DevicePostureRule

Source: src/Cloudflare/Devices/PostureRule.ts

A Cloudflare Zero Trust device posture rule — a periodic check the WARP client runs on enrolled devices (OS version, firewall status, disk encryption, file presence, or a third-party security provider’s verdict). Posture results can then gate Access policies and Gateway rules.

Every property except type can be updated in place (the update is a full PUT). Changing type replaces the rule.

Require a minimum Windows version

const rule = yield* Cloudflare.DevicePostureRule("WindowsOsVersion", {
  type: "os_version",
  description: "Require Windows 10.0.19045+",
  match: [{ platform: "windows" }],
  schedule: "5m",
  input: {
    operatingSystem: "windows",
    operator: ">=",
    version: "10.0.19045",
  },
});

Require the OS firewall to be enabled

yield* Cloudflare.DevicePostureRule("Firewall", {
  type: "firewall",
  match: [{ platform: "windows" }, { platform: "mac" }],
  input: { enabled: true, operatingSystem: "windows" },
});

Require disk encryption on all drives

yield* Cloudflare.DevicePostureRule("DiskEncryption", {
  type: "disk_encryption",
  match: [{ platform: "mac" }],
  input: { requireAll: true },
});
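
Before posture results gate Access policies, it helps to know which enrolled devices would fail. The following is an added example, not code from this library or from Cloudflare: a local dry run of the three rules above against a constructed inventory. The Device shape, the evaluate and failures helpers, and the evaluation semantics are assumptions made for illustration.

```typescript
// Added example; the evaluation semantics are an assumption, not the WARP client's logic.
type Platform = "windows" | "mac" | "linux";
type Match = { platform: Platform }[];
interface Device { name: string; platform: Platform; osVersion: string; firewallEnabled: boolean; encryptedDrives: boolean[] }
type Rule =
  | { type: "os_version"; match: Match; input: { operator: ">=" | ">" | "==" | "<" | "<="; version: string } }
  | { type: "firewall"; match: Match; input: { enabled: boolean } }
  | { type: "disk_encryption"; match: Match; input: { requireAll: boolean } };

// Numeric per-component compare: "10.0.9200" < "10.0.19045", unlike a string compare.
function compareVersions(a: string, b: string): number {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d; // NaN (non-numeric component) fails every operator below
  }
  return 0;
}

// "n/a": the rule's match list does not include the device's platform.
function evaluate(rule: Rule, d: Device): "pass" | "fail" | "n/a" {
  if (!rule.match.some((m) => m.platform === d.platform)) return "n/a";
  if (rule.type === "os_version") {
    const c = compareVersions(d.osVersion, rule.input.version);
    const ok = { ">=": c >= 0, ">": c > 0, "==": c === 0, "<": c < 0, "<=": c <= 0 }[rule.input.operator];
    return ok ? "pass" : "fail";
  }
  if (rule.type === "firewall") return d.firewallEnabled === rule.input.enabled ? "pass" : "fail";
  const e = d.encryptedDrives; // an empty drive list fails closed
  const ok = e.length > 0 && (rule.input.requireAll ? e.every(Boolean) : e.some(Boolean));
  return ok ? "pass" : "fail";
}

const rules: Rule[] = [ // the page's three rules, reduced to the fields modelled here
  { type: "os_version", match: [{ platform: "windows" }], input: { operator: ">=", version: "10.0.19045" } },
  { type: "firewall", match: [{ platform: "windows" }, { platform: "mac" }], input: { enabled: true } },
  { type: "disk_encryption", match: [{ platform: "mac" }], input: { requireAll: true } },
];
const fleet: Device[] = [ // constructed inventory, not real devices
  { name: "win-old", platform: "windows", osVersion: "10.0.9200", firewallEnabled: true, encryptedDrives: [true] },
  { name: "win-ok", platform: "windows", osVersion: "10.0.22631", firewallEnabled: true, encryptedDrives: [true] },
  { name: "mac-partial", platform: "mac", osVersion: "14.4.1", firewallEnabled: false, encryptedDrives: [true, false] },
];
// Every failing "device:ruleType" pair, i.e. what enforcement would block.
function failures(): string[] {
  const out: string[] = [];
  for (const d of fleet) for (const r of rules) if (evaluate(r, d) === "fail") out.push(`${d.name}:${r.type}`);
  return out;
}
```

Devices reported as "n/a" are not covered by a rule at all, so a policy that requires that rule needs a decision on how to treat them.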