cloudflare · deadlypants1973 · Nov 26, 2025 · Nov 22, 2025 · Nov 25, 2025 · Nov 25, 2025
@@ -132,33 +132,33 @@ Deploy configuration profiles (steps 1, 2, and 3) before the WARP application (s
 
 ### 1. Upload user-side certificate
 
-You must deploy a [user-side certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) so that devices managed by Intune can establish trust with Cloudflare when their traffic is inspected.
+#### 1.1 Download user-side certificate
 
-1. (Optional) Generate a [Cloudflare root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/#generate-a-cloudflare-root-certificate).
+<Render file="intune-download-certificate" product="cloudflare-one" params={{ os: "macOS" }} />
 
-2. In [Cloudflare One](https://one.dash.cloudflare.com), find and [download a root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/#download-a-cloudflare-root-certificate) in `.crt` format.
+#### 1.2 Upload user-side certificate to Intune
 
-3. In the [Microsoft Intune admin center](https://intune.microsoft.com), go to **Devices** > select **macOS**.
+1. In the [Microsoft Intune admin center](https://intune.microsoft.com), go to **Devices** > select **macOS**.
 
    ![Intune admin console where you select macOS before creating a policy](~/assets/images/cloudflare-one/connections/intune/devices-macos.png)
 
-4. Under **Manage devices**, select **Configuration**.
+2. Under **Manage devices**, select **Configuration**.
 
    ![Intune admin console where you will create a new policy](~/assets/images/cloudflare-one/connections/intune/manage-devices-configuration.png)
 
-5. Select **Create** > **New Policy**.
+3. Select **Create** > **New Policy**.
 
-6. For **Profile Type**, select _Templates_ > select **Trusted certificate** as the **Template name** > select **Create**.
+4. For **Profile Type**, select _Templates_ > select **Trusted certificate** as the Template name > select **Create**.
 
-7. In **Basics**, input the necessary field(s) and give your policy a name like `Cloudflare certificate` > select **Next**.
+5. In **Basics**, input the necessary field(s) and give your policy a name like `Cloudflare certificate` > select **Next**.
 
-8. For **Deployment Channel**, select **Device Channel**.
+6. For **Deployment Channel**, select **Device Channel**.
 
-9. Upload your file (Intune may request `.cer` format, though `.crt` files are also accepted) > select **Next**.
+7. Upload your file (Intune may request `.cer` format, though `.crt` files are also accepted) > select **Next**.
 
-10. In **Assignments**, select an option (for example, **Add all devices** or **Add all users**) that is valid for your scope. This will be the same scope for all steps. Select **Next**.
+8. In **Assignments**, select an option (for example, **Add all devices** or **Add all users**) that is valid for your scope. This will be the same scope for all steps. Select **Next**.
 
-11. Review your configuration in **Review + create** and select **Create**.
+9. Review your configuration in **Review + create** and select **Create**.
 
 Sharing this certificate with Intune automates the installation of this certificate on your user devices, creating trust between browsers on a user's device and Cloudflare.
 
@@ -315,7 +315,107 @@ By completing this step, you deliver the WARP client to targeted macOS devices,
 
