Skip to content

OS version

The OS Version device posture attribute checks whether the version of a device’s operating system matches, is greater than or lesser than the configured value.

Prerequisites

  • Cloudflare WARP client is deployed on the device. For a list of supported modes and operating systems, refer to WARP Client Checks.

Enable the OS version check

  1. In Zero Trust, go to Settings > WARP Client.
  2. Scroll down to WARP client checks and select Add new.
  3. Select OS version.
  4. Configure the Operating system, Operator, and Value fields to specify the OS version you want devices to match.

5. (Optional) Configure additional OS-specific fields:

In Version extra, enter the macOS Rapid Security Response (RSR) version you want devices to match. Be sure to include the parenthesis around the letter.

Example: (a)

  1. Select Save.

Next, go to Logs > Posture and verify that the OS version check is returning the expected results.

Determine the OS version

Operating systems display version numbers in different ways. This section covers how to retrieve the version number in each OS, in a format matching what the OS version posture check expects.

macOS

  1. Open a terminal window.

  2. Use the defaults command to check for the value of SystemVersionStampAsString.

    Terminal window
    $ defaults read loginwindow SystemVersionStampAsString

Windows

  1. Open a PowerShell window.

  2. Use the Get-CimInstance command to get the version property of the Win32_OperatingSystem class.

    Terminal window
    (Get-CimInstance Win32_OperatingSystem).version

Linux

OS version

The Linux OS version check returns the system kernel version. For the OS version check to work, the kernel version must be converted to a valid SemVer.

  1. Open a Terminal window.

  2. Run the uname -r command to get the complete version.

    Terminal window
    $ uname -r
  3. The valid SemVer would be the first 3 whole numbers of the output you obtain in the previous step. For instance, if the command above returned 5.14.0-25.el9.x86_64, the valid SemVer would be 5.14.0.

Distro version

The WARP client reads Distro name and Distro revision from the /etc/os-release file. The name comes from the ID field, and the revision comes from the VERSION_ID field.

To determine the Linux distro version on your device:

  1. Open a Terminal window.

  2. Get the OS identification fields that contain ID:

    Terminal window
    $ cat /etc/os-release | grep "ID"
  3. If the output of the above command contained ID=ubuntu and VERSION_ID=22.04, Distro name would be ubuntu and Distro revision would be 22.04. The WARP client will check these strings for an exact match.

ChromeOS

ChromeOS version numbers consist of four parts: MAJOR.MINOR.BUILD.PATCH. The OS version posture check returns MAJOR.MINOR.BUILD.

To determine the ChromeOS version on your device:

  1. Open Chrome browser and go to chrome://system.
  2. Find the following values:
    PropertyOS version component
    CHROMEOS_RELEASE_CHROME_MILESTONEMAJOR
    CHROMEOS_RELEASE_BUILD_NUMBERMINOR
    CHROMEOS_RELEASE_BRANCH_NUMBERBUILD
  3. The OS version in Semver format is MAJOR.MINOR.BUILD (for example, 103.14816.131).