User manual

• Introduction
• Setup
• Android Management setup
• Apple Management setup (APNs)
• Device provisioning overview
• Device Provisioning - Android
• Supported devices
• Enrollment tokens
• Personally-owned devices
• Company-owned devices for work and personal use
• Company-owned devices for work use only
• Zero-touch
• Authenticate Using Google enrollment
• Device Provisioning - Apple
• Apple provisioning overview
• Apple manual enrollment (Enrollment Profile)
• Apple Automated Device Enrollment (ADE)
• Policies overview
• Policies - Android
• Summary
• App management
• Kiosk mode
• Security
• Multimedia
• Cellular
• Networking
• System
• Location and geofence
• User management
• Personal usage
• Cross-profile policies
• Status reporting
• Misc
• Policy enforcement rules
• Policies - Apple
• Apple policies
• Apple policy: Passcode
• Apple policy: Restrictions
• Apple policy: Apps & profiles
• Device Status
• Device overview
• Commands
• Location map
• Dashboard location map
• Private apps
• Certificate management
• Devices
• Devices
• Users
• Users
• User editor
• Account
• Settings
• Multi-tenancy
• Multi-tenancy overview
• Managed enterprises
• Enterprise switching
• Sub-accounts
• Insights

Introduction

Cerberus Enterprise is a comprehensive EMM solution, designed to help you secure and manage your Android and Apple devices. It has all the right features for effective management of BYOD and company-owned devices in a clean and user-friendly dashboard, and you can get started in minutes.

To effectively use Cerberus Enterprise, you need to understand some key concepts about how the system works.

The system supports both Android and Apple device management:

On Android, Cerberus Enterprise uses Google's official Android Management API to manage devices through the Android Device Policy app (ADP). Most settings are enforced directly by ADP. Some optional features may also require the Cerberus Enterprise companion app, which extends what is possible beyond ADP alone.

On Apple devices, Cerberus Enterprise manages devices through Apple MDM (Mobile Device Management). Apple management requires an APNs certificate and can optionally integrate with Apple Business Manager for automated enrollment and app licensing.

Each device can be enrolled in the system using an Enrollment token or an Enrollment profile (Apple manual enrollment). The enrollment method is associated with a Policy that contains the rules that should be applied to devices. 

IT admins can change the policy associated with a device after enrollment. However, each device can be associated with only one policy at a time.

During the enrollment (provisioning) process, the required management components are installed and configured automatically. On Android, this typically includes the Android Device Policy app (and, depending on your configuration, the Cerberus Enterprise companion app). On Apple devices, management is applied through MDM once the device is enrolled. Consequently, the corresponding policy is automatically applied to the device, and all associated rules are enforced by the platform management system.

A policy can be applied to many devices. In this case, when you modify the policy, all the associated devices will receive the changes.

 

Setup

Android Management setup

To manage Android devices with Cerberus Enterprise, you must first connect your organization to Google Android Enterprise.

The setup process usually takes a few minutes and requires a work email address (for example, name@enterprise.com).

What happens during setup

• You will be redirected to Google Android Enterprise.
• You sign in with your work email address.
• Google creates the Android Management account for your organization.
• You are redirected back to Cerberus Enterprise to complete the setup.

Important information

Make sure to use a work email address, not a personal Gmail account. This email is used to create your Google Admin account for Android Management.

Next steps

After completing the setup, create an Enrollment token and choose the appropriate provisioning method for the device.

Apple Management setup (APNs)

To manage Apple devices, Cerberus Enterprise requires the Apple Push Notification service (APNs) certificate.

Use the Apple ID associated with your organization. The APNs certificate is valid for one year and must be renewed annually to continue managing devices.

Step 1: Download the CSR file

In the dashboard, start the Apple Management setup and download the Vendor-Signed Certificate Signing Request (CSR) file generated by Cerberus Enterprise.

Step 2: Create the Push Certificate on the Apple portal

• Sign in to the Apple Push Certificates Portal with your Apple ID.
• Click "Create a Certificate".
• Upload the CSR file from Step 1.
• Download the created Push Certificate.

Portal link: https://identity.apple.com/

Step 3: Upload the Push Certificate

Upload the Push Certificate you downloaded from Apple back into Cerberus Enterprise to complete the setup.

If the APNs certificate expires, Apple device management will stop working until the certificate is renewed.

Next steps

After APNs is configured, you can proceed with Apple device enrollment. Continue with Apple provisioning overview.

Device provisioning overview

Cerberus Enterprise supports device management for both Android and Apple platforms. You can configure either platform independently, depending on the devices you need to enroll.

1. Complete platform setup in the dashboard

Before enrolling devices, complete the platform setup in the Cerberus Enterprise dashboard. If your account is not configured yet, the dashboard will guide you through the required steps.

Android setup (Google Android Enterprise)

For the complete Android setup procedure, read Android Management setup.

• Go to the dashboard Signup flow and select Setup Android Management.
• You will be redirected to Google to sign in with a work account and authorize Android Enterprise.
• After authorization, you will be redirected back to Cerberus Enterprise to complete the setup.

Apple setup (APNs push certificate)

For the complete Apple setup procedure, read Apple Management setup (APNs).

• Go to the dashboard Signup flow and select Setup Apple Management.
• Download the CSR file from Cerberus Enterprise.
• Create the APNs certificate in the Apple Push Certificates Portal and download the resulting certificate.
• Upload the downloaded certificate back into Cerberus Enterprise to enable Apple device management.

2. Enroll devices

After completing platform setup, choose the enrollment method that matches your device ownership model and the OS.

Android enrollment

For Android, enrollment is driven by Enrollment tokens. Select the appropriate method depending on whether the device is personally-owned or company-owned.

• Personally-owned (BYOD / work profile): follow this guide.
• Company-owned (work and personal use / work profile): follow this guide.
• Company-owned (work use only / fully managed or dedicated): follow this guide.
• Zero-touch: follow this guide.

Apple enrollment

For Apple, start by completing the APNs setup described above, then follow the Apple provisioning guides: Apple provisioning overview.

Device Provisioning - Android

Supported devices

In general, any device running Android 6+ with Google Play Services is compatible with Cerberus Enterprise.

For a better user experience, we suggest using devices that meet the Android Enterprise Recommended requirements.

Some features are limited to specific Android versions, or may behave differently across OS versions. For more information about a specific feature, see the Policies section of the documentation.

Cerberus Enterprise supports both company-owned and personally-owned devices, and two management modes: device owner and profile owner.

Personally-owned devices can be managed through a work profile. This enables a BYOD solution by keeping employees' work data and apps separate from personal data and apps, improving both security and privacy. This option is suitable for devices already owned by employees that you want to enroll in your organization for work use.

Company-owned devices can also be managed through a work profile, but you can also choose the fully managed option, which allows stricter control over the device. Company-owned devices with a work profile are suitable when you provide corporate devices to employees for work, while still allowing personal use. Fully managed devices are better suited for devices that must be used only for work, or for dedicated devices (COSU, corporate-owned single-use), such as kiosks.

For more information on device provisioning, see the Device provisioning overview page.

Enrollment tokens

Cerberus Enterprise uses enrollment tokens to start the Android device enrollment (provisioning) process. The token you select defines the initial policy applied to enrolled devices and influences which provisioning modes are allowed.

The Android enrollment tokens tab is available only after completing Android Management setup.

Where to find enrollment tokens

In the dashboard, open Enrollment tokens. Depending on your account configuration, the page can show multiple tabs (Android tokens, Google sign-in enrollment, Apple manual enrollment, and Apple Automated Device Enrollment).

If your Android enterprise is backed by a managed Google domain (Google Workspace), the dashboard can also show an Authenticate Using Google Enrollment tab. For details on enabling and using it, see Authenticate Using Google enrollment.

Enrollment tokens list (Android)

The Android tokens tab shows a table of all tokens. Clicking a row opens the token details page.

Columns

• Id: internal token identifier.
• Status: Available, Used (one-time token already used), or Expired.
• Expiration: expiration date/time, or Never.
• Policy: the policy assigned to the token (the UI tooltip also shows the policy id).
• Personal usage: Allowed / Disallowed / Dedicated device.
• Allowed usages: Multiple or One time only.
• User: optional user pre-assigned to devices enrolled with the token.

Actions

• Each row has a delete action (Delete enrollment token). Deletion is disabled when the license is expired.
• The table supports multi-row selection: you can enable selection mode, select multiple tokens, and delete them with Delete selected tokens.
• Use the refresh action to reload the list. The table is paginated (10/25/50 items per page).

Create a new enrollment token

On the Android tokens tab, click New enrollment token to open the token creation page. If your license is expired, the create button is disabled.

Token options

1. Policy

Required. The policy automatically applied to all devices enrolled using this token. Select one of your Android policies. If you don't have any policy yet, create one first.

2. User

Optional. If set, newly enrolled devices are automatically associated with this user.

3. Personal usage

Controls whether personal usage is allowed on a device provisioned with this enrollment token:

• Allowed: suitable for personally-owned devices (work profile) and company-owned devices for work and personal use.
• Disallowed: suitable for company-owned devices for work use only (fully managed).
• Dedicated device: suitable for kiosk/dedicated devices (device is not associated with a single user).

4. Allowed usages

Select whether the token can be used multiple times (Multiple) or only once (One time only).

5. Expiration

Select the expiration unit (Minutes, Hours, Days, or Never). When not set to Never, enter the expiration value. The allowed range depends on the selected unit and can go up to 10,000 days.

Provisioning options (QR code only)

These additional options are embedded into the QR code and are applied during provisioning of fully managed devices enrolled by scanning the QR code. They do not apply to work profiles or devices enrolled using the Enrollment URL or Token.

Wi‑Fi configuration

Use this to let a device automatically connect to Wi‑Fi during provisioning, so it can download and initialize the management app. Available fields include SSID, Hidden SSID, Security, and (when needed) Passphrase.

You can also configure an HTTP proxy (Proxy) and, depending on the mode, set Host/Port, PAC URI, and Proxy bypass host.

Other options

Additional options include Locale, Time zone, and Skip encryption.

Enrollment token details

When you open a token, the details page shows the token configuration and usage information:

• Status, Expiration, Usage, Personal usage, and Allowed usages.
• Token: the raw enrollment token value (copyable).
• Enrollment URL: a Google Android Enterprise enrollment URL (copyable and sendable by email).
• QR code: shown on the right side of the page, used to enroll fully managed devices.

For step-by-step provisioning procedures, follow the Android enrollment guides: Personally-owned devices, Company-owned devices for work and personal use, Company-owned devices for work use only, and Zero-touch.

Personally-owned devices

Enrollment token link

Android version

6.0+

Add work profile from "Settings"

Android version

6.0+

Download Android Device Policy

Android version

6.0+

Company-owned devices for work and personal use

• Most app, data, and other management policies apply to the work profile only.
• Employees' personal profiles remain private. However, enterprises can enforce certain device-wide policies and personal usage policies.
• Enterprises can use Block scope to enforce compliance actions on an entire device or only its work profile.
• Device disenrolling and device commands apply to an entire device.

QR code method

Android version

8.0+

Company-owned devices for work use only

QR code method

Android version

7.0+

DPC identifier method

Android version

5.1+

Zero-touch

IT admins can provision company-owned devices using the zero-touch enrollment method, outlined in Zero-touch enrollment for IT admins. When a device is first turned on, the device is automatically forced into the settings defined by the IT admin.

IT admins can preconfigure devices purchased from authorized resellers and manage them using the Cerberus Enterprise dashboard. To link your Zero-touch account, go to Zero-touch section in the dashboard, then follow the instructions.

Android version	Work profile	Fully managed device	Dedicated device
8.0+ (Pixel 7.1+)	✓	✓	✓

Authenticate Using Google enrollment

Authenticate Using Google enrollment (also referred to as Google Authentication for Enrollment) lets users authenticate with their Google Workspace account during Android device enrollment.

This feature is available only for Android enterprises backed by a managed Google domain (Google Workspace).

Where to find it

In the dashboard, open Enrollment tokens and select the Authenticate Using Google Enrollment tab. The tab is shown only when Android Management is configured and the Google Workspace integration is available for your enterprise.

Enable (or disable) Google Authentication

Google Authentication is enabled from the Google Admin console. After changing the setting, return to Cerberus Enterprise and use Refresh Status to reload the current configuration.

1. Log in to your Google Admin console with an administrator account.
2. Open Devices.
3. Go to Mobile & endpoints → Settings → Third-party integrations.
4. Find the Android EMM integration for Cerberus Enterprise and open it.
5. Click Manage EMM providers.
6. Toggle Authenticate Using Google to enable or disable Google authentication for enrollment.
7. Click Save.
8. Return to the Cerberus Enterprise dashboard and click Refresh Status on the Authenticate Using Google Enrollment tab.

Google Authentication Enrollment Token

When Google Authentication is enabled, the dashboard shows a dedicated enrollment token used for this enrollment mode. The page can show a QR code, an Enrollment Token value, and an Enrollment URL (copyable and sendable by email).

Key options

• Allow Personal Usage: controls whether the token can enroll devices for work and personal use (work profile scenarios) or work use only (fully managed / dedicated scenarios).
• Fallback Default Policy: the policy applied when the enrolling user does not have a specific Google Authentication default policy assigned.

Policy interaction

The policy setting Work account setup authentication (workAccountSetupConfig.authenticationType) controls how users authenticate during work account setup, but the Google Admin Console setting Authenticate Using Google and the enrollment token type can still require authentication.

For already enrolled devices, this policy only applies if the device is managed by a managed Google Play account (i.e., enrolled without Authenticate Using Google Enrollment).

Some actions (for example changing token options) can be disabled when the license is expired.

Enroll a device

During enrollment, the user is prompted to authenticate with their Google Workspace account. After a successful enrollment, the device is associated with the authenticated user.

Work profile (personally-owned devices)

• Share the Enrollment URL with the user. When the user opens it on their Android device, they are guided through work profile setup and Google authentication.
• Alternatively, the user can start from Android Settings and choose the work profile setup flow, then scan the QR code or enter the enrollment token when prompted.

Company-owned devices

• QR code method: on a new or factory-reset device, tap the screen multiple times in the same spot until the QR code prompt appears, then scan the QR code shown in the dashboard.
• DPC identifier method (when QR scanning is not available): follow the setup wizard, connect to Wi‑Fi, then when prompted to sign in enter afw#setup and proceed by scanning the QR code or entering the enrollment token. When prompted, authenticate with the Google Workspace account.