 ## iOS
 
-Refer to the [generic instructions for iOS](/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/#ios).
+The following steps outline how to deploy the Cloudflare One Agent (WARP client) on iOS using Microsoft Intune and preconfigure it with MDM parameters.
+
+### Prerequisites
+
+- A [Microsoft Intune account](https://intune.microsoft.com)
+- A Cloudflare account that has a [Zero Trust organization](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name)
+- iOS/iPadOS devices enrolled in Intune
+- [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) enabled in Cloudflare Gateway (if you plan to inspect HTTPS traffic)
+
+### 1. Upload user-side certificate
+
+#### 1.1 Download user-side certificate
+
+<Render file="intune-download-certificate" product="cloudflare-one" params={{ os: "iOS" }} />
+
+#### 1.2 Upload user-side certificate to Intune
+
+1. In the [Microsoft Intune admin center](https://intune.microsoft.com), go to **Devices** > select **iOS/iPadOS**.
+
+   ![Intune admin console where you select iOS/iPadOS before creating a policy](~/assets/images/cloudflare-one/connections/intune/devices-iOS.png)
+
+2. Under **Manage devices**, select **Configuration**.
+
+   ![Intune admin console where you will create a new policy](~/assets/images/cloudflare-one/connections/intune/manage-devices-configuration-iOS.png)
+
+3. Select **Create** > **New Policy**.
+
+4. For **Profile Type**, select _Templates_ > select **Trusted certificate** as the Template name > select **Create**.
+
+5. In **Basics**, input the necessary field(s) and give your policy a name like `Cloudflare certificate` > select **Next**.
+
+6. For **Deployment Channel**, select **Device Channel**.
+
+7. Upload your file (Intune may request `.cer` format, though `.crt` files are also accepted) > select **Next**.
+
+8. In **Assignments**, select an option (for example, **Add all devices** or **Add all users**) that is valid for your scope. This will be the same scope for all steps. Select **Next**.
+
+9. Review your configuration in **Review + create** and select **Create**.
+
+Sharing this certificate with Intune automates the installation of this certificate on your user devices, creating trust between browsers on a user's device and Cloudflare.
+
+### 2. Add Cloudflare One Agent app to Intune configuration
+
+1. In the [Microsoft Intune admin center](https://intune.microsoft.com), select **Apps** > **iOS/iPadOS**.
+
+2. Select **Create**.
+
+3. For App type, select _iOS store app_ > select **Select** to continue.
+
+4. Select **Search the App Store** and search for the [Cloudflare One Agent](/cloudflare-one/team-and-resources/devices/warp/download-warp/#ios). After you have found the Cloudflare One Agent, select it and select **Select** to continue.
+
+	:::caution[Add the right app]
+
+	Make sure to add the [Cloudflare One Agent](/cloudflare-one/team-and-resources/devices/warp/download-warp/#ios) application. Do not add the 1.1.1.1 app.
+
+	:::
+
+5. The fields in **App information** will be filled in automatically. Select **Next** to continue.
+
+6. In **Assignments**, select an option (for example, **Add all devices** or **Add all users**) that is valid for your scope. Select **Next**.
+
+7. Review your configuration in **Review + create** and select **Create**.
+
+By completing this step, you deliver the WARP client to targeted iOS devices, either automatically (assignment scope set as **Required**) or on-demand (assignment scope as **Available**) through your company portal.
+
+### 3. Configure Cloudflare One Agent app
+
+1. In the [Microsoft Intune admin center](https://intune.microsoft.com), select **Apps** > **Manage apps** > **Configuration**.
+
+2. Select **Create** > _Managed devices_.
+
+3. In **Basics**, input the necessary field(s) and give your policy an easily identifiable name like `Cloudflare One Agent`. Select _iOS/iPadOS_ for Platform and target the Cloudflare One Agent app. Select **Next**.
+
+4. In **Settings**, select _Enter XML data_ and copy and paste the following:
+
+	```xml
+	<dict>
+		<key>organization</key>
+		<string>YOUR_TEAM_NAME_HERE</string>
+		<key>auto_connect</key>
+		<integer>1</integer>
+	</dict>
+	```
+
+	Replace `YOUR_TEAM_NAME_HERE` with your [team name](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name). Review the definitions of the above parameters in the [Parameters documentation](/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/parameters/).
+
+	:::tip[Successfuly complete your registration]
+
+	You should set the [`auto_connect`](/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/parameters/#auto_connect) parameter to `1` to ensure the WARP client auto-connects to Cloudflare. If you set this parameter to `0` or exclude it, the client will not auto-connect, and registration will not complete successfully.
+
+	If you do not include this parameter, registration will not be complete without manual intervention by the user. Manual intervention requires opening the WARP application and attempting to connect.
+
+	:::
+
+5. In **Assignments**, select an option (for example, **Add all devices** or **Add all users**) that is valid for your scope. Select **Next**.
+
+6. Review your configuration in **Review + create** and select **Create**.
+
+By completing this step, you preconfigure the Cloudflare One Agent with your [Zero Trust organization](/cloudflare-one/setup/#create-a-zero-trust-organization) and connection settings so that enrolled iOS devices automatically apply a consistent WARP configuration when the app installs.
+
+### Intune configuration
 
 Intune allows you to insert [predefined variables](https://learn.microsoft.com/en-us/mem/intune/apps/app-configuration-policies-use-ios#tokens-used-in-the-property-list) into the XML configuration file. For example, you can set the [`unique_client_id`](/cloudflare-one/team-and-resources/devices/warp/deployment/mdm-deployment/parameters/#unique_client_id) key to `{{deviceid}}` for a [device UUID posture check](/cloudflare-one/reusable-components/posture-checks/warp-client-checks/device-uuid/) deployment.
 

@@ -0,0 +1,10 @@
+---
+params:
+  - os
+---
+
+You must deploy a [user-side certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) so that {props.os} devices managed by Intune can establish trust with Cloudflare when their traffic is inspected.
+
+1. (Optional) Generate a [Cloudflare root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/#generate-a-cloudflare-root-certificate).
+
+2. In [Cloudflare One](https://one.dash.cloudflare.com), find and [download a root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/#download-a-cloudflare-root-certificate) in `.crt` format.