diff --git a/main.tf b/main.tf
index b602c93..bfe8e04 100644
--- a/main.tf
+++ b/main.tf
@@ -35,4 +35,16 @@ resource "cloudflare_access_policy" "email_policy" {
 email = var.allowed_emails
 }
 count = length(var.allowed_emails) == 0 ? 0 : 1
+}
+
+resource "cloudflare_access_policy" "device_policy" {
+ application_id = cloudflare_access_application.application.id
+ zone_id = var.cloudflare_zone_id
+ name = "${var.name} Device Policy"
+ precedence = "10"
+ decision = var.device_policy_mode
+ include {
+ device_posture = var.device_policy_rules
+ }
+ count = var.device_policy_mode != "disabled" ? 1 : 0
 }
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index 675f795..6648182 100644
--- a/variables.tf
+++ b/variables.tf
@@ -83,4 +83,21 @@ variable "github_teams" {
 variable "allowed_emails" {
 type = list(string)
 description = "List of email addresses permitted to login via OTP"
+}
+
+variable "device_policy_mode" {
+ type = string
+ description = "Decision mode for the WARP/device policy"
+ default = "disabled"
+
+ validation {
+ condition = can(regex("^allow$|^deny$|^non_identity$|^bypass$|^disabled$", var.device_policy_mode))
+ error_message = "Invalid value for device_policy_mode. Must be one of allow, deny, non_identity, bypass, or disabled."
+ }
+}
+
+variable "device_policy_rules" {
+ type = list(string)
+ default = []
+ description = "List of WARP/device posture rule IDs to check for the device policy"
 }
\ No newline at end of file
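Review bot: The `count` guard on the new `device_policy` resource only checks `device_policy_mode`, so with the default `device_policy_rules = []` (see the variables.tf hunk) a mode of `allow` or `bypass` produces a policy whose `include` block names no posture rules; whether the Cloudflare API rejects that or creates a policy with an empty selector is not shown by this diff, and for a `bypass` decision the bad outcome would be skipping Access entirely for the matched requests. I would refuse to plan such a configuration with a `lifecycle` precondition (Terraform ≥ 1.2, assuming the module's version constraint allows it) rather than rely on the API to catch it. Separately, `precedence = "10"` passes a string for a numeric attribute and is a fixed value that may collide with the other policies in this file, whose `precedence` lines are outside the hunk; `precedence = 10` is the idiomatic form and a one-line comment on why 10 was chosen would help. The `email_policy` resource that the hunk's context lines belong to starts before the hunk.
```hcl
resource "cloudflare_access_policy" "device_policy" {
  # … unchanged: application_id, zone_id, name, precedence, decision, include …
  count = var.device_policy_mode != "disabled" ? 1 : 0

  lifecycle {
    precondition {
      condition     = length(var.device_policy_rules) > 0
      error_message = "device_policy_rules must name at least one posture rule when device_policy_mode is not \"disabled\"."
    }
  }
}
```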
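Review bot: The `device_policy_mode` description does not say what the accepted values do, and two of them — `bypass` and `non_identity` — turn the posture check into a way past identity authentication for matching devices rather than an additional requirement, which a caller reading only the variable block cannot tell. I would expand the description along the lines of `"Decision for the WARP/device posture policy: allow, deny, non_identity or bypass (bypass and non_identity skip Access identity checks for devices matching the posture rules); \"disabled\" creates no policy"`. The regex validation works, but `contains(["allow", "deny", "non_identity", "bypass", "disabled"], var.device_policy_mode)` states the same set more directly and cannot drift from the error message. `device_policy_rules` has no validation and its IDs are opaque so I would not add one, but its description should say the list is expected to be non-empty whenever `device_policy_mode` is not `disabled`, since the resource in main.tf otherwise gets an `include` block with no rules.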