For general Android provisioning procedures (work profile vs fully managed), see the standard Android enrollment pages in this manual.

Device Provisioning - Apple

Apple provisioning overview

Cerberus Enterprise supports enrolling and managing Apple devices. Apple provisioning requires an APNs certificate and can be performed using different enrollment methods.

Prerequisite: configure Apple Management (APNs)

Before enrolling any Apple device, complete Apple Management setup (APNs).

Choose an enrollment method

Manual enrollment (Enrollment Profile)

This method provides an enrollment URL and a configuration profile file (mobileconfig) that you install on the device. Read Apple manual enrollment.

Automated Device Enrollment (ADE)

This method integrates with Apple Business Manager to automate enrollment for company-owned devices. Read Apple Automated Device Enrollment (ADE).

You can use manual enrollment and ADE in parallel, depending on your device fleet and purchasing process.

Apple manual enrollment (Enrollment Profile)

Cerberus Enterprise supports manual enrollment for Apple devices using an enrollment URL and an enrollment profile file.

Manual enrollment is available when Apple Management (APNs) is configured. If you have not completed APNs setup yet, read Apple Management setup (APNs).

Get the enrollment URL and profile

• Open the Enrollment section in the dashboard and select the Apple manual enrollment (Enrollment Profile) tab.
• Copy the Enrollment URL, or use the send-by-email action.
• Download the Enrollment Profile (mobileconfig file).

How to enroll an iPhone or iPad

iOS/iPadOS 15.0+

1. Send the enrollment profile file (enroll.mobileconfig) to the device, or open the Enrollment URL in Safari on the device.
2. On the device, open Settings → Profile Downloaded → Install, then follow the instructions.
3. After enrollment, you can verify the status in Settings → General → VPN & Device Management (or Profiles & Device Management).

Only install enrollment profiles that you obtained from your Cerberus Enterprise dashboard.

Apple Automated Device Enrollment (ADE)

Automated Device Enrollment (ADE) integrates with Apple Business Manager (ABM) to automatically enroll company-owned devices when they are turned on for the first time (or after a factory reset).

ADE requires Apple Management (APNs) to be configured first. If needed, read Apple Management setup (APNs).

How to enroll devices automatically

1. Add devices to your Apple Business Manager account.
2. After adding new devices to your ABM account, sync them in Cerberus Enterprise from the Devices section using the Sync from ABM action.
3. Create an ADE profile in the dashboard from Enrollment → Apple Automated Device Enrollment (ADE) → New ADE profile.
4. Assign an ADE profile to a device from the device details page using the ADE profile field.

ADE profile settings (overview)

An ADE profile controls how the device is enrolled and how Setup Assistant behaves. In Cerberus Enterprise, an ADE profile includes a name, an optional initial policy, and some enrollment options.

Profile name

A human-readable name for the profile (for example, Default ADE profile).

Policy

The policy initially applied to enrolled devices. You can assign a policy when creating a new ADE profile.

Enrollment options

• MDM removable: controls whether the MDM payload can be removed from the device.
• Allow pairing: controls whether pairing is allowed (deprecated by Apple in iOS 13).
• Auto-advance setup: automatically advances Setup Assistant through its screens.
• Await device configured: blocks Setup Assistant until the server marks the device as configured.
• Mandatory: prevents skipping profile application during setup.
• Multi user (Shared iPad): configures the device for Shared iPad.
• Supervised: requests supervision for the device.

After a device has an ADE profile assigned, it is ready to be automatically enrolled.

Policies overview

The Policies section of the dashboard (Dashboard → Policies) lists all policies in your account and lets you create, copy, edit, and delete them.

Policy list

Policies are displayed in a table. Clicking a row opens the corresponding policy editor.

Columns

• Id: internal policy identifier.
• MDM: the platform for the policy (Android or Apple).
• Name: policy name.
• Description: policy description.
• Devices: number of enrolled devices currently assigned to the policy.

Filters and search

• If both Android Management and Apple Management are configured, you can filter the list by All, Android, or Apple.
• You can enable Search and search by policy name or description.

Refresh and pagination

• Use the refresh action to reload the list.
• The table is paginated (10/25/50 items per page).

Create a new policy

At the bottom of the Policies page you can create a new policy. Depending on which platform is configured in your account, you may see one or both of these actions:

• Create new Android policy
• Create new Apple policy

If your license is expired, policy creation (and other write actions) are disabled.

Copy and delete policies

Each policy row has an actions menu that includes Copy policy and Delete policy.

Delete policy warnings

When deleting a policy, the dashboard may show additional warnings depending on how the policy is used.

• If the policy is assigned to enrolled devices, deleting it will disenroll the associated devices and wipe their apps and data.
• If the policy is assigned to enrollment tokens, those tokens may no longer be able to complete enrollment.
• If the policy is set as a default for Google Authentication enrollment (globally or for some users), deleting it can cause enrollments to fail.

Delete multiple policies

The Policies list supports multi-row selection for bulk deletion. In multi-select mode, you can select multiple policies and delete them in one action.

Bulk deletion is only enabled when all selected policies belong to the same platform (all Android or all Apple).

Next: edit policy settings

The Policies list is the entry point. To configure policy settings, use the appropriate editor documentation: Policies → Android and Policies → Apple.

Policies referenced by enrollment tokens are applied automatically during device enrollment.

Policies - Android

Summary

Android policies are the core entities of the system: they define the rules that are applied and enforced on managed devices.

You can browse your policies and create new ones from the Policies section of the dashboard. To open an Android policy, click the policy row in the table: the system opens the Policy Editor page.

A policy can be associated with an enrollment token, so it will be automatically applied to devices during the provisioning process. You can also change the policy assigned to a device after provisioning.

Each device can be associated with only one policy at a time.

Many policy options only apply to specific device types (fully managed, dedicated, work profile) and Android versions. Unsupported settings may be ignored by the device, or reported as non-compliant.

Policy Editor layout

The Policy Editor is organized as a set of expandable sections. At the top of the page you can always edit:

• Name (required)
• Id (read-only)
• Description (optional)

The sections below match the Policy Editor panels (for example: App management, Security, Networking, System, Personal usage, Cross-profile policies, and more). Use the chapter pages of this manual to understand each panel in detail.

Save, delete, and associated devices

Use Save policy to apply your changes. The button is disabled when there are no pending edits, or when the license is expired.

If you opened an existing policy (it has an Id), the page shows a Delete policy action and an Associated devices list at the bottom, so you can see how many devices are currently using the policy.

App management

In this section, you can set policies related to app availability, installation, updates, and permission management.

Managed Google Play Accounts are automatically created when devices are provisioned.

 

1. Play Store mode

This mode controls which apps are available to the user in the Play Store and the behavior on the device when apps are removed from the policy.

Whitelist (default): Only apps that are in the policy are available and any app not in the policy will be automatically uninstalled from the device. The Play Store will only show available apps.

Blacklist: All apps are available and any app that should not be on the device should be explicitly marked as blocked in the applications policy. The Play Store will show all apps, except blocked ones.

 

2. Untrusted apps policy

The policy for untrusted apps (apps from unknown sources) enforced on the device. This option controls the Android system setting that determines whether a user can install apps from outside the Play Store (sideloading).

Disallow (default): Disallow untrusted app installs on the entire device.

Personal profile only: For devices with work profiles, allow untrusted app installs in the device's personal profile only.

Allow: Allow untrusted app installs on the entire device.

 

3. Google Play Protect

Whether Google Play Protect app verification is enforced.

Enforced (default): Force-enables app verification.

User choice: Allows the user to choose whether to enable app verification.

 

4. Default permission policy

The policy for granting runtime permission requests to apps.

Prompt (default): Prompt the user to grant a permission.

Grant: Automatically grant a permission.

Deny: Automatically deny a permission.

 

5. App functions

Controls whether apps on fully managed devices or in work profiles are allowed to expose app functions. Requires Android 16 or above.

Allowed (default): Apps on fully managed devices or in work profiles can expose app functions.

Disallowed: Apps on fully managed devices or in work profiles cannot expose app functions.

 

6. Install apps disabled

Whether user installation of apps is disabled.

 

7. Uninstall apps disabled

Whether user uninstallation of applications is disabled.

 

8. Permission policies

Explicit permission or group grants or denials for all apps. These values override the Default permission policy setting.

Use Add permission policy to create entries and remove them with the delete action.

Each entry includes:

Android permission/group: The Android permission or group (required), for example android.permission.READ_CALENDAR or android.permission_group.CALENDAR.

Policy: Grant / Deny / Prompt (uses the same policy options as Default permission policy).

 

9. Applications

List of applications that must be included in the policy. The behavior of the list's content depends on the value set on Play Store mode.

If Play Store mode is set to whitelist, only apps that are in the policy are available and any app not in the policy will be automatically uninstalled from the device.

If Play Store mode is set to blacklist, all apps are available and any app that should not be on the device should be explicitly marked as blocked in the applications policy.

To add a new app, click on the Add applications button (or the Add applications icon), then choose the app from Play Store and click on the Select button in the app card.

All apps that are published on the Play Store in your country are available for selection by default. To select your own private or web apps, you must upload them to the system first. For more information read the Private apps page.

Each app can be configured with its own settings, that are visually contained in a card:

9.1. Install type

The type of installation to perform for an app.

Available: The app is available to install.

Preinstalled: The app is automatically installed and can be removed by the user.

Force installed: The app is automatically installed and can't be removed by the user.

Blocked: The app is blocked and can't be installed. If the app was installed under a previous policy, it will be uninstalled.

Required for setup: The app is automatically installed and can't be removed by the user and will prevent setup from completion until installation is complete.

Kiosk: The app is automatically installed in kiosk mode: it's set as the preferred home intent and whitelisted for lock task mode. Device setup won't complete until the app is installed. After installation, users won't be able to remove the app. You can only set this install type for one app per policy. When this is present in the policy, status bar will be automatically disabled. For more information please read the dedicated Kiosk mode page.

9.2. Install constraints

Defines a set of restrictions for the app installation. When multiple constraints are selected, all of them must be satisfied for the app to be installed.

This option is shown only when the Install type is Preinstalled or Force installed.

Unmetered network: Install the app only when the device is connected to an unmetered network (e.g. Wi‑Fi).

Charging: Install the app only when the device is charging.

Idle: Install the app only when the device is idle.

9.3. Auto-update mode

Controls the auto-update mode for the app.

Default: The app is automatically updated with low priority to minimize the impact on the user. The app is updated when all of the following constraints are met: (1) the device is not actively used, (2) the device is connected to an unmetered network, (3) the device is charging. The device is notified about a new update within 24 hours after it is published by the developer, after which the app is updated the next time the constraints above are met.

Postponed: The app is not automatically updated for a maximum of 90 days after the app becomes out of date. 90 days after the app becomes out of date, the latest available version is installed automatically with low priority (see Default Auto-update mode). After the app is updated, it is not automatically updated again until 90 days after it becomes out of date again. The user can still manually update the app from the Play Store at any time.

High priority: The app is updated as soon as possible. No constraints are applied. The device is notified immediately about a new update after it becomes available.

9.4. Minimum version code

The minimum version of the app that runs on the device. If set, the device attempts to update the app to at least this version code. If the app is not up-to-date, the device will contain a Non compliance detail with Non compliance reason set to APP_NOT_UPDATED. The app must already be published to Google Play with a version code greater than or equal to this value. At most 20 apps may specify a minimum version code per policy.

9.5. Delegated scopes

The scopes delegated to the app from Android Device Policy. You can grant other apps a selection of special Android permissions:

Certificate installation: Grants access to certificate installation and management.

Managed configurations: Grants access to managed configurations management.

Block uninstall: Grants access to blocking uninstallation.

Permissions: Grants access to permission policy and permission grant state.

Package access: Grants access to package access state.

System app: Grants access for enabling system apps.

9.6. Preferential Network

The preferential network service to use for this app. If set, the app will use the specified enterprise network slice for its connections when available. This must match a network slice configured in the 5G Network Slicing Configuration section of the Cellular panel.

9.7. Default permission policy

The default policy for all permissions requested by the app. If specified, this overrides the policy-level Default permission policy which applies to all apps. It does not override the Permission policies which applies to all apps.

Prompt (default): Prompt the user to grant a permission.

Grant: Automatically grant a permission.

Deny: Automatically deny a permission.

9.8. Connected work and personal app

Controls whether the app can communicate with itself across a device's work and personal profiles, subject to user consent (Android 11+).

Disallowed (default): Prevents the app from communicating cross-profile.

Allowed: Allows the app to communicate across profiles after receiving user consent.

9.9. Always On VPN lockdown exemption

Specifies whether the app is allowed networking when the VPN is not connected and lockdown enabled is active. Only supported on devices running Android 10 and above.

Enforced (default): The app respects the always-on VPN lockdown setting.

Exempt: The app is exempt from the always-on VPN lockdown setting.

9.10. Work profile widgets

Specifies whether the app installed in the work profile is allowed to add widgets to the home screen.

Allowed: The application can add widgets to the home screen.

Disallowed: The application cannot add widgets to the home screen.

9.11. User control settings

Specifies whether user control is permitted for a given app. User control includes user actions like force-stopping and clearing app data (Android 11+). If extensionConfig is enabled for an app, user control is disallowed regardless of this setting. For kiosk apps, you can use Allowed to allow user control.

Unspecified: Uses the default behavior of the app to determine if user control is allowed or disallowed.

Allowed: User control is allowed for the app.

Disallowed: User control is disallowed for the app.

9.12. Disabled

Whether the app is disabled. When disabled, the app data is still preserved.

9.13. Allow Credential Provider

Whether the app is allowed to act as a credential provider on Android 14 and above.

9.14. Managed configuration

To configure the app's managed settings, click on the Enable managed configuration button. If a managed configuration is already set for the app, you can modify the configuration with the Managed configuration button, or delete it with the Remove configuration button.

Managed configuration option is available only for apps that supports this functionality.

9.15. Permission policies

Explicit permission grants or denials for the app. These values override the Default permission policy and Permission policies which apply to all apps.

Use Add permission policy to add one or more permission rules for the app card and remove them with the delete action.

