Cloudflare authenticates each device registration with a public key. A single device may have multiple device registrations, such as in a shared-device environment where multiple users share and use a single device. Each device registration's public key is unique to the device and user. :::tip[Check a device's registrations] -Review how many registrations are associated with a device by logging into [Cloudflare One](https://one.dash.cloudflare.com/) and going to **Teams & Resources** > **Devices** > select a device > **View details** > scroll down to **Users** and review users who enrolled on this device. +Review how many device registrations are associated with a device by logging into [Cloudflare One](https://one.dash.cloudflare.com/) and going to **Teams & Resources** > **Devices** > select a device > **View details** > scroll down to **Users** and review users who enrolled on this device. ::: 
@@ -54,8 +54,8 @@ To check your device status: Revoke access when you need to prevent a device from connecting (for example, if a work laptop is stolen) while still allowing the user to register a new device. -- **Revocation** disallows the device from connecting to Cloudflare's network. The public key remains on the device during revocation. -- **Unrevocation** reuses the same public key and re-authenticates the device to grant access again. +- Revoking disallows the device from connecting to Cloudflare's network. The public key remains on the device during revocation. +- Unrevoking reuses the same public key and re-authenticates the device to grant access again. TODO: add revoke and unrevoke instructions From 16242b5531e8a79a77683e3ca50452a1d6314051 Mon Sep 17 00:00:00 2001 From: deadlypants1973 Date: Wed, 26 Nov 2025 18:25:39 -0800 Subject: [PATCH 4/4] updates --- ...ice-status.mdx => device-registration.mdx} | 21 ++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) rename src/content/docs/cloudflare-one/team-and-resources/devices/{device-status.mdx => device-registration.mdx} (84%) diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/device-status.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/device-registration.mdx similarity index 84% rename from src/content/docs/cloudflare-one/team-and-resources/devices/device-status.mdx rename to src/content/docs/cloudflare-one/team-and-resources/devices/device-registration.mdx index b1f501bef85782e..28eda60df71b64c 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/device-status.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/device-registration.mdx 
@@ -1,13 +1,13 @@ --- pcx_content_type: reference -title: Device status and registration +title: Device registration sidebar: order: 3 --- import { TabItem, Tabs } from "~/components"; -A device registration is made when a user, approved by the Zero Trust organization, puts a device onto Cloudflare. A device status indicates the current state of a device registration, such as `Active`, `Revoked`, or `Deleted`. +A device registration is made when a user, approved by the Zero Trust organization, puts a device onto Cloudflare. A device registration status indicates the current state of a device registration, such as `Active`, `Revoked`, or `Deleted`. ## Device registration 
@@ -27,28 +27,35 @@ Whether the WARP client is installed manually by a user or deployed through an M | Concept | Definition | |--------|------------| -| User | A human identity that consumes a [seat](/cloudflare-one/team-and-resources/users/seat-management/) after any authentication event. | +| User | An IdP-backed human identity that can connect new devices to your Zero Trust organization. | +| Seat | definition needed | | [Service token](/cloudflare-one/access-controls/service-credentials/service-tokens/) | Used by automated systems (a non-human identity) to authenticate against your Cloudflare One policies. | -| Device registration | An public key, associated to a user and device, used by WARP to connect to Cloudflare's network. | +| Device registration | A public key, associated to a user and device, used by WARP to connect to Cloudflare's network. | | [Session](/cloudflare-one/access-controls/access-settings/session-management/) | JSON Web Tokens (JWTs) that are generated when Access validates user identity against your Access policies and determines how long a user can access an Access application without re-authenticating. | -## Device statuses +## Device registration statuses Registrations can have the following statuses: | Status | Description | | --- | --- | | **Active** | Registered and able to connect via WARP. This is the expected operational state. | -| **Revoked** | The registration's public key is invalidated, preventing the device from connecting. The device still appears in your device list and can be unrevoked. | +| **Revoked** | The registration's public key is invalidated, preventing the device from connecting. The device registration can be unrevoked manually or via WARP re-authentication. | | **Deleted** | The registration is permanently removed from the account and no longer appears in your device list. Deletion is permanent and requires re-registering the device. 
| +:::caution[Revocation has no practical usefulness] + +The WARP clients automatically re-registers when it detects that a device registration has been revoked. As a result, the **Unrevoke** action has no practical effect and will be phased out in the near future. + +::: + To check your device status: 1. Log into [Cloudflare One](https://one.dash.cloudflare.com/). 2. Go to **Teams & Resources** > **Devices**. 3. Select the device and select **View details**. 4. Scroll down to **Users** and find the user associated with the device. -5. Review the status (`Active` or `Revoked`) of the device registration under **Status**. +5. Review the status (such as `Active` or revoked) of the device registration under **Status**. ## Revoke and unrevoke access
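Review bot: Placeholder text is left in the rendered body in PATCH 2/4, in the hunks at `@@ -29,12 +42,22 @@` ("TODO: add revoke and unrevoke instructions") and `@@ -53,11 +76,25 @@` ("You can delete a registration by: TODO: add delete instructions"). Plain text in an MDX body renders as a paragraph, so readers would see both TODOs; PATCH 3/4 still carries the first one as an unchanged context line, and no later hunk touches the second. Either add the instructions in this series or move the reminders into an MDX comment or the PR description before merge. The "TODO: add delete instructions" text is also fused onto the end of the sentence that introduces the bullet list, so it needs removing from that line rather than just deleting a line.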
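Review bot: The definition of a user in PATCH 3/4 (hunk `@@ -11,13 +11,13 @@`, "A user is an identity from your identity provider (IdP)") no longer matches the onboarding paragraph added in PATCH 2/4, which says authentication is set up with "an identity provider (IdP) or one-time pin". PATCH 4/4 narrows it further to "An IdP-backed human identity". Say explicitly whether a person who signs in with a one-time pin counts as a user and can register a device, and use one wording in the intro paragraph and the Concept table so readers setting enrollment permissions know which identities can create registrations.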
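Review bot: The new caution in PATCH 4/4 (hunk `@@ -27,28 +27,35 @@`) contradicts both its own title and the rest of the page. The title reads "Revocation has no practical usefulness" while the body says it is the **Unrevoke** action that "has no practical effect"; and if the client re-registers by itself once it detects a revoked registration, the Revoked row ("preventing the device from connecting") and the unchanged guidance to revoke "if a work laptop is stolen" leave an administrator believing a lost device is blocked when the page now implies it may not stay blocked. State whether automatic re-registration requires the user to authenticate again, retitle the caution to match the action it describes, and point to the step that actually keeps a device out. Smaller items in the same hunk: "The WARP clients automatically re-registers" should be "The WARP client automatically re-registers", the Seat row still reads "definition needed", and step 5 changes `Revoked` to an unformatted lowercase "revoked" next to a code-formatted `Active`.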