Prerequisites
- A device running macOS, Windows, iOS, Android, or Linux.
- An active user account in your organization’s identity provider:
- Microsoft Entra ID (Azure AD) for Microsoft 365 organizations, or
- Google Workspace for Google-based organizations.
- Your organization’s team name (see below).
Team names
- WRLD staff: team name is
wrld. Tenant URL:https://wrld.cloudflareaccess.com. - SLA‑supported clients: use your company shortname issued by WRLD. Tenant URL:
https://<shortname>.cloudflareaccess.com.
Step 1 — Install the Cloudflare WARP client
- macOS
- Windows
- iOS / iPadOS
- Android
- Linux
Download and install from Cloudflare:Or install via Homebrew:After install, launch Cloudflare WARP from
/Applications. Accept the warning about installing a system extension/network filter.Step 2 — Enroll in your organization’s team
Open WARP settings
- Desktop (macOS / Windows / Linux): click the WARP menu-bar / system-tray icon → the gear icon → Preferences → Account.
- Mobile (iOS / Android): open Cloudflare One Agent → Settings (gear) → Account.
Login to Cloudflare Zero Trust
Select Login to Cloudflare Zero Trust (on mobile this may be Login with SSO).
Enter your team name
When prompted for a team name, enter:
wrld— if you’re WRLD staff.<shortname>— your client shortname issued by WRLD (e.g.acme).
Step 3 — Authenticate with your identity provider
- Microsoft Entra ID (Microsoft 365)
- Google Workspace
Choose this if your organization uses Microsoft 365, Azure AD, or Entra ID for user accounts.
Select the Microsoft login option
On the Cloudflare Access login page, click Sign in with Microsoft (or the button labeled with your organization’s Entra ID tenant name).
Authenticate with Microsoft
Enter your work email (e.g.
you@yourcompany.com) and password, then complete MFA (Microsoft Authenticator push, code, or FIDO2 key — whichever your tenant enforces).Consent to the Cloudflare app (first time only)
If this is your first login, you may be asked to accept permissions for the Cloudflare Access app. Your org may have pre‑consented, in which case this step is skipped.
Step 4 — Verify your connection
Check WARP status
The WARP client should show:
- Status: Connected
- Mode: Zero Trust (or similar, depending on client version)
- Account: your work email address
Confirm via Cloudflare trace
Open
https://<team>.cloudflareaccess.com/cdn-cgi/trace in a browser. You should see warp=on and gateway=on in the output.Daily use
- The WARP client re‑authenticates automatically based on your org’s session duration. You may be prompted to sign in again every 24 hours, 7 days, or 30 days depending on policy.
- To temporarily disconnect, toggle WARP off from the menu‑bar/tray icon. Protected apps will stop working until you reconnect.
- To switch between the consumer 1.1.1.1 VPN and your Zero Trust team, use Preferences → Account → Logout from Zero Trust, then log in fresh.
Troubleshooting
'Team name is invalid' / 'Organization not found'
'Team name is invalid' / 'Organization not found'
Double-check you entered the correct team name (no URL, no
https://, no .cloudflareaccess.com suffix). For WRLD staff it’s wrld. For SLA clients, your shortname was issued by WRLD — check your onboarding email or contact helpdesk@wrld.tech.Identity provider button is missing
Identity provider button is missing
'Access denied' after successful SSO login
'Access denied' after successful SSO login
You authenticated successfully, but the Access policy denied you. Common causes:
- Your user account isn’t in the required group (e.g.
WRLD-Staff, or a client-specific group). - Your device doesn’t meet posture requirements (OS version, disk encryption, etc.).
- You’re connecting from a geography or IP the policy excludes.
WARP stuck at 'Registering' or 'Connecting'
WARP stuck at 'Registering' or 'Connecting'
- Fully quit and reopen the WARP client.
- On macOS: check System Settings → Network for a “Cloudflare WARP” interface; toggle it off/on.
- On Windows: restart the Cloudflare WARP service from
services.msc. - Ensure your device clock is accurate — large clock skew breaks TLS.
- If you’re on a restrictive network (e.g. hotel Wi-Fi), it may block MASQUE/WireGuard traffic. Try another network to isolate.
DNS resolution fails after connecting
DNS resolution fails after connecting
WARP overrides DNS. If a specific internal hostname doesn’t resolve:
- Ensure your org’s Gateway policy includes the required domains.
- On macOS, run
scutil --dnsto confirm WARP’s resolver is active. - Contact WRLD support so we can review the Gateway DNS policy.
Conflict with another VPN (e.g. site-to-site WireGuard)
Conflict with another VPN (e.g. site-to-site WireGuard)
Running two VPNs at once often breaks routing. Disconnect your site‑to‑site VPN (see VPN Setup) before connecting WARP, or ask WRLD to carve out split‑tunnel exceptions for the overlapping subnets.
'1.1.1.1' app on mobile doesn't show Zero Trust login option
'1.1.1.1' app on mobile doesn't show Zero Trust login option
On iOS and Android, the standalone “1.1.1.1” app is the consumer WARP client and cannot enroll in a team. Install Cloudflare One Agent instead (links in Step 1).
Need help?
Email helpdesk@wrld.tech with:- Your team name / shortname.
- The platform and WARP client version (visible under Preferences → About).
- Any error message shown, plus the Cloudflare Ray ID if one was displayed.