9.16. Track IDs

List of the app’s closed testing track IDs that a device can access. If multiple track IDs are selected, devices receive the latest version among all accessible tracks. If no track IDs is selected, devices only have access to the app’s production track.

Track IDs option is available only for apps that have at least one track ID available for your organization. For more details on how to add your organization to a closed testing track for a specific app please read here. 

 

10. Default application settings

Set default apps for supported types. When a default app is set for at least one type, users are prevented from changing default apps in that profile.

Only one default application setting is allowed per Default application type. The list of default applications must not contain duplicates.

10.1. Default application type

Select the app category to configure (for example Browser, Dialer, SMS, Wallet, or Assistant). Availability depends on Android version and management mode.

10.2. Default application scopes

Select where the default app should apply (Fully managed, Work profile, or Personal profile). Only scopes supported by the selected type can be chosen.

If none of the selected scopes are applicable to the device’s management mode, the device reports a non‑compliance detail.

10.3. Default applications

List of apps that can be set as default for the selected type. The first installed and eligible app is set as the default.

If scopes include Fully managed or Work profile, each app must also exist in the Applications list with Install type not set to Blocked.

 

11. Private key selection

Allows showing UI on a device for a user to choose a private key alias if there are no matching rules in Choose private key rules.

For devices below Android P, setting this may leave enterprise keys vulnerable.

 

12. Choose private key rules

Controls apps' access to private keys. The rule determines which private key, if any, Android Device Policy grants to the specified app. Access is granted either when the app calls KeyChain.choosePrivateKeyAlias (or any overloads) to request a private key alias for a given URL, or for rules that are not URL-specific (that is, if urlPattern is not set, or set to the empty string or .*) on Android 11 and above, directly so that the app can call KeyChain.getPrivateKey, without first having to call KeyChain.choosePrivateKeyAlias. When an app calls KeyChain.choosePrivateKeyAlias if more than one choosePrivateKeyRules matches, the last matching rule defines which key alias to return.

Use Add private key rule to create entries and remove them with the delete action.

12.1. Private key alias

The alias of the private key to be used.

12.2. URL pattern

The URL pattern to match against the URL of the request. If not set or empty, it matches all URLs. This uses the regular expression syntax of java.util.regex.Pattern.

12.3. Package names

The package names to which this rule applies. The hash of the signing certificate for each app is verified against the hash provided by Play. If no package names are specified, then the alias is provided to all apps that call KeyChain.choosePrivateKeyAlias or any overloads (but not without calling KeyChain.choosePrivateKeyAlias, even on Android 11 and above). Any app with the same Android UID as a package specified here will have access when they call KeyChain.choosePrivateKeyAlias.

Use Add package name to add entries and remove them with the delete action.

 

To delete an app, click on the trashbin icon, on the bottom of the app's card. 

 

 

Kiosk mode

With kiosk mode, you can restrict a device's functionality to a single app or multiple apps. Choosing between single-app and multi-app kiosk mode depends on your business goals.

In single-app kiosk mode, a device is configured for a single application and does not allow end-users to access other apps on the device. They also cannot exit the app, making it a dedicated device for that specific app. To enable this mode, specify an app in the App management section with Install type set to Kiosk.

In multi-app kiosk mode, devices are allowed access to multiple applications. End-users can navigate between multiple apps  through a custom launcher. To enable this mode, turn on the Kiosk custom launcher option.

When kiosk mode is enabled, you can also configure whether end users can access certain system features, such as system settings and the status bar.

 

Kiosk custom launcher

Whether the kiosk custom launcher is enabled. This replaces the home screen with a launcher that locks down the device to the apps installed via the App management setting. Apps appear on a single page in alphabetical order.

 

Power button actions

Sets the behavior of a device in kiosk mode when a user presses and holds (long-presses) the Power button.

Available (default): The power menu (e.g. Power off, Restart) is shown when a user long-presses the Power button of a device in kiosk mode.

Blocked: The power menu (e.g. Power off, Restart) is not shown when a user long-presses the Power button of a device in kiosk mode. Note: this may prevent users from turning off the device.

 

System error warnings

Specifies whether system error dialogs for crashed or unresponsive apps are blocked in kiosk mode. When blocked, the system will force-stop the app as if the user chooses the "close app" option on the UI.

Blocked (default): All system error dialogs, such as crash and app not responding (ANR) are blocked. When blocked, the system force-stops the app as if the user closes the app from the UI.

Enabled: All system error dialogs such as crash and app not responding (ANR) are displayed.

System navigation

Specifies which navigation features are enabled (e.g. Home, Overview buttons) in kiosk mode.

Disabled (default): The home and Overview buttons are not accessible.

Home only: Only the home button is enabled.

Enabled: Home and overview buttons are enabled.

 

Status bar

Specifies whether system info and notifications are disabled in kiosk mode.

Disabled (default): System info and notifications are disabled in kiosk mode.

System only: Only system info is shown on the status bar.

Enabled: System info and notifications are shown on the status bar in kiosk mode. Note: For this policy to take effect, the device's home button must be enabled using kioskCustomization.systemNavigation.

 

Device settings

Specifies whether the Settings app is allowed in kiosk mode.

Allowed (default): Access to the Settings app is allowed in kiosk mode.

Blocked: Access to the Settings app is not allowed in kiosk mode.

Security

In this section, you can configure security-related policies.

 

Security risk actions

Choose what to do when a device reports a SecurityRisk in status reports.

 

Supported SecurityRisk types:

Unknown OS: Play Integrity API detects that the device is running an unknown OS (basicIntegrity check succeeds but ctsProfileMatch fails).

Compromised OS: Play Integrity API detects that the device is running a compromised OS (basicIntegrity check fails).

Hardware-backed evaluation failed: Play Integrity API detects that the device does not have a strong guarantee of system integrity, if the MEETS_STRONG_INTEGRITY label doesn't show in the device integrity field.

 

Available actions:

Wipe corporate data (default): Disenroll and wipe work data (entire device if fully managed, or only work profile for profile-owned).

No action: Leave the device enrolled and do nothing automatically.

 

When you select Wipe corporate data, you can also configure wipe options:

Preserve factory-reset protection: Preserve Factory Reset Protection (FRP) data when wiping the device.

Wipe external storage: Additionally wipe the device's external storage (such as SD cards) when performing the wipe.

Wipe eSIMs: For company-owned devices, this removes all eSIMs from the device when the device is wiped. In personally-owned devices, this will remove managed eSIMs (eSIMs which are added via the ADD_ESIM command) on the devices and no personally owned eSIMs will be removed.

 

1. Max time to lock

Maximum time (in seconds) for user activity until the device locks. A value of 0 means there is no restriction.

 

2. Stay on when charging

The battery plugged in modes for which the device stays on. When using this setting, it is recommended to clear Maximum time to lock so that the device doesn't lock itself while it stays on.

AC charger: Power source is an AC charger.

USB port: Power source is a USB port.

Wireless charger: Power source is wireless.

 

3. Keyguard disabled

If true, this disables the Lock Screen for primary and/or secondary displays. This policy is supported only in dedicated device management mode.

 

4. Password requirements

Password requirement policies.

Use Configure Password Requirements to add one or more password requirement blocks. Use Clear All to remove all configured password requirements.

Password requirements can use Auto scope (single requirement) or separate Device/Work profile scopes. Complexity-based requirements must be coupled with quality-based requirements for the same scope.

4.1. Scope

The scope that the password requirement applies to.

Auto: The scope is unspecified. The password requirements are applied to the work profile for work profile devices and the whole device for fully managed or dedicated devices.

Device: The password requirements are only applied to the device.

Work profile: The password requirements are only applied to the work profile.

4.2. Password history length

The length of the password history. After setting this field, the user won't be able to enter a new password that is the same as any password in the history. A value of 0 means there is no restriction.

4.3. Max failed passwords for wipe

Number of incorrect device-unlock passwords that can be entered before a device is wiped. A value of 0 means there is no restriction.

4.4. Password expiration timeout (days)

This setting forces the user to periodically update their password, after the specified number of days.

4.5. Require password unlock

The length of time after a device or work profile is unlocked using a strong form of authentication (password, PIN, pattern) that it can be unlocked using any other authentication method (e.g. fingerprint, trust agents, face). After the specified time period elapses, only strong forms of authentication can be used to unlock the device or work profile.

Device’s default: The timeout period is set to the device’s default.

Every day: The timeout period is set to 24 hours.

4.6. Password quality

The required password quality.

Complexity high: Define the high password complexity band as: On Android 12 and above: PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences, length at least 8; alphabetic, length at least 6; alphanumeric, length at least 6.

Complexity medium: Define the medium password complexity band as: PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences, length at least 4; alphabetic, length at least 4; alphanumeric, length at least 4.

Complexity low: Define the low password complexity band as: pattern; PIN with repeating (4444) or ordered (1234, 4321, 2468) sequences.

None: There are no password requirements.

Weak: The device must be secured with a low-security biometric recognition technology, at minimum. This includes technologies that can recognize the identity of an individual that are roughly equivalent to a 3-digit PIN (false detection is less than 1 in 1,000).

Any: A password is required, but there are no restrictions on what the password must contain.

Numeric: The password must contain numeric characters.

Numeric complex: The password must contain numeric characters with no repeating (4444) or ordered (1234, 4321, 2468) sequences.

Alphabetic: The password must contain alphabetic (or symbol) characters.

Alphanumeric: The password must contain both numeric and alphabetic (or symbol) characters.

Complex: The password must meet the minimum requirements specified in passwordMinimumLength, passwordMinimumLetters, passwordMinimumSymbols, etc. For example, if passwordMinimumSymbols is 2, the password must contain at least two symbols.

4.7. Minimum length

The minimum allowed password length. A value of 0 means there is no restriction.

4.8. Minimum letters

Minimum number of letters required in the password.

4.9. Minimum lower case letters

Minimum number of lower case letters required in the password.

4.10. Minimum upper case letters

Minimum number of upper case letters required in the password.

4.11. Minimum non letter characters

Minimum number of non-letter characters (numerical digits or symbols) required in the password.

4.12. Minimum numerical digits

Minimum number of numerical digits required in the password.

4.13. Minimum symbols

Minimum number of symbols required in the password.

4.14. Unified lock

Controls whether a unified lock is allowed for the device and the work profile, on devices running Android 9 and above with a work profile. This has no effect on other devices.

Allow unified lock: A common lock for the device and the work profile is allowed.

Require separate work lock: A separate lock for the work profile is required.

 

5. Factory reset disabled

Whether factory resetting from settings is disabled. Only apply to fully managed devices.

 

6. Factory reset protection

Email addresses of device administrators for factory reset protection. When the device experiences an unauthorized factory reset, it will require one of these admins to log in with the Google account email and password to unlock the device. If no admins are specified, the device won't provide factory reset protection. Only apply to fully managed devices.

Administrator emails: use Enable Factory Reset Protection to start configuring administrators. Then use Add administrator email to add addresses and remove them with the delete action.

 

7. Keyguard features

Keyguard (lock screen) features that can be disabled.

7.1. Disable all

Disable all current and future keyguard customizations.

7.2. Disable camera

Disable the camera on secure keyguard screens (e.g. PIN).

7.3. Disable notifications

Disable showing all notifications on secure keyguard screens.

7.4. Disable unredacted notifications

Disable unredacted notifications on secure keyguard screens.

7.5. Ignore trust agent state

Ignore trust agent state on secure keyguard screens.

7.6. Disable fingerprint

Disable fingerprint sensor on secure keyguard screens.

7.7. Disable text entry into notifications

Disable text entry into notifications on secure keyguard screens.

7.8. Disable face authentication

Disable face authentication on secure keyguard screens.

7.9. Disable iris authentication

Disable iris authentication on secure keyguard screens.

7.10. Disable all biometric authentication

Disable all biometric authentication on secure keyguard screens.

7.11. Disable all shortcuts

Disable all shortcuts on secure keyguard screen on Android 14 and above.

Multimedia

In this section, you can configure camera/microphone behavior, USB data access, printing, and display-related restrictions.

 

1. Camera access

Controls the use of the camera and whether the user can access the camera access toggle (Android 12+). In general, disabling the camera applies device-wide on fully managed devices, and only inside the work profile on work profile devices.

User choice (default): Default device behavior. Cameras are available and (Android 12+) the user can toggle camera access.

Disabled: All cameras are disabled (fully managed: device-wide; work profile: only for work profile apps). The camera access toggle has no effect in the managed scope.

Enforced: Cameras are available. On fully managed devices running Android 12+, the user cannot toggle camera access. On other devices/versions this behaves like User choice.

 

2. Microphone access

On fully managed devices, controls the use of the microphone and whether the user can access the microphone access toggle (Android 12+). This setting has no effect on devices that are not fully managed.

User choice (default): Default behavior. Microphone is available and (Android 12+) the user can toggle microphone access.

Disabled: Microphone is disabled (device-wide). The microphone access toggle has no effect.

Enforced: Microphone is available. On Android 12+, the user cannot toggle microphone access. On Android 11 or below, this behaves like User choice.

 

3. USB data access

Controls what files and/or data can be transferred via USB. Supported only on company-owned devices.

Disallow file transfer (default): File transfers are disallowed, but other USB data connections (e.g. mouse/keyboard) are allowed.

Disallow data transfer: All types of USB data transfers are prohibited (Android 12+ with USB HAL 1.3+). If unsupported, the device falls back to Disallow file transfer.

Allow data transfer: All types of USB data transfers are allowed.

 

4. Printing

Controls whether printing is allowed (Android 9+).

Allowed (default): Printing is allowed.

Disallowed: Printing is disallowed (Android 9+).

 

5. Screen brightness settings

Controls the screen brightness mode and (optionally) the brightness value.

Screen brightness mode:

User choice (default): The user is allowed to configure screen brightness.

Automatic: Brightness is automatic and the user cannot change it. You can still set a brightness value, which is used as part of automatic adjustment (fully managed Android 9+; work profiles on company-owned Android 15+).

Fixed: Brightness is set to the configured value and the user cannot change it. The brightness value is required (fully managed Android 9+; work profiles on company-owned Android 15+).

Screen brightness:

Value from 1 to 255 (1 = lowest, 255 = highest). A value of 0 means no brightness value is set.

 

6. Screen timeout settings

Controls whether the user can configure the screen timeout and, when enforced, the timeout value.

The Screen timeout mode field selects between user-controlled and enforced behavior.

