[CF1] WARP device status #26692
base: production
This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:
Preview URL: https://f7fc3cdd.preview.developers.cloudflare.com
Files with changes (up to 15)
|
|
||
| | Concept | Definition | | ||
| |--------|------------| | ||
| | User | A human identity that consumes a [seat](/cloudflare-one/team-and-resources/users/seat-management/) after any authentication event. | |
Not sure if this is the correct way to talk about seats, considering the multi-user feature. A seat will be a device, containing multiple registrations (users).
| |--------|------------| | ||
| | User | A human identity that consumes a [seat](/cloudflare-one/team-and-resources/users/seat-management/) after any authentication event. | | ||
| | [Service token](/cloudflare-one/access-controls/service-credentials/service-tokens/) | Used by automated systems (a non-human identity) to authenticate against your Cloudflare One policies. | | ||
| | Device registration | An public key, associated to a user and device, used by WARP to connect to Cloudflare's network. | |
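Review bot: The Service token row says what the token is "Used by" instead of defining it, unlike the User and Device registration rows, which open with a noun phrase; start it with a noun phrase too (for example "A credential used by automated systems ..."). In the Device registration row, "associated to" should read "associated with".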
A public key *
|
|
||
| ## Revoke and unrevoke access | ||
|
|
||
| Revoke access when you need to prevent a device from connecting (for example, if a work laptop is stolen) while still allowing the user to register a new device. |
"if a work laptop is stolen"
"if a device is stolen"?
"for example, if stolen"
| | Status | Description | | ||
| | --- | --- | | ||
| | **Active** | Registered and able to connect via WARP. This is the expected operational state. | | ||
| | **Revoked** | The registration's public key is invalidated, preventing the device from connecting. The device still appears in your device list and can be unrevoked. | |
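Review bot: The Active row has no subject, so a reader cannot tell whether the status describes the device or the registration, while the Revoked row names both; name the subject in each description and keep it the same across rows.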
The device cannot be unrevoked, only the registration.
Devices appear or not on the device list depending on the number of active registrations - if a device has 1 registration then revoking it will make the device disappear from the list (when using default filters which exclude devices with no active registrations).
|
|
||
| ## Revoke and unrevoke access | ||
|
|
||
| Revoke access when you need to prevent a device from connecting (for example, if a work laptop is stolen) while still allowing the user to register a new device. |
IMO there is no scenario where revocation is useful and we're planning to remove this action in the coming months. E.g. in the case of a stolen laptop it would be better to delete the registration (or the whole device).
|
|
||
| Revoke access when you need to prevent a device from connecting (for example, if a work laptop is stolen) while still allowing the user to register a new device. | ||
|
|
||
| - Revoking disallows the device from connecting to Cloudflare's network. The public key remains on the device during revocation. |
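Review bot: In the bullet, "The public key remains on the device during revocation" reads oddly beside the status table's "The registration's public key is invalidated"; if the intended meaning is that the key stays on the device but is no longer accepted, say so explicitly. Also prefer "prevents the device from connecting" over "disallows the device from connecting".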
This isn't accurate. Revoking/deleting a registration will cause the WARP client to re-register (re-authenticate) - if the user authenticates successfully then the connection will be possible. Additionally, the device can connect when using multi-user using other registrations.
Also - if the device is using service tokens I believe that revocation/deletion has no real effect as the device can re-register without user interaction.
|
|
||
| ## Delete a registration | ||
|
|
||
| Deleting a registration permanently removes it from your account. If you delete a registration, you will need to re-register the device to connect to your organization. |
Note: devices attempt to re-register automatically when they detect that the registration has been deleted (or revoked).
Summary
PCX-11011