This guide provides solutions to common problems for SEED. Follow the steps below to troubleshoot and resolve the problems you are experiencing.
If you encounter the CF_DNS_Lookup_Failure
error while using Cloudflare WARP on macOS 15, follow these steps to resolve the issue:
Cloudflare recommends upgrading to macOS 15.1 or later, as macOS 15.1 resolves several issues that could cause the WARP client to misbehave.
- Open System Preferences.
- Select Software Update.
- Follow the on-screen instructions to update to macOS 15.1 or later.
Ensure your firewall settings are properly configured to allow Cloudflare WARP to function.
- Open System Preferences.
- Navigate to Settings > Network > Firewall.
- Turn on the firewall.
Adjust your firewall settings to allow incoming connections.
- Go to Settings > Network > Firewall > Options.
- Ensure "Block all incoming connections" is unchecked.
Enable incoming connections explicitly for the following applications:
- CloudflareWARP located at:
/Applications/CloudflareWARP.app/Contents/Resources/CloudflareWARP
- Cloudflare WARP with the bundle ID:
com.cloudflare.1dot1dot1dot1dot1.macos
After completing these steps, the CF_DNS_Lookup_Failure
error should no longer occur.
If you encounter the screen below:
Follow these steps to diagnose the issue:
-
Check the SEED Dashboard: Start by investigating the reason why access to certain resources is restricted. Ensure the following:
- Your Cloudflare WARP client is connected and enrolled in the
gccgovsg
organisation. - The Tanium Client is installed and running on your device.
- Your Cloudflare WARP client is connected and enrolled in the
Once these conditions are met, you can access the SEED Dashboard on your GMD to further diagnose the issue with your device.
Access to SGTS resources may be blocked for the following reasons:
Issue | Description | Category |
---|---|---|
Malware on the device | The device is infected with malware or exhibits suspicious behavior, causing it to be classified as high-risk and blocking access to SGTS. | Security |
Incorrect Cloudflare configuration | The Cloudflare WARP client is either stopped or not enrolled in the gccgovsg organization, marking the device as misconfigured. |
Configuration |
Incorrect Intune configuration | Device not enrolled in the correct tenants (SG Govt M365 or TECHPASS ), or unable to sync with Intune, blocking access to resources. |
Configuration |
Tanium Client cannot communicate | The Tanium Client is unable to communicate with our servers, leading to blocked access due to lack of necessary status updates. | Configuration |
Check for Tanium Client installation
- Click the Start icon on the taskbar.
- Go to Settings > Apps and search for Tanium Client.
- If you are unable to find it, try to resync your Intune to install the Tanium Client on your device.
Check for Tanium Client installation
- Open Terminal.
- Eun the following command:
sudo ls /Library/Tanium/TaniumClient
- Enter your macOS password when prompted.
- If you see confirmation, as shown in the image below, Tanium Client is installed on your device.
- If you are unable to find it, log into Company Portal to install the Tanium Client on your device. Otherwise, you might need to re-onboard your device following the steps here.
If your device remains blocked after checking all other settings, please try to connect using a mobile hotspot and wait for 15-20 minutes for the Tanium server to find your device.
If your device is unblocked after connecting via mobile hotspot, it is likely that the firewall of the previous network you are connecting to is blocking the Tanium IPs. Whitelist the Tanium IPs to resolve this issue. The IP addresses can be found at this link (accessible via TechPass login).
Ensure that Cloudflare service is installed and running
- Search for Add or Remove Programs in the search bar.
- Ensure that Cloudflare Warp shows up as an installed program.
- Search for Run in the search bar and run services.msc.
- Ensure that Cloudflare WARP is a running service.
- If Cloudflare WARP is not installed or not running, refer to troubleshooting Cloudflare issues.
Ensure that Cloudflare is authenticated and verified
- Open the taskbar, right-click on the Cloudflare Warp icon, and then click on Preference.
- Navigate to Account and ensure that you are authenticated with the team name gccgovsg.
- If Cloudflare WARP is not authenticated to gccgovsg, refer to troubleshooting issues.
For any other Cloudflare issues, refer to the Cloudflare troubleshooting information in the relevant section on this page.
Ensure that Intune is enrolled with the valid tenant
- Search for Access work or school in the search bar.