User choice (default): The user is allowed to configure the screen timeout.

Enforced: Screen timeout is set to the configured value and the user cannot change it (fully managed Android 9+; work profiles on company-owned Android 15+).

Screen timeout:

Timeout duration in seconds. The value must be greater than 0. If it is greater than Maximum time to lock, the system may clamp it and report non-compliance.

 

7. Screen capture disabled

Whether screen capture is disabled.

 

8. Adjust volume disabled

Whether adjusting the master volume is disabled.

 

9. Mount physical media disabled

Whether mounting physical external media is disabled.

Cellular

In this section, you can configure cellular-related policies.

 

1. Airplane mode

Controls whether airplane mode can be toggled by the user or not.

User choice (default): The user is allowed to toggle airplane mode on or off.

Disabled: Airplane mode is disabled. The user is not allowed to toggle airplane mode on. Supported on Android 9 and above.

 

2. Cellular 2G

Controls whether cellular 2G setting can be toggled by the user or not.

User choice (default): The user is allowed to toggle cellular 2G on or off.

Disabled: Cellular 2G is disabled. The user is not allowed to toggle cellular 2G on via settings. Supported on Android 14 and above.

 

3. Override APNs

Controls whether override APNs are enabled or disabled. When enabled, only the configured override APNs are used and all other APNs on the device are ignored.

Disabled (default): All configured APN settings are saved on the device, but they are disabled and have no effect. All other APNs on the device remain in use.

Enabled: Only the override APNs are used, all other APNs are ignored. This setting can only be configured on fully managed devices with Android 10 and above.

 

4. APN settings

Configure one or more APN entries. Use Add APN to create an entry and Remove APN to delete it.

Each APN has required fields:

APN Types: Select one or more traffic types for this APN (availability depends on management mode and Android version).

APN Name: The APN identifier provided by your carrier.

Display Name: Friendly name shown in UI.

 

Optional APN fields:

Auth Type, Username, Password: Configure carrier authentication (if required).

Protocol and Roaming Protocol: IP protocol configuration.

Network Types: Restrict the cellular technologies the APN may use (for example LTE/5G NR).

Proxy Address and Proxy Port: HTTP proxy for data traffic (if applicable).

MMS Proxy Address, MMS Proxy Port, MMSC (MMS Center URI): MMS-related settings.

Numeric Operator ID (MCC+MNC) and Carrier ID: Carrier identification fields.

Always On Setting: Whether the PDU session activated by this APN should be always-on. Supported on Android 15 and above.

MVNO Type: Mobile virtual network operator identifier type.

MTU IPv4 and MTU IPv6: Maximum Transmission Unit for IPv4/IPv6 routes. Supported on Android 13 and above.

 

5. Cell broadcast config disabled

Whether configuring cell broadcast is disabled.

 

6. Mobile networks config disabled

Whether configuring mobile networks is disabled.

 

7. Roaming data disabled

Whether roaming data services are disabled.

 

8. Outgoing calls disabled

Whether outgoing calls are disabled.

 

9. SMS disabled

Whether sending and receiving SMS messages is disabled.

 

10. 5G Network Slicing Configuration

Configure preferential network service settings to enable enterprise 5G network slicing. You can set up to 5 enterprise slices and assign applications to specific networks for optimized traffic routing.

10.1. Default Preferential Network

Default preferential network ID for applications that are not in the applications list, or if an app’s Preferential Network is not set. Must have a configuration for the specified network ID (unless set to No Preferential Network).

Note: Critical apps like com.google.android.apps.work.clouddpc and com.google.android.gms are excluded from this default setting.

 

10.2. Network Service Configurations

Use Add Network Configuration to create a slice configuration. You can add up to 5 configurations. Each configuration has:

Preferential Network ID (Auto-assigned): Network ID is automatically assigned and cannot be changed.

Fallback to Default Connection: Whether fallback to the device-wide default network is allowed. If disallowed, apps cannot access the internet if the 5G slice is unavailable.

Non-Matching Networks: Whether apps subject to this configuration can use networks other than the preferential service. If set to Disallowed, Fallback to Default Connection must also be Disallowed. Requires Android 14 and above.

Networking

In this section, you can configure networking-related policies.

Wi‑Fi configurations can be provisioned and managed by the system via WiFi configurations. Depending on the value set on Configure Wi‑Fi, users may have limited or no control over adding/modifying networks.

 

Device radio state

1. Wi‑Fi state

Controls current state of Wi‑Fi and if the user can change its state.

User choice (default): User is allowed to enable/disable Wi‑Fi.

Enabled: Wi‑Fi is on and the user is not allowed to turn it off (Android 13+).

Disabled: Wi‑Fi is off and the user is not allowed to turn it on (Android 13+).

 

2. Minimum Wi‑Fi security level

The minimum required security level of Wi‑Fi networks that the device can connect to. Supported on Android 13 and above, for fully managed devices and work profiles on company-owned devices.

Open network (default): The device can connect to all types of Wi‑Fi networks.

Personal network: Disallows open Wi‑Fi networks; requires at least personal security (for example WPA2‑PSK).

Enterprise network: Requires enterprise EAP networks; disallows Wi‑Fi networks below this security level.

192‑bit enterprise network: Requires 192‑bit enterprise networks; strictest option.

 

3. Ultra wideband (UWB) state

Controls the state of the ultra wideband setting and whether the user can toggle it on or off.

User choice (default): The user is allowed to toggle UWB on or off.

Disabled: UWB is disabled and the user is not allowed to toggle it via settings (Android 14+).

 

Device connectivity management

4. Bluetooth sharing

Controls whether Bluetooth sharing is allowed.

Allowed: Bluetooth sharing is allowed (default on fully managed devices, Android 8+).

Disallowed: Bluetooth sharing is disallowed (default on work profiles, Android 8+).

 

5. Configure Wi‑Fi

Controls Wi‑Fi configuring privileges. Depending on the selected option, the user has full, limited, or no control in configuring Wi‑Fi networks.

Allow configuring Wi‑Fi (default): The user is allowed to configure Wi‑Fi.

Disallow add Wi‑Fi config: Adding new Wi‑Fi configurations is disallowed. The user can switch between already configured networks (Android 13+; fully managed and company-owned work profiles).

Disallow configuring Wi‑Fi: Disallows configuring Wi‑Fi networks. For fully managed devices this removes user-configured networks and retains only networks configured via WiFi configurations. For company-owned work profiles, existing networks are not affected but users cannot add/remove/modify Wi‑Fi networks.

When configuring Wi‑Fi is disabled and the device cannot connect at boot time, the system can show the network escape hatch to let the user temporarily connect and refresh policy.

 

6. Wi‑Fi direct settings

Controls configuring and using Wi‑Fi direct settings. Supported on company-owned devices running Android 13 and above.

Allow (default): The user is allowed to use Wi‑Fi direct.

Disallow: The user is not allowed to use Wi‑Fi direct.

 

7. Tethering settings

Controls tethering settings. Based on the value set, the user is partially or fully disallowed from using different forms of tethering.

Allow all tethering (default): Allows configuration and use of all forms of tethering.

Disallow Wi‑Fi tethering: Disallows the user from using Wi‑Fi tethering (company-owned Android 13+).

Disallow all tethering: Disallows all forms of tethering (fully managed + company-owned work profiles).

 

8. Wi‑Fi SSID policy

Restrictions on which Wi‑Fi SSIDs the device can connect to (this does not affect which networks can be configured on the device). Supported on company-owned devices running Android 13 and above.

SSID denylist (default): The device cannot connect to any Wi‑Fi network whose SSID is listed, but can connect to other networks.

SSID allowlist: The device can connect only to the SSIDs listed. The SSID list must not be empty.

Use Add SSID to add entries. Depending on the selected policy type, the list is interpreted as allowed or denied SSIDs.

In the Policy Editor UI, the SSID list is labeled Allowed Wi‑Fi SSIDs for allowlists and Denied Wi‑Fi SSIDs for denylists.

 

9. Wi‑Fi roaming settings

Configure Wi‑Fi roaming mode per SSID. Use Add Wi‑Fi roaming setting to create entries.

Each entry includes:

SSID: The SSID to which the roaming setting applies (required).

Wi‑Fi roaming mode: Default / Disabled / Aggressive. Disabled and Aggressive require Android 15+ and are supported only on fully managed devices and work profiles on company-owned devices.

 

Network restrictions

10. Bluetooth disabled

Whether bluetooth is disabled. Prefer this setting over Bluetooth config disabled because Bluetooth config disabled can be bypassed by the user.

 

11. Bluetooth contact sharing disabled

Whether bluetooth contact sharing is disabled.

 

12. Bluetooth config disabled

Whether configuring bluetooth is disabled.

 

13. Network reset disabled

Whether resetting network settings is disabled.

 

14. Outgoing beam disabled

Whether using NFC to beam data from apps is disabled.

 

VPN

15. Always On VPN app

Specify an Always On VPN package name to ensure that data from specified managed apps will always go through a configured VPN.

Note: This feature requires deploying a VPN client that supports both Always On and per-app VPN features.

 

16. VPN lockdown

Disallows networking when the VPN is not connected.

 

17. VPN config disabled

Whether configuring VPN is disabled.

 

Proxy and network services

18. Preferential network service

Controls whether preferential network service is enabled on the work profile. For example, an organization may have an agreement with a carrier that work data is sent via a carrier network service dedicated for enterprise use (for example, an enterprise slice on 5G networks). This has no effect on fully managed devices.

Disabled: Preferential network service is disabled on the work profile.

Enabled: Preferential network service is enabled on the work profile.

If you use enterprise network slicing, also configure 5G Network Slicing Configuration under the Cellular policy panel and assign apps to a slice using their Preferential Network setting.

 

19. Recommended global proxy

The network-independent global HTTP proxy. Typically, proxies should be configured per-network in WiFi configurations. A global proxy may be useful for unusual configurations like general internal filtering. The global proxy is only a recommendation and some apps may ignore it.

Disabled

Direct proxy

Proxy auto-config (PAC)

19.1. Host

The host of the direct proxy.

19.2. Port

The port of the direct proxy.

19.3. PAC URI

The URI of the PAC script used to configure the proxy.

19.4. Excluded hosts

For a direct proxy, the hosts for which the proxy is bypassed. Host names may contain wildcards such as *.example.com.

Use Add excluded host to add entries (available for direct proxy only).

 

WiFi configurations

Define Wi‑Fi network configurations that the system will apply on devices. Use Add Wi‑Fi configuration to create an entry and remove it with the delete action.

20. Wi‑Fi configuration fields

Each configuration includes:

Configuration name: Required.

SSID: Required.

Auto connect: Whether the network should be connected to automatically when in range.

Fast Transition: Whether the client should attempt to use Fast Transition (IEEE 802.11r-2008) with the network.

Hidden SSID: Whether the SSID will be broadcast.

MAC randomization mode: Hardware or Automatic (Android 13+).

 

20.1. Security

Wi‑Fi security options:

WEP‑PSK: WEP (Pre-Shared Key).

WPA‑PSK: WPA/WPA2/WPA3-Personal (Pre-Shared Key).

WPA‑EAP: WPA/WPA2/WPA3-Enterprise (Extensible Authentication Protocol).

WPA3 192-bit mode: WPA‑EAP network allowing only WPA3 192-bit mode.

20.2. Passphrase (Pre‑Shared Key)

Shown when Security is WEP‑PSK or WPA‑PSK. The passphrase is required.

20.3. EAP method (Enterprise)

Shown when Security is WPA‑EAP or WPA3 192-bit mode. Select one EAP outer method:

EAP‑TLS

EAP‑TTLS

PEAP

EAP‑SIM

EAP‑AKA

20.4. Phase 2 authentication

Shown for tunneling outer methods (EAP‑TTLS and PEAP).

MSCHAPv2

PAP

20.5. EAP credentials from users

When enabled, the system automatically applies EAP credentials on devices on a per-user basis. You can configure user credentials in the Users section.

20.6. Client certificate

For EAP‑TLS, you can assign a client certificate used for Wi‑Fi authentication. For more information read the Certificate management page.

If a certificate is already assigned, you can use Open certificate to view it or Change certificate to select a different one.

Alternatively, you can specify Client certificate key pair alias, which references a client certificate stored in the Android keychain and allowed for Wi‑Fi authentication.

If both Client certificate and Client certificate key pair alias are set, the key pair alias is ignored.

20.7. Identity

Identity of user. For tunneling outer protocols (PEAP, EAP‑TTLS), this is used to authenticate inside the tunnel, and Anonymous identity is used for the EAP identity outside the tunnel. For non-tunneling outer protocols, this is used for the EAP identity.

20.8. Anonymous identity

For tunneling protocols only, this indicates the identity of the user presented to the outer protocol.

20.9. Password

Password of user. If not specified, defaults to prompting the user.

20.10. Server CA certificates

List of CA certificates to be used for verifying the host’s certificate chain. At least one CA certificate must match. For more information read the Certificate management page.

Use Add Server CA certificate to add entries and remove them with the delete action.

20.11. Domain suffix matches

A list of constraints for the server domain name. The entries are used as suffix match requirements against the DNS name(s) of the alternative subject name of an authentication server certificate.

 

System

In this section, you can configure system-related policies.

 

1. Minimum API level

The minimum allowed Android API level.

 

2. Encryption policy

Whether encryption is enabled.

Default: This value is ignored, i.e. no encryption required.

Enabled without password: Encryption required but no password required to boot.

Enabled with password: Encryption required with password required to boot.

 

3. Auto date and time

Whether auto date, time, and time zone is enabled on a company-owned device.

User choice (default): Auto date, time, and time zone are left to user's choice.

Enforced: Enforce auto date, time, and time zone on the device.

 

4. Developer settings

Controls access to developer settings: developer options and safe boot.

Disabled (default): Disables all developer settings and prevents the user from accessing them.

Allowed: Allows all developer settings. The user can access and optionally configure the settings.

 

5. Common Criteria Mode

Controls Common Criteria Mode—security standards defined in the Common Criteria for Information Technology Security Evaluation (CC). Enabling Common Criteria Mode increases certain security components on a device (for example: AES-GCM encryption of Bluetooth Long Term Keys, additional validation for some network certificates, and cryptographic policy integrity checks). Common Criteria Mode is supported only on company-owned devices running Android 11 or above. Warning: Common Criteria Mode enforces a strict security model typically only required for highly sensitive organizations. Standard device use may be affected; enable it only if required.

