OS version

The OS Version device posture attribute checks whether the version of a device’s operating system matches, is greater than or lesser than the configured value.

Prerequisites

• Cloudflare WARP client is deployed on the device. For a list of supported modes and operating systems, refer to WARP Client Checks.

Enable the OS version check

1. In Zero Trust, go to Settings > WARP Client.
2. Scroll down to WARP client checks and select Add new.
3. Select OS version.
4. Configure the Operating system, Operator, and Value fields to specify the OS version you want devices to match.

Note

The OS version must be specified as a valid Semver. For example, if your device is running OS version 1.2, you must enter 1.2.0.

5. (Optional) Configure additional OS-specific fields:

macos

In Version extra, enter the macOS Rapid Security Response (RSR) version you want devices to match. Be sure to include the parenthesis around the letter.

Example: (a)

ios

In Version extra, enter the iOS Rapid Security Response (RSR) version you want devices to match. Be sure to include the parenthesis around the letter.

Example: (a)

linux

In Distro name and Distro revision, enter the Linux distribution you want devices to match. The distro version always matches with an equal-to operator (==), regardless of the Operator setting.

Example: ubuntu 22.04

6. Select Save.

Next, go to Logs > Posture and verify that the OS version check is returning the expected results.

Determine the OS version

Operating systems display version numbers in different ways. This section covers how to retrieve the version number in each OS, in a format matching what the OS version posture check expects.

macOS

1. Open a terminal window.

2. Use the defaults command to check for the value of SystemVersionStampAsString.

   $ defaults read loginwindow SystemVersionStampAsString

Windows

1. Open a PowerShell window.

2. Use the Get-CimInstance command to get the version property of the Win32_OperatingSystem class.

   (Get-CimInstance Win32_OperatingSystem).version

Linux

OS version

The Linux OS version check returns the system kernel version. For the OS version check to work, the kernel version must be converted to a valid SemVer.

1. Open a Terminal window.

2. Run the uname -r command to get the complete version.

   $ uname -r

3. The valid SemVer would be the first 3 whole numbers of the output you obtain in the previous step. For instance, if the command above returned 5.14.0-25.el9.x86_64, the valid SemVer would be 5.14.0.

Distro version

The WARP client reads Distro name and Distro revision from the /etc/os-release file. The name comes from the ID field, and the revision comes from the VERSION_ID field.

To determine the Linux distro version on your device:

1. Open a Terminal window.

2. Get the OS identification fields that contain ID:

   $ cat /etc/os-release | grep "ID"

3. If the output of the above command contained ID=ubuntu and VERSION_ID=22.04, Distro name would be ubuntu and Distro revision would be 22.04. The WARP client will check these strings for an exact match.

ChromeOS

ChromeOS version numbers consist of four parts: MAJOR.MINOR.BUILD.PATCH. The OS version posture check returns MAJOR.MINOR.BUILD.

To determine the ChromeOS version on your device:

1. Open Chrome browser and go to chrome://system.
2. Find the following values:

   Property	OS version component
   CHROMEOS_RELEASE_CHROME_MILESTONE	MAJOR
   CHROMEOS_RELEASE_BUILD_NUMBER	MINOR
   CHROMEOS_RELEASE_BRANCH_NUMBER	BUILD

3. The OS version in Semver format is MAJOR.MINOR.BUILD (for example, 103.14816.131).