
Update a device settings profile

zero_trust.devices.policies.custom.edit(policy_id: str, **kwargs: CustomEditParams) -> SettingsPolicy
PATCH /accounts/{account_id}/devices/policy/{policy_id}

Updates a configured device settings profile.

Security
API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example: Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY
API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example: X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example: X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194
Accepted Permissions (at least one required)
Zero Trust Write
Parameters
account_id: str
policy_id: str
maxLength: 36
allow_mode_switch: Optional[bool]

Whether to allow the user to switch WARP between modes.

allow_updates: Optional[bool]

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave: Optional[bool]

Whether to allow devices to leave the organization.

auto_connect: Optional[float]

The amount of time in seconds to reconnect after having been disabled.

captive_portal: Optional[float]

Turn on the captive portal after the specified amount of time.

description: Optional[str]

A description of the policy.

maxLength: 500
disable_auto_fallback: Optional[bool]

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

dns_search_suffixes: Optional[Iterable[DNSSearchSuffix]]

List of DNS search suffixes to apply to clients. Suffixes are evaluated in order. Use an empty array to clear.

suffix: str

The DNS search suffix to append when resolving short hostnames.

description: Optional[str]

A description of the DNS search suffix.

enabled: Optional[bool]

Whether the policy will be applied to matching devices.

exclude: Optional[Iterable[SplitTunnelExcludeParam]]

List of routes excluded in the WARP client’s tunnel. Both ‘exclude’ and ‘include’ cannot be set in the same request.

One of the following:
class TeamsDevicesExcludeSplitTunnelWithAddress:
address: str

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength: 100
class TeamsDevicesExcludeSplitTunnelWithHost:
host: str

The domain name to exclude from the tunnel. If host is present, address must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength: 100
exclude_office_ips: Optional[bool]

Whether to add Microsoft IPs to Split Tunnel exclusions.

global_acceleration: Optional[GlobalAcceleration]

Global Acceleration settings for China. When configured, WARP clients connect to the Global Accelerator addresses instead of the default ones. Please contact your account representative to enable this feature on your account. See https://developers.cloudflare.com/china-network/concepts/global-acceleration/.

api_endpoints: Sequence[str]

IP:port entries for the API endpoints.

enabled: bool

Global acceleration settings are used only when “enabled”.

masque_endpoints: Sequence[str]

IP:port entries for the MASQUE tunnel endpoints. Either wireguard_endpoints or masque_endpoints must be provided.

wireguard_endpoints: Sequence[str]

IP:port entries for the WireGuard tunnel endpoints. Either wireguard_endpoints or masque_endpoints must be provided.

include: Optional[Iterable[SplitTunnelIncludeParam]]

List of routes included in the WARP client’s tunnel. Both ‘exclude’ and ‘include’ cannot be set in the same request.

One of the following:
class TeamsDevicesIncludeSplitTunnelWithAddress:
address: str

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength: 100
class TeamsDevicesIncludeSplitTunnelWithHost:
host: str

The domain name to include in the tunnel. If host is present, address must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength: 100
lan_allow_minutes: Optional[float]

The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.

lan_allow_subnet_size: Optional[float]

The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.

match: Optional[str]

The wirefilter expression to match devices. Available values: “identity.email”, “identity.groups.id”, “identity.groups.name”, “identity.groups.email”, “identity.service_token_uuid”, “identity.saml_attributes”, “network”, “os.name”, “os.version”.

maxLength: 500
name: Optional[str]

The name of the device settings profile.

maxLength: 100
precedence: Optional[float]

The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.

register_interface_ip_with_dns: Optional[bool]

Determines if the operating system will register WARP’s local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support: Optional[bool]

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

service_mode_v2: Optional[ServiceModeV2]
mode: Optional[str]

The mode to run the WARP client under.

port: Optional[float]

The port number when used with proxy mode.

support_url: Optional[str]

The URL to launch when the Send Feedback button is clicked.

switch_locked: Optional[bool]

Whether to allow the user to turn off the WARP switch and disconnect the client.

tunnel_protocol: Optional[str]

Determines which tunnel protocol to use.

virtual_networks: Optional[VirtualNetworks]

Virtual network access settings for the device.

allowed: Sequence[str]

List of virtual network IDs the device is allowed to access. When virtual_networks is set, at least one entry is required.

default: str

The default virtual network ID. Must be included in the allowed list.

format: uuid
Returns
class SettingsPolicy:
allow_mode_switch: Optional[bool]

Whether to allow the user to switch WARP between modes.

allow_updates: Optional[bool]

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave: Optional[bool]

Whether to allow devices to leave the organization.

auto_connect: Optional[float]

The amount of time in seconds to reconnect after having been disabled.

captive_portal: Optional[float]

Turn on the captive portal after the specified amount of time.

default: Optional[bool]

Whether the policy is the default policy for an account.

description: Optional[str]

A description of the policy.

maxLength: 500
disable_auto_fallback: Optional[bool]

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

dns_search_suffixes: Optional[List[DNSSearchSuffix]]

List of DNS search suffixes to apply to clients. Suffixes are evaluated in order. Use an empty array to clear.

suffix: str

The DNS search suffix to append when resolving short hostnames.

description: Optional[str]

A description of the DNS search suffix.

enabled: Optional[bool]

Whether the policy will be applied to matching devices.

exclude: Optional[List[SplitTunnelExclude]]

List of routes excluded in the WARP client’s tunnel.

One of the following:
class TeamsDevicesExcludeSplitTunnelWithAddress:
address: str

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength: 100
class TeamsDevicesExcludeSplitTunnelWithHost:
host: str

The domain name to exclude from the tunnel. If host is present, address must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength: 100
exclude_office_ips: Optional[bool]

Whether to add Microsoft IPs to Split Tunnel exclusions.

fallback_domains: Optional[List[FallbackDomain]]
suffix: str

The domain suffix to match when resolving locally.

description: Optional[str]

A description of the fallback domain, displayed in the client UI.

maxLength: 100
dns_server: Optional[List[str]]

A list of IP addresses to handle domain resolution.

gateway_unique_id: Optional[str]
global_acceleration: Optional[GlobalAcceleration]

Global Acceleration settings for China. When configured, WARP clients connect to the Global Accelerator addresses instead of the default ones. Please contact your account representative to enable this feature on your account. See https://developers.cloudflare.com/china-network/concepts/global-acceleration/.

api_endpoints: List[str]

IP:port entries for the API endpoints.

enabled: bool

Global acceleration settings are used only when “enabled”.

masque_endpoints: List[str]

IP:port entries for the MASQUE tunnel endpoints. Either wireguard_endpoints or masque_endpoints must be provided.

wireguard_endpoints: List[str]

IP:port entries for the WireGuard tunnel endpoints. Either wireguard_endpoints or masque_endpoints must be provided.

include: Optional[List[SplitTunnelInclude]]

List of routes included in the WARP client’s tunnel.

One of the following:
class TeamsDevicesIncludeSplitTunnelWithAddress:
address: str

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength: 100
class TeamsDevicesIncludeSplitTunnelWithHost:
host: str

The domain name to include in the tunnel. If host is present, address must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength: 100
lan_allow_minutes: Optional[float]

The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.

lan_allow_subnet_size: Optional[float]

The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.

match: Optional[str]

The wirefilter expression to match devices. Available values: “identity.email”, “identity.groups.id”, “identity.groups.name”, “identity.groups.email”, “identity.service_token_uuid”, “identity.saml_attributes”, “network”, “os.name”, “os.version”.

maxLength: 500
name: Optional[str]

The name of the device settings profile.

maxLength: 100
policy_id: Optional[str]
maxLength: 36
precedence: Optional[float]

The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.

register_interface_ip_with_dns: Optional[bool]

Determines if the operating system will register WARP’s local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support: Optional[bool]

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

service_mode_v2: Optional[ServiceModeV2]
mode: Optional[str]

The mode to run the WARP client under.

port: Optional[float]

The port number when used with proxy mode.

support_url: Optional[str]

The URL to launch when the Send Feedback button is clicked.

switch_locked: Optional[bool]

Whether to allow the user to turn off the WARP switch and disconnect the client.

target_tests: Optional[List[TargetTest]]
id: Optional[str]

The id of the DEX test targeting this policy.

name: Optional[str]

The name of the DEX test targeting this policy.

tunnel_protocol: Optional[str]

Determines which tunnel protocol to use.

virtual_networks: Optional[VirtualNetworks]

Virtual network access settings for the device.

allowed: List[str]

List of virtual network IDs the device is allowed to access. When virtual_networks is set, at least one entry is required.

default: str

The default virtual network ID. Must be included in the allowed list.

format: uuid

Update a device settings profile

import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
settings_policy = client.zero_trust.devices.policies.custom.edit(
    policy_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(settings_policy.gateway_unique_id)
Returns Examples
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "allow_mode_switch": true,
    "allow_updates": true,
    "allowed_to_leave": true,
    "auto_connect": 0,
    "captive_portal": 180,
    "default": false,
    "description": "Policy for test teams.",
    "disable_auto_fallback": true,
    "dns_search_suffixes": [
      {
        "suffix": "internal.corp",
        "description": "Example internal domains"
      }
    ],
    "enabled": true,
    "exclude": [
      {
        "address": "192.0.2.0/24",
        "description": "Exclude testing domains from the tunnel"
      }
    ],
    "exclude_office_ips": true,
    "fallback_domains": [
      {
        "suffix": "example.com",
        "description": "Domain bypass for local development",
        "dns_server": [
          "1.1.1.1"
        ]
      }
    ],
    "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
    "global_acceleration": {
      "api_endpoints": [
        "198.51.100.1:443"
      ],
      "enabled": true,
      "masque_endpoints": [
        "198.51.100.1:443"
      ],
      "wireguard_endpoints": [
        "198.51.100.1:2408"
      ]
    },
    "include": [
      {
        "address": "192.0.2.0/24",
        "description": "Include testing domains in the tunnel"
      }
    ],
    "lan_allow_minutes": 30,
    "lan_allow_subnet_size": 24,
    "match": "identity.email == \"test@cloudflare.com\"",
    "name": "Allow Developers",
    "policy_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "precedence": 100,
    "register_interface_ip_with_dns": true,
    "sccm_vpn_boundary_support": false,
    "service_mode_v2": {
      "mode": "proxy",
      "port": 3000
    },
    "support_url": "https://1.1.1.1/help",
    "switch_locked": true,
    "target_tests": [
      {
        "id": "id",
        "name": "name"
      }
    ],
    "tunnel_protocol": "wireguard",
    "virtual_networks": {
      "allowed": [
        "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
      ],
      "default": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
    }
  },
  "success": true
}
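
The constraints stated in the parameter list (length limits, exclude versus include, address versus host, virtual_networks.default within allowed, and the endpoint requirement for global_acceleration) can be checked locally before the PATCH is sent. This is an added example, not part of the Cloudflare SDK or this reference; validate_profile_update and SAMPLE_UPDATE are hypothetical names and the sample payload is constructed.

```python
import ipaddress

# Length limits for top-level string fields, as listed in the parameter reference.
MAX_LEN = {"policy_id": 36, "description": 500, "match": 500, "name": 100}


def validate_profile_update(params: dict) -> list[str]:
    """Return violations of the documented constraints; an empty list means none found."""
    errors = []
    for field, limit in MAX_LEN.items():
        if len(params.get(field) or "") > limit:
            errors.append(f"{field}: longer than {limit} characters")

    # 'exclude' and 'include' cannot be set in the same request.
    if params.get("exclude") is not None and params.get("include") is not None:
        errors.append("exclude/include: both set in one request")

    for key in ("exclude", "include"):
        for i, item in enumerate(params.get(key) or []):
            where = f"{key}[{i}]"
            has_addr, has_host = "address" in item, "host" in item
            if has_addr == has_host:  # both present or both missing
                errors.append(f"{where}: exactly one of address or host is required")
            if has_addr:
                try:
                    ipaddress.ip_network(item["address"], strict=False)
                except ValueError:
                    errors.append(f"{where}: address is not valid CIDR")
            if len(item.get("description") or "") > 100:
                errors.append(f"{where}: description longer than 100 characters")

    vnets = params.get("virtual_networks")
    if vnets is not None:
        allowed = vnets.get("allowed") or []
        if not allowed:
            errors.append("virtual_networks.allowed: at least one entry is required")
        if vnets.get("default") not in allowed:
            errors.append("virtual_networks.default: not in the allowed list")

    accel = params.get("global_acceleration")
    if accel is not None and not (
        accel.get("wireguard_endpoints") or accel.get("masque_endpoints")
    ):
        errors.append("global_acceleration: wireguard_endpoints or masque_endpoints required")
    return errors


# Constructed sample payload that breaks several of the documented rules.
SAMPLE_UPDATE = {
    "policy_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "exclude": [{"address": "192.0.2.0/24", "host": "example.com"}],
    "include": [{"address": "not-a-cidr"}],
    "virtual_networks": {"allowed": ["vnet-a"], "default": "vnet-b"},
}
```

When the returned list is empty, the same dictionary (with account_id added) can be passed as keyword arguments to client.zero_trust.devices.policies.custom.edit.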