Disabled (default): Disables Common Criteria Mode.

Enabled: Enables Common Criteria Mode.

 

6. Memory Tagging Extension (MTE)

Controls Memory Tagging Extension (MTE) on the device.

User choice (default): The user can choose to enable or disable MTE on the device (if supported by the device).

Enforced: MTE is enabled and the user is not allowed to change it (Android 14+; supported on fully managed devices and work profiles on company-owned devices).

Disabled: MTE is disabled and the user is not allowed to change it (Android 14+; supported on fully managed devices only).

 

7. Content protection

Controls whether content protection (which scans for deceptive apps) is enabled. This is supported on Android 15 and above.

Disabled (default): Content protection is disabled and the user cannot change this.

Enforced: Content protection is enabled and the user cannot change this (Android 15+).

User choice: Content protection is not controlled by the policy; the user can choose (Android 15+).

 

8. Assist content

Controls whether AssistContent is allowed to be sent to a privileged app such as an assistant app (for example, Circle to Search). AssistContent includes screenshots and information about an app, such as package name. This is supported on Android 15 and above.

Allowed (default): Assist content is allowed to be sent to a privileged app (Android 15+).

Disallowed: Assist content is blocked from being sent to a privileged app (Android 15+).

 

9. Create windows disabled

Whether creating windows besides app windows is disabled. This option prevents the following system UIs from being displayed: toasts and snackbars, phone activities (such as incoming calls) and priority phone activities (such as ongoing calls), system alerts, system errors and system overlays.

 

10. Network escape hatch

Whether the network escape hatch is enabled. If a network connection can't be made at boot time, the escape hatch prompts the user to temporarily connect to a network in order to refresh the device policy. After applying policy, the temporary network will be forgotten and the device will continue booting. This prevents being unable to connect to a network if there is no suitable network in the last policy and the device boots into an app in lock task mode, or the user is otherwise unable to reach device settings.

 

11. Default activities

A list of default activities for handling intents that match a particular intent filter. For example, this feature would allow IT admins to choose which browser app automatically opens web links, or which launcher app is used when tapping the home button.

Use Add default activity to create entries. Within an entry, use Add action and Add category to build the intent filter.

11.1. Receiver activity

The activity that should be the default intent handler. This should be an Android component name, e.g. com.android.enterprise.app/.MainActivity. Alternatively, the value may be the package name of an app, which causes Android Device Policy to choose an appropriate activity from the app to handle the intent.

11.2. Action

The intent actions to match in the filter. If any actions are included in the filter, then an intent's action must be one of those values for it to match. If no actions are included, the intent action is ignored.

11.3. Category

The intent categories to match in the filter. An intent includes the categories that it requires, all of which must be included in the filter in order to match. In other words, adding a category to the filter has no impact on matching unless that category is specified in the intent.

 

12. Permitted input methods

Specifies permitted input methods.

All allowed: No restriction applied. All input methods are allowed.

Only system's: Only system's built-in input methods are allowed.

Only system's and provided: Only the provided and the system's built-in input methods are allowed.

12.1. Allowed input methods

Input method package names that are allowed. Only applies when Permitted input methods is set to Only system's and provided.

Use Add input method to add entries and remove them with the delete action.

 

13. Permitted accessibility services

Specifies permitted accessibility services.

All allowed: Any accessibility service can be used.

Only system's: Only the system's built-in accessibility services can be used.

Only system's and provided: Only the provided and the system's built-in accessibility services can be used.

13.1. Allowed accessibility services

Allowed accessibility services. Only applies when Permitted accessibility services is set to Only system's and provided.

Use Add accessibility service to add entries and remove them with the delete action.

 

14. System update policy

Configuration for managing system updates.

Default: Follow the default update behavior for the device, which typically requires the user to accept system updates.

Automatic: Install automatically as soon as an update is available.

Windowed: Install automatically within a daily maintenance window. This also configures Play apps to be updated within the window. This is strongly recommended for kiosk devices because this is the only way apps persistently pinned to the foreground can be updated by Play.

Postpone: Postpone automatic install up to a maximum of 30 days.

 

14.1. Maintenance window (Windowed only)

When System update policy is set to Windowed, you can define the daily maintenance window using the from and to fields.

 

14.2. System update freeze periods

An annually repeating time period in which over-the-air (OTA) system updates are postponed to freeze the OS version running on a device. To prevent freezing the device indefinitely, each freeze period must be separated by at least 60 days. Each freeze period must not exceed 90 days.

Use Add system update freeze period to create entries.

 

15. Credential providers default

Controls which apps are allowed to act as credential providers on Android 14 and above.

Disallowed (default): Apps with credentialProviderPolicy unspecified are not allowed to act as a credential provider.

Disallowed except system: Apps with credentialProviderPolicy unspecified are not allowed to act as a credential provider, except for the OEM default credential providers.

Location and geofence

This panel groups the Android policy settings that control device location reporting, location enforcement, and geofence definitions. Use it when you want Cerberus Enterprise to collect device locations or detect when devices enter or leave configured areas.

Location reporting

Report location

Enables device geolocation reporting. Location data collected through this setting is used by the dashboard location map, the device overview location history, and geofence processing.

On devices that are not fully managed, location data may still depend on the Cerberus Enterprise app having the required location permissions and on location services being enabled on the device.

Location mode

Controls the device location setting on company-owned devices.

• User choice: location services are not restricted by the policy.
• Enforced: location services are enabled on the device.
• Disabled: location services are disabled on the device.

Share location disabled

Disables location sharing for work apps. On profile-owner devices, this affects the work profile. On fully managed devices, it disables location for the whole device and overrides the device location mode.

Automatic behavior with active geofences

Active geofences require location reporting to work. When at least one geofence is active, Cerberus Enterprise automatically keeps the related location settings consistent.

• Report location is forced on while active geofences exist.
• Location mode is forced to Enforced.
• Share location disabled is forced off.

If you try to disable Report location while one or more geofences are active, Cerberus Enterprise shows a confirmation dialog. If you continue, all active geofences in the policy are deactivated.

Geofence list

A policy can contain up to 10 geofences. Geofence names must be unique within the policy.

Use Add geofence to create a new entry. Each geofence contains these main fields:

• Name: required and unique.
• Latitude and Longitude: the center of the area.
• Radius (m): required, from 100 to 10000 meters.
• Description: optional notes for administrators.
• Report enter and Report exit: choose which transition events should be generated.
• Active: enables or disables the geofence without deleting it.

At least one of Report enter or Report exit must stay enabled for each geofence.

Map editing tools

Each geofence card includes a map preview of the area. You can edit the geometry from the map or from the numeric fields.

• Click the map to move the geofence center when area editing is unlocked.
• Use the Current location button to center the map on your current browser position.
• Use the Recenter map button to restore the preferred viewport for that geofence.
• Use the lock button to prevent accidental changes to the geofence geometry.

Where geofence data appears

Geofence transitions can be reviewed in the Android Device overview page, inside the Geofence tab of the location panel. That tab shows transitions on a dedicated map together with filtering tools and the transition list.

User management

Add user disabled

Whether adding new users and profiles is disabled. For devices where managementMode is DEVICE_OWNER this field is ignored and the user is never allowed to add or remove users.

 

Modify accounts disabled

Whether adding or removing accounts is disabled.

 

User credentials config disabled

Whether configuring user credentials is disabled.

 

Remove user disabled

Whether removing other users is disabled.

 

Set user icon disabled

Whether changing the user icon is disabled.

 

Set wallpaper disabled

Whether changing the wallpaper is disabled.

 

Work account setup authentication

Controls how users authenticate during work account setup. This option is available only for Android enterprises backed by a managed Google domain (Google Workspace).

During device setup/enrollment, this policy influences whether a work account sign-in is required, but the Google Admin Console setting Authenticate Using Google and the enrollment token type can still require authentication.

For already enrolled devices, this policy only applies if the device is managed by a managed Google Play account (i.e., enrolled without Authenticate Using Google Enrollment).

For more details and troubleshooting, refer to Authenticate Using Google enrollment.

 

Blocked account types

Account types that can't be managed by the user. This option prevents device users from adding unapproved accounts.

Use Add blocked account type to add one or more account types.

Each entry has an Account type field (required). Enter a string such as com.google. Remove an entry using the delete action.

Personal usage

When provisioning a company-owned device for work and personal use, you can specify some rules to limit how the user can operate the device for personale usage, outside the work profile.

This section only apply to company-owned devices with work profile. They will have no effect on fully manged or personally-owned devices.

1. Camera disabled

Whether camera is disabled.

 

2. Screen capture disabled

Whether screen capture is disabled.

 

3. Max days with work off

Controls how long the work profile can stay off.

 

4. Bluetooth sharing

Controls whether bluetooth sharing is allowed in the personal profile of a company-owned device with a work profile.

 

5. Private space

Controls whether a private space is allowed on the device.

 

6. Play Store mode

This mode controls which apps are allowed or blocked to the user in the personal profile's Play Store.

Blocklist (default): All apps are available and any app that should not be on the device should be explicitly marked as Blocked in the Applications section.

Allowlist: Only apps explicitly specified in the Applications section with Install type set to Available are allowed to be installed in the personal profile.

 

7. Applications

List of applications that must be allowed or blocked on the personal profile. The behavior of the list's content depends on the value set on Play Store mode.

To add a new app from Play Store, click on the + icon.

7.1. Install type

Types of installation behaviors a personal profile application can have.

Blocked: The app is blocked and can't be installed in the personal profile.

Available: The app is available to install in the personal profile.

 

8. Blocked account types

Account types that can't be managed by the user. This option prevent device users from adding unapproved accounts on their personal profile.

Cross-profile policies

Only applies to devices with personal and work profiles.

Cross-profile copy/paste

Whether text copied from one profile (personal or work) can be pasted in the other profile.

Disallowed (default): Prevents users from pasting into the personal profile text copied from the work profile. Text copied from the personal profile can be pasted into the work profile.

Allowed: Text copied in either profile can be pasted in the other profile.

 

Cross-profile data sharing

Whether data from one profile (personal or work) can be shared with apps in the other profile. Specifically controls simple data sharing via intents. Management of other cross-profile communication channels, such as contact search, copy/paste,
or connected work & personal apps, are configured separately.

Disallowed: Prevents data from being shared from both the personal profile to the work profile and the work profile to the personal profile.

Work to Personal disallowed (default): Prevents users from sharing data from the work profile to apps in the personal profile. Personal data can be shared with work apps.

Allowed: Data from either profile can be shared with the other profile.

 

Work profile widgets default

Default behavior for work profile widgets. If a specific app does not define a widgets policy, it follows the default set here.

 

Cross-profile app functions

Controls whether personal profile apps can invoke app functions from work profile apps. This requires Android 16 or above.

This setting depends on the policy-level App functions option (in the App management section). If App functions is set to Disallowed, the API will reject Cross-profile app functions set to Allowed.

 

Work contacts in personal profile

Whether contacts stored in the work profile can be shown in personal profile contact searches and incoming calls.

Allowed (default): Allows work profile contacts to appear in the personal profile.

Disallowed: Prevents personal apps from accessing work profile contacts and looking up work contacts.

Disallowed except system: Prevents most personal apps from accessing work profile contacts, except for the OEM default Dialer, Messages, and Contacts apps (Android 14+).

When Work contacts in personal profile is configured, you can optionally define a list of Exempted package name entries. Depending on the selected mode, these exemptions behave as allowlist or blocklist for personal apps.

Status reporting

In this section, you can configure which data should be retrieved from the device. The status data can be viewed in the Device status dashboard page.

 

Application reports

Whether app reports are enabled. (Information reported about an installed app.)

This option is required by the system (for companion-app integration) and is always enabled; it can't be disabled.

 

Include removed apps

Whether removed apps are included in application reports.

 

Device settings

Whether device settings reporting is enabled. (Information about security related device settings on device.)

 

Software info

Whether software info reporting is enabled. (Information about device software.)

 

Memory info

Whether memory reporting is enabled. (An event related to memory and storage measurements.)

 

Network info

Whether network info reporting is enabled. (Device network info.)

 

Display info

Whether displays reporting is enabled. Report data is not available for personally-owned devices with work profiles. (Device display information.)

 

Power management events

Whether power management event reporting is enabled. Report data is not available for personally-owned devices with work profiles.

 

Hardware status

Whether hardware status reporting is enabled. Report data is not available for personally-owned devices with work profiles.

 

System properties

Whether system properties reporting is enabled.

 

Common Criteria Mode

Whether Common Criteria Mode reporting is enabled.

Misc

1. Easter egg game disabled

Whether the Easter egg game in Settings is disabled.

 

2. Skip first use hints

Flag to skip hints on the first use. Enterprise admin can enable the system recommendation for apps to skip their user tutorial and other introductory hints on first start-up.

 

3. Short support message

A message displayed to the user in the settings screen wherever functionality has been disabled by the admin. If the message is longer than 200 characters it may be truncated.

 

4. Long support message

A message displayed to the user in the device administrators settings screen.

 

5. Owner lock screen info

The device owner information to be shown on the lock screen.

 

6. Setup actions

Actions to take during the setup process. During the enrollment, you can require the user to open one or more apps that are needed for device setup.

Use Add setup action to create entries and remove them with the delete action.

6.1. Launch app

Package name of app to be launched

6.2. Title

Provides a user-facing message, to explain to the user why the app is required to be launched.

6.3. Description

Provides a user-facing message, to explain to the user why the app is required to be launched.

 

7. Enterprise display name visibility

Controls whether the enterprise display name is visible on the device (for example, as a lock screen message on company-owned devices).

Visible (default): The enterprise display name is visible on the device (supported on work profiles on Android 7+ and fully managed devices on Android 8+).

Hidden: The enterprise display name is hidden on the device.

Policy enforcement rules

If a device or work profile fails to comply with any of the policy settings listed below, Android Device Policy immediately blocks usage of the device or work profile by default:

• Password requirements
• Encryption policy
• Keyguard disabled
• Permitted input methods
• Permitted accessibility services

If the device or work profile remains not compliant after 10 days, Android Device Policy will factory-reset the device or delete the work profile.

In this section, you can override the default compliance enforcement rules or add new ones.

Rules

List of rules that define the behavior when a particular policy cannot be applied to a device.

