Pretty much the same as this question. warp-cli’s “teams-enroll” subcommand can supposedly take a client id–client secret pair to do noninteractive enrollment. I’m on a free plan which supposedly doesn’t support generating service tokens. I can, though, generate them from the “Access” page in the Cloudflare dashboard, but then warp-cli won’t accept them:

Failed to enroll: Custom { kind: Other, error: “InvalidResponse” }

What is the “official” way to enroll devices without a GUI? Is this just an unsupported scenario?

This would require a service token. Are you running the command like this?

warp-cli-teams-enroll --access-client-id [client-id] --access-client-secret [client-secret]

From the help output:

warp-cli-teams-enroll
Enroll with Cloudflare for Teams

USAGE:
    warp-cli teams-enroll [OPTIONS] <team>

FLAGS:
    -h, --help       Prints help information
    -V, --version    Prints version information

OPTIONS:
        --access-client-id <CLIENT_ID>            Client ID for non-interactive authentication.
        --access-client-secret <CLIENT_SECRET>    Client secret for non-interactive authentication.

ARGS:
    <team>

Enrollment fails when I use service tokens generated form the dashboard.

8a8edb0a-6541-4787-8e75-29e889b099af1078×758 114 KB

# warp-cli teams-enroll [scrubbed] --access-client-id '[scrubbed].access' --access-client-secret '[scrubbed]'
Failed to enroll: Custom { kind: Other, error: "InvalidResponse" }

Other than from the dashboard I’m not sure where I can generate service tokens. I’m on a free plan.

Alright, I’ve figured it out: you need to add a rule in your device enrollment policy to allow for the service token you want to use, and the rule’s action should be “service auth” (not “allow”).

b92cc3f9-8e31-4840-a4a1-5b1669958d2e__11481×737 85.7 KB

b92cc3f9-8e31-4840-a4a1-5b1669958d2e__21252×385 44.5 KB