Skip to main content
WRLD uses Cloudflare Zero Trust (also known as Cloudflare One) to protect internal applications and client environments. This guide walks you through installing the Cloudflare WARP client on your device and authenticating to your organization’s tenant via single sign‑on (SSO).

Prerequisites

  • A device running macOS, Windows, iOS, Android, or Linux.
  • An active user account in your organization’s identity provider:
    • Microsoft Entra ID (Azure AD) for Microsoft 365 organizations, or
    • Google Workspace for Google-based organizations.
  • Your organization’s team name (see below).
Team names
  • WRLD staff: team name is wrld. Tenant URL: https://wrld.cloudflareaccess.com.
  • SLA‑supported clients: use your company shortname issued by WRLD. Tenant URL: https://<shortname>.cloudflareaccess.com.
If you aren’t sure of your shortname, check your onboarding email or contact helpdesk@wrld.tech.

Step 1 — Install the Cloudflare WARP client

Download and install from Cloudflare:Or install via Homebrew:
brew install --cask cloudflare-warp
After install, launch Cloudflare WARP from /Applications. Accept the warning about installing a system extension/network filter.

Step 2 — Enroll in your organization’s team

1

Open WARP settings

  • Desktop (macOS / Windows / Linux): click the WARP menu-bar / system-tray icon → the gear icon → PreferencesAccount.
  • Mobile (iOS / Android): open Cloudflare One AgentSettings (gear) → Account.
2

Login to Cloudflare Zero Trust

Select Login to Cloudflare Zero Trust (on mobile this may be Login with SSO).
3

Enter your team name

When prompted for a team name, enter:
  • wrld — if you’re WRLD staff.
  • <shortname> — your client shortname issued by WRLD (e.g. acme).
You enter only the team name, not the full URL. Cloudflare will route you to https://<team>.cloudflareaccess.com automatically.
4

Continue in browser

A browser window opens to https://<team>.cloudflareaccess.com. You’ll see a list of available identity providers. Proceed to the appropriate section below.

Step 3 — Authenticate with your identity provider

Choose this if your organization uses Microsoft 365, Azure AD, or Entra ID for user accounts.
1

Select the Microsoft login option

On the Cloudflare Access login page, click Sign in with Microsoft (or the button labeled with your organization’s Entra ID tenant name).
2

Authenticate with Microsoft

Enter your work email (e.g. you@yourcompany.com) and password, then complete MFA (Microsoft Authenticator push, code, or FIDO2 key — whichever your tenant enforces).
3

Consent to the Cloudflare app (first time only)

If this is your first login, you may be asked to accept permissions for the Cloudflare Access app. Your org may have pre‑consented, in which case this step is skipped.
4

Return to WARP

After successful login, the browser displays a “You may close this window” / “Success” page. Return to the WARP client — it should now show Connected with your user identity.

Step 4 — Verify your connection

1

Check WARP status

The WARP client should show:
  • Status: Connected
  • Mode: Zero Trust (or similar, depending on client version)
  • Account: your work email address
2

Confirm via Cloudflare trace

Open https://<team>.cloudflareaccess.com/cdn-cgi/trace in a browser. You should see warp=on and gateway=on in the output.
3

Try reaching a protected app

Navigate to an internal application covered by your org’s Access policy. You should be allowed in without seeing the Access login page again (SSO is now cached in WARP).

Daily use

  • The WARP client re‑authenticates automatically based on your org’s session duration. You may be prompted to sign in again every 24 hours, 7 days, or 30 days depending on policy.
  • To temporarily disconnect, toggle WARP off from the menu‑bar/tray icon. Protected apps will stop working until you reconnect.
  • To switch between the consumer 1.1.1.1 VPN and your Zero Trust team, use Preferences → Account → Logout from Zero Trust, then log in fresh.

Troubleshooting

Double-check you entered the correct team name (no URL, no https://, no .cloudflareaccess.com suffix). For WRLD staff it’s wrld. For SLA clients, your shortname was issued by WRLD — check your onboarding email or contact helpdesk@wrld.tech.
Your tenant may only have one IdP configured, in which case the login page might go directly to that provider without showing a picker. If you expect to see both Microsoft and Google options and don’t, ask WRLD support to confirm which IdPs are enabled for your tenant.
You authenticated successfully, but the Access policy denied you. Common causes:
  • Your user account isn’t in the required group (e.g. WRLD-Staff, or a client-specific group).
  • Your device doesn’t meet posture requirements (OS version, disk encryption, etc.).
  • You’re connecting from a geography or IP the policy excludes.
Capture the Ray ID shown on the denial page and send it to helpdesk@wrld.tech.
  • Fully quit and reopen the WARP client.
  • On macOS: check System Settings → Network for a “Cloudflare WARP” interface; toggle it off/on.
  • On Windows: restart the Cloudflare WARP service from services.msc.
  • Ensure your device clock is accurate — large clock skew breaks TLS.
  • If you’re on a restrictive network (e.g. hotel Wi-Fi), it may block MASQUE/WireGuard traffic. Try another network to isolate.
WARP overrides DNS. If a specific internal hostname doesn’t resolve:
  • Ensure your org’s Gateway policy includes the required domains.
  • On macOS, run scutil --dns to confirm WARP’s resolver is active.
  • Contact WRLD support so we can review the Gateway DNS policy.
Running two VPNs at once often breaks routing. Disconnect your site‑to‑site VPN (see VPN Setup) before connecting WARP, or ask WRLD to carve out split‑tunnel exceptions for the overlapping subnets.
On iOS and Android, the standalone “1.1.1.1” app is the consumer WARP client and cannot enroll in a team. Install Cloudflare One Agent instead (links in Step 1).

Need help?

Email helpdesk@wrld.tech with:
  • Your team name / shortname.
  • The platform and WARP client version (visible under Preferences → About).
  • Any error message shown, plus the Cloudflare Ray ID if one was displayed.

References