Use Add rule to create a new rule. Each rule card can be removed using the delete action.

Setting name

The top-level policy to enforce. For example, Applications or Password requirements.

Required. The value must match a supported top-level policy name; otherwise the field is marked as invalid.

Block after days

Number of days the policy is non-compliant before the device or work profile is blocked. To block access immediately, set to 0. Block after days must be less than Wipe after days. Only applicable to devices that are company-owned.

Allowed range: 0–300.

Block scope

Specifies the scope of block action. Only applicable to devices that are company-owned.

Default (new rule): Work profile.

Work profile: Block action is only applied to apps in the work profile. Apps in the personal profile are unaffected.

Entire device: Block action is applied to the entire device, including apps in the personal profile.

Wipe after days

Number of days the policy is non-compliant before the device or work profile is wiped.
Wipe after days must be greater than Block after days. Only applicable to devices that are company-owned.

Required. Default (new rule): 1.

Allowed range: 1–300.

Preserve factory-reset protection

Whether the factory-reset protection data is preserved on the device. This setting doesn’t apply to work profiles.

Default (new rule): enabled.

Policies - Apple

Apple policies

Apple policies define management settings that Cerberus Enterprise applies to Apple devices via MDM. These settings are configured from the dashboard in the Apple policy editor.

Before you start

Apple device management requires Apple Management (APNs) to be configured. If needed, read the Apple Management setup (APNs) page.

Open the Apple Policy Editor

In the dashboard, open Policies and click Create new Apple policy. To edit an existing Apple policy, click its row in the policies table.

Editor layout

The Apple Policy Editor is organized as a set of expandable sections. At the top of the page you can always edit:

• Name (required)
• Id (read-only)
• Description (optional)

Policy sections

The sections below match the panels currently available in the Apple Policy Editor:

• App management: configure app-related restrictions and managed apps.
• Passcode settings: configure passcode requirements and related rules.
• Security: control features such as Auto Unlock and biometric unlocking.
• iCloud: allow or disallow specific iCloud services (backup, keychain sync, private relay, etc.).
• Multimedia: allow/disallow camera and related features.
• Cellular: control cellular-related settings (app cellular data settings, eSIM, plan changes).
• Networking: control AirDrop/AirPrint/AirPlay and other connectivity settings.
• Accounts: restrict account modification and (optionally) configure Google and Mail accounts.

Many options in the Apple Policy Editor include a tooltip that documents requirements and supported OS versions.

Save, delete, and associated devices

Use Save policy to apply your changes. The button is disabled when there are no pending edits, or when the license is expired.

When editing an existing policy, the page also shows a Delete policy action. The editor can show an Associated devices list at the bottom, so you can see how many devices are currently using the policy.

Next pages

• Passcode: configure passcode requirements and related security options.
• Restrictions: define allowed features and OS-level limitations.
• Apps & profiles: configure installed apps and configuration profiles.

Apple policy: Passcode

The Passcode settings section controls device passcode requirements and related security rules (for example, minimum length and complexity).

Options

In the Apple Policy Editor, passcode options are configured using a mix of toggles and numeric fields. Many fields include tooltips that indicate supported OS versions and supervision requirements.

Passcode toggles

• ChangeAtNextAuth: force a password reset the next time the user authenticates.
• RequireAlphanumericPasscode: require at least one alphabetic character and one number.
• RequireComplexPasscode: require a “complex” passcode (no repeating/sequential patterns and at least one non-alphanumeric character).
• RequirePasscode: require a passcode without additional length/quality requirements. Note: setting other passcode keys implicitly requires a passcode.

Numeric fields

• FailedAttemptsResetInMinutes: minutes before the failed-attempts counter resets (requires MaximumFailedAttempts).
• MaximumFailedAttempts: failed attempts allowed before the device is erased/locked (range: 2–11).
• MaximumGracePeriodInMinutes: how long the device can be unlocked without requiring the passcode (0 = none).
• MaximumInactivityInMinutes: idle time before the device locks (range: 0–15).
• MaximumPasscodeAgeInDays: max passcode age before a forced change (range: 0–730).
• MinimumComplexCharacters: minimum number of “complex” characters (range: 0–4).
• MinimumLength: minimum passcode length (range: 0–16).
• PasscodeReuseLimit: passcode history length to prevent reusing old passcodes (range: 1–50).

Apple policy: Restrictions

The Restrictions sections control which OS features are allowed on managed Apple devices. In the Apple Policy Editor, these options are exposed as grouped panels with multiple toggles.

Many restrictions are only supported on specific OS versions and may require supervised devices. Use the tooltips in the dashboard for authoritative requirements.

Security

• Allow auto unlock
• Allow Fingerprint for Unlock
• Allow Fingerprint Modification

iCloud

• Allow iCloud address book
• Allow iCloud backup
• Allow iCloud bookmarks
• Allow iCloud calendar
• Allow iCloud desktop and documents
• Allow iCloud document sync
• Allow iCloud Freeform
• Allow iCloud keychain sync
• Allow iCloud Mail
• Allow iCloud Notes
• Allow iCloud Photo Library
• Allow iCloud Private Relay
• Allow iCloud Reminders

Multimedia

• Allow camera
• Allow File Sharing Modification
• Allow Files USB Drive Access

Cellular

• Allow app cellular data modification
• Allow cellular plan modification
• Allow eSIM modification
• Allow eSIM outgoing transfers

Networking

• Allow AirDrop
• Allow AirPlay incoming requests
• Allow AirPrint
• Allow AirPrint credentials storage
• Allow AirPrint iBeacon discovery
• Allow Bluetooth modification
• Allow Bluetooth Sharing modification
• Allow Files Network Drive Access
• Allow Internet Sharing Modification

Accounts (restriction)

The Accounts panel contains both a restriction and (optionally) account configuration. The restriction toggle controls whether the user can modify system accounts.

• Allow account modification

Apple policy: Apps & profiles

This section documents how to configure managed applications and account payloads for Apple devices.

App management

The App management panel contains both general app-related restrictions and a list of managed apps.

General app restrictions

• Allow app clips
• Allow app installation
• Allow app removal
• Allow automatic app downloads
• Allow apps to be hidden
• Allow apps to be locked
• Allow In-App Purchases

Managed apps

Use Add application to add an app to the policy. Each managed app is displayed as a card. You can expand the card to edit its settings and remove the app using the delete action.

• App Store ID: the App Store identifier of the managed app.
• Bundle ID: the app bundle identifier.
• Install behavior: controls whether the app must remain installed or can be installed/removed by the user.
• Assignment: license assignment type.
• VPP license: VPP license type used for installation through the App Store.

Accounts

The Accounts panel lets you configure accounts that are applied to managed devices. It also includes a restriction toggle for account modification.

Restriction

• Allow account modification: when disabled, users cannot modify accounts such as Apple Accounts and internet accounts.

Add accounts

Use Add Google account or Add mail account to add account payloads to the policy. Each account appears as a card with its configuration fields.

Account credentials from users

Both Google and Mail account cards provide a Account credentials from users toggle. When enabled, the system applies account credentials on a per-user basis. When disabled, you enter the account identity in the policy.

Google account fields

• Visible name: the name shown to the user for the account.
• Google email address: the user email address.
• Full name: the user’s full name.

Mail account fields

Mail accounts include identity fields plus incoming/outgoing server configuration. Host names are required.

• Visible name: the name shown to the user for the mail account.
• Email address: the user email address.
• Full name: the user’s full name.

Incoming server

• Server type: mail protocol (for example IMAP or POP).
• Authentication Method: authentication method for the server.
• IMAP path prefix: shown only when Server type is IMAP.
• Host name: required.
• Port: server port (1–65535).

Outgoing server

• Authentication Method
• Host name: required.
• Port: server port (1–65535).

S/MIME options

For Mail accounts, you can also configure S/MIME encryption and signing behavior.

Encryption

• S/MIME encryption
• Identity user-overrideable
• Per-message switch enabled
• User overrideable

Signing

• S/MIME Signing
• Identity user-overrideable
• User overrideable

Account and restriction options include tooltips in the dashboard that document prerequisites and supported OS versions.

Device Status

Device overview

Open a device from Dashboard → Devices by clicking the device row. The page title shows the device Model (when available) and the internal Id.

Historical data vs current enrollment

When a device has multiple enrollments, Cerberus Enterprise can show a read-only historical record. In that case, the page displays a Historical data banner and a button to return to the current enrollment data.

Top fields

The top section summarizes the device identity, assignment, and management state. Some fields are platform-specific and appear only for Android or Apple devices.

• Id and Model: read-only identifiers.
• User: shows the currently assigned user (if any). From the user menu you can Open user or Change user, or assign a user when none is set.
• Management mode and Ownership: displayed with tooltips in the UI.
• State: current device state (with icon and tooltip details).
• ADE profile (Apple only): shows the assigned Automated Device Enrollment profile (if any) and lets you open or change it.
• Policy: shows the assigned policy and lets you open or change it, or assign one when none is set.
• Policy compliance status (when a policy is assigned): indicates whether the device is compliant.
• Policy version (when a policy is assigned): indicates whether the device has the latest policy version applied.
• Enrolled on and Last status report: timestamps for enrollment and last reported status.
• Disenrolled on: shown when the device has been disenrolled.

Some data and panels are available only when the corresponding category is enabled in the device policy. For more information read the Status reporting and Location and geofence pages.

Panels

The Device editor is organized in expandable sections. Depending on platform and state, you may see one or more of the following panels:

• Location map: a tabbed panel with Location history for the current device and, on Android devices, a Geofence tab for geofence transitions when geofence data is available.
• Commands: send commands to the device and view command history (platform-specific).
• Security posture (Android only): posture, Play Integrity verdict, and security risks.
• Application reports (Android only): installed apps and feedback/error reports.
• Managed applications (Apple only): managed app state and installation details.
• Non compliance details: shown when a device is not compliant; lists the policy settings that are out of compliance.
• Status reports: additional data reported by the device, displayed as a tree of categories and values.
• Enrollment history: previous enrollments for this same physical device, shown as a list.

Location panel tabs

The Location map panel now uses tabs so location history and geofence transitions stay separated.

• Location: shows history filters, a date-range search, location markers, the accuracy circle, and live tracking controls for the current device.
• Geofence (Android only): shows geofence transition history on a dedicated map, with period filters, an optional archived-geofence toggle, and a side list of transitions.

For the full behavior of these tabs, see Location map.

Actions

At the bottom of the page you can refresh data and perform actions depending on the platform, device state, and license status.

• Refresh data: reload the device record.
• Disable device / Enable device (Android only): available in supported states.
• Disenroll device: removes management from the device. The exact behavior depends on platform and ownership (for example, Android may wipe a work profile or factory reset).
• Delete device: available when the device is already disenrolled and its record can be removed.

Commands

The Device editor provides a Commands panel to send remote commands to a managed device. Available commands depend on the platform (Android or Apple) and device state.

If the device is not currently online, the command will be delivered and executed as soon as the device connects to the Internet. For Android commands you can set the Duration parameter to determine for how long an undelivered command remains valid.

Android (AMAPI) commands

For Android devices, the Commands panel includes a Duration field (value + unit) and a Command selector. Some commands require additional parameters, which appear dynamically when you select the command.

Common parameters

• Duration: how long the command is valid if it cannot be executed immediately.
• Command: choose which action to send to the device.

Commands with additional fields

• Reset password: requires New password and Confirm new password. Optional toggles include Lock now, Require entry, and Do not ask for credentials on boot.
• Clear app data: requires the target Package name.
• Start lost mode: requires a Lost message and supports optional contact fields (street address, organization, phone number, email).
• Request device info: requires selecting which device information to request.
• Add eSIM: requires an Activation code and an Activation state.
• Remove eSIM: requires the eSIM ICCID.
• Wipe: supports a Wipe reason message (shown to users on personal devices) and optional wipe flags.

Command history

Below the send controls, the dashboard shows a command history table. The table is sortable and supports pagination. Some rows can be expanded to view additional parameters or execution details.

Android history columns

• Creation date
• Command
• Validity
• Status
• Error
• Execution date

Apple (MDM) commands

For Apple devices, the Commands panel provides a Command selector. Some commands require additional inputs. As with Android, a command history table is shown below.

Commands with additional fields

• InstallApplication: requires the application Bundle ID.
• SendNotification: requires a Notification message (maximum length 200 characters).

Apple history columns

• Creation date
• Command
• Status
• Status time

Refresh

Use the refresh action in the Commands panel to reload the command history.

Location map

This page documents the device-specific location tools available in Device overview. The panel contains a Location tab for position history and, on Android devices, a Geofence tab for geofence transitions.

Prerequisites

Device location data is shown only when location reporting is enabled in the device policy. To enable it, open the policy and turn on Location and geofence → Report location. For more details, see Location and geofence.

On devices that are not fully managed, location data may still depend on the Cerberus Enterprise app having the required location permissions and on location services being enabled on the device.

For the global multi-device map available from the dashboard, see Dashboard location map.

Loading and no-data state

• While location data is loading, the panel shows a loading overlay on the map.
• If the device has no location data available, the panel shows a message stating No location data available together with a reminder to enable location reporting in the assigned policy.
• If a date filter is active and no samples match it, the panel shows No data available in the selected date range.

Location tab

Open the Location tab to inspect the history for a single device. The available filters include the last known location, recent history ranges, a custom date range, and live tracking.

• Last: shows the last known location.
• Today, Last 7 days, and Last 30 days: show recorded locations for the selected period.
• Search: lets you choose a custom date range.
• Live: starts or stops live tracking for the current device.

Marker details

When you click a location marker, an information window opens with:

• The timestamp of the location record.
• The reported accuracy (in meters).
• The reported speed, when the device provides it.
• The reported heading or bearing, when the device provides it.

Accuracy circle

When the information window is open, an accuracy circle is displayed around the marker. The circle radius corresponds to the reported accuracy (in meters). Closing the information window hides the circle.

Live tracking

In the device history view, selecting the Live filter starts a real-time tracking request for that specific device. Cerberus Enterprise asks for confirmation before starting the request.

• Live tracking runs for up to 15 minutes.
• The device shows a notification while live tracking is active.
• While live tracking is active, the panel keeps refreshing the latest location and the live indicator stays visible.
• Selecting the live filter again lets you stop live tracking before the timeout ends.

