This article explains how to use Swif’s built‑in Cloudflare WARP app templates for macOS and Windows, including how Swif automatically creates and wires the required certificate policies for you.
These templates were introduced in:
New: Cloudflare WARP app templates for macOS and Windows
What the Cloudflare templates provide
Swif includes two app templates:
Cloudflare (macOS) – Cloudflare WARP / ZTNA client for managed Macs
Cloudflare (Windows) – Cloudflare WARP / ZTNA client for managed Windows devices
Each template is designed to:
Deploy the Cloudflare WARP app as a managed application.
Automatically create a matching certificate / profile policy:
macOS: a configuration profile (mobileconfig) that installs the Cloudflare certificate and WARP configuration.
Windows: a Windows Certificate Install policy that installs the Cloudflare certificate.
Apply the policy via Swif’s pre‑install mechanism so certificates are in place before WARP starts.
Let you edit just a few fields (cert and Cloudflare endpoints/config) rather than building everything from scratch.
You do not have to manually create a separate certificate policy from the policy page. The app templates create the corresponding policy for you; you only edit its fields.
Where to find the Cloudflare app templates
Sign in to the Swif admin console.
Go to Device Management → Applications.
Open Software → App Templates.
Search for “Cloudflare”.
You should see:
Cloudflare (macOS) – Platform: macOS
Cloudflare (Windows) – Platform: Windows
Each template is tagged and categorized as a network / VPN / ZTNA–type security app.
How certificate handling works (high level)
When you create a custom app from a Cloudflare template, Swif will:
Cloudflare (macOS)
Auto‑create a macOS configuration profile (mobileconfig) that:
Installs your Cloudflare root/intermediate certificate into the system trust store.
Includes the Cloudflare WARP configuration block (organization, endpoints, protocol, display name, etc.).
Attach this profile to the Cloudflare app as a pre‑install step so it’s applied before WARP runs.
Cloudflare (Windows)
Auto‑create a WINDOWS_CERTIFICATE_INSTALL_POLICY that:
Installs your Cloudflare certificate using a single encodedCertificate field (base64).
Use the app’s post‑install script to write the Cloudflare WARP configuration file to:
C:\ProgramData\Cloudflare\mdm.xml
Your only responsibility is to edit the auto‑created policy (fill in your cert and Cloudflare values). You don’t need to wire policies or pre‑install steps manually; the app template does that.
Using the Cloudflare (macOS) template
1. Create a custom Cloudflare macOS app from the template
Go to Applications → Add Custom App → From template.
Select Cloudflare (macOS).
In the generated app form:
Platform is pre‑set to macOS and locked appropriately.
Installer type defaults to PKG (or the standard macOS installer type in Swif).
Upload your Cloudflare WARP macOS PKG.
Check pre‑filled Name, Vendor (“Cloudflare, Inc.”), Description, and tags.
You will see a note explaining that a Cloudflare mobileconfig will be auto‑created and used as a pre‑install profile.
Save the app.
When you save:
Swif automatically creates a macOS configuration profile policy based on the Cloudflare template mobileconfig.
That policy is automatically tied to your Cloudflare app and used in the pre‑install phase.
2. Edit the auto‑created macOS Cloudflare profile policy
The generated profile is based on a template like the sample customer-warp.mobileconfig attached in ST‑7039:
https://api.media.atlassian.com/file/81f0efbb-8be3-48f0-8320-3ae53d98a86f/binary?dl=true&name=customer-warp.mobileconfig
Inside that profile, a small set of fields are parameterized. You’ll typically see placeholders like:
{{CUSTOMER_CERT_BASE64}}
{{organization}}
{{override_api_endpoint}}
{{override_doh_endpoint}}
{{override_warp_endpoint}}
{{warp_tunnel_protocol}}
{{display_name}}
To complete configuration:
Open the auto‑created Cloudflare macOS profile policy from the policy list or directly from the app detail (depending on UI version).
Replace the placeholders with your values:
CUSTOMER_CERT_BASE64 – base64‑encoded content of your Cloudflare root/intermediate certificate.
organization – your Cloudflare organization name.
override_api_endpoint – optional override for the API endpoint.
override_doh_endpoint – optional override for DNS‑over‑HTTPS endpoint.
override_warp_endpoint – Cloudflare WARP endpoint, including port if required.
warp_tunnel_protocol – e.g. wireguard or masque.
display_name – how this config will appear in WARP (e.g. region or environment).
Swif keeps this profile as a system‑scope profile:
Installed at the system level, not per‑user.
Conforms to macOS configuration profile best practices.
You don’t need to duplicate or build your own profile if you’re using the template.
3. Assign and verify on macOS devices
Assign the Cloudflare macOS app to your macOS device group(s).
The attached profile policy will be used automatically as a pre‑install step.
On a test Mac:
Confirm the Cloudflare certificate is in the System keychain/trust store.
Confirm the Cloudflare WARP app is installed.
Verify that WARP launches and uses your configured endpoints/organization without TLS trust errors.
Using the Cloudflare (Windows) template
1. Create a custom Cloudflare Windows app from the template
Go to Applications → Add Custom App → From template.
Select Cloudflare (Windows).
In the app form:
Platform is pre‑set to Windows.
Installer type defaults to MSI/EXE according to the template.
Upload your Cloudflare WARP Windows installer (MSI/EXE).
Verify pre‑filled metadata (name, vendor, description, tags).
You’ll see a note that a Windows Certificate Install policy will be created automatically and used for pre‑install certificate handling, and that configuration is handled via a post‑install script.
Save the app.
When you save:
Swif automatically creates a WINDOWS_CERTIFICATE_INSTALL_POLICY for this app.
That policy is wired into the deployment flow so certs are installed before WARP runs.
2. Edit the auto‑created Windows certificate policy
The generated policy is similar to the sample in ST‑7039:
{
  "policyName": "CustomerWarpTest",
  "policyType": "WINDOWS_CERTIFICATE_INSTALL_POLICY",
  "policy": {
    "encodedCertificate": "..."
  },
  "description": "This policy configures certificate installation settings on the device. This Windows policy can be used for BYOD or company-owned."
}
You only need to:
Open the Cloudflare Windows certificate policy auto‑created for the app.
Paste your base64‑encoded Cloudflare certificate into the encodedCertificate field.
There is just one field to edit, so configuration load is minimal.
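A pre-flight check for the value pasted into CUSTOMER_CERT_BASE64 (macOS) or encodedCertificate (Windows), added here as an example and not part of Swif's templates or tooling. It reports whether the value is base64 of DER or of a whole PEM file, catches truncated pastes, lists any {{placeholders}} left unfilled, and returns a SHA-256 fingerprint to compare with the certificate you obtained from Cloudflare. The function names and sample bytes are constructed for illustration, and the page does not state which encoding form Swif expects.

```python
import base64
import binascii
import hashlib
import re

PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")
PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
# Constructed sample: a 5-byte DER SEQUENCE, not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_FIELD = base64.b64encode(SAMPLE_DER).decode()


def unfilled_placeholders(text):
    """Names of {{placeholders}} still present in a profile or mdm.xml body."""
    return sorted(set(PLACEHOLDER.findall(text)))


def der_is_complete(der):
    """True if the outer DER SEQUENCE length matches the bytes present."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:  # short-form length
        return len(der) == 2 + first
    n = first & 0x7F  # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def b64(text):
    """Strict base64 decode that tolerates line breaks but nothing else."""
    return base64.b64decode("".join(text.split()), validate=True)


def inspect_encoded_cert(value):
    """Classify a value meant for the certificate field and fingerprint it."""
    try:
        raw, form = b64(value), "DER"
        pem = PEM.search(raw.decode("ascii", "ignore"))
        if pem:  # the value was base64 of a whole PEM file
            raw, form = b64(pem.group(1)), "PEM"
    except (binascii.Error, ValueError) as exc:
        return {"ok": False, "reason": f"not valid base64: {exc}"}
    if not der_is_complete(raw):
        return {"ok": False, "reason": "decoded bytes are not one complete DER SEQUENCE"}
    return {"ok": True, "form": form, "sha256": hashlib.sha256(raw).hexdigest()}


if __name__ == "__main__":
    print(inspect_encoded_cert(SAMPLE_FIELD))
```

A value pasted with its BEGIN/END CERTIFICATE lines fails the strict base64 step, which is the most common copy-paste mistake this catches.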
3. Cloudflare configuration file (mdm.xml) via post‑install script
The Windows app template includes a post‑install PowerShell script that:
Ensures C:\ProgramData\Cloudflare exists.
Creates C:\ProgramData\Cloudflare\mdm.xml if it does not already exist.
Writes the Cloudflare WARP XML configuration into that file.
Example:
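# Target directory and file for the WARP MDM configuration.
$targetDir = "C:\ProgramData\Cloudflare"
$targetFile = "$targetDir\mdm.xml"
# WARP configuration XML (sample values; elided entries are shown as ...).
$xmlContent = @"
<array>
<dict>
<key>organization</key>
<string>opuspro</string>
<key>override_api_endpoint</key>
<string>101.52.222.239</string>
...
</dict>
...
</array>
"@
# Create the directory if it is missing.
if (-not (Test-Path -Path $targetDir)) {
    New-Item -ItemType Directory -Path $targetDir -Force | Out-Null
}
# Write the file only if it does not already exist; an existing mdm.xml is left untouched.
if (-not (Test-Path -Path $targetFile)) {
    Set-Content -Path $targetFile -Value $xmlContent -Encoding UTF8
}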
In the shipped template, customer‑specific values (like organization, endpoints, display names) are parameterized or can be edited to match your environment.
The post‑install script is for configuration only. Certificate handling is done via the auto‑created Windows certificate policy, not via this script.
4. Assign and verify on Windows devices
Assign the Cloudflare Windows app to your Windows device group(s).
The attached Windows certificate policy is used automatically in the pre‑install step.
On a test Windows device:
Confirm your Cloudflare certificate appears in Trusted Root / Intermediate certificate stores.
Confirm C:\ProgramData\Cloudflare\mdm.xml exists and contains the expected XML configuration.
Verify Cloudflare WARP installs and can connect using that configuration.
Multi‑customer, multi‑environment usage
The templates are intentionally generic:
App templates define:
Installer type, platform, vendor, and baseline scripts.
The fact that a companion policy is auto‑created and attached.
Policies and config fields are where customer‑specific values live:
macOS: the mobileconfig profile fields (CUSTOMER_CERT_BASE64, organization, endpoints, etc.).
Windows: encodedCertificate and any organization/endpoints used in the XML written by the post‑install script.
This allows:
Multiple organizations to use the same Cloudflare templates.
Separate prod/stage configurations by editing the fields in the auto‑created policies or adjusting the configuration XML/values.
Summary
You don’t need to manually create certificate policies when using the Cloudflare app templates.
For each custom app you create from the templates:
Swif auto‑creates:
A macOS configuration profile (mobileconfig) for certificates + WARP config, or
A Windows certificate install policy for certificate deployment.
These policies are pre‑wired into the app’s deployment flow using pre‑install (and post‑install for Windows config file).
You only:
Upload the WARP installer.
Edit a small set of fields (certificate base64, organization, endpoints, protocol, display names).

