iOS MDM Configuration still broken after years

What is the name of the domain?

Not applicable

What is the error number?

No errors

What is the error message?

No error

What is the issue you’re encountering?

zero touch configuration for iOS does not work

What steps have you taken to resolve the issue?

It’s 2024 and zero touch configuration for iOS still seems broken. Per-App VPN is now actually supported, which is great, but whatever I do, the VPN won’t actually connect until the user opens the Cloudflare One app for the first time. This makes sense for a user registration, but I’m using auth_client_id and auth_client_secret successfully.

Additionally, setting unique_client_id via MDM using Intune’s existing {{deviceid}} does not work (as suggested by documentation). It works for Okta Verify, but Cloudflare doesn’t actually use it. This is painful because, without this, there’s zero possibility to understand which device belongs to an end-user when using a Service Token.
The app configuration itself is working, because other settings are taking.
Other app configurations are working with {{deviceid}}.
Deploying the VPN Profile exactly as described in the documentation.
AutoConnect is disabled for the WARP client, as documented.

What are the steps to reproduce the issue?

Using iOS 17.7.2. Device is Supervised, registered in Apple Business Manager.
Using VPP to Deploy Cloudflare One 1.8, silently, via Intune; Apple MDM itself is pretty darn standardized, so I suspect this is an issue with the iOS client itself.
Try hitting a url (defined in the VPN profile) via Safari, and watch it fail. Open the Cloudflare app, let it load, try the same url in Safari again and it works.
Notice that the Device ID in the Cloudflare Portal doesn’t remotely resemble the Intune Device ID.
Delete everything, try again, same thing happens (with yet another new Device ID).
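As an added example (not code from the original post, nor from Cloudflare or Microsoft), the managed app configuration the post describes can be built and sanity-checked before and after delivery. It uses the three keys the post names (auth_client_id, auth_client_secret, unique_client_id) plus organization, which is assumed here to be required; the credential values and team name are constructed placeholders, and it is assumed that Intune's XML app-configuration field accepts a bare plist <dict> fragment. The check function only tells you whether the required keys arrived and whether Intune substituted the {{deviceid}} token at all; it cannot tell you whether the app then uses the value, which is the behaviour the post reports as missing.

```python
import plistlib

# Constructed placeholder values; none of these are real credentials or a real team name.
ORGANIZATION = "example-team"                          # assumed: the Zero Trust team name
AUTH_CLIENT_ID = "<service-token-client-id>"           # placeholder, from a Zero Trust service token
AUTH_CLIENT_SECRET = "<service-token-client-secret>"   # placeholder
INTUNE_DEVICE_ID_TOKEN = "{{deviceid}}"                # Intune substitutes this per device at delivery time

# Keys every device needs for a service-token registration
# (assumption: organization is required alongside the two token halves).
REQUIRED_KEYS = ("organization", "auth_client_id", "auth_client_secret")


def build_app_config(organization, client_id, client_secret,
                     unique_client_id=INTUNE_DEVICE_ID_TOKEN):
    """Managed app configuration as a dict, one entry per MDM key."""
    return {
        "organization": organization,
        "auth_client_id": client_id,
        "auth_client_secret": client_secret,
        "unique_client_id": unique_client_id,
    }


def to_intune_xml(config):
    """Serialize to the bare <dict>...</dict> fragment for Intune's XML field.
    plistlib emits a full plist document, so the outer wrapper is stripped."""
    document = plistlib.dumps(config, fmt=plistlib.FMT_XML).decode()
    start = document.index("<dict>")
    end = document.rindex("</dict>") + len("</dict>")
    return document[start:end]


def parse_intune_xml(fragment):
    """Parse a <dict> fragment back into a dict, e.g. a copy of the managed
    configuration exported from a device for inspection."""
    wrapped = '<plist version="1.0">' + fragment + "</plist>"
    return plistlib.loads(wrapped.encode())


def check_delivered_config(delivered):
    """Return a list of problems with a config as it arrived on a device.
    An empty list means every required key is present and the device id token
    was substituted; it says nothing about whether the app honours the value."""
    problems = []
    for key in REQUIRED_KEYS:
        if not delivered.get(key):
            problems.append(f"missing or empty key: {key}")
    unique_id = delivered.get("unique_client_id", "")
    if "{{" in unique_id and "}}" in unique_id:
        problems.append("unique_client_id still holds an unsubstituted MDM token")
    return problems


if __name__ == "__main__":
    # Print the fragment to paste into the Intune app configuration policy.
    print(to_intune_xml(build_app_config(ORGANIZATION, AUTH_CLIENT_ID, AUTH_CLIENT_SECRET)))
```

Running the module prints the fragment to paste into the policy; feeding an exported on-device copy of the configuration to check_delivered_config separates "Intune never substituted the token" from "the app received the value but ignores it", which is the distinction the reproduction steps above hinge on.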

Are you trying to use VPN over Cloudflare or WARP? :thinking:

I am afraid lately the ToS were changed and you’d need to follow as stated on below post:

The Cloudflare One Agent (formerly WARP) sets up a VPN Profile on iOS in order to filter traffic.