Geofence tab

On Android devices, the second tab shows geofence transitions generated from the geofences defined in the assigned policy. This tab is available when geofence data exists for the device.

• The map shows the current geofence areas together with the recorded transition points.
• The transition list on the right lets you inspect enter and exit events.
• The available filters are Today, Last 7 days, Last 30 days, and a custom date-range search.
• Include archived also shows transitions related to old geofence definitions that are no longer present in the current policy.

Geofence transition details

Selecting a transition opens its details on the map and highlights the corresponding list entry. When available, Cerberus Enterprise also shows the device coordinates and reported accuracy for that transition.

Dashboard location map

The dashboard location map provides a global view of the latest known position of devices that are reporting location data. Open it from Dashboard to review multiple devices on the same Google map.

Prerequisites

A device appears on this map only when location reporting is enabled in its assigned policy. To enable it, open the policy and turn on Location and geofence → Report location. For more details, see Location and geofence.

On devices that are not fully managed, location data may still depend on the Cerberus Enterprise app having the required location permissions and on location services being enabled on the device.

For the per-device history and geofence transitions available in the device editor, see Location map.

Loading and no-data state

• While location data is loading, the map shows a loading overlay.
• If no devices currently have location data available, the page shows a No location data available message.

Markers and clusters

Each device with available location data is shown as a marker. When many devices are close together, markers are clustered automatically to keep the map readable.

Devices that are currently in live tracking are highlighted with an animated marker so they are easier to spot on the map.

Map controls

When the map contains device locations, Cerberus Enterprise shows action buttons in the top-right corner of the map.

• Current location: uses your browser location to move the map to your current position and fit the reported accuracy area.
• Recenter map: fits the map again around the currently displayed device markers.
• Tracked live-tracking pill: appears when one or more devices are being live tracked and shows how many are currently active.
• Stop all live tracking: the icon button inside the live-tracking pill stops live tracking for all currently tracked devices after confirmation.

Marker details

Clicking a marker opens an information window with:

• The device Model and internal Id.
• The timestamp of the latest reported location.
• The reported accuracy in meters.
• The reported speed, when available.
• The reported heading or bearing, when available.

The device identifier in the information window is a link that opens the corresponding Device overview page.

Info window actions

Each information window also includes action buttons for the selected device.

• Device link: the device name and Id at the top of the info window open the corresponding device overview page.
• Zoom in: centers the map on the selected device and fits the reported accuracy circle more closely around it.
• Live: starts live tracking for that device. If live tracking is already active, the same button stops it after confirmation.
• Live tracking active: when present, this status line indicates that the selected device is already being tracked in real time.

Accuracy circle

When a marker is selected, the map displays an accuracy circle around the location. The radius of the circle matches the reported accuracy.

Live tracking behavior

Starting live tracking from an information window sends a real-time tracking request to that device. Cerberus Enterprise then refreshes the map automatically while the session is active.

• Each live tracking session runs for up to 15 minutes.
• The device shows a notification while live tracking is active.
• Live tracking can be stopped either from the selected device info window or from the global Stop all live tracking button on the map.

Private apps

From this section of the dashboard, you can upload your own private Android apps or create web apps to distribute on your devices.

The only details you need to provide are an app's title and APK. Private apps are automatically approved for your organization and are typically ready for distribution within 10 minutes. You can upload a total of 15 private apps per day. Note that web apps also count towards this total.

The first time you publish a private app, you'll need to provide an email address to receive notifications from the Play Console about your apps and Google Play developer account. Also, managed Play automatically creates a Play Developer account on behalf of your organization. You don't need to pay a registration fee for this account.

Private apps published from the iframe:

• Aren't subject to the same checks as other apps. As a result, they can't be converted to public apps.
• Are non-transferrable. You can't transfer ownership of an app to a different Play Developer account.

For more details please visit the Managed Google Play Help 

Certificate management

The dashboard includes a Certificates section to import, view, and delete certificates. Clicking a certificate row opens the certificate editor.

Certificates list

Certificates are displayed in a sortable, paginated table. The list includes both client certificates and Certificate Authorities (CA).

Filters

At the top of the page you can enable filters using the chip list. Some filters are mutually exclusive.

• All: show all certificates.
• Client: show client certificates only.
• Certificate Authority (CA): show CA certificates only.
• Search: shows a text field (label Name or filename) to search by certificate name or imported filename.
• Without user: show client certificates not associated with any user.

Table columns

• Name
• Type
• Expiration
• User (shown for client certificates)
• Imported filename
• Import date

Actions

• Open certificate: click a row to open the certificate editor.
• Delete certificate: available only when the certificate is not associated with users/policies and is not used by devices. The action can also be disabled when the license is expired.
• Multi-row selection: you can enable multi-row selection to delete multiple certificates at once. Only deletable certificates can be selected.
• Refresh: reload the certificates list.

Import certificates

To import certificates, click Import certificate and select one or more files. Supported formats are shown in the tooltip of the import button.

Clients

Supported format: Base64-encoded PKCS#12 (.p12 / .pfx).

Client certificates identify a user or a device on the enterprise network. Client certificates can be associated with a specific user.

Each client certificate can be optionally assigned to a specific user: this allows deploying the same Wi‑Fi EAP configuration on many devices. You can do that in the policy's network configuration section, using the EAP credentials from users option.

Alternatively, you can assign a certificate to a user from the Users page.

Certificate Authorities (CA)

Supported formats: Base64-encoded X.509 (.crt / .pem / .cer / .der).

CA certificates identify a Certificate Authority and indicate to the device that any certificates issued by the CA should be trusted. The dashboard validates that an imported X.509 certificate is a CA.

Certificate editor

When you open a certificate, the editor shows its main fields and a read-only Certificate information panel.

Main fields

• Name (required)
• Id (read-only)
• Type (read-only)
• Expiration (read-only)
• Import date (read-only)
• Imported filename (read-only)

User association (client certificates)

For Client certificates, the editor shows a User field. If a user is assigned, a menu allows you to Open user, Change user, or Disassociate user. If no user is assigned, you can assign one using the user action button.

Delete certificate

The delete action is disabled when the certificate is currently associated with a user or used in policies. It can also be disabled when the license is expired.

Devices

Devices

The Devices section of the dashboard (Dashboard → Devices) lists all enrolled devices in your account. From this page, you can filter the list, open a device record, and perform device actions such as disabling or disenrolling.

Filters

At the top of the page you can enable one or more filters using the chip list. Selected chips represent the currently active filters.

Available filters

• All: show all devices.
• Android: show Android devices only.
• Apple: show Apple devices only.
• Company-owned: show company-owned devices only.
• Personally-owned: show personally-owned devices only.
• Profile owner: show Android work profile devices only.
• Device owner: show Android fully-managed devices only.
• Active: show devices in active state.
• Compliant: show devices that are policy-compliant.
• Not compliant: show devices that are not policy-compliant.
• Secure: show devices with a secure posture.
• Not secure: show devices with a non-secure posture.
• Policy not updated: show devices that have pending policy changes.
• Status not updated: show devices that have not reported status in the last 72 hours.
• Apps error: show devices whose apps have sent error feedback.
• Search: enable a text search field.

Search

When you enable the Search filter, a text field appears with the label Id, Model or User. The list is updated automatically after you stop typing.

Device table

Devices are displayed in a sortable, paginated table. Clicking a row opens the device editor.

Columns

• Id: internal device identifier.
• MDM: platform (Android or Apple).
• Model: device model.
• Ownership: company-owned or personally-owned (with tooltip details).
• Management mode: management mode (with tooltip details).
• Policy: currently assigned policy.
• User: associated user (name, email, or id depending on availability).
• Last status report: most recent status report timestamp (when available).
• State: device state (with tooltip details).
• Compliance: compliance status indicator.
• Security: security posture (with tooltip details).
• Apps error: apps error indicator.

Refresh and pagination

• Use the refresh action to reload the list.
• The table is paginated (10/25/50 items per page).

Device actions

Each device row can provide actions, depending on the platform and device state. Some actions are disabled when your license is expired or terminated.

Per-device actions

• Disable device / Enable device: available for Android devices in supported states.
• Disenroll device: removes management. On Android this can wipe the work profile or factory reset (depending on ownership); on Apple this removes policy settings.
• Delete device: available for devices that were already disenrolled (removes the record from the system).

Multi-row selection

You can enable multi-row selection from the action bar below the table. When enabled, you can select multiple rows and apply bulk actions (disable, enable, disenroll, or delete), depending on which devices are selected.

Apple Business Manager sync

If Apple Management is configured and an Automated Device Enrollment token is present, the page may show the Sync from ABM action to import devices from Apple Business Manager.

Enroll a device

Use Enroll a device to open the Enrollment tokens section and start enrolling a new device.

Users

Users

The Users section of the dashboard (Dashboard → Users) lists all users configured in your account. From this page, you can search for users, open the user editor, create new users, and delete users that are not currently associated with devices.

Search

At the top of the page there is a search field with the label Search and the placeholder Name, username or email. The list updates automatically after you stop typing.

Users table

Users are displayed in a sortable, paginated table. Clicking a row opens the user editor.

Columns

• Id: internal user identifier.
• First name: user first name.
• Last name: user last name.
• Username: username (often a directory username).
• Email: user email address.
• Devices: number of devices currently associated with the user.
• WiFi certificate: indicator showing whether a Wi‑Fi certificate is assigned to the user.

Refresh and pagination

• The refresh action reloads the list.
• The table is paginated (10/25/50 items per page).

User actions

Create new user

Use Create new user to open the user creation dialog. This action is disabled when your license is expired.

Sync from Google Workspace

If Google Workspace directory sync is available for your account, the page shows Sync from Google Workspace. When you start a sync, a progress indicator is shown while the request is running.

Delete a user

You can delete a user only when the user is not associated with any device (the Devices column must be 0). The delete action is disabled when your license is expired or terminated.

Multi-row selection and bulk deletion

From the action bar below the table you can enable multi-row selection. In this mode you can select multiple users and delete them in bulk.

• Eligibility: only users with Devices = 0 can be selected for deletion.
• Select all: the All checkbox selects all eligible rows on the current page.
• Bulk delete: Delete selected users is disabled when no rows are selected, or when your license is expired or terminated.

Wi‑Fi certificates and EAP

The WiFi certificate column shows whether a certificate is currently assigned to a user. User certificates are typically used for Wi‑Fi EAP (for example EAP‑TLS) configurations. For certificate assignment and management, see Certificate management.

User editor

The user editor is available from Dashboard → Users by clicking a user row. It lets you edit user details, configure per-user Wi‑Fi EAP credentials, and view the user’s associated devices.

User details

The top section contains the user’s main fields. Some fields are required and the editor shows validation errors when they are missing or invalid.

• Id: read-only identifier.
• First name: required.
• Last name: required.
• Username: required.
• Email: required and must be a valid email address.
• Telephone number: optional.
• Google account: optional and must be a valid email address when provided.

Google Authentication Default Policy

In Google Workspace environments with Google Authentication enabled, the editor can show Google Authentication Default Policy. This is the policy applied to devices enrolled using Google Authentication by this user.

• Change policy: opens the policy selection dialog.
• Open policy: opens the selected policy in the policy editor (when a policy is set).
• After selecting a new default policy, you must save the user to apply the change. The editor shows a notification reminding you to save.

Wi‑Fi EAP credentials

The WiFi EAP credentials section is used to configure per-user credentials that are automatically installed on the user’s devices when their assigned policy contains a Wi‑Fi EAP configuration that requires them. The Wi‑Fi EAP configuration is part of the Android policy network configuration.

Client certificate

You can optionally assign a client certificate to a user. When a certificate is assigned, it is shown in the Client certificate field and a menu provides actions. When no certificate is assigned, the field shows No certificate assigned and you can assign one.

• Assign certificate: opens the certificate selection dialog.
• Open certificate: opens the certificate editor.
• Change certificate: selects a different client certificate.
• Disassociate certificate: removes the certificate from the user. The system also removes the certificate from all devices associated with this user.

For certificate import and management, see Certificate management.

Identity, anonymous identity, and password

• Identity: identity of the user. For tunneling outer protocols (PEAP, EAP‑TTLS) this is used inside the tunnel.
• Anonymous identity: used for tunneling outer protocols as the identity presented outside the tunnel. When not specified, it defaults to an empty string.
• Password: the user password for EAP methods that require it. If not specified, the device can prompt the user. A show/hide action toggles password visibility.

Associated devices

The Associated devices section shows the list of devices currently linked to the user. If the user has one or more associated devices, the user cannot be deleted.

Save and delete

• Save user: enabled only when the form is valid, there are pending changes, and the license is active. A progress indicator is shown while saving.
• Delete user: disabled when the user is associated with devices or when the license is expired/terminated. When deletion is allowed, a confirmation dialog is shown. If the user is assigned to enrollment tokens, the dialog warns that devices enrolled with those tokens will no longer be assigned to a user.

Unsaved changes warning

If you have unsaved changes and try to leave the page, the dashboard asks whether you want to discard the changes.

Account

Settings

The Settings page (Dashboard → Settings) summarizes account and license information, and provides actions to manage billing, platform setup (Android Management and Apple Management), and optional directory/token integrations.

License banner (expiring / expired)

When your license is expiring, expired, or terminated, a prominent banner is shown at the top of the page. Depending on your subscription state, it provides either a Manage billing action (Stripe customer portal) or a Buy license action.

When the license is expired, the account becomes limited to device disenrolling only. After the grace period, the account may be canceled and devices can be automatically disenrolled.

Account information

The Account Information card shows read-only fields:

• Username
• Enterprise name
• Enterprise id

Change password

If you are not signed in with Google or Apple, the card also shows a Change password action. This opens a dialog to continue with the password change flow.

License information

The License Information card shows the current license state and your device limit. It also provides actions to contact sales and to manage billing or buy a license.

• License status: shown as Active or Expired (with an icon badge and tooltip).
• Free trial: shown when the account is currently in trial mode.
• Licensed devices: maximum number of devices allowed by the license. The need more devices? link opens a message to contact support.
• Next scheduled renewal: shown for active subscriptions that renew automatically. Otherwise the card shows the Expiration date.

Android Management

The Android Management card shows Android Management status for your enterprise. If Android Management is not configured yet, the card provides a Setup Android Management action that opens the setup flow.