- Ensure that you have an account added with a techpass.gov.sg domain (for vendors) or a <agency_name>.gov.sg domain (for all Public officers).
- Click the account > Info.
- Ensure that the top of the page shows either Managed by SG Govt M365 for public officers or Managed by TechPass for vendors.
- If there is no enrollment, refer to the following links for help on how to enroll your device to Intune:
Ensure that the Defender service is running
- Search for Run in the search bar and type services.msc.
- Ensure that Microsoft Defender Antivirus Service and Microsoft Defender Core Service are running.
- If the services are not running, reboot your system and verify again, or try to start them manually by right-clicking and click Start.
- If your services are unable to start after multiple attempts, raise a service request
Ensure that real-time protection and cloud protection are turned on
- Search for Windows Security in the search bar.
- Navigate to Virus & threat protection > Manage Settings under Virus & threat protection settings.
- Ensure that Real-time protection and Cloud-delivered protection are enabled.
- If they cannot be enabled, navigate to the previous page and click Check for Updates under Virus & threat protection Updates, and install the updates, if any.
- If it is still not enabled, raise a service request, and state Disabled Real-Time protection and Cloud-delivered protection in the description.
Ensure that Defender has a valid tenant
- Go to the Start menu and enter Powershell.
- Right-click on the search result for PowerShell and select Run as Administrator
- On Powershell, run the following command:
$reg64 = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry64)
$OrgID = $reg64.OpenSubKey("SOFTWARE\MICROSOFT\Windows Advanced Threat Protection\Status").GetValue("OrgID")
echo $OrgID
- Take note of the value displayed for OrgID.
- Ensure that the value is one of the following:
- Public officers: faa36a5e-2da6-4225-8e27-226177c801a0
- Vendors: 49237d71-42ac-425a-a803-881b92cc18ce
- If the values are different, check with your IT administrator to identify which Defender tenant you are currently under and offboard from that tenant before attempting to re-onboard.
Ensure that Cloudflare service is installed and running
- Access the Application folder.
- Ensure that Cloudflare WARP is appearing as an installed program.
- Open Terminal.
- Type
sudo launchctl list | grep -i cloudflare
and ensure the service is running. - If Cloudflare WARP is not installed or not running, refer to the Cloudflare troubleshooting information in the relevant section on this page.
Note: Spotlight is used to detect the existence of applications. If you have disabled Spotlight, we would not be able to detect Cloudflare WARP on your device.
Ensure that Cloudflare is authenticated and verified
- Click the Cloudflare WARP icon on the taskbar > Preference.
- Navigate to Account and ensure that you are authenticated with the team name gccgovsg.
- If Cloudflare WARP is not authenticated to gccgovsg, refer to troubleshooting issues.
Ensure that Intune is enrolled with the valid tenant
- Log into Company Portal using your
<agency_name>.gov.sg
ortechpass.gov.sg
username. - Ensure that your device is shown as managed.
- Ensure that the top left-hand corner shows SG Govt M365 or TechPass to show it is managed by the correct tenant.
-
If there is no enrollment, refer to the following links for help on how to enroll to Intune:
Note: Perform a sync to check that the device is able to communicate with Intune.
Ensure that the Defender service is installed
- Access the Application folder.
Ensure that the Defender service is running and is healthy
- Open Terminal.
- Run
ps aux | grep -i "Defender"
. - Ensure you see the following output:
If the service is not running, refer to the following steps:
- Open Terminal.
- Run the following command to start the services:
sudo launchctl kickstart -k system/com.microsoft.wdav
sudo launchctl kickstart -k system/com.microsoft.wdav.enterprise
- Run
ps aux | grep -i "Defender"
to verify if the services are running now. - If the issue persists, raise a service request
Ensure that Defender has real-time protection enabled
- Open Terminal.
- Run
mdatp health --field real_time_protection_enabled
. - Ensure that the value is true.
Ensure that Defender is cloud enabled
- Open Terminal.
- Run
mdatp health --field cloud_enabled
. - Ensure that the value is true.
Ensure that Defender has a valid tenant
- Open Terminal.
