Get device settings profile by ID

client.zeroTrust.devices.policies.custom.get(, , ?): SettingsPolicy { allow_mode_switch, allow_updates, allowed_to_leave, 27 more } | null

GET/accounts/{account_id}/devices/policy/{policy_id}

Fetches a device settings profile by ID.

Security

API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example:Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY

API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example:X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example:X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194

ParametersExpand Collapse

policyId: string

maxLength36

params: CustomGetParams { account_id }

account_id: string

ReturnsExpand Collapse

SettingsPolicy { allow_mode_switch, allow_updates, allowed_to_leave, 27 more } | null

allow_mode_switch?: boolean

Whether to allow the user to switch WARP between modes.

allow_updates?: boolean

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave?: boolean

Whether to allow devices to leave the organization.

auto_connect?: number

The amount of time in seconds to reconnect after having been disabled.

captive_portal?: number

Turn on the captive portal after the specified amount of time.

default?: boolean

Whether the policy is the default policy for an account.

description?: string

A description of the policy.

maxLength500

disable_auto_fallback?: boolean

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

dns_search_suffixes?: Array<DNSSearchSuffix>

List of DNS search suffixes to apply to clients. Suffixes are evaluated in order. Use an empty array to clear.

suffix: string

The DNS search suffix to append when resolving short hostnames.

description?: string

A description of the DNS search suffix.

enabled?: boolean

Whether the policy will be applied to matching devices.

exclude?: Array<SplitTunnelExclude>

List of routes excluded in the WARP client’s tunnel.

One of the following:

TeamsDevicesExcludeSplitTunnelWithAddress { address, description }

address: string

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

TeamsDevicesExcludeSplitTunnelWithHost { host, description }

host: string

The domain name to exclude from the tunnel. If host is present, address must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

exclude_office_ips?: boolean

Whether to add Microsoft IPs to Split Tunnel exclusions.

fallback_domains?: Array<FallbackDomain { suffix, description, dns_server } >

suffix: string

The domain suffix to match when resolving locally.

description?: string

A description of the fallback domain, displayed in the client UI.

maxLength100

dns_server?: Array<string>

A list of IP addresses to handle domain resolution.

gateway_unique_id?: string

global_acceleration?: GlobalAcceleration | null

Global Acceleration settings for China. When configured, WARP clients connect to the Global Accelerator addresses instead of the default ones. Please contact your account representative to enable this feature on your account. See https://developers.cloudflare.com/china-network/concepts/global-acceleration/.

api_endpoints: Array<string>

IP:port entries for the API endpoints.

enabled: boolean

Global acceleration settings are used only when “enabled”.

masque_endpoints: Array<string>

IP:port entries for the MASQUE tunnel endpoints. Either wireguard_endpoints or masque_endpoints must be provided.

wireguard_endpoints: Array<string>

IP:port entries for the WireGuard tunnel endpoints. Either wireguard_endpoints or masque_endpoints must be provided.

include?: Array<SplitTunnelInclude>

List of routes included in the WARP client’s tunnel.

One of the following:

TeamsDevicesIncludeSplitTunnelWithAddress { address, description }

address: string

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

TeamsDevicesIncludeSplitTunnelWithHost { host, description }

host: string

The domain name to include in the tunnel. If host is present, address must not be present.

description?: string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

lan_allow_minutes?: number

The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.

lan_allow_subnet_size?: number

The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.

match?: string

The wirefilter expression to match devices. Available values: “identity.email”, “identity.groups.id”, “identity.groups.name”, “identity.groups.email”, “identity.service_token_uuid”, “identity.saml_attributes”, “network”, “os.name”, “os.version”.

maxLength500

name?: string

The name of the device settings profile.

maxLength100

policy_id?: string

maxLength36

precedence?: number

The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.

register_interface_ip_with_dns?: boolean

Determines if the operating system will register WARP’s local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support?: boolean

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

service_mode_v2?: ServiceModeV2 { mode, port }

mode?: string

The mode to run the WARP client under.

port?: number

The port number when used with proxy mode.

support_url?: string

The URL to launch when the Send Feedback button is clicked.

switch_locked?: boolean

Whether to allow the user to turn off the WARP switch and disconnect the client.

target_tests?: Array<TargetTest>

id?: string

The id of the DEX test targeting this policy.

name?: string

The name of the DEX test targeting this policy.

tunnel_protocol?: string

Determines which tunnel protocol to use.