Configured state

When Android Management is configured, the card can show:

• Management id
• Synced with Google Workspace (badge shown when directory sync is active)
• Managed Google Play account settings (link to Google Play admin settings, when applicable)
• Google Admin Console (link, when applicable)
• Sync with Google Workspace (shown when directory sync is not configured; opens the instructions panel at the bottom of the page)

Apple Device Management

The Apple Device Management card shows Apple device management (MDM) status for your enterprise. If Apple management is not configured yet, the card provides a Setup Apple Management action that opens the setup flow.

Configured state

When Apple management is configured, the card can show:

• Apple id
• Apple Push Certificate expiration: shows the expiration date and an icon badge. If the certificate is expiring/expired, the badge is clickable and opens renewal instructions.
• ABM Token expiration: shows the Apple Business Manager token expiration (with a clickable badge when action is required).
• VPP Token: shows organization name and expiration for the Apple Volume Purchase Program token (with a clickable badge when action is required).
• Apple Business Manager Portal: link shown when an ABM token is present.
• Sync with Apple Business Manager and Sync with Apple Volume Purchase Program: shown when tokens are missing.

Apple management requires the APNs certificate setup. If needed, see Apple Management setup (APNs).

Preferences & Privacy

The Preferences & Privacy card contains a marketing preference toggle and links to the Terms of Service and Privacy Policy. Use Save preferences to apply changes (a progress indicator is shown while saving).

Send feedback

When subscriptions are enabled for the account, the page can show a Send feedback card with links to: Make a feature request and external review platforms.

Inline setup and renewal instructions

At the bottom of the page, the dashboard can show expandable instruction panels depending on the current state (for example when a certificate/token is missing or expiring).

Renew Apple Push Certificate (APNs)

When the APNs certificate is expiring or expired, the page shows a panel with steps to download a CSR, renew the certificate on Apple’s portal, and upload the new certificate into Cerberus Enterprise.

Sync with Apple Business Manager (ABM)

When the ABM token is missing, expired, or expiring, the page shows a panel with steps to download a token from Apple Business Manager and upload it into Cerberus Enterprise.

Sync with Apple Volume Purchase Program (VPP)

When the VPP token is missing, expired, or expiring, the page shows a panel with steps to download a content token from Apple Business Manager and upload it into Cerberus Enterprise.

Sync with Google Workspace

When Google Workspace directory sync is not configured, the page shows a panel that explains the integration and provides an authorization button. It also lists the required Google OAuth scope: https://www.googleapis.com/auth/admin.directory.user.readonly.

For initial Android setup, see Android Management setup.

Multi-tenancy

Multi-tenancy overview

The Multi-tenancy section is available to MSP and enterprise manager accounts that manage multiple customer enterprises from a single login. This chapter explains the enterprise scope model, enterprise switching, managed enterprise administration, and sub-accounts.

To request a multi-tenancy account, contact enterprise@cerberusapp.com.

Core concepts

• Main multi-tenancy account: the primary manager account that can access the global multi-tenancy workspace.
• Sub-account: a delegated manager account created by the main account, with selectable enterprise assignments.
• Selected enterprise context: the active enterprise currently open in the dashboard for day-to-day operations.
• Delegation: permission granted by an enterprise owner that allows a manager account to enter and manage that enterprise.

Navigation model

When no enterprise context is selected, the side navigation shows multi-tenancy areas such as Enterprises and, for main accounts, Sub-accounts. After entering an enterprise, the dashboard switches to the standard single-enterprise navigation (Home, Users, Devices, Enrollment, Policies, and more).

Ownership and delegation

Each managed enterprise has an owner. The owner can always access that enterprise. Non-owner manager accounts can access an enterprise only when delegation is granted.

Owner and delegation state are shown directly on enterprise cards to make access scope explicit before entering an enterprise.

License and billing actions

Multi-tenancy views expose license status, device limits, and enterprise billing actions. Depending on enterprise subscription state and your permissions, the card can show Manage billing or Buy license.

For enterprises created by a multi-tenancy account, licensing is managed by multi-tenancy users. The main account can always manage licensing, while sub-accounts can manage licensing only when the main account enables Can manage license for that sub-account.

Pages in this chapter

• Managed enterprises: search, filters, card details, and enterprise creation.
• Enterprise switching: top switcher behavior and scope transitions.
• Sub-accounts: delegated operators, assignments, and credentials management.

Managed enterprises

The Enterprises page (Dashboard → Enterprises) is the control center for managed enterprise access. It lists all enterprises visible to your multi-tenancy account and lets you filter, inspect ownership/delegation, enter an enterprise context, and create new managed enterprises (main accounts only).

Search and filters

• Search enterprise: filters by enterprise name or enterprise ID.
• Delegation: All, Delegated, or Not delegated.
• License status: All, Valid, Expiring, Expired, or Terminated.

Enterprise cards

Each enterprise card shows key management metadata:

• License status with icon badge and contextual tooltip.
• Licensed devices (enterprise device limit).
• Next scheduled renewal or Expiration date, depending on subscription state.
• Delegation state (Owner, Granted, or Not granted).
• Owner display name and username.

Recently selected enterprises

Enterprises that you accessed recently are pinned to a Recently selected section to speed up repeated context switching.

Enterprise actions

• Enter enterprise: opens the selected enterprise context when delegation/ownership allows access.
• Manage billing: opens enterprise billing management when available and permitted.
• Buy license: opens enterprise purchase flow when billing is not active.

Who can manage licenses

For enterprises created by a multi-tenancy account, license management is controlled by multi-tenancy users. The main account can always manage billing and license actions for those enterprises.

Sub-accounts can manage billing and license actions only if the main account grants the Can manage license permission in the Sub-accounts page.

Create managed enterprise

Main multi-tenancy accounts can expand Create managed enterprise from the bottom action area.

• Enterprise name is required.
• Create per-enterprise admin user controls ownership mode.
• When enabled, Admin username (email format) and Admin name are required.
• Before creation, a confirmation dialog summarizes the operation and, when applicable, warns that temporary credentials are sent by email to the new admin user.

Ownership mode

• Per-enterprise admin enabled: the new admin user owns the enterprise and can delegate management to your multi-tenancy account.
• Per-enterprise admin disabled: the enterprise is owned directly by your multi-tenancy account.

Enterprise quota

If the account reaches the configured enterprise quota, creation is blocked and the form shows a support contact message with current and maximum enterprise count.

When the enterprise quota is reached, you cannot create additional managed enterprises until your limit is increased.

Enterprise switching

The enterprise switcher in the top toolbar lets multi-tenancy users move between delegated enterprises without logging out. It is available when at least one enterprise context can be selected.

Switcher behavior

• The trigger shows the current enterprise name (or enterprise ID if no name is available).
• The menu lists delegated/accessible enterprises and marks the current enterprise as already selected.
• During switching, switcher actions are temporarily disabled to prevent concurrent scope changes.

Exit enterprise

The switcher menu includes Exit enterprise, which clears the current enterprise context and returns you to the global multi-tenancy workspace.

Context reset rules

Switching enterprise or exiting enterprise resets the dashboard scope. Enterprise-specific pages and data refresh for the newly selected context, and menu visibility adapts to whether an enterprise is currently selected.

Use the switcher for fast operational context changes, but verify the selected enterprise name before running sensitive actions such as policy updates or device commands.

Sub-accounts

The Sub-accounts page (Dashboard → Sub-accounts) is available to main multi-tenancy accounts. It lets you create delegated manager users, assign managed enterprises, control billing permissions, and maintain sub-account credentials.

Sub-account list

Each sub-account card shows identity and management controls:

• Name and username/email.
• Managed enterprises multi-select assignment.
• Can manage license permission toggle.
• Reset password and Delete actions.

Managed enterprises assignment

Enterprise assignments are edited through the Managed enterprises multi-select field. When you close the selector after changes, the dashboard asks for confirmation before saving updates.

License management permission

The Can manage license toggle controls whether a sub-account can access enterprise billing/license management actions.

For enterprises created by the multi-tenancy account, the main account always has license management rights. Sub-accounts receive license management rights only when this toggle is enabled by the main account.

Password reset

Reset password generates a new temporary password and sends it to the sub-account by email after confirmation.

Delete sub-account

Deleting a sub-account requires confirmation and permanently removes delegated access for that account.

Create sub-account

Use the bottom action panel Create sub-account to add a new delegated manager.

• Email: required and validated as email format.
• Name: required display name.
• Can manage license: optional initial billing permission.
• Before creation, a confirmation dialog warns that a temporary password email is sent to the provided address.

Insights

Here are some articles that delve into how MDM can help your business:

What is Kiosk Mode? A Guide to Locking Down Android & Apple Devices for Business

Kiosk mode turns standard phones and tablets into focused business tools. Cerberus Enterprise helps organizations lock devices to one app or a small approved set of apps for use cases such as retail POS, guest-facing check-in, and fleet navigation, while keeping those specialized devices easier to secure, support, and manage at scale.

How to Choose the Right MDM Solution: A 7-Point Checklist for Small Businesses

Choosing MDM late in the buying process is easier when the comparison stays practical. This checklist helps small businesses evaluate vendors across the seven criteria that usually matter most in real deployments: security, Android and Apple support, ease of use for lean teams, scalability, privacy boundaries, total cost of ownership, and day-to-day supportability.

Creating a Safe and Focused Digital Classroom: A Guide to MDM for K-12 Schools

School-managed devices work best when they stay centered on learning. Cerberus Enterprise helps K-12 organizations keep student devices focused through managed apps, kiosk-style restrictions, standardized shared or loaned device setups, and remote recovery actions that reduce loss, drift, and classroom disruption.

Equipping Your Field Technicians: How MDM Boosts On-Site Efficiency and Security

Field technicians depend on mobile devices for schedules, service notes, technical references, customer history, and job updates while working on site. Cerberus Enterprise helps keep those devices ready through managed apps, standardized device models, remote support commands, and location-aware visibility that can improve dispatch coordination while strengthening security in the field.

Beyond the Map: Using MDM for Smarter Fleet Management and Driver Safety

Fleet operations rely on mobile devices for navigation, dispatch, messaging, logging, and field execution. Cerberus Enterprise helps keep those devices focused on approved workflows through managed apps, kiosk and dedicated-device controls, secure communication policies, remote troubleshooting, and location-aware supervision that can reduce downtime and support safer driving operations.

How Geofences, Live Tracking, and Location Maps Improve Enterprise Operations

Location-aware features in Cerberus Enterprise help organizations move from simple device visibility to more practical operational control. Periodic location reporting, live tracking, geofence transitions, and interactive maps can support logistics, field service, healthcare, retail, construction, and other distributed teams that need better insight into where work is happening and when devices enter or leave important areas.

How Multi-Tenancy Helps MSPs Scale MDM Services and Create New Revenue Streams

Multi-tenancy allows MSPs, resellers, and multi-company organizations to manage multiple enterprises from a single Cerberus Enterprise account while keeping each environment separate. This model reduces operational friction, improves service scalability, and supports delegated access through sub-accounts and explicit customer-controlled administration. It also creates stronger business opportunities for providers that want to combine software licensing with onboarding, support, compliance, and managed mobility services.

Enhancing Enterprise Operativity with MDM Solutions

Mobile Device Management centralizes control of company devices, simplifying enrollment, configuration, and maintenance. Automated provisioning and bulk operations reduce manual IT work and ensure consistent policies across all devices. Security features such as encryption, compliance monitoring, and remote wipe protect corporate data. Overall, MDM improves productivity while reducing support costs and operational complexity.

Advanced Security in Android Enterprise Management

Android Enterprise uses a work profile to isolate corporate apps and data from personal content on the same device. This containerization creates separate encrypted environments managed independently by IT administrators. Security policies can control corporate data sharing without affecting personal apps. The architecture protects business data even if personal applications are compromised.

Apple iPhone MDM and Automated Enrollment

Apple's MDM framework enables centralized management of iPhones in enterprise environments. Combined with Apple Business Manager, devices can automatically enroll and configure themselves when first activated. Administrators can silently deploy and configure corporate apps, enforce security settings, and monitor compliance. This automation ensures consistent device configuration and reduces setup errors.

Understanding Mobile Device Management

Mobile Device Management provides a centralized platform to monitor, secure, and control mobile devices accessing corporate systems. Core capabilities include enforcing security policies, managing applications, and remotely locking or wiping lost devices. MDM helps protect corporate data while maintaining device compliance. It enables organizations of any size to securely manage growing mobile workforces.

Enterprise Device Deployment Models

Organizations can adopt multiple device ownership models such as BYOD, CYOD, COPE, COBO, and COSU. Each model balances cost, user flexibility, and security control differently. BYOD prioritizes user convenience, while COBO and COSU maximize corporate control and security. Choosing the correct model depends on regulatory requirements, workforce needs, and IT management capacity.

MDM vs. EMM vs. UEM

MDM focuses on managing and securing mobile devices through policy enforcement, configuration control, and remote management. EMM expands this scope to include application and content management, while UEM attempts to manage all endpoints including laptops and desktops. For many SMBs, full EMM or UEM suites add unnecessary complexity. In practice, robust MDM capabilities often meet most mobile management requirements.

MDM on Personal Phones and Employee Privacy

Modern MDM systems use containerization to separate work and personal data on employee-owned devices. Employers can only manage and monitor the work environment, including corporate apps and device compliance information. Personal data such as photos, messages, and browsing history remain inaccessible to the company. This technical separation enables secure BYOD programs while preserving employee privacy.

MDM ROI and Business Value

MDM should be evaluated as a strategic investment rather than a simple security expense. It generates financial returns through reduced device loss, lower IT support costs, and improved operational efficiency. Automated management also increases employee productivity and reduces downtime. Additionally, stronger security reduces the risk and financial impact of data breaches.

HIPAA-Compliant Device Management

Healthcare organizations must protect electronic patient data according to HIPAA security requirements. MDM helps enforce encryption, authentication controls, secure data transmission, and detailed audit logs. It also enables remote wipe and centralized policy enforcement for devices accessing medical systems. These controls reduce compliance risks while enabling mobile workflows in healthcare environments.

MDM for Retail Operations and Security

Retail organizations rely on mobile devices for POS systems, inventory management, and in-store operations. MDM ensures these devices remain secure, updated, and compliant with standards such as PCI-DSS. Centralized management reduces downtime and simplifies device deployment across multiple locations. The result is improved operational efficiency and reduced risk of payment-related security incidents.