- Run
mdatp health --field org_id
. - Ensure that the value is one of the following:
- Public officers: faa36a5e-2da6-4225-8e27-226177c801a0
- Vendors: 49237d71-42ac-425a-a803-881b92cc18ce
- If the values are different, please check with your IT administrator to identify which Defender tenant you are currently under and offboard from that tenant before attempting to re-onboard.
Ensure that Defender definitions are updated
- Open Microsoft Defender.
- Under Virus & threat protection updates, click Check for updates.
- Click Help > Check for product updates.
- Click Update All.
When using SGTS products with Cloudflare WARP turned off, you might encounter an error message saying, That account does not have access.
- Turn on Cloudflare WARP Client and access the application.
If you are facing an issue with your Cloudflare WARP, please follow the solutions in this page. Alternatively, raise a service request for assistance.
If your Cloudflare WARP is stuck in the connecting status, please follow these steps to resolve the issue:
-
Click the Start icon in the taskbar.
-
Navigate to Settings > Apps.
-
Search for Cloudflare WARP and select Uninstall.
After uninstalling, proceed to download Cloudflare WARP
For a smooth experience, download the following versions:
- Windows: Version 2024.3.409.0
- macOS: Version 2024.3.444.0
Once downloaded, follow these steps:
-
Click the gear icon > Preferences > Account.
-
Log in with Cloudflare for Teams.
-
Enter gccgovsg in the organisation name field.
-
Test using incognito mode using Google Chrome or Microsoft Edge browser and test using your personal hotspot or home Wi-Fi.
Ensure to re-authenticate your Cloudflare WARP client with the following steps:
-
Clear your browsing history/cache on Chrome.
-
Click the Cloudflare WARP icon.
- Click the gear icon.
- Navigate to Preferences > Account.
- Click Re-authenticate with Cloudflare zero trust.
-
Reboot your machine.
When using SGTS products with Cloudflare WARP, you might encounter an error message saying, That account does not have access.
-
First, check the following:
- Have you received the successfully onboarded email from SEED?
- Are you using one of the supported browsers?
- Is your Cloudflare WARP client connected and up to date?
- Open Cloudflare WARP Settings and ensure "Gateway with WARP" is selected.
- For Windows users, check if Tanium is listed in the Start menu.
- For macOS users, look for Tanium in Finder > Applications.
- Ensure your device's operating system is up to date.
- Make sure Defender is updated and running.
- Check if your TechPass account has the necessary permissions for GCC 2.0 CMP or a specific SGTS service.
Note:
- SEED does not support running other VPN clients alongside Cloudflare WARP.
- It is recommended not to use WARP and a VPN simultaneously.
-
If you are running a VPN client along with WARP, ensure that the VPN configuration doesn't route all traffic and DNS queries to the VPN server.
-
If the issues persist, generate a diagnostic report and upload it to the service request.
Cloudflare has reported connectivity problems for users with macOS and Windows WARP. Users may experience intermittent connectivity issues while trying to access websites.
- To uninstall the existing WARP client, open the Terminal app and run the following command.
sudo /bin/sh /Applications/Cloudflare\ WARP.app/Contents/Resources/uninstall.sh
- Enter your macOS password when prompted. You will be prompted to confirm the uninstallation.
Do you want to uninstall Cloudflare WARP app? Enter Y to proceed or N to exit.
-
Enter
Y
. When WARP is successfully uninstalled, the messageFinished uninstallation!
is displayed. -
Proceed to download Cloudflare WARP.
- macOS: Version 2024.3.444.0
- To uninstall the existing WARP client, click the Start icon on the taskbar.
- Go to Settings > Apps and search for Cloudflare WARP.
- Choose Cloudflare WARP and click Uninstall.
- Proceed to download Cloudflare WARP.
- Windows: Version 2024.3.409.0
Once downloaded, follow the steps below:
-
Click the gear icon > Preferences > Account.
-
Log in with Cloudflare for Teams.
-
Enter gccgovsg in the organisation name field.
-
Test using incognito mode using Google Chrome or Microsoft Edge browser and test using your personal hotspot or home Wi-Fi.
Ensure to re-authenticate your Cloudflare WARP client with the following steps:
-
Clear your browsing history/cache on Chrome.
-
Click the Cloudflare WARP icon.
- Click the gear icon.
- Navigate to Preferences > Account.
- Click Re-authenticate with Cloudflare zero trust.
-
Reboot your machine.