virtual_networks?: VirtualNetworks | null

Virtual network access settings for the device.

allowed: Array<string>

List of virtual network IDs the device is allowed to access. When virtual_networks is set, at least one entry is required.

default: string

The default virtual network ID. Must be included in the allowed list.

formatuuid

Get device settings profile by ID

import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const settingsPolicy = await client.zeroTrust.devices.policies.custom.get(
  'f174e90a-fafe-4643-bbbc-4a0ed4fc8415',
  { account_id: '699d98642c564d2e855e9661899b7252' },
);

console.log(settingsPolicy.gateway_unique_id);

{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "allow_mode_switch": true,
    "allow_updates": true,
    "allowed_to_leave": true,
    "auto_connect": 0,
    "captive_portal": 180,
    "default": false,
    "description": "Policy for test teams.",
    "disable_auto_fallback": true,
    "dns_search_suffixes": [
      {
        "suffix": "internal.corp",
        "description": "Example internal domains"
      }
    ],
    "enabled": true,
    "exclude": [
      {
        "address": "192.0.2.0/24",
        "description": "Exclude testing domains from the tunnel"
      }
    ],
    "exclude_office_ips": true,
    "fallback_domains": [
      {
        "suffix": "example.com",
        "description": "Domain bypass for local development",
        "dns_server": [
          "1.1.1.1"
        ]
      }
    ],
    "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
    "global_acceleration": {
      "api_endpoints": [
        "198.51.100.1:443"
      ],
      "enabled": true,
      "masque_endpoints": [
        "198.51.100.1:443"
      ],
      "wireguard_endpoints": [
        "198.51.100.1:2408"
      ]
    },
    "include": [
      {
        "address": "192.0.2.0/24",
        "description": "Include testing domains in the tunnel"
      }
    ],
    "lan_allow_minutes": 30,
    "lan_allow_subnet_size": 24,
    "match": "identity.email == \"test@cloudflare.com\"",
    "name": "Allow Developers",
    "policy_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "precedence": 100,
    "register_interface_ip_with_dns": true,
    "sccm_vpn_boundary_support": false,
    "service_mode_v2": {
      "mode": "proxy",
      "port": 3000
    },
    "support_url": "https://1.1.1.1/help",
    "switch_locked": true,
    "target_tests": [
      {
        "id": "id",
        "name": "name"
      }
    ],
    "tunnel_protocol": "wireguard",
    "virtual_networks": {
      "allowed": [
        "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
      ],
      "default": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
    }
  },
  "success": true
}

Returns Examples

{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "allow_mode_switch": true,
    "allow_updates": true,
    "allowed_to_leave": true,
    "auto_connect": 0,
    "captive_portal": 180,
    "default": false,
    "description": "Policy for test teams.",
    "disable_auto_fallback": true,
    "dns_search_suffixes": [
      {
        "suffix": "internal.corp",
        "description": "Example internal domains"
      }
    ],
    "enabled": true,
    "exclude": [
      {
        "address": "192.0.2.0/24",
        "description": "Exclude testing domains from the tunnel"
      }
    ],
    "exclude_office_ips": true,
    "fallback_domains": [
      {
        "suffix": "example.com",
        "description": "Domain bypass for local development",
        "dns_server": [
          "1.1.1.1"
        ]
      }
    ],
    "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
    "global_acceleration": {
      "api_endpoints": [
        "198.51.100.1:443"
      ],
      "enabled": true,
      "masque_endpoints": [
        "198.51.100.1:443"
      ],
      "wireguard_endpoints": [
        "198.51.100.1:2408"
      ]
    },
    "include": [
      {
        "address": "192.0.2.0/24",
        "description": "Include testing domains in the tunnel"
      }
    ],
    "lan_allow_minutes": 30,
    "lan_allow_subnet_size": 24,
    "match": "identity.email == \"test@cloudflare.com\"",
    "name": "Allow Developers",
    "policy_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "precedence": 100,
    "register_interface_ip_with_dns": true,
    "sccm_vpn_boundary_support": false,
    "service_mode_v2": {
      "mode": "proxy",
      "port": 3000
    },
    "support_url": "https://1.1.1.1/help",
    "switch_locked": true,
    "target_tests": [
      {
        "id": "id",
        "name": "name"
      }
    ],
    "tunnel_protocol": "wireguard",
    "virtual_networks": {
      "allowed": [
        "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
      ],
      "default": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
    }
  },
  "success": true
}