# User manual

Documentation for Cerberus Enterprise MDM

# Introduction

Cerberus Enterprise is a comprehensive EMM solution, designed to help you secure and manage your Android and Apple devices. It has all the right features for effective management of BYOD and company-owned devices in a clean and user-friendly dashboard, and you can get started in minutes.

To effectively use Cerberus Enterprise, you need to understand some key concepts about how the system works.

The system supports both Android and Apple device management:

On Android, Cerberus Enterprise uses Google's official [Android Management API](https://developers.google.com/android/management) to manage devices through the [Android Device Policy](https://support.google.com/a/users/answer/9453213) app (ADP). Most settings are enforced directly by ADP. Some optional features may also require the Cerberus Enterprise companion app, which extends what is possible beyond ADP alone.

On Apple devices, Cerberus Enterprise manages devices through Apple MDM (Mobile Device Management). Apple management requires an APNs certificate and can optionally integrate with Apple Business Manager for automated enrollment and app licensing.

Each device can be **enrolled** in the system using an [**Enrollment token**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/enrollment-tokens "Enrollment tokens") or an [**Enrollment profile**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/apple-manual-enrollment-enrollment-profile "Apple manual enrollment") (Apple manual enrollment). The enrollment method is associated with a [**Policy**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/policies-overview "Policies") that contains the rules that should be applied to devices.

<p class="callout info">IT admins can change the policy associated with a device after enrollment. However, each device can be associated with only one policy at a time.</p>

During the enrollment (provisioning) process, the required management components are installed and configured automatically. On Android, this typically includes the Android Device Policy app (and, depending on your configuration, the Cerberus Enterprise companion app). On Apple devices, management is applied through MDM once the device is enrolled. Consequently, the corresponding policy is automatically applied to the device, and all associated rules are enforced by the platform management system.

<p class="callout info">A policy can be applied to many devices. In this case, when you modify the policy, all the associated devices will receive the changes.</p>

# Setup

# Android Management setup

 To manage Android devices with Cerberus Enterprise, you must first connect your organization to Google Android Enterprise.

<p class="callout info"> The setup process usually takes a few minutes and requires a **work email address** (for example, *name@enterprise.com*). </p>

## What happens during setup

- You will be redirected to Google Android Enterprise.
- You sign in with your work email address.
- Google creates the Android Management account for your organization.
- You are redirected back to Cerberus Enterprise to complete the setup.

## Important information

 Make sure to use a work email address, not a personal Gmail account. This email is used to create your Google Admin account for Android Management.

## Next steps

 After completing the setup, create an [**Enrollment token**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/enrollment-tokens "Enrollment tokens") and choose the appropriate provisioning method for the device.

# Apple Management setup (APNs)

 To manage Apple devices, Cerberus Enterprise requires the Apple Push Notification service (APNs) certificate.

<p class="callout info"> Use the Apple ID associated with your organization. The APNs certificate is valid for one year and must be renewed annually to continue managing devices. </p>

## Step 1: Download the CSR file

 In the dashboard, start the Apple Management setup and download the Vendor-Signed Certificate Signing Request (CSR) file generated by Cerberus Enterprise.

## Step 2: Create the Push Certificate on the Apple portal

- Sign in to the Apple Push Certificates Portal with your Apple ID.
- Click *"Create a Certificate"*.
- Upload the CSR file from Step 1.
- Download the created Push Certificate.

 Portal link: [https://identity.apple.com/](https://identity.apple.com/ "Apple Push Certificates Portal")

## Step 3: Upload the Push Certificate

 Upload the Push Certificate you downloaded from Apple back into Cerberus Enterprise to complete the setup.

<p class="callout warning"> If the APNs certificate expires, Apple device management will stop working until the certificate is renewed. </p>

## Next steps

 After APNs is configured, you can proceed with Apple device enrollment. Continue with [**Apple provisioning overview**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/apple-provisioning-overview "Apple provisioning overview").

# Device provisioning overview

 Cerberus Enterprise supports device management for both Android and Apple platforms. You can configure either platform independently, depending on the devices you need to enroll.

## 1. Complete platform setup in the dashboard

 Before enrolling devices, complete the platform setup in the Cerberus Enterprise dashboard. If your account is not configured yet, the dashboard will guide you through the required steps.

### Android setup (Google Android Enterprise)

 For the complete Android setup procedure, read [**Android Management setup**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/android-management-setup "Android Management setup").

- Go to the dashboard Signup flow and select **Setup Android Management**.
- You will be redirected to Google to sign in with a **work account** and authorize Android Enterprise.
- After authorization, you will be redirected back to Cerberus Enterprise to complete the setup.

### Apple setup (APNs push certificate)

 For the complete Apple setup procedure, read [**Apple Management setup (APNs)**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/apple-management-setup-apns "Apple Management setup (APNs)").

- Go to the dashboard Signup flow and select **Setup Apple Management**.
- Download the CSR file from Cerberus Enterprise.
- Create the APNs certificate in the Apple Push Certificates Portal and download the resulting certificate.
- Upload the downloaded certificate back into Cerberus Enterprise to enable Apple device management.

## 2. Enroll devices

 After completing platform setup, choose the enrollment method that matches your device ownership model and the OS.

### Android enrollment

 For Android, enrollment is driven by [**Enrollment tokens**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/enrollment-tokens "Enrollment tokens"). Select the appropriate method depending on whether the device is personally-owned or company-owned.

- Personally-owned (BYOD / work profile): [follow this guide](https://enterprise.cerberusapp.com/docs/books/user-manual/page/personally-owned-devices "Personally-owned devices").
- Company-owned (work and personal use / work profile): [follow this guide](https://enterprise.cerberusapp.com/docs/books/user-manual/page/company-owned-devices-for-work-and-personal-use "Company-owned devices for work and personal use").
- Company-owned (work use only / fully managed or dedicated): [follow this guide](https://enterprise.cerberusapp.com/docs/books/user-manual/page/company-owned-devices-for-work-use-only "Company-owned devices for work use only").
- Zero-touch: [follow this guide](https://enterprise.cerberusapp.com/docs/books/user-manual/page/zero-touch "Zero-touch").

### Apple enrollment

 For Apple, start by completing the APNs setup described above, then follow the Apple provisioning guides: [**Apple provisioning overview**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/apple-provisioning-overview "Apple provisioning overview").

# Device Provisioning - Android

# Supported devices

In general, any device running Android 6+ with Google Play Services is compatible with Cerberus Enterprise.

For a better user experience, we suggest using devices that meet the [Android Enterprise Recommended](https://androidenterprisepartners.withgoogle.com/devices/) requirements.

<p class="callout info">Some features are limited to specific Android versions, or may behave differently across OS versions. For more information about a specific feature, see the [Policies](https://enterprise.cerberusapp.com/docs/books/user-manual/chapter/policies-android "Policies") section of the documentation.</p>

Cerberus Enterprise supports both company-owned and personally-owned devices, and two management modes: device owner and profile owner.

**Personally-owned** devices can be managed through a **work profile**. This enables a BYOD solution by keeping employees' work data and apps separate from personal data and apps, improving both security and privacy. This option is suitable for devices already owned by employees that you want to enroll in your organization for work use.

**Company-owned** devices can also be managed through a work profile, but you can also choose the **fully managed** option, which allows stricter control over the device. Company-owned devices with a work profile are suitable when you provide corporate devices to employees for work, while still allowing personal use. Fully managed devices are better suited for devices that must be used only for work, or for **dedicated devices** (COSU, corporate-owned single-use), such as kiosks.

For more information on device provisioning, see the [Device provisioning overview](https://enterprise.cerberusapp.com/docs/books/user-manual/page/device-provisioning-overview "Device provisioning overview") page.


# Enrollment tokens

 Cerberus Enterprise uses enrollment tokens to start the Android device enrollment (provisioning) process. The token you select defines the initial policy applied to enrolled devices and influences which provisioning modes are allowed.

<p class="callout info"> The Android enrollment tokens tab is available only after completing [**Android Management setup**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/android-management-setup "Android Management setup"). </p>

## Where to find enrollment tokens

 In the dashboard, open **Enrollment tokens**. Depending on your account configuration, the page can show multiple tabs (Android tokens, Google sign-in enrollment, Apple manual enrollment, and Apple Automated Device Enrollment).

<p class="callout info"> If your Android enterprise is backed by a managed Google domain (Google Workspace), the dashboard can also show an **Authenticate Using Google Enrollment** tab. For details on enabling and using it, see [**Authenticate Using Google enrollment**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/authenticate-using-google-enrollment "Authenticate Using Google enrollment"). </p>

## Enrollment tokens list (Android)

 The Android tokens tab shows a table of all tokens. Clicking a row opens the token details page.

### Columns

- **Id**: internal token identifier.
- **Status**: **Available**, **Used** (one-time token already used), or **Expired**.
- **Expiration**: expiration date/time, or **Never**.
- **Policy**: the policy assigned to the token (the UI tooltip also shows the policy id).
- **Personal usage**: Allowed / Disallowed / Dedicated device.
- **Allowed usages**: Multiple or One time only.
- **User**: optional user pre-assigned to devices enrolled with the token.

### Actions

- Each row has a delete action (**Delete enrollment token**). Deletion is disabled when the license is expired.
- The table supports multi-row selection: you can enable selection mode, select multiple tokens, and delete them with **Delete selected tokens**.
- Use the refresh action to reload the list. The table is paginated (10/25/50 items per page).

## Create a new enrollment token

 On the Android tokens tab, click **New enrollment token** to open the token creation page. If your license is expired, the create button is disabled.

### Token options

#### 1. Policy

**Required.** The policy automatically applied to all devices enrolled using this token. Select one of your [**Android policies**](https://enterprise.cerberusapp.com/docs/books/user-manual/chapter/policies-android "Policies"). If you don't have any policy yet, create one first.

#### 2. User

 Optional. If set, newly enrolled devices are automatically associated with this user.

#### 3. Personal usage

 Controls whether personal usage is allowed on a device provisioned with this enrollment token:

- **Allowed**: suitable for personally-owned devices (work profile) and company-owned devices for work and personal use.
- **Disallowed**: suitable for company-owned devices for work use only (fully managed).
- **Dedicated device**: suitable for kiosk/dedicated devices (device is not associated with a single user).

#### 4. Allowed usages

 Select whether the token can be used multiple times (**Multiple**) or only once (**One time only**).

#### 5. Expiration

 Select the expiration unit (**Minutes**, **Hours**, **Days**, or **Never**). When not set to Never, enter the expiration value. The allowed range depends on the selected unit and can go up to 10,000 days.

### Provisioning options (QR code only)

 These additional options are embedded into the QR code and are applied during provisioning of fully managed devices enrolled by scanning the QR code. They do not apply to work profiles or devices enrolled using the Enrollment URL or Token.

#### Wi‑Fi configuration

 Use this to let a device automatically connect to Wi‑Fi during provisioning, so it can download and initialize the management app. Available fields include **SSID**, **Hidden SSID**, **Security**, and (when needed) **Passphrase**.

 You can also configure an HTTP proxy (**Proxy**) and, depending on the mode, set **Host**/**Port**, **PAC URI**, and **Proxy bypass host**.

#### Other options

 Additional options include **Locale**, **Time zone**, and **Skip encryption**.

## Enrollment token details

 When you open a token, the details page shows the token configuration and usage information:

- **Status**, **Expiration**, **Usage**, **Personal usage**, and **Allowed usages**.
- **Token**: the raw enrollment token value (copyable).
- **Enrollment URL**: a Google Android Enterprise enrollment URL (copyable and sendable by email).
- **QR code**: shown on the right side of the page, used to enroll fully managed devices.

<p class="callout info"> For step-by-step provisioning procedures, follow the Android enrollment guides: [**Personally-owned devices**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/personally-owned-devices "Personally-owned devices"), [**Company-owned devices for work and personal use**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/company-owned-devices-for-work-and-personal-use "Company-owned devices for work and personal use"), [**Company-owned devices for work use only**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/company-owned-devices-for-work-use-only "Company-owned devices for work use only"), and [**Zero-touch**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/zero-touch "Zero-touch"). </p>
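The token status rules and the QR-code provisioning options above, as an added example that is not part of the Cerberus Enterprise dashboard or its code: it reproduces the provisioning-QR JSON format that Google documents for Android Device Policy (the same format the dashboard's QR encodes), so you can see exactly what a printed QR carries. The ADP signature checksum, the token value and the Wi-Fi/proxy details are placeholders, and `token_status`, `build_qr_payload` and `secrets_in_payload` are names of this example only.

```python
"""Build the fully managed provisioning QR payload for an enrollment token.

Added example, not the dashboard's own code. Key names are the public Android
provisioning extras Google documents for Android Device Policy; the token value,
Wi-Fi/proxy details and ADP_CHECKSUM below are constructed placeholders.
"""
import json
from datetime import datetime, timedelta, timezone

# Android Device Policy identifiers from Google's Android Management API docs.
# ADP_CHECKSUM is a PLACEHOLDER: take the current value from Google's documentation.
ADP_COMPONENT = "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver"
ADP_DOWNLOAD = "https://play.google.com/managed/downloadManagingApp?identifier=setup"
ADP_CHECKSUM = "<ADP_SIGNATURE_CHECKSUM_PLACEHOLDER>"
WIFI_SECURITY = {"NONE", "WPA", "WEP", "EAP"}
# Once the QR is printed, these keys hold credentials (Wi-Fi passphrase, enrollment token).
SECRET_KEYS = ("android.app.extra.PROVISIONING_WIFI_PASSWORD",
               "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE")


def _as_dt(value):
    """Accept an aware datetime or an ISO-8601 string; treat naive values as UTC."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    return value if value.tzinfo else value.replace(tzinfo=timezone.utc)


def token_status(expiration, one_time, used_count, now=None):
    """Mirror the dashboard's Status column: Expired, Used or Available.

    expiration: datetime/ISO string, or None for "Never"; one_time: Allowed usages
    is "One time only"; used_count: devices already enrolled with the token.
    """
    now = _as_dt(now) if now else datetime.now(timezone.utc)
    if expiration is not None and _as_dt(expiration) <= now:
        return "Expired"
    if one_time and used_count >= 1:
        return "Used"
    return "Available"


def build_qr_payload(token, wifi=None, proxy=None, locale=None, time_zone=None,
                     skip_encryption=False):
    """Return the JSON object that the fully managed provisioning QR encodes.

    wifi:  {"ssid", "security" (NONE/WPA/WEP/EAP), "passphrase", "hidden"}
    proxy: {"host", "port", "bypass"} for a manual proxy, or {"pac_uri"} for PAC.
    Work-profile provisioning ignores the Wi-Fi/proxy/locale extras entirely.
    """
    payload = {
        "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": ADP_COMPONENT,
        "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": ADP_CHECKSUM,
        "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": ADP_DOWNLOAD,
        "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
            "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": token},
    }
    if wifi:
        security = wifi.get("security", "NONE")
        if security not in WIFI_SECURITY:
            raise ValueError(f"unsupported Wi-Fi security type: {security}")
        payload["android.app.extra.PROVISIONING_WIFI_SSID"] = wifi["ssid"]
        payload["android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE"] = security
        if wifi.get("hidden"):
            payload["android.app.extra.PROVISIONING_WIFI_HIDDEN"] = True
        if security != "NONE":  # the passphrase travels in clear text inside the QR
            payload["android.app.extra.PROVISIONING_WIFI_PASSWORD"] = wifi["passphrase"]
    if proxy:
        if "pac_uri" in proxy:
            payload["android.app.extra.PROVISIONING_WIFI_PAC_URL"] = proxy["pac_uri"]
        else:
            payload["android.app.extra.PROVISIONING_WIFI_PROXY_HOST"] = proxy["host"]
            payload["android.app.extra.PROVISIONING_WIFI_PROXY_PORT"] = int(proxy["port"])
            if proxy.get("bypass"):
                payload["android.app.extra.PROVISIONING_WIFI_PROXY_BYPASS"] = proxy["bypass"]
    if locale:
        payload["android.app.extra.PROVISIONING_LOCALE"] = locale
    if time_zone:
        payload["android.app.extra.PROVISIONING_TIME_ZONE"] = time_zone
    if skip_encryption:
        payload["android.app.extra.PROVISIONING_SKIP_ENCRYPTION"] = True
    return payload


def secrets_in_payload(payload):
    """List the keys of the payload that must be treated as credentials."""
    return [k for k in SECRET_KEYS if k in payload]


if __name__ == "__main__":
    # Constructed sample: a multi-use token that expires in two days.
    status = token_status(datetime.now(timezone.utc) + timedelta(days=2), False, 3)
    if status != "Available":
        raise SystemExit(f"token is {status}; create a new one before printing a QR")
    qr = build_qr_payload("EXAMPLE_TOKEN_VALUE",
                          wifi={"ssid": "corp-setup", "security": "WPA", "passphrase": "example-pass"},
                          proxy={"host": "proxy.example.internal", "port": 3128},
                          locale="en_US", time_zone="Europe/Rome")
    print(json.dumps(qr, indent=2))
    print("credentials embedded in this QR:", secrets_in_payload(qr))
```

Because the Wi-Fi passphrase and the enrollment token sit in clear text in the QR image, a printed or emailed QR should be handled as a credential for as long as the token stays Available.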

# Personally-owned devices

Devices owned by employees can be set up with a **work profile**. A work profile provides a self-contained space for work apps and data, separate from personal apps and data. Most app, data, and other management policies apply to the work profile only, while employees' personal apps and data remain private.

To set up a work profile on a personally-owned device, use one of the following provisioning methods (ensure that the [enrollment token](https://enterprise.cerberusapp.com/docs/books/user-manual/page/enrollment-tokens "Enrollment tokens") has **Personal usage** set to **Allowed**):

#### Enrollment token link

Android version: 6.0+

You can provide the Enrollment URL to the end users. When an end user opens the link from their device, they will be guided through the work profile setup.

#### Add work profile from *"Settings"*

Android version: 6.0+

To set up a work profile on their device, a user can:

1. Go to *Settings* > *Google* > *Set up & restore*.
2. Tap *"Set up your work profile"*.

These steps initiate a setup wizard that downloads *Android Device Policy* on the device. Next, the user will be prompted to scan a QR code or manually enter an enrollment token to complete the work profile setup.

#### Download Android Device Policy

Android version: 6.0+

To set up a work profile on their device, a user can download Android Device Policy from the Google Play Store. After the app is installed, the user will be prompted to scan a QR code or manually enter an enrollment token to complete the work profile setup.

# Company-owned devices for work and personal use

Setting up a company-owned device with a **work profile** enables the device for both work and personal use. On company-owned devices with work profiles:

- Most app, data, and other management policies apply to the work profile only.
- Employees' personal profiles remain private. However, enterprises can enforce certain device-wide policies and personal usage policies.
- Enterprises can use *Block scope* to enforce compliance actions on an entire device or only its work profile.
- Device disenrolling and device commands apply to an entire device.

To set up a company-owned device with a work profile, use one of the following provisioning methods (ensure that the [enrollment token](https://enterprise.cerberusapp.com/docs/books/user-manual/page/enrollment-tokens "Enrollment tokens") has **Personal usage** set to **Allowed**):

#### QR code method

Android version: 8.0+

On a new or factory-reset device, the user (typically an IT admin) taps the screen six times in the same spot. This triggers the device to prompt the user to scan a QR code.

# Company-owned devices for work use only

**Full device management** is suitable for company-owned devices intended exclusively for work purposes. Enterprises can manage all apps on the device and can enforce the full spectrum of Android Management API's policies and commands.

It's also possible to lock a device down (via policy) to a single app or small set of apps to serve a dedicated purpose or use case. This subset of fully managed devices is referred to as **dedicated devices**.

To set up full management on a company-owned device, use one of the following provisioning methods (ensure that the [enrollment token](https://enterprise.cerberusapp.com/docs/books/user-manual/page/enrollment-tokens "Enrollment tokens") has **Personal usage** set to **Disallowed**):

#### QR code method

Android version: 7.0+

On a new or factory-reset device, the user (typically an IT admin) taps the screen six times in the same spot. This triggers the device to prompt the user to scan a QR code.

#### DPC identifier method

Android version: 5.1+

If Android Device Policy can't be added via QR code, a user or IT admin can follow these steps to provision a fully managed or dedicated device:

1. Follow the setup wizard on a new or factory-reset device.
2. Enter Wi-Fi login details to connect the device to the internet.
3. When prompted to sign in, enter **afw#setup**, which downloads Android Device Policy.
4. Scan a QR code or manually enter an enrollment token to provision the device.

# Zero-touch

IT admins can provision company-owned devices using the zero-touch enrollment method, outlined in [Zero-touch enrollment for IT admins](https://support.google.com/work/android/answer/7514005). When a device is first turned on, the device is automatically forced into the settings defined by the IT admin.

IT admins can preconfigure devices purchased from [authorized resellers](https://www.android.com/enterprise/management/zero-touch/) and manage them using the Cerberus Enterprise dashboard. To link your Zero-touch account, go to the **Zero-touch** section in the dashboard, then follow the instructions.

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 8.0+ (Pixel 7.1+) | ✓ | ✓ | ✓ |

# Authenticate Using Google enrollment

 Authenticate Using Google enrollment (also referred to as **Google Authentication for Enrollment**) lets users authenticate with their Google Workspace account during Android device enrollment.

<p class="callout info"> This feature is available only for Android enterprises backed by a managed Google domain (Google Workspace). </p>

## Where to find it

 In the dashboard, open **Enrollment tokens** and select the **Authenticate Using Google Enrollment** tab. The tab is shown only when Android Management is configured and the Google Workspace integration is available for your enterprise.

## Enable (or disable) Google Authentication

 Google Authentication is enabled from the **Google Admin console**. After changing the setting, return to Cerberus Enterprise and use **Refresh Status** to reload the current configuration.

1. Log in to your [**Google Admin console**](https://admin.google.com/) with an administrator account.
2. Open **Devices**.
3. Go to **Mobile & endpoints** → **Settings** → **Third-party integrations**.
4. Find the **Android EMM integration** for Cerberus Enterprise and open it.
5. Click **Manage EMM providers**.
6. Toggle **Authenticate Using Google** to enable or disable Google authentication for enrollment.
7. Click **Save**.
8. Return to the Cerberus Enterprise dashboard and click **Refresh Status** on the **Authenticate Using Google Enrollment** tab.

## Google Authentication Enrollment Token

 When Google Authentication is enabled, the dashboard shows a dedicated enrollment token used for this enrollment mode. The page can show a **QR code**, an **Enrollment Token** value, and an **Enrollment URL** (copyable and sendable by email).

### Key options

- **Allow Personal Usage**: controls whether the token can enroll devices for work and personal use (work profile scenarios) or work use only (fully managed / dedicated scenarios).
- **Fallback Default Policy**: the policy applied when the enrolling user does not have a specific Google Authentication default policy assigned.

### Policy interaction

The policy setting **Work account setup authentication** (workAccountSetupConfig.authenticationType) controls how users authenticate during work account setup. Note, however, that the Google Admin console setting **Authenticate Using Google** and the enrollment token type can still require authentication regardless of this policy setting.

 For already enrolled devices, this policy only applies if the device is managed by a managed Google Play account (i.e., enrolled without **Authenticate Using Google Enrollment**).

<p class="callout info"> Some actions (for example changing token options) can be disabled when the license is expired. </p>

## Enroll a device

 During enrollment, the user is prompted to authenticate with their Google Workspace account. After a successful enrollment, the device is associated with the authenticated user.

### Work profile (personally-owned devices)

- Share the **Enrollment URL** with the user. When the user opens it on their Android device, they are guided through work profile setup and Google authentication.
- Alternatively, the user can start from Android Settings and choose the work profile setup flow, then scan the QR code or enter the enrollment token when prompted.

### Company-owned devices

- **QR code method**: on a new or factory-reset device, tap the screen multiple times in the same spot until the QR code prompt appears, then scan the QR code shown in the dashboard.
- **DPC identifier method** (when QR scanning is not available): follow the setup wizard, connect to Wi‑Fi, then when prompted to sign in enter **afw#setup** and proceed by scanning the QR code or entering the enrollment token. When prompted, authenticate with the Google Workspace account.

 For general Android provisioning procedures (work profile vs fully managed), see the standard Android enrollment pages in this manual.

# Device Provisioning - Apple

# Apple provisioning overview

 Cerberus Enterprise supports enrolling and managing Apple devices. Apple provisioning requires an APNs certificate and can be performed using different enrollment methods.

## Prerequisite: configure Apple Management (APNs)

 Before enrolling any Apple device, complete [**Apple Management setup (APNs)**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/apple-management-setup-apns "Apple Management setup (APNs)").

## Choose an enrollment method

### Manual enrollment (Enrollment Profile)

 This method provides an enrollment URL and a configuration profile file (mobileconfig) that you install on the device. Read [**Apple manual enrollment**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/apple-manual-enrollment-enrollment-profile "Apple manual enrollment").

### Automated Device Enrollment (ADE)

 This method integrates with Apple Business Manager to automate enrollment for company-owned devices. Read [**Apple Automated Device Enrollment (ADE)**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/apple-automated-device-enrollment-ade "Apple Automated Device Enrollment").

<p class="callout info"> You can use manual enrollment and ADE in parallel, depending on your device fleet and purchasing process. </p>

# Apple manual enrollment (Enrollment Profile)

 Cerberus Enterprise supports manual enrollment for Apple devices using an enrollment URL and an enrollment profile file.

<p class="callout info"> Manual enrollment is available when Apple Management (APNs) is configured. If you have not completed APNs setup yet, read [**Apple Management setup (APNs)**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/apple-management-setup-apns "Apple Management setup (APNs)"). </p>

## Get the enrollment URL and profile

- Open the **Enrollment** section in the dashboard and select the **Apple manual enrollment (Enrollment Profile)** tab.
- Copy the **Enrollment URL**, or use the send-by-email action.
- Download the **Enrollment Profile** (mobileconfig file).

## How to enroll an iPhone or iPad

 iOS/iPadOS 15.0+

1. Send the enrollment profile file (*enroll.mobileconfig*) to the device, or open the Enrollment URL in Safari on the device.
2. On the device, open *Settings* → *Profile Downloaded* → *Install*, then follow the instructions.
3. After enrollment, you can verify the status in *Settings* → *General* → *VPN & Device Management* (or *Profiles & Device Management*).

<p class="callout warning"> Only install enrollment profiles that you obtained from your Cerberus Enterprise dashboard. </p>
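One way to act on the warning above before installing a profile, as an added example that is not part of the Cerberus Enterprise dashboard or its code: parse the downloaded `.mobileconfig` with Python's standard `plistlib` and confirm that its `com.apple.mdm` payload points only at the HTTPS host of your own tenant. The embedded sample profile, the host `mdm.example.com` and the function names `is_signed` and `inspect_profile` are constructed for this example; the payload keys are the standard Apple MDM profile keys.

```python
"""Inspect an Apple MDM enrollment profile (.mobileconfig) before installing it.

Added example, not the dashboard's own code. The keys are the standard Apple
MDM profile payload keys; the sample profile and the expected host are constructed.
"""
import plistlib
from urllib.parse import urlparse

# Constructed sample of an unsigned enrollment profile (XML plist). Real profiles
# from the dashboard carry your tenant's URLs and APNs topic instead.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.mdm.enroll</string>
  <key>PayloadUUID</key><string>11111111-2222-3333-4444-555555555555</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadUUID</key><string>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</string>
      <key>ServerURL</key><string>https://mdm.example.com/mdm</string>
      <key>CheckInURL</key><string>https://mdm.example.com/checkin</string>
      <key>Topic</key><string>com.apple.mgmt.External.00000000-placeholder</string>
      <key>AccessRights</key><integer>8191</integer>
    </dict>
  </array>
</dict>
</plist>
"""


def is_signed(data: bytes) -> bool:
    """A CMS-signed profile is DER, not an XML/binary plist, so plistlib can't read it.

    Verify and unwrap the signature first (for example with `openssl smime -verify`).
    """
    head = data.lstrip()[:6]
    return not (head.startswith(b"<?xml") or head.startswith(b"bplist"))


def inspect_profile(data: bytes, expected_host: str) -> dict:
    """Return the MDM payload's endpoints plus a verdict on whether they point at
    the tenant you expect over HTTPS. Raises ValueError on signed or malformed input."""
    if is_signed(data):
        raise ValueError("profile is signed; verify and unwrap the CMS envelope first")
    root = plistlib.loads(data)
    mdm = [p for p in root.get("PayloadContent", []) if p.get("PayloadType") == "com.apple.mdm"]
    if len(mdm) != 1:
        raise ValueError("expected exactly one com.apple.mdm payload")
    mdm = mdm[0]
    urls = {k: mdm.get(k) for k in ("ServerURL", "CheckInURL")}
    hosts = {urlparse(u).hostname for u in urls.values() if u}
    schemes = {urlparse(u).scheme for u in urls.values() if u}
    return {
        "profile_identifier": root.get("PayloadIdentifier"),
        "urls": urls,
        "topic": mdm.get("Topic"),
        "access_rights": mdm.get("AccessRights"),
        "hosts_match": hosts == {expected_host},  # every endpoint is your own tenant
        "https_only": schemes == {"https"},       # no plaintext MDM endpoint
    }


if __name__ == "__main__":
    report = inspect_profile(SAMPLE_MOBILECONFIG, "mdm.example.com")
    verdict = "OK" if report["hosts_match"] and report["https_only"] else "DO NOT INSTALL"
    print(verdict, report)
```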

# Apple Automated Device Enrollment (ADE)

 Automated Device Enrollment (ADE) integrates with Apple Business Manager (ABM) to automatically enroll company-owned devices when they are turned on for the first time (or after a factory reset).

<p class="callout info"> ADE requires Apple Management (APNs) to be configured first. If needed, read [**Apple Management setup (APNs)**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/apple-management-setup-apns "Apple Management setup (APNs)"). </p>

## How to enroll devices automatically

1. Add devices to your Apple Business Manager account.
2. After adding new devices to your ABM account, sync them in Cerberus Enterprise from the **Devices** section using the **Sync from ABM** action.
3. Create an ADE profile in the dashboard from **Enrollment** → **Apple Automated Device Enrollment (ADE)** → **New ADE profile**.
4. Assign an ADE profile to a device from the device details page using the **ADE profile** field.

## ADE profile settings (overview)

An ADE profile controls how the device is enrolled and how Setup Assistant behaves. In Cerberus Enterprise, an ADE profile has a name, an optional initial policy, and a set of enrollment options.

### Profile name

A human-readable name for the profile (for example, *Default ADE profile*).

### Policy

The policy initially applied to enrolled devices. You can assign a policy when creating a new ADE profile.

### Enrollment options

- **MDM removable**: controls whether the user can remove the MDM payload (the management profile) from the device.
- **Allow pairing**: controls whether host pairing is allowed (deprecated by Apple as of iOS 13).
- **Auto-advance setup**: automatically advances Setup Assistant through its screens.
- **Await device configured**: holds the device in Setup Assistant until the MDM server marks it as configured.
- **Mandatory**: the user cannot skip MDM enrollment during Setup Assistant.
- **Multi user (Shared iPad)**: configures the device for Shared iPad.
- **Supervised**: requests supervision for the device (devices enrolled through ADE on iOS 13 and later are always supervised).

<p class="callout info"> After a device has an ADE profile assigned, it is ready to be automatically enrolled. </p>

# Policies overview

The **Policies** section of the dashboard (*Dashboard* → *Policies*) lists all policies in your account and lets you create, copy, edit, and delete them.

## Policy list

Policies are displayed in a table. Clicking a row opens the corresponding policy editor.

### Columns

- **Id**: internal policy identifier.
- **MDM**: the platform for the policy (Android or Apple).
- **Name**: policy name.
- **Description**: policy description.
- **Devices**: number of enrolled devices currently assigned to the policy.

### Filters and search

- If both Android Management and Apple Management are configured, you can filter the list by **All**, **Android**, or **Apple**.
- You can enable **Search** and search by policy name or description.

### Refresh and pagination

- Use the refresh action to reload the list.
- The table is paginated (10/25/50 items per page).

## Create a new policy

At the bottom of the Policies page you can create a new policy. Depending on which platform is configured in your account, you may see one or both of these actions:

- **Create new Android policy**
- **Create new Apple policy**

<p class="callout info"> If your license has expired, policy creation and other write actions are disabled. </p>

## Copy and delete policies

Each policy row has an actions menu that includes **Copy policy** and **Delete policy**.

### Delete policy warnings

When deleting a policy, the dashboard may show additional warnings depending on how the policy is used.

- If the policy is assigned to enrolled devices, deleting it will disenroll the associated devices and wipe their apps and data.
- If the policy is assigned to enrollment tokens, those tokens may no longer be able to complete enrollment.
- If the policy is set as a default for Google Authentication enrollment (globally or for some users), deleting it can cause enrollments to fail.

### Delete multiple policies

The Policies list supports multi-row selection for bulk deletion. In multi-select mode, you can select multiple policies and delete them in one action.

<p class="callout info"> Bulk deletion is only enabled when all selected policies belong to the same platform (all Android or all Apple). </p>

## Next: edit policy settings

The Policies list is the entry point. To configure policy settings, use the appropriate editor documentation: [**Policies → Android**](https://enterprise.cerberusapp.com/docs/books/user-manual/chapter/policies-android "Android policies") and [**Policies → Apple**](https://enterprise.cerberusapp.com/docs/books/user-manual/chapter/policies-apple "Apple policies").

<p class="callout info"> Policies referenced by enrollment tokens are applied automatically during device enrollment. </p>

# Policies - Android

# Summary

Android policies are the core entities of the system: they define the rules that are applied and enforced on managed devices.

You can browse your policies and create new ones from the **Policies** section of the dashboard. To open an Android policy, click the policy row in the table: the system opens the **Policy Editor** page.

A policy can be associated with an [enrollment token](https://enterprise.cerberusapp.com/docs/books/user-manual/page/enrollment-tokens "Enrollment tokens"), so it will be automatically applied to devices during the provisioning process. You can also change the policy assigned to a device after provisioning.

<p class="callout info">Each device can be associated with only one policy at a time.</p>

<p class="callout info">Many policy options only apply to specific device types (fully managed, dedicated, work profile) and Android versions. Unsupported settings may be ignored by the device, or reported as non-compliant.</p>

## Policy Editor layout

The Policy Editor is organized as a set of expandable sections. At the top of the page you can always edit:

- **Name** (required)
- **Id** (read-only)
- **Description** (optional)

The sections below match the Policy Editor panels (for example: App management, Security, Networking, System, Personal usage, Cross-profile policies, and more). Use the chapter pages of this manual to understand each panel in detail.

## Save, delete, and associated devices

Use **Save policy** to apply your changes. The button is disabled when there are no pending edits, or when the license is expired.

If you opened an existing policy (it has an Id), the page shows a **Delete policy** action and an **Associated devices** list at the bottom, so you can see how many devices are currently using the policy.

# App management

In this section, you can set policies related to app availability, installation, updates, and permission management.

<p class="callout info">Managed Google Play Accounts are automatically created when devices are provisioned.</p>

#### 1. Play Store mode

This mode controls which apps are available to the user in the Play Store and the behavior on the device when apps are removed from the policy.

**Whitelist (default)**: Only apps that are in the policy are available and any app not in the policy will be automatically uninstalled from the device. The Play Store will only show available apps.

**Blacklist**: All apps are available and any app that should not be on the device should be explicitly marked as **blocked** in the applications policy. The Play Store will show all apps, except blocked ones.

#### 2. Untrusted apps policy

The policy for untrusted apps (apps from unknown sources) enforced on the device. This option controls the Android system setting that determines whether a user can install apps from outside the Play Store (sideloading).

**Disallow (default)**: Disallow untrusted app installs on the entire device.

**Personal profile only**: For devices with work profiles, allow untrusted app installs in the device's personal profile only.

**Allow**: Allow untrusted app installs on the entire device.

#### 3. Google Play Protect

Whether Google Play Protect app verification is enforced.

**Enforced (default)**: Force-enables app verification.

**User choice**: Allows the user to choose whether to enable app verification.

#### 4. Default permission policy

The policy for granting runtime permission requests to apps.

**Prompt (default)**: Prompt the user to grant a permission.

**Grant**: Automatically grant a permission.

**Deny**: Automatically deny a permission.

#### 5. App functions

Controls whether apps on fully managed devices or in work profiles are allowed to expose app functions. Requires Android 16 or above.

**Allowed (default)**: Apps on fully managed devices or in work profiles can expose app functions.

**Disallowed**: Apps on fully managed devices or in work profiles cannot expose app functions.

#### 6. Install apps disabled

Whether user installation of apps is disabled.

#### 7. Uninstall apps disabled

Whether user uninstallation of applications is disabled.

#### 8. Permission policies

Explicit grant, deny, or prompt rules for a permission or permission group, applied to all apps. These values override the **Default permission policy** setting.

Use **Add permission policy** to create entries and remove them with the delete action.

Each entry includes:

**Android permission/group**: The Android permission or group (required), for example **android.permission.READ\_CALENDAR** or **android.permission\_group.CALENDAR**.

**Policy**: Grant / Deny / Prompt (uses the same policy options as **Default permission policy**).

#### 9. Applications

List of applications that must be included in the policy. The behavior of the list's content depends on the value set on **Play Store mode**.

If **Play Store mode** is set to **whitelist**, only apps that are in the policy are available and any app not in the policy will be automatically uninstalled from the device.

If **Play Store mode** is set to **blacklist**, all apps are available and any app that should not be on the device should be explicitly marked as **blocked** in the applications policy.

To add a new app, click on the **Add applications** button (or the **Add applications** icon), then choose the app from Play Store and click on the **Select** button in the app card.

<p class="callout info">All apps that are published on the Play Store in your country are available for selection by default. To select your own private or web apps, you must upload them to the system first. For more information read the [**Private apps**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/private-apps "Private apps") page.</p>

Each app can be configured with its own settings, that are visually contained in a card:

##### 9.1. Install type

The type of installation to perform for an app.

**Available**: The app is available to install.

**Preinstalled**: The app is automatically installed and can be removed by the user.

**Force installed**: The app is automatically installed and can't be removed by the user.

**Blocked**: The app is blocked and can't be installed. If the app was installed under a previous policy, it will be uninstalled.

**Required for setup**: The app is automatically installed and can't be removed by the user and will prevent setup from completion until installation is complete.

**Kiosk**: The app is automatically installed in kiosk mode: it is set as the preferred home intent and whitelisted for lock task mode. Device setup won't complete until the app is installed, and after installation users can't remove it. You can set this **install type** for only one app per policy. When a kiosk app is present in the policy, the status bar is automatically disabled. For more information, read the dedicated [**Kiosk mode**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/kiosk-mode "Kiosk mode") page.

##### 9.2. Install constraints

Defines a set of restrictions for the app installation. When multiple constraints are selected, all of them must be satisfied for the app to be installed.

<p class="callout info">This option is shown only when the **Install type** is **Preinstalled** or **Force installed**.</p>

**Unmetered network**: Install the app only when the device is connected to an unmetered network (e.g. Wi‑Fi).

**Charging**: Install the app only when the device is charging.

**Idle**: Install the app only when the device is idle.

##### 9.3. Auto-update mode

Controls the auto-update mode for the app.

**Default**: The app is automatically updated with low priority to minimize the impact on the user. The app is updated when all of the following constraints are met: (1) the device is not actively used, (2) the device is connected to an unmetered network, (3) the device is charging. The device is notified about a new update within 24 hours after it is published by the developer, after which the app is updated the next time the constraints above are met.

**Postponed**: The app is not automatically updated for a maximum of 90 days after the app becomes out of date. 90 days after the app becomes out of date, the latest available version is installed automatically with low priority (see **Default** Auto-update mode). After the app is updated, it is not automatically updated again until 90 days after it becomes out of date again. The user can still manually update the app from the Play Store at any time.

**High priority**: The app is updated as soon as possible. No constraints are applied. The device is notified immediately about a new update after it becomes available.

##### 9.4. Minimum version code

The minimum version of the app that runs on the device. If set, the device attempts to update the app to at least this version code. If the app is not up-to-date, the device will contain a **Non compliance detail** with **Non compliance reason** set to **APP\_NOT\_UPDATED**. The app must already be published to Google Play with a version code greater than or equal to this value. At most 20 apps may specify a minimum version code per policy.

##### 9.5. Delegated scopes

The scopes delegated to the app by Android Device Policy. You can delegate a selection of device-management capabilities to the app:

**Certificate installation**: Grants access to certificate installation and management.

**Managed configurations**: Grants access to managed configurations management.

**Block uninstall**: Grants access to blocking uninstallation.

**Permissions**: Grants access to permission policy and permission grant state.

**Package access**: Grants access to package access state.

**System app**: Grants access for enabling system apps.

##### 9.6. Preferential Network

The preferential network service to use for this app. If set, the app will use the specified enterprise network slice for its connections when available. This must match a network slice configured in the **5G Network Slicing Configuration** section of the **Cellular** panel.

##### 9.7. Default permission policy

The default policy for all permissions requested by the app. If specified, this overrides the policy-level **Default permission policy** that applies to all apps. It does not override the policy-level **Permission policies**, which apply to all apps.

**Prompt (default)**: Prompt the user to grant a permission.

**Grant**: Automatically grant a permission.

**Deny**: Automatically deny a permission.

##### 9.8. Connected work and personal app

Controls whether the app can communicate with itself across a device's work and personal profiles, subject to user consent (Android 11+).

**Disallowed (default)**: Prevents the app from communicating cross-profile.

**Allowed**: Allows the app to communicate across profiles after receiving user consent.

##### 9.9. Always On VPN lockdown exemption

Specifies whether the app is allowed networking when the VPN is not connected and **lockdown enabled** is active. Only supported on devices running Android 10 and above.

**Enforced (default)**: The app respects the always-on VPN lockdown setting.

**Exempt**: The app is exempt from the always-on VPN lockdown setting.

##### 9.10. Work profile widgets

Specifies whether the app installed in the work profile is allowed to add widgets to the home screen.

**Allowed**: The application can add widgets to the home screen.

**Disallowed**: The application cannot add widgets to the home screen.

##### 9.11. User control settings

Specifies whether user control is permitted for a given app. User control includes user actions like force-stopping and clearing app data (Android 11+). If **extensionConfig** is enabled for an app, user control is disallowed regardless of this setting. For kiosk apps, you can use **Allowed** to allow user control.

**Unspecified**: Uses the default behavior of the app to determine if user control is allowed or disallowed.

**Allowed**: User control is allowed for the app.

**Disallowed**: User control is disallowed for the app.

##### 9.12. Disabled

Whether the app is disabled. When disabled, the app data is still preserved.

##### 9.13. Allow Credential Provider

Whether the app is allowed to act as a credential provider on Android 14 and above.

##### 9.14. Managed configuration

To configure the app's managed settings, click on the **Enable managed configuration** button. If a managed configuration is already set for the app, you can modify the configuration with the **Managed configuration** button, or delete it with the **Remove configuration** button.

<p class="callout info">The **Managed configuration** option is available only for apps that support this functionality.</p>

##### 9.15. Permission policies

Explicit permission grants or denials for the app. These values override the **Default permission policy** and **Permission policies** which apply to all apps.

Use **Add permission policy** to add one or more permission rules for the app card and remove them with the delete action.
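The four settings that decide what a runtime permission request does (the policy-level **Default permission policy** and **Permission policies** in items 4 and 8, and the per-app settings in 9.7 and 9.15) interact by precedence. The following added example, not code from the Cerberus Enterprise product or manual, resolves the effective GRANT/DENY/PROMPT for one app and permission from a policy document that uses Android Management API field names. It assumes that an exact permission entry beats a permission-group entry at the same level, and its permission-group table is a constructed, partial map.

```python
"""Resolve the effective runtime-permission policy for one app and permission.

Added example; not from the Cerberus Enterprise manual or product code. It
models the precedence the App management panel describes, most specific first:
  1. the app's own Permission policies
  2. policy-level Permission policies (all apps)
  3. the app's own Default permission policy
  4. policy-level Default permission policy
Field names follow the Android Management API policy JSON. The group table
below is a constructed, partial map (the platform defines real membership),
and "an exact permission entry beats a group entry at the same level" is an
assumption of this example.
"""
POLICY_VALUES = {"GRANT", "DENY", "PROMPT"}

GROUP_MEMBERS = {
    "android.permission_group.CALENDAR": {
        "android.permission.READ_CALENDAR", "android.permission.WRITE_CALENDAR"},
    "android.permission_group.LOCATION": {
        "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"},
    "android.permission_group.CAMERA": {"android.permission.CAMERA"},
}

# Constructed sample policy: one field app gets fine location, everything else is denied.
SAMPLE_POLICY = {
    "defaultPermissionPolicy": "DENY",
    "permissionGrants": [
        {"permission": "android.permission_group.LOCATION", "policy": "DENY"},
    ],
    "applications": [
        {
            "packageName": "com.example.fieldapp",
            "defaultPermissionPolicy": "GRANT",
            "permissionGrants": [
                {"permission": "android.permission.ACCESS_FINE_LOCATION", "policy": "GRANT"},
            ],
        },
        {"packageName": "com.example.notes"},
    ],
}


def _lookup(grants, permission):
    """Policy from a permissionGrants list for `permission`, or None if no entry applies."""
    group_hit = None
    for entry in grants or []:
        name, value = entry.get("permission"), entry.get("policy")
        if value not in POLICY_VALUES:
            continue                      # unspecified entries do not decide anything
        if name == permission:
            return value                  # exact entry wins at this level
        if permission in GROUP_MEMBERS.get(name, ()):
            group_hit = value
    return group_hit


def effective_policy(policy: dict, package_name: str, permission: str) -> str:
    """Walk the four layers and return GRANT, DENY or PROMPT."""
    app = next((a for a in policy.get("applications", [])
                if a.get("packageName") == package_name), {})
    layers = (
        _lookup(app.get("permissionGrants"), permission),        # 1. per-app rules
        _lookup(policy.get("permissionGrants"), permission),     # 2. policy-level rules
        app.get("defaultPermissionPolicy"),                      # 3. per-app default
        policy.get("defaultPermissionPolicy"),                   # 4. policy-level default
    )
    for value in layers:
        if value in POLICY_VALUES:
            return value
    return "PROMPT"   # the dashboard's default when nothing is set


def permission_matrix(policy: dict, permissions) -> dict:
    """Effective policy for every app in the policy, keyed by package then permission."""
    return {
        app["packageName"]: {p: effective_policy(policy, app["packageName"], p) for p in permissions}
        for app in policy.get("applications", [])
    }
```

Note the second case in the sample: the field app's own default of GRANT does not win coarse location, because the policy-level group rule sits above a per-app default, exactly as 9.7 states.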

##### 9.16. Track IDs

List of the app's closed testing track IDs that a device can access. If multiple track IDs are selected, devices receive the latest version among all accessible tracks. If no track IDs are selected, devices only have access to the app's production track.

<p class="callout info">**Track IDs** option is available only for apps that have at least one track ID available for your organization. For more details on how to add your organization to a closed testing track for a specific app please read [here](https://developers.google.com/android/management/apps#distribute_apps_for_closed_testing). </p>

#### 10. Default application settings

Set default apps for supported types. When a default app is set for at least one type, users are prevented from changing default apps in that profile.

<p class="callout info">Only one default application setting is allowed per **Default application type**. The list of default applications must not contain duplicates.</p>

##### 10.1. Default application type

Select the app category to configure (for example Browser, Dialer, SMS, Wallet, or Assistant). Availability depends on Android version and management mode.

##### 10.2. Default application scopes

Select where the default app should apply (Fully managed, Work profile, or Personal profile). Only scopes supported by the selected type can be chosen.

<p class="callout info">If none of the selected scopes are applicable to the device’s management mode, the device reports a non‑compliance detail.</p>

##### 10.3. Default applications

List of apps that can be set as default for the selected type. The first installed and eligible app is set as the default.

<p class="callout warning">If scopes include **Fully managed** or **Work profile**, each app must also exist in the **Applications** list with **Install type** not set to **Blocked**.</p>

#### 11. Private key selection

Allows showing UI on a device for a user to choose a private key alias if there are no matching rules in **Choose private key rules**.

<p class="callout warning">On devices running versions below Android 9 (P), enabling this may leave enterprise keys vulnerable.</p>

#### 12. Choose private key rules

Controls apps' access to private keys. Each rule determines which private key, if any, Android Device Policy grants to the specified apps. Access is granted in one of two ways:

- when the app calls KeyChain.choosePrivateKeyAlias (or any of its overloads) to request a private key alias for a given URL;
- on Android 11 and above, for rules that are not URL-specific (the **URL pattern** is not set, or is set to the empty string or .\*), directly: the app can call KeyChain.getPrivateKey without first calling KeyChain.choosePrivateKeyAlias.

When an app calls KeyChain.choosePrivateKeyAlias and more than one rule matches, the last matching rule determines which key alias is returned.

Use **Add private key rule** to create entries and remove them with the delete action.

##### 12.1. Private key alias

The alias of the private key to be used.

##### 12.2. URL pattern

The URL pattern to match against the URL of the request. If not set or empty, it matches all URLs. This uses the regular expression syntax of java.util.regex.Pattern.

##### 12.3. Package names

The package names to which this rule applies. The hash of the signing certificate for each app is verified against the hash provided by Play. If no package names are specified, then the alias is provided to all apps that call KeyChain.choosePrivateKeyAlias or any overloads (but not without calling KeyChain.choosePrivateKeyAlias, even on Android 11 and above). Any app with the same Android UID as a package specified here will have access when they call KeyChain.choosePrivateKeyAlias.

Use **Add package name** to add entries and remove them with the delete action.
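Rule order and the package-name/URL-pattern combinations described above are easy to get wrong. The following added example (not Cerberus Enterprise code) implements the matching described in sections 11 and 12 over a policy fragment with Android Management API field names: choose_private_key_alias returns the last matching rule's alias, or falls back to a user prompt when **Private key selection** is enabled, and direct_access_aliases lists what an app may use through KeyChain.getPrivateKey without choosing first. It assumes that URL patterns are matched against the whole URL (Python's re.fullmatch standing in for java.util.regex matching); the aliases, patterns and package names are constructed placeholders.

```python
"""Which private key alias does Android Device Policy hand to an app?

Added example; not from the Cerberus Enterprise manual or product code. It
implements the matching the Choose private key rules section describes, with
Android Management API field names (privateKeyAlias, urlPattern, packageNames,
privateKeySelectionEnabled). Assumptions: URL patterns are applied to the whole
URL (Python re.fullmatch standing in for java.util.regex matching), and the
rules and package names below are constructed placeholders.
"""
import re

DIRECT_ACCESS_MIN_API = 30   # Android 11


def _url_agnostic(rule: dict) -> bool:
    """Unset, empty or '.*' patterns match every URL and are 'not URL-specific'."""
    pattern = rule.get("urlPattern")
    return pattern is None or pattern == "" or pattern == ".*"


def _matches(rule: dict, package: str, url: str) -> bool:
    names = rule.get("packageNames") or []
    if names and package not in names:     # empty list means: any caller
        return False
    return _url_agnostic(rule) or re.fullmatch(rule["urlPattern"], url) is not None


def choose_private_key_alias(policy: dict, package: str, url: str):
    """Result of KeyChain.choosePrivateKeyAlias(url) called from `package`.

    Returns the alias of the LAST matching rule, "USER_PROMPT" when no rule
    matches but Private key selection is enabled, and None otherwise.
    """
    alias = None
    for rule in policy.get("choosePrivateKeyRules", []):
        if _matches(rule, package, url):
            alias = rule["privateKeyAlias"]
    if alias is None and policy.get("privateKeySelectionEnabled"):
        return "USER_PROMPT"
    return alias


def direct_access_aliases(policy: dict, package: str, api_level: int) -> set:
    """Aliases `package` can use via KeyChain.getPrivateKey without choosing first.

    Only URL-agnostic rules that name the package explicitly qualify, and only
    on Android 11+; a rule with no package names never grants direct access.
    """
    if api_level < DIRECT_ACCESS_MIN_API:
        return set()
    return {
        rule["privateKeyAlias"]
        for rule in policy.get("choosePrivateKeyRules", [])
        if _url_agnostic(rule) and package in (rule.get("packageNames") or [])
    }


# Constructed sample: order matters, the last matching rule wins.
SAMPLE_POLICY = {
    "privateKeySelectionEnabled": False,
    "choosePrivateKeyRules": [
        {"privateKeyAlias": "corp-wifi",
         "packageNames": ["com.example.wifi"]},                                   # any URL
        {"privateKeyAlias": "intranet-client",
         "urlPattern": r"https://intranet\.example\.com(/.*)?",
         "packageNames": ["com.example.browser"]},
        {"privateKeyAlias": "legacy-any-app",
         "urlPattern": r"https://legacy\.example\.com/.*"},                       # any caller
        {"privateKeyAlias": "intranet-admin",
         "urlPattern": r"https://intranet\.example\.com/admin(/.*)?",
         "packageNames": ["com.example.browser"]},                                # overrides rule 2
    ],
}
```

The third rule shows the asymmetry the section describes: with no package names it serves any app that asks for a legacy URL, but it never appears in direct_access_aliases for anyone.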

<p class="callout info">To delete an app from the **Applications** list, click the **trashbin** icon at the bottom of the app's card. </p>


# Kiosk mode

With kiosk mode, you can restrict a device's functionality to a single app or multiple apps. Choosing between single-app and multi-app kiosk mode depends on your business goals.

In **single-app kiosk mode**, a device is configured for a single application and does not allow end-users to access other apps on the device. They also cannot exit the app, making it a dedicated device for that specific app. To enable this mode, specify an app in the [**App management**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/app-management "App management") section with **Install type** set to **Kiosk**.

In **multi-app kiosk mode**, devices are allowed access to multiple applications. End-users can navigate between multiple apps through a custom launcher. To enable this mode, turn on the **Kiosk custom launcher** option.

When kiosk mode is enabled, you can also configure whether end users can access certain system features, such as system settings and the status bar.

##### Kiosk custom launcher

Whether the kiosk custom launcher is enabled. This replaces the home screen with a launcher that locks down the device to the apps installed via the [**App management**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/app-management "App management") setting. Apps appear on a single page in alphabetical order.

##### Power button actions

Sets the behavior of a device in kiosk mode when a user presses and holds (long-presses) the Power button.

**Available (default)**: The power menu (e.g. Power off, Restart) is shown when a user long-presses the Power button of a device in kiosk mode.

**Blocked**: The power menu (e.g. Power off, Restart) is not shown when a user long-presses the Power button of a device in kiosk mode. Note: this may prevent users from turning off the device.

##### System error warnings

Specifies whether system error dialogs for crashed or unresponsive apps are blocked in kiosk mode.

**Blocked (default)**: All system error dialogs, such as crash and app not responding (ANR) dialogs, are blocked. The system force-stops the app as if the user had chosen the close-app option in the dialog.

**Enabled**: All system error dialogs such as crash and app not responding (ANR) are displayed.

##### System navigation

Specifies which navigation features are enabled (e.g. Home, Overview buttons) in kiosk mode.

**Disabled (default)**: The Home and Overview buttons are not accessible.

**Home only**: Only the Home button is enabled.

**Enabled**: The Home and Overview buttons are enabled.

##### Status bar

Specifies whether system info and notifications are disabled in kiosk mode.

**Disabled (default)**: System info and notifications are disabled in kiosk mode.

**System only**: Only system info is shown on the status bar.

**Enabled**: System info and notifications are shown on the status bar in kiosk mode. Note: for this option to take effect, the Home button must be enabled through the **System navigation** setting (kioskCustomization.systemNavigation in the Android Management API).

##### Device settings

Specifies whether the Settings app is allowed in kiosk mode.

**Allowed (default)**: Access to the Settings app is allowed in kiosk mode.

**Blocked**: Access to the Settings app is not allowed in kiosk mode.
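Several rules in App management and Kiosk mode are constraints the device or the Android Management API enforces without much feedback: one kiosk app per policy, install constraints only for preinstalled or force-installed apps, at most 20 minimum version codes, and a status bar that stays hidden unless the Home button is enabled. The following added example, not part of the Cerberus Enterprise product, lints a policy document against those rules and flags the settings that weaken app-installation controls, using Android Management API field names and enum values (confirm them against the API reference before reusing the checks). The weak and hardened kiosk policies are constructed and the package names are placeholders.

```python
"""Lint an Android policy against the constraints this chapter spells out.

Added example; not from the Cerberus Enterprise manual or product code. The
checks restate rules from the App management and Kiosk mode sections, using
Android Management API policy JSON field names and enum values. The two sample
policies are constructed; package names are placeholders.
"""
MAX_MIN_VERSION_APPS = 20
CONSTRAINT_INSTALL_TYPES = {"PREINSTALLED", "FORCE_INSTALLED"}
HOME_BUTTON_ON = {"HOME_BUTTON_ONLY", "NAVIGATION_ENABLED"}


def lint_policy(policy: dict) -> list:
    """Return (severity, message) tuples; 'error' means the device or API will reject or ignore it."""
    findings = []
    apps = policy.get("applications", [])

    kiosk_apps = [a["packageName"] for a in apps if a.get("installType") == "KIOSK"]
    if len(kiosk_apps) > 1:
        findings.append(("error", f"only one app per policy may use install type KIOSK: {kiosk_apps}"))

    for app in apps:
        if app.get("installConstraint") and app.get("installType") not in CONSTRAINT_INSTALL_TYPES:
            findings.append(("error", f"{app['packageName']}: install constraints need PREINSTALLED or FORCE_INSTALLED"))

    pinned = [a["packageName"] for a in apps if a.get("minimumVersionCode") is not None]
    if len(pinned) > MAX_MIN_VERSION_APPS:
        findings.append(("error", f"{len(pinned)} apps set a minimum version code; the limit is {MAX_MIN_VERSION_APPS}"))

    kiosk = policy.get("kioskCustomization", {})
    if (kiosk.get("statusBar") == "NOTIFICATIONS_AND_SYSTEM_INFO_ENABLED"
            and kiosk.get("systemNavigation") not in HOME_BUTTON_ON):
        findings.append(("error", "status bar enabled in kiosk mode has no effect unless System navigation enables the Home button"))
    if kiosk_apps and kiosk.get("powerButtonActions") == "POWER_BUTTON_BLOCKED":
        findings.append(("warning", "power menu blocked: users may be unable to turn the kiosk device off"))

    # Settings that weaken the app-installation controls described in App management.
    if policy.get("untrustedAppsPolicy") == "ALLOW_INSTALL_DEVICE_WIDE":
        findings.append(("warning", "sideloading (untrusted apps) is allowed device-wide"))
    if policy.get("ensureVerifyAppsEnabled") is False:
        findings.append(("warning", "Google Play Protect app verification is left to user choice"))
    if policy.get("playStoreMode") == "BLACKLIST":
        blocked = [a["packageName"] for a in apps if a.get("installType") == "BLOCKED"]
        findings.append(("info", f"BLACKLIST mode: every Play app is installable except {len(blocked)} explicitly blocked"))
    return findings


def errors(policy: dict) -> list:
    return [msg for sev, msg in lint_policy(policy) if sev == "error"]


# Constructed: a kiosk policy with the mistakes the checks above catch.
WEAK_KIOSK_POLICY = {
    "playStoreMode": "BLACKLIST",
    "untrustedAppsPolicy": "ALLOW_INSTALL_DEVICE_WIDE",
    "ensureVerifyAppsEnabled": False,
    "applications": [
        {"packageName": "com.example.kiosk", "installType": "KIOSK"},
        {"packageName": "com.example.scanner", "installType": "KIOSK"},
        {"packageName": "com.example.viewer", "installType": "AVAILABLE",
         "installConstraint": [{"networkTypeConstraint": "INSTALL_ONLY_ON_UNMETERED_NETWORK"}]},
    ],
    "kioskCustomization": {
        "statusBar": "NOTIFICATIONS_AND_SYSTEM_INFO_ENABLED",
        "systemNavigation": "NAVIGATION_DISABLED",
        "powerButtonActions": "POWER_BUTTON_BLOCKED",
    },
}

# The same intent expressed so that it lints clean.
HARDENED_KIOSK_POLICY = {
    "playStoreMode": "WHITELIST",
    "untrustedAppsPolicy": "DISALLOW_INSTALL",
    "ensureVerifyAppsEnabled": True,
    "applications": [
        {"packageName": "com.example.kiosk", "installType": "KIOSK"},
        {"packageName": "com.example.scanner", "installType": "FORCE_INSTALLED"},
        {"packageName": "com.example.viewer", "installType": "FORCE_INSTALLED",
         "installConstraint": [{"networkTypeConstraint": "INSTALL_ONLY_ON_UNMETERED_NETWORK"}]},
    ],
    "kioskCustomization": {
        "statusBar": "SYSTEM_INFO_ONLY",
        "systemNavigation": "HOME_BUTTON_ONLY",
        "powerButtonActions": "POWER_BUTTON_AVAILABLE",
        "deviceSettings": "SETTINGS_ACCESS_BLOCKED",
    },
}
```

Run lint_policy on a policy exported from your own tooling before you save it; the 'error' findings correspond to settings the dashboard or the device will not honour as written.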

# Security

In this section, you can configure security-related policies.

#### Security risk actions

Choose what to do when a device reports a SecurityRisk in status reports.

Supported SecurityRisk types:

**Unknown OS**: Play Integrity API detects that the device is running an unknown OS (basicIntegrity check succeeds but ctsProfileMatch fails).

**Compromised OS**: Play Integrity API detects that the device is running a compromised OS (basicIntegrity check fails).

**Hardware-backed evaluation failed**: Play Integrity API detects that the device does not have a strong guarantee of system integrity (the MEETS\_STRONG\_INTEGRITY label is absent from the device integrity field).

Available actions:

**Wipe corporate data (default)**: Disenroll and wipe work data (entire device if fully managed, or only work profile for profile-owned).

**No action**: Leave the device enrolled and do nothing automatically.

When you select **Wipe corporate data**, you can also configure wipe options:

**Preserve factory-reset protection**: Preserve Factory Reset Protection (FRP) data when wiping the device.

**Wipe external storage**: Additionally wipe the device's external storage (such as SD cards) when performing the wipe.

**Wipe eSIMs**: On company-owned devices, removes all eSIMs from the device when it is wiped. On personally-owned devices, removes only managed eSIMs (those added via the ADD\_ESIM command); personally-owned eSIMs are left in place.
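To see how a status report turns into one of these actions, the following added example (not Cerberus Enterprise code) reads the security risks from a constructed Android Management API device resource (securityPosture.postureDetails[].securityRisk and managementMode) and produces the configured action, the wipe scope (whole device for fully managed, work profile otherwise) and the wipe flags. Flag names follow the API's WipeDataFlag enum; WIPE_ESIMS is assumed from the **Wipe eSIMs** option above, and the risk-to-action table is a constructed configuration, not the dashboard's stored one.

```python
"""Turn a device's reported security risks into the configured action.

Added example; not from the Cerberus Enterprise manual or product code. The
device documents are constructed fragments of an Android Management API device
resource (securityPosture.postureDetails[].securityRisk, managementMode). The
action and wipe-option names mirror the dashboard choices above; the wipe flag
names follow the API's WipeDataFlag enum (WIPE_ESIMS assumed from the page's
"Wipe eSIMs" option).
"""
RISK_TYPES = ("UNKNOWN_OS", "COMPROMISED_OS", "HARDWARE_BACKED_EVALUATION_FAILED")
WIPE = "WIPE_CORPORATE_DATA"
NO_ACTION = "NO_ACTION"

# Constructed configuration, mirroring the Security risk actions panel.
SAMPLE_CONFIG = {
    "actions": {
        "UNKNOWN_OS": WIPE,
        "COMPROMISED_OS": WIPE,
        "HARDWARE_BACKED_EVALUATION_FAILED": NO_ACTION,   # alert only, do not wipe on this alone
    },
    "wipe_options": {"preserve_frp": True, "wipe_external_storage": False, "wipe_esims": False},
}

WIPE_FLAGS = (
    ("preserve_frp", "PRESERVE_RESET_PROTECTION_DATA"),
    ("wipe_external_storage", "WIPE_EXTERNAL_STORAGE"),
    ("wipe_esims", "WIPE_ESIMS"),
)


def reported_risks(device: dict) -> list:
    """Known SecurityRisk values from the device's status report, in a stable order."""
    details = device.get("securityPosture", {}).get("postureDetails", [])
    seen = {d.get("securityRisk") for d in details}
    return [r for r in RISK_TYPES if r in seen]


def decide(device: dict, config: dict = SAMPLE_CONFIG) -> dict:
    """Return the action to take for this device and, for a wipe, its scope and flags."""
    risks = reported_risks(device)
    triggers = [r for r in risks if config["actions"].get(r, NO_ACTION) == WIPE]
    if not triggers:
        return {"action": NO_ACTION, "risks": risks}
    # Fully managed (DEVICE_OWNER) loses the whole device; a work profile
    # (PROFILE_OWNER) loses only the profile.
    scope = "DEVICE" if device.get("managementMode") == "DEVICE_OWNER" else "WORK_PROFILE"
    flags = [flag for option, flag in WIPE_FLAGS if config["wipe_options"].get(option)]
    return {"action": WIPE, "scope": scope, "wipeDataFlags": flags,
            "risks": risks, "triggered_by": triggers}


# Constructed device documents.
ROOTED_PHONE = {
    "name": "enterprises/EXAMPLE/devices/device-a",
    "managementMode": "DEVICE_OWNER",
    "securityPosture": {
        "devicePosture": "POTENTIALLY_COMPROMISED",
        "postureDetails": [{"securityRisk": "COMPROMISED_OS"}],
    },
}
BYOD_UNKNOWN_OS = {
    "name": "enterprises/EXAMPLE/devices/device-b",
    "managementMode": "PROFILE_OWNER",
    "securityPosture": {
        "devicePosture": "AT_RISK",
        "postureDetails": [{"securityRisk": "UNKNOWN_OS"},
                           {"securityRisk": "HARDWARE_BACKED_EVALUATION_FAILED"}],
    },
}
HEALTHY = {"name": "enterprises/EXAMPLE/devices/device-c", "managementMode": "DEVICE_OWNER",
           "securityPosture": {"devicePosture": "SECURE"}}
```

The decision keeps the triggering risks alongside the action so that an incident record shows why a wipe was issued, which matters when the action is irreversible.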

#### 1. Max time to lock

Maximum time (in seconds) for user activity until the device locks. A value of 0 means there is no restriction.

#### 2. Stay on when charging

The battery plugged-in modes for which the device stays on. When using this setting, it is recommended to clear **Max time to lock** so that the device doesn't lock itself while it stays on.

**AC charger**: Power source is an AC charger.

**USB port**: Power source is a USB port.

**Wireless charger**: Power source is wireless.

#### 3. Keyguard disabled

If enabled, this disables the lock screen for the primary and/or secondary displays. This option is supported only in dedicated device management mode.

#### 4. Password requirements

Password requirement policies.

Use **Configure Password Requirements** to add one or more password requirement blocks. Use **Clear All** to remove all configured password requirements.

Password requirements can use **Auto** scope (single requirement) or separate **Device**/**Work profile** scopes. Complexity-based requirements must be coupled with quality-based requirements for the same scope.

##### 4.1. Scope

The scope that the password requirement applies to.

**Auto**: The scope is unspecified. The password requirements are applied to the work profile for work profile devices and the whole device for fully managed or dedicated devices.

**Device**: The password requirements are only applied to the device.

**Work profile**: The password requirements are only applied to the work profile.

##### 4.2. Password history length

The length of the password history. After setting this field, the user won't be able to enter a new password that is the same as any password in the history. A value of 0 means there is no restriction.

##### 4.3. Max failed passwords for wipe

Number of incorrect device-unlock passwords that can be entered before a device is wiped. A value of 0 means there is no restriction.

##### 4.4. Password expiration timeout (days)

This setting forces the user to periodically update their password, after the specified number of days.

##### 4.5. Require password unlock

The length of time after a device or work profile is unlocked using a strong form of authentication (password, PIN, pattern) that it can be unlocked using any other authentication method (e.g. fingerprint, trust agents, face). After the specified time period elapses, only strong forms of authentication can be used to unlock the device or work profile.

**Device’s default**: The timeout period is set to the device’s default.

**Every day**: The timeout period is set to 24 hours.

##### 4.6. Password quality

The required password quality.

**Complexity high**: Define the high password complexity band as: On Android 12 and above: PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences, length at least 8; alphabetic, length at least 6; alphanumeric, length at least 6.

**Complexity medium**: Define the medium password complexity band as: PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences, length at least 4; alphabetic, length at least 4; alphanumeric, length at least 4.

**Complexity low**: Define the low password complexity band as: pattern; PIN with repeating (4444) or ordered (1234, 4321, 2468) sequences.

**None**: There are no password requirements.

**Weak**: The device must be secured with a low-security biometric recognition technology, at minimum. This includes technologies that can recognize the identity of an individual that are roughly equivalent to a 3-digit PIN (false detection is less than 1 in 1,000).

**Any**: A password is required, but there are no restrictions on what the password must contain.

**Numeric**: The password must contain numeric characters.

**Numeric complex**: The password must contain numeric characters with no repeating (4444) or ordered (1234, 4321, 2468) sequences.

**Alphabetic**: The password must contain alphabetic (or symbol) characters.

**Alphanumeric**: The password must contain both numeric and alphabetic (or symbol) characters.

**Complex**: The password must meet the minimum requirements specified in **Minimum length**, **Minimum letters**, **Minimum symbols** and the other minimum settings below. For example, if **Minimum symbols** is 2, the password must contain at least two symbols.

##### 4.7. Minimum length

The minimum allowed password length. A value of 0 means there is no restriction.

##### 4.8. Minimum letters

Minimum number of letters required in the password.

##### 4.9. Minimum lower case letters

Minimum number of lower case letters required in the password.

##### 4.10. Minimum upper case letters

Minimum number of upper case letters required in the password.

##### 4.11. Minimum non letter characters

Minimum number of non-letter characters (numerical digits or symbols) required in the password.

##### 4.12. Minimum numerical digits

Minimum number of numerical digits required in the password.

##### 4.13. Minimum symbols

Minimum number of symbols required in the password.

##### 4.14. Unified lock

Controls whether a unified lock is allowed for the device and the work profile, on devices running Android 9 and above with a work profile. This has no effect on other devices.

**Allow unified lock**: A common lock for the device and the work profile is allowed.

**Require separate work lock**: A separate lock for the work profile is required.
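The complexity bands and quality options above are easier to reason about with a checker in hand. The following added example (not Cerberus Enterprise code) classifies a candidate password into the NONE/LOW/MEDIUM/HIGH band using the Android 12+ thresholds listed under **Password quality** and tests it against one requirement block written with Android Management API field names (passwordQuality, passwordMinimumLength, passwordMinimumNumeric, ...). It follows the API semantics that the minimum length applies to every quality-based requirement while the letter, case, digit and symbol minimums apply only to **Complex**; the sequence threshold of 3 is Android's PasswordMetrics value, and the two requirement blocks are constructed.

```python
"""Check a candidate password against a Password requirements block.

Added example; not from the Cerberus Enterprise manual or product code. It
reproduces the complexity bands the Password quality section lists (Android 12+
thresholds; a pattern lock, which is not a string, always lands in the LOW
band) and the quality/minimum checks, using Android Management API field names.
Following the API semantics, the minimum length applies to every quality-based
requirement, the letter/case/digit/symbol minimums only to COMPLEX; the
sequence threshold of 3 is Android's PasswordMetrics value.
"""
BANDS = ["NONE", "LOW", "MEDIUM", "HIGH"]
MAX_ALLOWED_SEQUENCE = 3


def max_sequence_length(pin: str) -> int:
    """Longest run of digits with a constant step: 4444 (step 0), 1234 (1), 2468 (2)."""
    if not pin:
        return 0
    longest, start, step = 1, 0, None
    for i in range(1, len(pin)):
        diff = int(pin[i]) - int(pin[i - 1])
        if step is not None and diff != step:
            longest = max(longest, i - start)
            start = i - 1
        step = diff
    return max(longest, len(pin) - start)


def complexity_band(password: str) -> str:
    """NONE, LOW, MEDIUM or HIGH, as the Complexity options define them."""
    if not password:
        return "NONE"
    if password.isdigit():                                   # PIN
        if max_sequence_length(password) > MAX_ALLOWED_SEQUENCE:
            return "LOW"                                     # 4444, 1234, 4321, 2468 ...
        return "HIGH" if len(password) >= 8 else "MEDIUM" if len(password) >= 4 else "LOW"
    # alphabetic and alphanumeric passwords share the 6 / 4 thresholds
    return "HIGH" if len(password) >= 6 else "MEDIUM" if len(password) >= 4 else "LOW"


def meets(password: str, req: dict) -> bool:
    """True if `password` satisfies one password requirement block."""
    quality = req.get("passwordQuality", "PASSWORD_QUALITY_UNSPECIFIED")
    if quality.startswith("COMPLEXITY_"):
        return BANDS.index(complexity_band(password)) >= BANDS.index(quality[len("COMPLEXITY_"):])
    if quality in ("PASSWORD_QUALITY_UNSPECIFIED", "BIOMETRIC_WEAK"):
        return True                       # nothing textual to check (None / Weak)
    if not password or len(password) < req.get("passwordMinimumLength", 0):
        return False
    digits = sum(c.isdigit() for c in password)
    letters = sum(c.isalpha() for c in password)
    non_letters = len(password) - letters                   # digits and symbols
    symbols = non_letters - digits
    if quality == "SOMETHING":                              # Any
        return True
    if quality == "NUMERIC":
        return digits > 0
    if quality == "NUMERIC_COMPLEX":
        return digits > 0 and not (password.isdigit()
                                   and max_sequence_length(password) > MAX_ALLOWED_SEQUENCE)
    if quality == "ALPHABETIC":
        return letters + symbols > 0
    if quality == "ALPHANUMERIC":
        return digits > 0 and letters + symbols > 0
    if quality == "COMPLEX":
        counts = {
            "passwordMinimumLetters": letters,
            "passwordMinimumLowerCase": sum(c.islower() for c in password),
            "passwordMinimumUpperCase": sum(c.isupper() for c in password),
            "passwordMinimumNonLetter": non_letters,
            "passwordMinimumNumeric": digits,
            "passwordMinimumSymbols": symbols,
        }
        return all(have >= req.get(field, 0) for field, have in counts.items())
    raise ValueError(f"unknown passwordQuality {quality!r}")


# Constructed examples of the two styles the panel supports.
HIGH_BAND = {"passwordScope": "SCOPE_DEVICE", "passwordQuality": "COMPLEXITY_HIGH"}
COMPLEX_RULE = {
    "passwordScope": "SCOPE_PROFILE",
    "passwordQuality": "COMPLEX",
    "passwordMinimumLength": 8,
    "passwordMinimumUpperCase": 1,
    "passwordMinimumNumeric": 2,
    "passwordMinimumSymbols": 1,
}
```

Note that an eight-digit PIN such as 12345678 still fails **Complexity high**: length alone is not enough, the sequence check demotes it to the LOW band.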

#### 5. Factory reset disabled

Whether factory resetting from Settings is disabled. Applies only to fully managed devices.

#### 6. Factory reset protection

Email addresses of device administrators for factory reset protection. If the device experiences an unauthorized factory reset, it will require one of these administrators to sign in with their Google account email and password before it can be used again. If no administrators are specified, the device won't provide factory reset protection. Applies only to fully managed devices.

**Administrator emails**: use **Enable Factory Reset Protection** to start configuring administrators. Then use **Add administrator email** to add addresses and remove them with the delete action.

#### 7. Keyguard features

Keyguard (lock screen) features that can be disabled.

##### 7.1. Disable all

Disable all current and future keyguard customizations.

##### 7.2. Disable camera

Disable the camera on secure keyguard screens (e.g. PIN).

##### 7.3. Disable notifications

Disable showing all notifications on secure keyguard screens.

##### 7.4. Disable unredacted notifications

Disable unredacted notifications on secure keyguard screens.

##### 7.5. Ignore trust agent state

Ignore trust agent state on secure keyguard screens.

##### 7.6. Disable fingerprint

Disable fingerprint sensor on secure keyguard screens.

##### 7.7. Disable text entry into notifications

Disable text entry into notifications on secure keyguard screens.

##### 7.8. Disable face authentication

Disable face authentication on secure keyguard screens.

##### 7.9. Disable iris authentication

Disable iris authentication on secure keyguard screens.

##### 7.10. Disable all biometric authentication

Disable all biometric authentication on secure keyguard screens.

##### 7.11. Disable all shortcuts

Disable all shortcuts on secure keyguard screens (Android 14 and above).

# Multimedia

In this section, you can configure camera/microphone behavior, USB data access, printing, and display-related restrictions.

#### 1. Camera access

Controls the use of the camera and whether the user can access the camera access toggle (Android 12+). In general, disabling the camera applies device-wide on fully managed devices, and only inside the work profile on work profile devices.

**User choice (default)**: Default device behavior. Cameras are available and (Android 12+) the user can toggle camera access.

**Disabled**: All cameras are disabled (fully managed: device-wide; work profile: only for work profile apps). The camera access toggle has no effect in the managed scope.

**Enforced**: Cameras are available. On fully managed devices running Android 12+, the user cannot toggle camera access. On other devices/versions this behaves like User choice.

#### 2. Microphone access

On fully managed devices, controls the use of the microphone and whether the user can access the microphone access toggle (Android 12+). This setting has no effect on devices that are not fully managed.

**User choice (default)**: Default behavior. Microphone is available and (Android 12+) the user can toggle microphone access.

**Disabled**: Microphone is disabled (device-wide). The microphone access toggle has no effect.

**Enforced**: Microphone is available. On Android 12+, the user cannot toggle microphone access. On Android 11 or below, this behaves like User choice.

#### 3. USB data access

Controls what files and/or data can be transferred via USB. Supported only on company-owned devices.

**Disallow file transfer (default)**: File transfers are disallowed, but other USB data connections (e.g. mouse/keyboard) are allowed.

**Disallow data transfer**: All types of USB data transfers are prohibited (Android 12+ with USB HAL 1.3+). If unsupported, the device falls back to Disallow file transfer.

**Allow data transfer**: All types of USB data transfers are allowed.

#### 4. Printing

Controls whether printing is allowed (Android 9+).

**Allowed (default)**: Printing is allowed.

**Disallowed**: Printing is disallowed (Android 9+).

#### 5. Screen brightness settings

Controls the screen brightness mode and (optionally) the brightness value.

Screen brightness mode:

**User choice (default)**: The user is allowed to configure screen brightness.

**Automatic**: Brightness is automatic and the user cannot change it. You can still set a brightness value, which is used as part of automatic adjustment (fully managed Android 9+; work profiles on company-owned Android 15+).

**Fixed**: Brightness is set to the configured value and the user cannot change it. The brightness value is required (fully managed Android 9+; work profiles on company-owned Android 15+).

Screen brightness:

Value from 1 to 255 (1 = lowest, 255 = highest). A value of 0 means no brightness value is set.

#### 6. Screen timeout settings

Controls whether the user can configure the screen timeout and, when enforced, the timeout value.

The **Screen timeout mode** field selects between user-controlled and enforced behavior.

**User choice (default)**: The user is allowed to configure the screen timeout.

**Enforced**: Screen timeout is set to the configured value and the user cannot change it (fully managed Android 9+; work profiles on company-owned Android 15+).

Screen timeout:

Timeout duration in seconds. The value must be greater than 0. If it is greater than **Maximum time to lock**, the system may clamp it and report non-compliance.

#### 7. Screen capture disabled

Whether screen capture is disabled.

#### 8. Adjust volume disabled

Whether adjusting the master volume is disabled.

#### 9. Mount physical media disabled

Whether mounting physical external media is disabled.

# Cellular

In this section, you can configure cellular-related policies.

#### 1. Airplane mode

Controls whether airplane mode can be toggled by the user or not.

**User choice (default)**: The user is allowed to toggle airplane mode on or off.

**Disabled**: Airplane mode is disabled. The user is not allowed to toggle airplane mode on. Supported on Android 9 and above.

#### 2. Cellular 2G

Controls whether cellular 2G setting can be toggled by the user or not.

**User choice (default)**: The user is allowed to toggle cellular 2G on or off.

**Disabled**: Cellular 2G is disabled. The user is not allowed to toggle cellular 2G on via settings. Supported on Android 14 and above.

#### 3. Override APNs

Controls whether override APNs are enabled or disabled. When enabled, only the configured override APNs are used and all other APNs on the device are ignored.

**Disabled (default)**: All configured APN settings are saved on the device, but they are disabled and have no effect. All other APNs on the device remain in use.

**Enabled**: Only the override APNs are used, all other APNs are ignored. This setting can only be configured on fully managed devices with Android 10 and above.

#### 4. APN settings

Configure one or more APN entries. Use **Add APN** to create an entry and **Remove APN** to delete it.

Each APN has required fields:

**APN Types**: Select one or more traffic types for this APN (availability depends on management mode and Android version).

**APN Name**: The APN identifier provided by your carrier.

**Display Name**: Friendly name shown in UI.

Optional APN fields:

**Auth Type**, **Username**, **Password**: Configure carrier authentication (if required).

**Protocol** and **Roaming Protocol**: IP protocol configuration.

**Network Types**: Restrict the cellular technologies the APN may use (for example LTE/5G NR).

**Proxy Address** and **Proxy Port**: HTTP proxy for data traffic (if applicable).

**MMS Proxy Address**, **MMS Proxy Port**, **MMSC (MMS Center URI)**: MMS-related settings.

**Numeric Operator ID (MCC+MNC)** and **Carrier ID**: Carrier identification fields.

**Always On Setting**: Whether the PDU session activated by this APN should be always-on. Supported on Android 15 and above.

**MVNO Type**: Mobile virtual network operator identifier type.

**MTU IPv4** and **MTU IPv6**: Maximum Transmission Unit for IPv4/IPv6 routes. Supported on Android 13 and above.

#### 5. Cell broadcast config disabled

Whether configuring cell broadcast is disabled.

#### 6. Mobile networks config disabled

Whether configuring mobile networks is disabled.

#### 7. Roaming data disabled

Whether roaming data services are disabled.

#### 8. Outgoing calls disabled

Whether outgoing calls are disabled.

#### 9. SMS disabled

Whether sending and receiving SMS messages is disabled.

#### 10. 5G Network Slicing Configuration

Configure preferential network service settings to enable enterprise 5G network slicing. You can set up to 5 enterprise slices and assign applications to specific networks for optimized traffic routing.

##### 10.1. Default Preferential Network

Default preferential network ID for applications that are not in the applications list, or if an app’s **Preferential Network** is not set. Must have a configuration for the specified network ID (unless set to **No Preferential Network**).

Note: Critical apps like **com.google.android.apps.work.clouddpc** and **com.google.android.gms** are excluded from this default setting.

##### 10.2. Network Service Configurations

Use **Add Network Configuration** to create a slice configuration. You can add up to 5 configurations. Each configuration has:

**Preferential Network ID (Auto-assigned)**: Network ID is automatically assigned and cannot be changed.

**Fallback to Default Connection**: Whether fallback to the device-wide default network is allowed. If disallowed, apps cannot access the internet if the 5G slice is unavailable.

**Non-Matching Networks**: Whether apps subject to this configuration can use networks other than the preferential service. If set to **Disallowed**, **Fallback to Default Connection** must also be **Disallowed**. Requires Android 14 and above.

# Networking

In this section, you can configure networking-related policies.

<p class="callout info">Wi‑Fi configurations can be provisioned and managed by the system via **WiFi configurations**. Depending on the value set on **Configure Wi‑Fi**, users may have limited or no control over adding/modifying networks.</p>

## Device radio state

#### 1. Wi‑Fi state

Controls current state of Wi‑Fi and if the user can change its state.

**User choice (default)**: User is allowed to enable/disable Wi‑Fi.

**Enabled**: Wi‑Fi is on and the user is not allowed to turn it off (Android 13+).

**Disabled**: Wi‑Fi is off and the user is not allowed to turn it on (Android 13+).

#### 2. Minimum Wi‑Fi security level

The minimum required security level of Wi‑Fi networks that the device can connect to. Supported on Android 13 and above, for fully managed devices and work profiles on company-owned devices.

**Open network (default)**: The device can connect to all types of Wi‑Fi networks.

**Personal network**: Disallows open Wi‑Fi networks; requires at least personal security (for example WPA2‑PSK).

**Enterprise network**: Requires enterprise EAP networks; disallows Wi‑Fi networks below this security level.

**192‑bit enterprise network**: Requires 192‑bit enterprise networks; strictest option.

#### 3. Ultra wideband (UWB) state

Controls the state of the ultra wideband setting and whether the user can toggle it on or off.

**User choice (default)**: The user is allowed to toggle UWB on or off.

**Disabled**: UWB is disabled and the user is not allowed to toggle it via settings (Android 14+).

## Device connectivity management

#### 4. Bluetooth sharing

Controls whether Bluetooth sharing is allowed.

**Allowed**: Bluetooth sharing is allowed (default on fully managed devices, Android 8+).

**Disallowed**: Bluetooth sharing is disallowed (default on work profiles, Android 8+).

#### 5. Configure Wi‑Fi

Controls Wi‑Fi configuring privileges. Depending on the selected option, the user has full, limited, or no control in configuring Wi‑Fi networks.

**Allow configuring Wi‑Fi (default)**: The user is allowed to configure Wi‑Fi.

**Disallow add Wi‑Fi config**: Adding new Wi‑Fi configurations is disallowed. The user can switch between already configured networks (Android 13+; fully managed and company-owned work profiles).

**Disallow configuring Wi‑Fi**: Disallows configuring Wi‑Fi networks. For fully managed devices this removes user-configured networks and retains only networks configured via **WiFi configurations**. For company-owned work profiles, existing networks are not affected but users cannot add/remove/modify Wi‑Fi networks.

<p class="callout info">When configuring Wi‑Fi is disabled and the device cannot connect at boot time, the system can show the **network escape hatch** to let the user temporarily connect and refresh policy.</p>

#### 6. Wi‑Fi direct settings

Controls configuring and using Wi‑Fi direct settings. Supported on company-owned devices running Android 13 and above.

**Allow (default)**: The user is allowed to use Wi‑Fi direct.

**Disallow**: The user is not allowed to use Wi‑Fi direct.

#### 7. Tethering settings

Controls tethering settings. Based on the value set, the user is partially or fully disallowed from using different forms of tethering.

**Allow all tethering (default)**: Allows configuration and use of all forms of tethering.

**Disallow Wi‑Fi tethering**: Disallows the user from using Wi‑Fi tethering (company-owned Android 13+).

**Disallow all tethering**: Disallows all forms of tethering (fully managed + company-owned work profiles).

#### 8. Wi‑Fi SSID policy

Restrictions on which Wi‑Fi SSIDs the device can connect to (this does not affect which networks can be configured on the device). Supported on company-owned devices running Android 13 and above.

**SSID denylist (default)**: The device cannot connect to any Wi‑Fi network whose SSID is listed, but can connect to other networks.

**SSID allowlist**: The device can connect only to the SSIDs listed. The SSID list must not be empty.

Use **Add SSID** to add entries. Depending on the selected policy type, the list is interpreted as allowed or denied SSIDs.

In the Policy Editor UI, the SSID list is labeled **Allowed Wi‑Fi SSIDs** for allowlists and **Denied Wi‑Fi SSIDs** for denylists.

#### 9. Wi‑Fi roaming settings

Configure Wi‑Fi roaming mode per SSID. Use **Add Wi‑Fi roaming setting** to create entries.

Each entry includes:

**SSID**: The SSID to which the roaming setting applies (required).

**Wi‑Fi roaming mode**: Default / Disabled / Aggressive. Disabled and Aggressive require Android 15+ and are supported only on fully managed devices and work profiles on company-owned devices.

## Network restrictions

#### 10. Bluetooth disabled

Whether Bluetooth is disabled. Prefer this setting over Bluetooth config disabled, because Bluetooth config disabled can be bypassed by the user.

#### 11. Bluetooth contact sharing disabled

Whether Bluetooth contact sharing is disabled.

#### 12. Bluetooth config disabled

Whether configuring Bluetooth is disabled.

#### 13. Network reset disabled

Whether resetting network settings is disabled.

#### 14. Outgoing beam disabled

Whether using NFC to beam data from apps is disabled.

## VPN

#### 15. Always On VPN app

Specify an Always On VPN package name to ensure that data from specified managed apps will always go through a configured VPN.

<p class="callout info">Note: This feature requires deploying a VPN client that supports both Always On and per-app VPN features.</p>

#### 16. VPN lockdown

Disallows networking when the VPN is not connected.

#### 17. VPN config disabled

Whether configuring VPN is disabled.

## Proxy and network services

#### 18. Preferential network service

Controls whether preferential network service is enabled on the work profile. For example, an organization may have an agreement with a carrier that work data is sent via a carrier network service dedicated for enterprise use (for example, an enterprise slice on 5G networks). This has no effect on fully managed devices.

**Disabled**: Preferential network service is disabled on the work profile.

**Enabled**: Preferential network service is enabled on the work profile.

<p class="callout info">If you use enterprise network slicing, also configure **5G Network Slicing Configuration** under the **Cellular** policy panel and assign apps to a slice using their **Preferential Network** setting.</p>

#### 19. Recommended global proxy

The network-independent global HTTP proxy. Typically, proxies should be configured per-network in WiFi configurations. A global proxy may be useful for unusual configurations like general internal filtering. The global proxy is only a recommendation and some apps may ignore it.

**Disabled**

**Direct proxy**

**Proxy auto-config (PAC)**

##### 19.1. Host

The host of the direct proxy.

##### 19.2. Port

The port of the direct proxy.

##### 19.3. PAC URI

The URI of the PAC script used to configure the proxy.

##### 19.4. Excluded hosts

For a direct proxy, the hosts for which the proxy is bypassed. Host names may contain wildcards such as **\*.example.com**.

Use **Add excluded host** to add entries (available for direct proxy only).

## WiFi configurations

Define Wi‑Fi network configurations that the system will apply on devices. Use **Add Wi‑Fi configuration** to create an entry and remove it with the delete action.

#### 20. Wi‑Fi configuration fields

Each configuration includes:

**Configuration name**: Required.

**SSID**: Required.

**Auto connect**: Whether the network should be connected to automatically when in range.

**Fast Transition**: Whether the client should attempt to use Fast Transition (IEEE 802.11r-2008) with the network.

**Hidden SSID**: Whether the network is a hidden network, i.e. one that does not broadcast its SSID.

**MAC randomization mode**: Hardware or Automatic (Android 13+).

##### 20.1. Security

Wi‑Fi security options:

**WEP‑PSK**: WEP (Pre-Shared Key). WEP is cryptographically broken; use it only for legacy networks that cannot be upgraded.

**WPA‑PSK**: WPA/WPA2/WPA3-Personal (Pre-Shared Key).

**WPA‑EAP**: WPA/WPA2/WPA3-Enterprise (Extensible Authentication Protocol).

**WPA3 192-bit mode**: WPA‑EAP network allowing only WPA3 192-bit mode.

##### 20.2. Passphrase (Pre‑Shared Key)

Shown when Security is **WEP‑PSK** or **WPA‑PSK**. The passphrase is required.

##### 20.3. EAP method (Enterprise)

Shown when Security is **WPA‑EAP** or **WPA3 192-bit mode**. Select one EAP outer method:

**EAP‑TLS**

**EAP‑TTLS**

**PEAP**

**EAP‑SIM**

**EAP‑AKA**

##### 20.4. Phase 2 authentication

Shown for tunneling outer methods (**EAP‑TTLS** and **PEAP**).

**MSCHAPv2**

**PAP**

##### 20.5. EAP credentials from users

When enabled, the system automatically applies EAP credentials on devices on a per-user basis. You can configure user credentials in the **Users** section.

##### 20.6. Client certificate

For **EAP‑TLS**, you can assign a client certificate used for Wi‑Fi authentication. For more information read the [**Certificate management**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/certificate-management "Certificate management") page.

If a certificate is already assigned, you can use **Open certificate** to view it or **Change certificate** to select a different one.

Alternatively, you can specify **Client certificate key pair alias**, which references a client certificate stored in the Android keychain and allowed for Wi‑Fi authentication.

<p class="callout info">If both **Client certificate** and **Client certificate key pair alias** are set, the key pair alias is ignored.</p>

##### 20.7. Identity

Identity of user. For tunneling outer protocols (PEAP, EAP‑TTLS), this is used to authenticate inside the tunnel, and **Anonymous identity** is used for the EAP identity outside the tunnel. For non-tunneling outer protocols, this is used for the EAP identity.

##### 20.8. Anonymous identity

For tunneling protocols only, this indicates the identity of the user presented to the outer protocol.

##### 20.9. Password

Password of user. If not specified, defaults to prompting the user.

##### 20.10. Server CA certificates

List of CA certificates to be used for verifying the host’s certificate chain. At least one CA certificate must match. For more information read the [**Certificate management**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/certificate-management "Certificate management") page.

Use **Add Server CA certificate** to add entries and remove them with the delete action.

##### 20.11. Domain suffix matches

A list of constraints for the server domain name. Each entry is matched as a DNS suffix against the DNS names in the Subject Alternative Name extension of the authentication server's certificate (for example, **example.com** accepts **radius.example.com**). Without a constraint, any server certificate issued by one of the configured CAs is accepted.
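The point of a suffix constraint is that it is matched on whole DNS labels, not as a plain string suffix. The Python below is an added example (not Cerberus Enterprise or Android code) showing the difference: a naive `endswith("example.com")` would accept a rogue RADIUS server presenting **radius.evil-example.com**, while a label-boundary match rejects it. The SAN lists are constructed for the example, and treating an empty constraint list as "no restriction" is this example's assumption.

```python
from __future__ import annotations
# Added example: label-boundary suffix matching of EAP server certificate
# SAN DNS names against the "Domain suffix matches" constraints.
# Not Cerberus Enterprise or Android code.


def _labels(name: str) -> list[str]:
    # Case-insensitive, trailing dot ignored, split into DNS labels.
    return name.lower().rstrip(".").split(".")


def suffix_matches(constraint: str, dns_name: str) -> bool:
    """True if dns_name equals constraint or ends with "." + constraint,
    compared label by label, so "evil-example.com" does not match
    "example.com" even though it ends with the same characters."""
    c, n = _labels(constraint), _labels(dns_name)
    return len(n) >= len(c) and n[len(n) - len(c):] == c


def server_cert_allowed(san_dns_names: list[str], constraints: list[str]) -> bool:
    """Accept the authentication server certificate if any SAN DNS name
    satisfies any configured constraint. An empty constraint list imposes
    no restriction (assumption of this example)."""
    if not constraints:
        return True
    return any(suffix_matches(c, name)
               for c in constraints for name in san_dns_names)


if __name__ == "__main__":
    # Constructed SAN lists: a legitimate server and two look-alikes.
    good = ["radius1.corp.example.com", "radius.example.com"]
    spoof = ["radius.evil-example.com", "example.com.attacker.net"]
    print(server_cert_allowed(good, ["example.com"]))   # True
    print(server_cert_allowed(spoof, ["example.com"]))  # False
```

Always set at least one constraint when the CA you trust for EAP also issues certificates to parties outside your control (a public CA, or a large internal PKI): the CA check alone proves only that some subscriber of that CA is on the other end.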

# System

In this section, you can configure system-related policies.

#### 1. Minimum API level

The minimum allowed Android API level.

#### 2. Encryption policy

Whether encryption is enabled.

**Default**: This value is ignored, i.e. no encryption required.

**Enabled without password**: Encryption required but no password required to boot.

**Enabled with password**: Encryption required with password required to boot.

#### 3. Auto date and time

Whether auto date, time, and time zone is enabled on a company-owned device.

**User choice (default)**: Auto date, time, and time zone are left to user's choice.

**Enforced**: Enforce auto date, time, and time zone on the device.

#### 4. Developer settings

Controls access to developer settings: developer options and safe boot.

**Disabled (default)**: Disables all developer settings and prevents the user from accessing them.

**Allowed**: Allows all developer settings. The user can access and optionally configure the settings.

#### 5. Common Criteria Mode

Controls Common Criteria Mode, a set of security requirements defined in the Common Criteria for Information Technology Security Evaluation (CC). Enabling Common Criteria Mode hardens certain security components on a device (for example: AES-GCM encryption of Bluetooth Long Term Keys, additional validation for some network certificates, and cryptographic policy integrity checks). Common Criteria Mode is supported only on company-owned devices running Android 11 or above. Warning: Common Criteria Mode enforces a strict security model typically only required by organizations handling highly sensitive data. Standard device use may be affected; enable it only if required.

**Disabled (default)**: Disables Common Criteria Mode.

**Enabled**: Enables Common Criteria Mode.

#### 6. Memory Tagging Extension (MTE)

Controls Memory Tagging Extension (MTE) on the device.

**User choice (default)**: The user can choose to enable or disable MTE on the device (if supported by the device).

**Enforced**: MTE is enabled and the user is not allowed to change it (Android 14+; supported on fully managed devices and work profiles on company-owned devices).

**Disabled**: MTE is disabled and the user is not allowed to change it (Android 14+; supported on fully managed devices only).

#### 7. Content protection

Controls whether content protection (which scans for deceptive apps) is enabled. This is supported on Android 15 and above.

**Disabled (default)**: Content protection is disabled and the user cannot change this.

**Enforced**: Content protection is enabled and the user cannot change this (Android 15+).

**User choice**: Content protection is not controlled by the policy; the user can choose (Android 15+).

#### 8. Assist content

Controls whether AssistContent is allowed to be sent to a privileged app such as an assistant app (for example, Circle to Search). AssistContent includes screenshots and information about an app, such as package name. This is supported on Android 15 and above.

**Allowed (default)**: Assist content is allowed to be sent to a privileged app (Android 15+).

**Disallowed**: Assist content is blocked from being sent to a privileged app (Android 15+).

#### 9. Create windows disabled

Whether creating windows besides app windows is disabled. This option prevents the following system UIs from being displayed: toasts and snackbars, phone activities (such as incoming calls) and priority phone activities (such as ongoing calls), system alerts, system errors and system overlays.

#### 10. Network escape hatch

Whether the network escape hatch is enabled. If a network connection can't be made at boot time, the escape hatch prompts the user to temporarily connect to a network in order to refresh the device policy. After applying policy, the temporary network will be forgotten and the device will continue booting. This prevents being unable to connect to a network if there is no suitable network in the last policy and the device boots into an app in lock task mode, or the user is otherwise unable to reach device settings.

#### 11. Default activities

A list of default activities for handling intents that match a particular intent filter. For example, this feature would allow IT admins to choose which browser app automatically opens web links, or which launcher app is used when tapping the home button.

Use **Add default activity** to create entries. Within an entry, use **Add action** and **Add category** to build the intent filter.

##### 11.1. Receiver activity

The activity that should be the default intent handler. This should be an Android component name, e.g. com.android.enterprise.app/.MainActivity. Alternatively, the value may be the package name of an app, which causes Android Device Policy to choose an appropriate activity from the app to handle the intent.

##### 11.2. Action

The intent actions to match in the filter. If any actions are included in the filter, then an intent's action must be one of those values for it to match. If no actions are included, the intent action is ignored.

##### 11.3. Category

The intent categories to match in the filter. An intent includes the categories that it requires, all of which must be included in the filter in order to match. In other words, adding a category to the filter has no impact on matching unless that category is specified in the intent.
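The matching rules in 11.2 and 11.3 are easy to get backwards (actions are "any of", categories are "all of the intent's"), so here is an added Python example, not Cerberus Enterprise or Android Device Policy code, that applies them to constructed entries for a default browser and a default launcher and expands the `package/.Class` shorthand accepted by **Receiver activity**. Package and class names are invented for the example, and intent data/MIME matching is omitted because the manual's filter has only actions and categories.

```python
from __future__ import annotations
# Added example: intent-filter matching for Default activities.
# Not Cerberus Enterprise or Android Device Policy code.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DefaultActivity:
    receiver_activity: str                 # "pkg/.Cls", "pkg/full.Cls" or "pkg"
    actions: frozenset = frozenset()       # 11.2: intent actions to match
    categories: frozenset = frozenset()    # 11.3: intent categories to match


@dataclass(frozen=True)
class Intent:
    action: Optional[str] = None
    categories: frozenset = frozenset()


def expand_component(receiver: str) -> tuple[str, Optional[str]]:
    """Turn "com.example.app/.MainActivity" into (package, fully qualified
    class). A bare package name yields (package, None), meaning "let
    Android Device Policy pick an activity from the app"."""
    if "/" not in receiver:
        return receiver, None
    package, cls = receiver.split("/", 1)
    if cls.startswith("."):
        cls = package + cls
    return package, cls


def filter_matches(entry: DefaultActivity, intent: Intent) -> bool:
    """11.2: if the filter lists actions, the intent's action must be one of
    them (no actions = action ignored). 11.3: every category the intent
    carries must be present in the filter."""
    if entry.actions and intent.action not in entry.actions:
        return False
    return intent.categories <= entry.categories


def resolve_default(entries: list[DefaultActivity], intent: Intent) -> Optional[str]:
    """Receiver activity of the first matching entry, or None."""
    for entry in entries:
        if filter_matches(entry, intent):
            return entry.receiver_activity
    return None


# Constructed policy: route web links to one browser and pin a launcher.
ENTRIES = [
    DefaultActivity("com.example.browser/.MainActivity",
                    actions=frozenset({"android.intent.action.VIEW"}),
                    categories=frozenset({"android.intent.category.DEFAULT",
                                          "android.intent.category.BROWSABLE"})),
    DefaultActivity("com.example.launcher",
                    actions=frozenset({"android.intent.action.MAIN"}),
                    categories=frozenset({"android.intent.category.HOME",
                                          "android.intent.category.DEFAULT"})),
]

if __name__ == "__main__":
    link = Intent("android.intent.action.VIEW",
                  frozenset({"android.intent.category.BROWSABLE"}))
    home = Intent("android.intent.action.MAIN",
                  frozenset({"android.intent.category.HOME"}))
    print(resolve_default(ENTRIES, link))   # com.example.browser/.MainActivity
    print(resolve_default(ENTRIES, home))   # com.example.launcher
    print(expand_component("com.example.browser/.MainActivity"))
```

One consequence of the category rule worth remembering when building filters: Android adds `android.intent.category.DEFAULT` to implicit intents delivered through `startActivity()`, so a filter that omits that category will not match them.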

#### 12. Permitted input methods

Specifies permitted input methods.

**All allowed**: No restriction applied. All input methods are allowed.

**Only system's**: Only system's built-in input methods are allowed.

**Only system's and provided**: Only the provided and the system's built-in input methods are allowed.

##### 12.1. Allowed input methods

Input method package names that are allowed. Only applies when **Permitted input methods** is set to **Only system's and provided**.

Use **Add input method** to add entries and remove them with the delete action.

#### 13. Permitted accessibility services

Specifies permitted accessibility services.

**All allowed**: Any accessibility service can be used.

**Only system's**: Only the system's built-in accessibility services can be used.

**Only system's and provided**: Only the provided and the system's built-in accessibility services can be used.

##### 13.1. Allowed accessibility services

Allowed accessibility services. Only applies when **Permitted accessibility services** is set to **Only system's and provided**.

Use **Add accessibility service** to add entries and remove them with the delete action.

#### 14. System update policy

Configuration for managing system updates.

**Default**: Follow the default update behavior for the device, which typically requires the user to accept system updates.

**Automatic**: Install automatically as soon as an update is available.

**Windowed**: Install automatically within a daily maintenance window. This also configures Play apps to be updated within the window. This is strongly recommended for kiosk devices because this is the only way apps persistently pinned to the foreground can be updated by Play.

**Postpone**: Postpone automatic install up to a maximum of 30 days.

##### 14.1. Maintenance window (Windowed only)

When **System update policy** is set to **Windowed**, you can define the daily maintenance window using the **from** and **to** fields.

##### 14.2. System update freeze periods

An annually repeating time period in which over-the-air (OTA) system updates are postponed to freeze the OS version running on a device. To prevent freezing the device indefinitely, each freeze period must be separated by at least 60 days. Each freeze period must not exceed 90 days.

Use **Add system update freeze period** to create entries.
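Freeze periods are easy to mis-schedule because they repeat every year and may wrap the year end. The Python below is an added example (not Cerberus Enterprise code) that checks a proposed schedule against the two rules stated above: no period longer than 90 days, and at least 60 days between consecutive periods, including the gap from the last period of one year to the first of the next. Periods are (month, day) pairs; counting days in a leap year so that 02-29 is a valid date is this example's choice, and the sample schedules are constructed.

```python
from __future__ import annotations
# Added example: validator for system update freeze periods.
# Not Cerberus Enterprise or Android code.
from datetime import date

LEAP_YEAR = 2024          # any leap year: lets 02-29 be a valid period bound
DAYS_IN_YEAR = 366
MAX_FREEZE_DAYS = 90
MIN_GAP_DAYS = 60


def _day_of_year(month: int, day: int) -> int:
    return date(LEAP_YEAR, month, day).timetuple().tm_yday


def _fmt(period) -> str:
    (sm, sd), (em, ed) = period
    return f"{sm:02d}-{sd:02d}..{em:02d}-{ed:02d}"


def _span(period) -> tuple[int, int]:
    """(first day, last day) as day-of-year numbers; a period that wraps
    the year end (e.g. 11-15..01-15) has its end pushed into next year."""
    (sm, sd), (em, ed) = period
    start, end = _day_of_year(sm, sd), _day_of_year(em, ed)
    if end < start:
        end += DAYS_IN_YEAR
    return start, end


def validate_freeze_periods(periods) -> list[str]:
    """Return the rule violations; an empty list means the schedule is valid."""
    errors = []
    spans = []
    for period in periods:
        start, end = _span(period)
        length = end - start + 1
        if length > MAX_FREEZE_DAYS:
            errors.append(f"{_fmt(period)} lasts {length} days (max {MAX_FREEZE_DAYS})")
        spans.append((start, end, period))
    spans.sort()
    # Gap after each period, including the wrap from the last period of
    # one year to the first period of the next. Overlaps show up as a
    # negative gap.
    for i, (_, end, period) in enumerate(spans):
        next_start, _, next_period = spans[(i + 1) % len(spans)]
        if i == len(spans) - 1:
            next_start += DAYS_IN_YEAR
        gap = next_start - end - 1
        if gap < MIN_GAP_DAYS:
            errors.append(f"only {gap} days between {_fmt(period)} and "
                          f"{_fmt(next_period)} (min {MIN_GAP_DAYS})")
    return errors


if __name__ == "__main__":
    # Constructed schedules: a valid one and one breaking both rules.
    ok = [((11, 15), (1, 15)), ((6, 1), (7, 15))]
    bad = [((1, 1), (4, 15)), ((5, 1), (5, 20))]
    print(validate_freeze_periods(ok))   # []
    for problem in validate_freeze_periods(bad):
        print(problem)
```

A schedule that fails these checks is rejected by the platform, but the more important reason to validate is the security consequence of a freeze: while a period is active the device receives no OTA security patches, so keep periods as short as the change-control requirement allows.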

#### 15. Credential providers default

Controls which apps are allowed to act as credential providers on Android 14 and above.

**Disallowed (default)**: Apps with credentialProviderPolicy unspecified are not allowed to act as a credential provider.

**Disallowed except system**: Apps with credentialProviderPolicy unspecified are not allowed to act as a credential provider, except for the OEM default credential providers.

# Location and geofence

 This panel groups the Android policy settings that control device location reporting, location enforcement, and geofence definitions. Use it when you want Cerberus Enterprise to collect device locations or detect when devices enter or leave configured areas.

## Location reporting

### Report location

 Enables device geolocation reporting. Location data collected through this setting is used by the [**dashboard location map**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/dashboard-location-map "Dashboard location map"), the device overview location history, and geofence processing.

<p class="callout info"> On devices that are not fully managed, location data may still depend on the Cerberus Enterprise app having the required location permissions and on location services being enabled on the device. </p>

### Location mode

 Controls the device location setting on company-owned devices.

- **User choice**: location services are not restricted by the policy.
- **Enforced**: location services are enabled on the device.
- **Disabled**: location services are disabled on the device.

### Share location disabled

 Disables location sharing for work apps. On profile-owner devices, this affects the work profile. On fully managed devices, it disables location for the whole device and overrides the device location mode.

## Automatic behavior with active geofences

 Active geofences require location reporting to work. When at least one geofence is active, Cerberus Enterprise automatically keeps the related location settings consistent.

- **Report location** is forced on while active geofences exist.
- **Location mode** is forced to **Enforced**.
- **Share location disabled** is forced off.

 If you try to disable **Report location** while one or more geofences are active, Cerberus Enterprise shows a confirmation dialog. If you continue, all active geofences in the policy are deactivated.

## Geofence list

 A policy can contain up to **10 geofences**. Geofence names must be unique within the policy.

 Use **Add geofence** to create a new entry. Each geofence contains these main fields:

- **Name**: required and unique.
- **Latitude** and **Longitude**: the center of the area.
- **Radius (m)**: required, from **100** to **10000** meters.
- **Description**: optional notes for administrators.
- **Report enter** and **Report exit**: choose which transition events should be generated.
- **Active**: enables or disables the geofence without deleting it.

<p class="callout info"> At least one of **Report enter** or **Report exit** must stay enabled for each geofence. </p>
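To make the rules in this section concrete, here is an added Python example (not Cerberus Enterprise code, and not how the server is implemented) that validates a geofence list against the limits above (at most 10 geofences, unique names, radius 100 to 10000 m, at least one of enter/exit reported) and then walks a constructed sequence of location fixes, emitting enter and exit transitions only for active geofences and only for the transitions each geofence reports. The haversine distance on a spherical Earth and the coordinates used are this example's assumptions.

```python
from __future__ import annotations
# Added example: geofence validation and enter/exit transition detection.
# Not Cerberus Enterprise code.
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000.0   # mean Earth radius, spherical model (assumption)
MAX_GEOFENCES = 10
MIN_RADIUS_M, MAX_RADIUS_M = 100, 10000


@dataclass(frozen=True)
class Geofence:
    name: str
    latitude: float
    longitude: float
    radius_m: float
    report_enter: bool = True
    report_exit: bool = True
    active: bool = True


def validate_geofences(fences: list[Geofence]) -> list[str]:
    """Return violations of the policy limits described in the manual."""
    errors = []
    if len(fences) > MAX_GEOFENCES:
        errors.append(f"{len(fences)} geofences exceeds the limit of {MAX_GEOFENCES}")
    seen = set()
    for f in fences:
        if f.name in seen:
            errors.append(f"duplicate name {f.name!r}")
        seen.add(f.name)
        if not MIN_RADIUS_M <= f.radius_m <= MAX_RADIUS_M:
            errors.append(f"{f.name}: radius {f.radius_m} m outside "
                          f"{MIN_RADIUS_M}..{MAX_RADIUS_M}")
        if not (f.report_enter or f.report_exit):
            errors.append(f"{f.name}: at least one of report enter/exit must be enabled")
    return errors


def distance_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle (haversine) distance between two points in metres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def transitions(fences: list[Geofence], locations) -> list[tuple[str, str]]:
    """Walk (lat, lon) fixes in order and emit (fence name, "enter"|"exit")
    whenever a device crosses an active geofence boundary. The first fix
    only establishes the initial inside/outside state and emits nothing."""
    events = []
    inside: dict[str, bool] = {}
    for lat, lon in locations:
        for f in fences:
            if not f.active:
                continue
            now_inside = distance_m(lat, lon, f.latitude, f.longitude) <= f.radius_m
            was_inside = inside.get(f.name)
            if was_inside is not None and now_inside != was_inside:
                if now_inside and f.report_enter:
                    events.append((f.name, "enter"))
                elif not now_inside and f.report_exit:
                    events.append((f.name, "exit"))
            inside[f.name] = now_inside
    return events


if __name__ == "__main__":
    # Constructed geofence (500 m around a point in Berlin) and a path that
    # starts about 1.1 km north, moves into the area, then leaves again.
    hq = Geofence("HQ", 52.5200, 13.4050, 500)
    path = [(52.5300, 13.4050), (52.5201, 13.4051), (52.5300, 13.4050)]
    print(validate_geofences([hq]))   # []
    print(transitions([hq], path))    # [('HQ', 'enter'), ('HQ', 'exit')]
```

Note the effect of the first fix: a device already inside a geofence when reporting starts never produces an enter event, so "no enter event" does not mean "never inside". Check the location history as well when investigating.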

## Map editing tools

 Each geofence card includes a map preview of the area. You can edit the geometry from the map or from the numeric fields.

- Click the map to move the geofence center when area editing is unlocked.
- Use the **Current location** button to center the map on your current browser position.
- Use the **Recenter map** button to restore the preferred viewport for that geofence.
- Use the lock button to prevent accidental changes to the geofence geometry.

## Where geofence data appears

 Geofence transitions can be reviewed in the Android [**Device overview**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/device-overview "Device overview") page, inside the **Geofence** tab of the location panel. That tab shows transitions on a dedicated map together with filtering tools and the transition list.

# User management

##### Add user disabled

Whether adding new users and profiles is disabled. For devices where managementMode is **DEVICE\_OWNER** this field is ignored and the user is never allowed to add or remove users.

##### Modify accounts disabled

Whether adding or removing accounts is disabled.

##### User credentials config disabled

Whether configuring user credentials is disabled.

##### Remove user disabled

Whether removing other users is disabled.

##### Set user icon disabled

Whether changing the user icon is disabled.

##### Set wallpaper disabled

Whether changing the wallpaper is disabled.

##### Work account setup authentication

Controls how users authenticate during work account setup. This option is available only for Android enterprises backed by a managed Google domain (Google Workspace).

During device setup/enrollment, this policy influences whether a work account sign-in is required, but the Google Admin Console setting **Authenticate Using Google** and the enrollment token type can still require authentication.

For already enrolled devices, this policy only applies if the device is managed by a managed Google Play account (i.e., enrolled without **Authenticate Using Google Enrollment**).

For more details and troubleshooting, refer to [**Authenticate Using Google enrollment**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/authenticate-using-google-enrollment "Authenticate Using Google enrollment").

##### Blocked account types

Account types that can't be managed by the user. This option prevents device users from adding unapproved accounts.

Use **Add blocked account type** to add one or more account types.

Each entry has an **Account type** field (required). Enter a string such as **com.google**. Remove an entry using the delete action.

# Personal usage

When [provisioning a company-owned device for work and personal use](https://enterprise.cerberusapp.com/docs/books/user-manual/page/company-owned-devices-for-work-and-personal-use "Company-owned devices for work and personal use"), you can specify rules that limit how the user can operate the device for personal usage, outside the work profile.

<p class="callout info">These settings only apply to company-owned devices with a work profile. They have no effect on fully managed or personally-owned devices.</p>

#### 1. Camera disabled

Whether camera is disabled.

#### 2. Screen capture disabled

Whether screen capture is disabled.

#### 3. Max days with work off

Controls how long the work profile can stay off.

#### 4. Bluetooth sharing

Controls whether bluetooth sharing is allowed in the personal profile of a company-owned device with a work profile.

#### 5. Private space

Controls whether a private space is allowed on the device.

#### 6. Play Store mode

This mode controls which apps are allowed or blocked to the user in the personal profile's Play Store.

**Blocklist (default)**: All apps are available and any app that should not be on the device should be explicitly marked as **Blocked** in the **Applications** section.

**Allowlist**: Only apps explicitly specified in the **Applications** section with **Install type** set to **Available** are allowed to be installed in the personal profile.

#### 7. Applications

List of applications that must be allowed or blocked on the personal profile. The behavior of the list's content depends on the value set on **Play Store mode**.

To add a new app from Play Store, click on the **+** icon.

##### 7.1. Install type

Types of installation behaviors a personal profile application can have.

**Blocked**: The app is blocked and can't be installed in the personal profile.

**Available**: The app is available to install in the personal profile.

#### 8. Blocked account types

Account types that can't be managed by the user. This option prevents device users from adding unapproved accounts on their personal profile.


# Cross-profile policies

Only applies to devices with personal and work profiles.

##### Cross-profile copy/paste

Whether text copied from one profile (personal or work) can be pasted in the other profile.

**Disallowed (default)**: Prevents users from pasting into the personal profile text copied from the work profile. Text copied from the personal profile can be pasted into the work profile.

**Allowed**: Text copied in either profile can be pasted in the other profile.

##### Cross-profile data sharing

Whether data from one profile (personal or work) can be shared with apps in the other profile. Specifically controls simple data sharing via intents. Management of other cross-profile communication channels, such as contact search, copy/paste, or connected work & personal apps, is configured separately.

**Disallowed**: Prevents data from being shared from both the personal profile to the work profile and the work profile to the personal profile.

**Work to Personal disallowed (default)**: Prevents users from sharing data from the work profile to apps in the personal profile. Personal data can be shared with work apps.

**Allowed**: Data from either profile can be shared with the other profile.

##### Work profile widgets default

Default behavior for work profile widgets. If a specific app does not define a widgets policy, it follows the default set here.

##### Cross-profile app functions

Controls whether personal profile apps can invoke app functions from work profile apps. This requires Android 16 or above.

<p class="callout info">This setting depends on the policy-level **App functions** option (in the App management section). If App functions is set to **Disallowed**, the API will reject Cross-profile app functions set to **Allowed**.</p>

##### Work contacts in personal profile

Whether contacts stored in the work profile can be shown in personal profile contact searches and incoming calls.

**Allowed (default)**: Allows work profile contacts to appear in the personal profile.

**Disallowed**: Prevents personal apps from accessing work profile contacts and looking up work contacts.

**Disallowed except system**: Prevents most personal apps from accessing work profile contacts, except for the OEM default Dialer, Messages, and Contacts apps (Android 14+).

When Work contacts in personal profile is configured, you can optionally define a list of **Exempted package name** entries. Depending on the selected mode, these exemptions behave as allowlist or blocklist for personal apps.

# Status reporting

In this section, you can configure which data should be retrieved from the device. The status data can be viewed in the [**Device status**](https://enterprise.cerberusapp.com/docs/books/user-manual/chapter/device-status "Device status") dashboard page.

##### Application reports

Whether app reports are enabled. (Information reported about an installed app.)

<p class="callout info">This option is required by the system (for companion-app integration) and is always enabled; it can't be disabled.</p>

##### Include removed apps

Whether removed apps are included in application reports.

##### Device settings

Whether device settings reporting is enabled. (Information about security related device settings on device.)

##### Software info

Whether software info reporting is enabled. (Information about device software.)

##### Memory info

Whether memory reporting is enabled. (An event related to memory and storage measurements.)

##### Network info

Whether network info reporting is enabled. (Device network info.)

##### Display info

Whether displays reporting is enabled. Report data is not available for personally-owned devices with work profiles. (Device display information.)

##### Power management events

Whether power management event reporting is enabled. Report data is not available for personally-owned devices with work profiles.

##### Hardware status

Whether hardware status reporting is enabled. Report data is not available for personally-owned devices with work profiles.

##### System properties

Whether system properties reporting is enabled.

##### Common Criteria Mode

Whether Common Criteria Mode reporting is enabled.

# Misc

#### 1. Easter egg game disabled

Whether the Easter egg game in Settings is disabled.

#### 2. Skip first use hints

Flag to skip hints on the first use. Enterprise admin can enable the system recommendation for apps to skip their user tutorial and other introductory hints on first start-up.

#### 3. Short support message

A message displayed to the user in the settings screen wherever functionality has been disabled by the admin. If the message is longer than 200 characters it may be truncated.

#### 4. Long support message

A message displayed to the user in the device administrators settings screen.

#### 5. Owner lock screen info

The device owner information to be shown on the lock screen.

#### 6. Setup actions

Actions to take during the setup process. During the enrollment, you can require the user to open one or more apps that are needed for device setup.

Use **Add setup action** to create entries and remove them with the delete action.

##### 6.1. Launch app

Package name of the app to be launched.

##### 6.2. Title

A short user-facing title for the setup action.

##### 6.3. Description

Provides a user-facing message, to explain to the user why the app is required to be launched.

#### 7. Enterprise display name visibility

Controls whether the enterprise display name is visible on the device (for example, as a lock screen message on company-owned devices).

**Visible (default)**: The enterprise display name is visible on the device (supported on work profiles on Android 7+ and fully managed devices on Android 8+).

**Hidden**: The enterprise display name is hidden on the device.

# Policy enforcement rules

If a device or work profile fails to comply with any of the policy settings listed below, Android Device Policy immediately blocks usage of the device or work profile by default:

- **Password requirements**
- **Encryption policy**
- **Keyguard disabled**
- **Permitted input methods**
- **Permitted accessibility services**

If the device or work profile remains non-compliant after 10 days, Android Device Policy will factory-reset the device or delete the work profile.

In this section, you can override the default compliance enforcement rules or add new ones.

#### Rules

List of rules that define the behavior when a particular policy cannot be applied to a device.

Use **Add rule** to create a new rule. Each rule card can be removed using the delete action.

##### Setting name

The top-level policy to enforce. For example, **Applications** or **Password requirements**.

**Required.** The value must match a supported top-level policy name; otherwise the field is marked as invalid.

##### Block after days

Number of days the policy is non-compliant before the device or work profile is blocked. To block access immediately, set to 0. **Block after days** must be less than **Wipe after days**. Only applicable to devices that are company-owned.

Allowed range: 0–300.

##### Block scope

Specifies the scope of block action. Only applicable to devices that are company-owned.

Default (new rule): **Work profile**.

**Work profile**: Block action is only applied to apps in the work profile. Apps in the personal profile are unaffected.

**Entire device**: Block action is applied to the entire device, including apps in the personal profile.

##### Wipe after days

Number of days the policy is non-compliant before the device or work profile is wiped. **Wipe after days** must be greater than **Block after days**. Only applicable to devices that are company-owned.

**Required.** Default (new rule): **1**.

Allowed range: 1–300.

##### Preserve factory-reset protection

Whether the factory-reset protection data is preserved on the device. This setting doesn’t apply to work profiles.

Default (new rule): enabled.
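As an added example (not Cerberus Enterprise or Android Device Policy code), the snippet below encodes the constraints of this section (Block after days 0–300, Wipe after days 1–300 and required, block strictly less than wipe, a supported setting name and block scope) and replays the compliance timeline, so you can see on which day a rule blocks and on which day it wipes. It assumes the dashboard fields correspond to the Android Management API `policyEnforcementRules` structure (`settingName`, `blockAction`, `wipeAction`); the page does not show that JSON, and the set of supported setting names is limited here to the two the text names.

```python
"""Policy enforcement rule checks and a compliance timeline.

Added example, not Cerberus Enterprise or Android Device Policy code.
Assumption: the dashboard fields correspond to the Android Management API
policyEnforcementRules structure (settingName, blockAction, wipeAction);
the page does not show that JSON, so the key names are my reading of AMAPI.
"""
BLOCK_DAYS_RANGE = (0, 300)
WIPE_DAYS_RANGE = (1, 300)
BLOCK_SCOPES = {"BLOCK_SCOPE_WORK_PROFILE", "BLOCK_SCOPE_DEVICE"}  # assumed enum names
# The two top-level policy names the page gives as examples, in AMAPI spelling.
KNOWN_SETTINGS = {"applications", "passwordPolicies"}


def validate_rule(rule):
    """Return the list of constraint violations described above (empty when valid)."""
    problems = []
    name = rule.get("settingName")
    if name not in KNOWN_SETTINGS:
        problems.append(f"unsupported settingName {name!r}")
    block = rule.get("blockAction", {})
    wipe = rule.get("wipeAction", {})
    b_days = block.get("blockAfterDays")
    w_days = wipe.get("wipeAfterDays")
    if b_days is not None and not BLOCK_DAYS_RANGE[0] <= b_days <= BLOCK_DAYS_RANGE[1]:
        problems.append(f"blockAfterDays {b_days} outside {BLOCK_DAYS_RANGE}")
    if w_days is None:
        problems.append("wipeAfterDays is required")
    elif not WIPE_DAYS_RANGE[0] <= w_days <= WIPE_DAYS_RANGE[1]:
        problems.append(f"wipeAfterDays {w_days} outside {WIPE_DAYS_RANGE}")
    if b_days is not None and w_days is not None and not b_days < w_days:
        problems.append(f"blockAfterDays {b_days} must be less than wipeAfterDays {w_days}")
    if block.get("blockScope") not in BLOCK_SCOPES:
        problems.append(f"unknown blockScope {block.get('blockScope')!r}")
    return problems


def make_rule(setting_name, block_after_days=0, block_scope="BLOCK_SCOPE_WORK_PROFILE",
              wipe_after_days=1, preserve_frp=True):
    """Build a rule with the dashboard defaults (block 0 days, work profile, wipe 1 day, FRP kept)."""
    rule = {
        "settingName": setting_name,
        "blockAction": {"blockAfterDays": block_after_days, "blockScope": block_scope},
        "wipeAction": {"wipeAfterDays": wipe_after_days, "preserveFrp": preserve_frp},
    }
    problems = validate_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    return rule


def enforcement_state(rule, days_noncompliant):
    """State after `days_noncompliant` days of non-compliance (None = compliant).

    Mirrors the text above: blocked once blockAfterDays is reached, wiped
    (device factory reset or work profile deleted) once wipeAfterDays is reached.
    """
    if days_noncompliant is None:
        return "compliant"
    if days_noncompliant >= rule["wipeAction"]["wipeAfterDays"]:
        return "wiped"
    if days_noncompliant >= rule["blockAction"]["blockAfterDays"]:
        return "blocked"
    return "grace"


# The built-in behaviour described above for password requirements:
# block immediately, wipe after 10 days.
DEFAULT_PASSWORD_RULE = make_rule("passwordPolicies", block_after_days=0, wipe_after_days=10)

if __name__ == "__main__":
    for day in (None, 0, 3, 10):
        print(day, enforcement_state(DEFAULT_PASSWORD_RULE, day))
    relaxed = make_rule("applications", block_after_days=5, wipe_after_days=30)
    print(validate_rule(relaxed), enforcement_state(relaxed, 2))
```

Note that a new rule created in the dashboard defaults to wiping after 1 day, which is far more aggressive than the built-in 10-day behaviour; `make_rule` keeps that default so the difference is visible when you compare the two timelines.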

# Policies - Apple

# Apple policies

 Apple policies define management settings that Cerberus Enterprise applies to Apple devices via MDM. These settings are configured from the dashboard in the Apple policy editor.

## Before you start

 Apple device management requires Apple Management (APNs) to be configured. If needed, read the [Apple Management setup (APNs)](https://enterprise.cerberusapp.com/docs/books/user-manual/page/apple-management-setup-apns "Apple Management setup (APNs)") page.

## Open the Apple Policy Editor

 In the dashboard, open **Policies** and click **Create new Apple policy**. To edit an existing Apple policy, click its row in the policies table.

## Editor layout

 The Apple Policy Editor is organized as a set of expandable sections. At the top of the page you can always edit:

- **Name** (required)
- **Id** (read-only)
- **Description** (optional)

## Policy sections

 The sections below match the panels currently available in the Apple Policy Editor:

- **App management**: configure app-related restrictions and managed apps.
- **Passcode settings**: configure passcode requirements and related rules.
- **Security**: control features such as Auto Unlock and biometric unlocking.
- **iCloud**: allow or disallow specific iCloud services (backup, keychain sync, private relay, etc.).
- **Multimedia**: allow/disallow camera and related features.
- **Cellular**: control cellular-related settings (app cellular data settings, eSIM, plan changes).
- **Networking**: control AirDrop/AirPrint/AirPlay and other connectivity settings.
- **Accounts**: restrict account modification and (optionally) configure Google and Mail accounts.

<p class="callout info"> Many options in the Apple Policy Editor include a tooltip that documents requirements and supported OS versions. </p>

## Save, delete, and associated devices

 Use **Save policy** to apply your changes. The button is disabled when there are no pending edits, or when the license is expired.

 When editing an existing policy, the page also shows a **Delete policy** action. The editor can show an **Associated devices** list at the bottom, so you can see how many devices are currently using the policy.

## Next pages

- Passcode: configure passcode requirements and related security options.
- Restrictions: define allowed features and OS-level limitations.
- Apps & profiles: configure installed apps and configuration profiles.

# Apple policy: Passcode

 The **Passcode settings** section controls device passcode requirements and related security rules (for example, minimum length and complexity).

## Options

 In the Apple Policy Editor, passcode options are configured using a mix of toggles and numeric fields. Many fields include tooltips that indicate supported OS versions and supervision requirements.

### Passcode toggles

- **ChangeAtNextAuth**: force a password reset the next time the user authenticates.
- **RequireAlphanumericPasscode**: require at least one alphabetic character and one number.
- **RequireComplexPasscode**: require a “complex” passcode (no repeating/sequential patterns and at least one non-alphanumeric character).
- **RequirePasscode**: require a passcode without additional length/quality requirements. Note: setting other passcode keys implicitly requires a passcode.

### Numeric fields

- **FailedAttemptsResetInMinutes**: minutes before the failed-attempts counter resets (requires MaximumFailedAttempts).
- **MaximumFailedAttempts**: failed attempts allowed before the device is erased/locked (range: 2–11).
- **MaximumGracePeriodInMinutes**: how long the device can be unlocked without requiring the passcode (0 = none).
- **MaximumInactivityInMinutes**: idle time before the device locks (range: 0–15).
- **MaximumPasscodeAgeInDays**: max passcode age before a forced change (range: 0–730).
- **MinimumComplexCharacters**: minimum number of “complex” characters (range: 0–4).
- **MinimumLength**: minimum passcode length (range: 0–16).
- **PasscodeReuseLimit**: passcode history length to prevent reusing old passcodes (range: 1–50).
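The following added example (not Cerberus Enterprise or Apple code) makes the passcode keys concrete: `policy_problems` checks the numeric fields against the ranges listed above and the `FailedAttemptsResetInMinutes` dependency, and `passcode_violations` reports why a candidate passcode would be rejected under a given policy. Apple does not publish the exact "repeating/sequential" test behind `RequireComplexPasscode`, so the pattern check here is an assumption and is marked as such in the code.

```python
"""Apple passcode policy checks.

Added example, not Cerberus Enterprise or Apple code. It checks (a) that the
numeric fields above are inside their documented ranges and (b) whether a
candidate passcode would satisfy the policy. Apple does not publish the
exact "repeating/sequential" test behind RequireComplexPasscode, so
_has_pattern() below is my approximation.
"""
RANGES = {
    "MaximumFailedAttempts": (2, 11),
    "MaximumInactivityInMinutes": (0, 15),
    "MaximumPasscodeAgeInDays": (0, 730),
    "MinimumComplexCharacters": (0, 4),
    "MinimumLength": (0, 16),
    "PasscodeReuseLimit": (1, 50),
}
PASSCODE_KEYS = set(RANGES) | {
    "ChangeAtNextAuth", "FailedAttemptsResetInMinutes", "MaximumGracePeriodInMinutes",
    "RequireAlphanumericPasscode", "RequireComplexPasscode", "RequirePasscode",
}


def policy_problems(policy):
    """Range and dependency checks for the fields as documented above."""
    problems = []
    for key, (lo, hi) in RANGES.items():
        if key in policy and not lo <= policy[key] <= hi:
            problems.append(f"{key}={policy[key]} outside {lo}-{hi}")
    if "FailedAttemptsResetInMinutes" in policy and "MaximumFailedAttempts" not in policy:
        problems.append("FailedAttemptsResetInMinutes requires MaximumFailedAttempts")
    unknown = set(policy) - PASSCODE_KEYS
    if unknown:
        problems.append(f"unknown keys: {sorted(unknown)}")
    return problems


def _has_pattern(s, run=3):
    """Approximation (assumption): any run of `run` identical characters, or
    `run` characters with consecutive code points up or down (abc, 321)."""
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def passcode_violations(policy, candidate, history=()):
    """Return why `candidate` would be rejected (empty list = accepted).

    `history` holds previous passcodes, oldest first, for PasscodeReuseLimit.
    """
    violations = []
    # Any passcode key implies a passcode is required (see RequirePasscode above).
    required = any(k in policy for k in PASSCODE_KEYS)
    if not candidate:
        return ["passcode required"] if required else []
    if len(candidate) < policy.get("MinimumLength", 0):
        violations.append(f"shorter than MinimumLength {policy['MinimumLength']}")
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if policy.get("RequireAlphanumericPasscode") and not (has_alpha and has_digit):
        violations.append("needs at least one letter and one digit")
    complex_chars = sum(1 for c in candidate if not c.isalnum())
    if policy.get("RequireComplexPasscode"):
        if complex_chars == 0:
            violations.append("needs a non-alphanumeric character")
        if _has_pattern(candidate):
            violations.append("contains a repeating or sequential pattern")
    if complex_chars < policy.get("MinimumComplexCharacters", 0):
        violations.append(f"fewer than MinimumComplexCharacters {policy['MinimumComplexCharacters']}")
    limit = policy.get("PasscodeReuseLimit", 0)
    if limit and candidate in list(history)[-limit:]:
        violations.append(f"reuses one of the last {limit} passcodes")
    return violations


# Constructed policy: values an admin might enter in the fields above.
EXAMPLE_POLICY = {
    "MinimumLength": 8,
    "RequireAlphanumericPasscode": True,
    "RequireComplexPasscode": True,
    "MinimumComplexCharacters": 2,
    "PasscodeReuseLimit": 5,
    "MaximumFailedAttempts": 10,
    "FailedAttemptsResetInMinutes": 30,
}

if __name__ == "__main__":
    print(policy_problems(EXAMPLE_POLICY))
    for pc in ("abc12345", "Tr0ub4dor&3!"):
        print(pc, passcode_violations(EXAMPLE_POLICY, pc))
```

Under `EXAMPLE_POLICY`, `abc12345` fails three ways (no non-alphanumeric character, a sequential run, and fewer than two complex characters) while `Tr0ub4dor&3!` is accepted until it appears in the reuse history.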

# Apple policy: Restrictions

 The Restrictions sections control which OS features are allowed on managed Apple devices. In the Apple Policy Editor, these options are exposed as grouped panels with multiple toggles.

<p class="callout info"> Many restrictions are only supported on specific OS versions and may require supervised devices. Use the tooltips in the dashboard for authoritative requirements. </p>

## Security

- **Allow auto unlock**
- **Allow Fingerprint for Unlock**
- **Allow Fingerprint Modification**

## iCloud

- **Allow iCloud address book**
- **Allow iCloud backup**
- **Allow iCloud bookmarks**
- **Allow iCloud calendar**
- **Allow iCloud desktop and documents**
- **Allow iCloud document sync**
- **Allow iCloud Freeform**
- **Allow iCloud keychain sync**
- **Allow iCloud Mail**
- **Allow iCloud Notes**
- **Allow iCloud Photo Library**
- **Allow iCloud Private Relay**
- **Allow iCloud Reminders**

## Multimedia

- **Allow camera**
- **Allow File Sharing Modification**
- **Allow Files USB Drive Access**

## Cellular

- **Allow app cellular data modification**
- **Allow cellular plan modification**
- **Allow eSIM modification**
- **Allow eSIM outgoing transfers**

## Networking

- **Allow AirDrop**
- **Allow AirPlay incoming requests**
- **Allow AirPrint**
- **Allow AirPrint credentials storage**
- **Allow AirPrint iBeacon discovery**
- **Allow Bluetooth modification**
- **Allow Bluetooth Sharing modification**
- **Allow Files Network Drive Access**
- **Allow Internet Sharing Modification**

## Accounts (restriction)

 The Accounts panel contains both a restriction and (optionally) account configuration. The restriction toggle controls whether the user can modify system accounts.

- **Allow account modification**

# Apple policy: Apps & profiles

 This section documents how to configure managed applications and account payloads for Apple devices.

## App management

 The **App management** panel contains both general app-related restrictions and a list of managed apps.

### General app restrictions

- **Allow app clips**
- **Allow app installation**
- **Allow app removal**
- **Allow automatic app downloads**
- **Allow apps to be hidden**
- **Allow apps to be locked**
- **Allow In-App Purchases**

### Managed apps

 Use **Add application** to add an app to the policy. Each managed app is displayed as a card. You can expand the card to edit its settings and remove the app using the delete action.

- **App Store ID**: the App Store identifier of the managed app.
- **Bundle ID**: the app bundle identifier.
- **Install behavior**: controls whether the app must remain installed or can be installed/removed by the user.
- **Assignment**: license assignment type.
- **VPP license**: VPP license type used for installation through the App Store.

## Accounts

 The **Accounts** panel lets you configure accounts that are applied to managed devices. It also includes a restriction toggle for account modification.

### Restriction

- **Allow account modification**: when disabled, users cannot modify accounts such as Apple Accounts and internet accounts.

### Add accounts

 Use **Add Google account** or **Add mail account** to add account payloads to the policy. Each account appears as a card with its configuration fields.

### Account credentials from users

 Both Google and Mail account cards provide an **Account credentials from users** toggle. When enabled, the system applies account credentials on a per-user basis. When disabled, you enter the account identity in the policy.

### Google account fields

- **Visible name**: the name shown to the user for the account.
- **Google email address**: the user email address.
- **Full name**: the user’s full name.

### Mail account fields

 Mail accounts include identity fields plus incoming/outgoing server configuration. Host names are required.

- **Visible name**: the name shown to the user for the mail account.
- **Email address**: the user email address.
- **Full name**: the user’s full name.

#### Incoming server

- **Server type**: mail protocol (for example IMAP or POP).
- **Authentication Method**: authentication method for the server.
- **IMAP path prefix**: shown only when Server type is IMAP.
- **Host name**: required.
- **Port**: server port (1–65535).

#### Outgoing server

- **Authentication Method**
- **Host name**: required.
- **Port**: server port (1–65535).

### S/MIME options

 For Mail accounts, you can also configure S/MIME encryption and signing behavior.

#### Encryption

- **S/MIME encryption**
- **Identity user-overrideable**
- **Per-message switch enabled**
- **User overrideable**

#### Signing

- **S/MIME Signing**
- **Identity user-overrideable**
- **User overrideable**

<p class="callout info"> Account and restriction options include tooltips in the dashboard that document prerequisites and supported OS versions. </p>
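To show how the Mail account fields, server settings and S/MIME options above fit together on the wire, here is an added example (not Cerberus Enterprise code) that assembles a managed-mail configuration payload from those fields, enforces the documented constraints (host names required, ports 1–65535, IMAP path prefix only for IMAP), and adds one practitioner check the dashboard fields do not express: a warning when a server is configured without TLS or would send a password over a non-TLS connection. The key names are my reading of Apple's `com.apple.mail.managed` payload and should be verified against Apple's Device Management documentation; the `PayloadIdentifier` scheme is invented for the example.

```python
"""Build and sanity-check an Apple managed-mail account payload.

Added example, not Cerberus Enterprise code. The key names are my reading of
Apple's com.apple.mail.managed configuration profile payload (verify against
Apple's Device Management documentation); the TLS check at the end is an
added practitioner caveat, not a dashboard field.
"""
import plistlib
import uuid

SERVER_TYPES = {"IMAP": "EmailTypeIMAP", "POP": "EmailTypePOP"}
AUTH_METHODS = {"EmailAuthNone", "EmailAuthPassword", "EmailAuthCRAMMD5",
                "EmailAuthNTLM", "EmailAuthHTTPMD5"}


def _check_server(label, server):
    """Host name required, port 1-65535, known authentication method."""
    if not server.get("host"):
        raise ValueError(f"{label}: host name is required")
    port = server.get("port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"{label}: port must be 1-65535")
    if server.get("auth", "EmailAuthPassword") not in AUTH_METHODS:
        raise ValueError(f"{label}: unknown authentication method {server.get('auth')!r}")


def mail_payload(visible_name, email, full_name, incoming, outgoing, smime=None, per_user=False):
    """Return the payload dict for one Mail account card.

    `incoming`/`outgoing` are dicts with host, port, auth, use_ssl (and, for IMAP,
    imap_path_prefix). With per_user=True the identity fields are left out, as
    when "Account credentials from users" is enabled (assumed mapping).
    """
    server_type = incoming.get("type", "IMAP").upper()
    if server_type not in SERVER_TYPES:
        raise ValueError(f"unsupported server type {server_type!r}")
    if server_type != "IMAP" and incoming.get("imap_path_prefix"):
        raise ValueError("IMAP path prefix only applies to IMAP servers")
    _check_server("incoming", incoming)
    _check_server("outgoing", outgoing)

    payload = {
        "PayloadType": "com.apple.mail.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.mail.{uuid.uuid4()}",  # invented scheme
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": visible_name,
        "EmailAccountDescription": visible_name,
        "EmailAccountType": SERVER_TYPES[server_type],
        "IncomingMailServerHostName": incoming["host"],
        "IncomingMailServerPortNumber": incoming["port"],
        "IncomingMailServerUseSSL": bool(incoming.get("use_ssl", True)),
        "IncomingMailServerAuthentication": incoming.get("auth", "EmailAuthPassword"),
        "OutgoingMailServerHostName": outgoing["host"],
        "OutgoingMailServerPortNumber": outgoing["port"],
        "OutgoingMailServerUseSSL": bool(outgoing.get("use_ssl", True)),
        "OutgoingMailServerAuthentication": outgoing.get("auth", "EmailAuthPassword"),
    }
    if not per_user:
        payload["EmailAddress"] = email
        payload["EmailAccountName"] = full_name
        payload["IncomingMailServerUsername"] = email
        payload["OutgoingMailServerUsername"] = email
    if server_type == "IMAP" and incoming.get("imap_path_prefix"):
        payload["IncomingMailServerIMAPPathPrefix"] = incoming["imap_path_prefix"]
    if smime:
        payload.update({
            "SMIMESigningEnabled": bool(smime.get("signing", False)),
            "SMIMESigningUserOverrideable": bool(smime.get("signing_user_overrideable", False)),
            "SMIMESigningCertificateUUIDUserOverrideable": bool(smime.get("signing_identity_overrideable", False)),
            "SMIMEEncryptionByDefault": bool(smime.get("encryption", False)),
            "SMIMEEncryptionByDefaultUserOverrideable": bool(smime.get("encryption_user_overrideable", False)),
            "SMIMEEncryptionCertificateUUIDUserOverrideable": bool(smime.get("encryption_identity_overrideable", False)),
            "SMIMEEnablePerMessageSwitch": bool(smime.get("per_message_switch", False)),
        })
    return payload


def transport_warnings(payload):
    """Added caveat: flag mail settings that would expose credentials in transit."""
    warnings = []
    for side in ("Incoming", "Outgoing"):
        if not payload[f"{side}MailServerUseSSL"]:
            warnings.append(f"{side.lower()} server without TLS on port "
                            f"{payload[f'{side}MailServerPortNumber']}")
            if payload[f"{side}MailServerAuthentication"] == "EmailAuthPassword":
                warnings.append(f"{side.lower()} password authentication over a non-TLS connection")
    return warnings


def to_plist(payload):
    """Serialize to XML plist bytes, the form a configuration profile carries."""
    return plistlib.dumps(payload)
```

Run `transport_warnings` on every mail payload before saving a policy: a POP account on port 110 with password authentication is still accepted by the field validation, but it means the user's mailbox credential crosses the network in clear text.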

# Device Status

# Device overview

 Open a device from **Dashboard** → **Devices** by clicking the device row. The page title shows the device **Model** (when available) and the internal **Id**.

## Historical data vs current enrollment

 When a device has multiple enrollments, Cerberus Enterprise can show a read-only historical record. In that case, the page displays a **Historical data** banner and a button to return to the current enrollment data.

## Top fields

 The top section summarizes the device identity, assignment, and management state. Some fields are platform-specific and appear only for Android or Apple devices.

- **Id** and **Model**: read-only identifiers.
- **User**: shows the currently assigned user (if any). From the user menu you can **Open user** or **Change user**, or assign a user when none is set.
- **Management mode** and **Ownership**: displayed with tooltips in the UI.
- **State**: current device state (with icon and tooltip details).
- **ADE profile** (Apple only): shows the assigned Automated Device Enrollment profile (if any) and lets you open or change it.
- **Policy**: shows the assigned policy and lets you open or change it, or assign one when none is set.
- **Policy compliance status** (when a policy is assigned): indicates whether the device is compliant.
- **Policy version** (when a policy is assigned): indicates whether the device has the latest policy version applied.
- **Enrolled on** and **Last status report**: timestamps for enrollment and last reported status.
- **Disenrolled on**: shown when the device has been disenrolled.

<p class="callout info"> Some data and panels are available only when the corresponding category is enabled in the device policy. For more information read the [**Status reporting**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/status-reporting "Status reporting") and [**Location and geofence**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/location-and-geofence "Location and geofence") pages. </p>

## Panels

 The Device editor is organized in expandable sections. Depending on platform and state, you may see one or more of the following panels:

- **Location map**: a tabbed panel with **Location** history for the current device and, on Android devices, a **Geofence** tab for geofence transitions when geofence data is available.
- **Commands**: send commands to the device and view command history (platform-specific).
- **Security posture** (Android only): posture, Play Integrity verdict, and security risks.
- **Application reports** (Android only): installed apps and feedback/error reports.
- **Managed applications** (Apple only): managed app state and installation details.
- **Non compliance details**: shown when a device is not compliant; lists the policy settings that are out of compliance.
- **Status reports**: additional data reported by the device, displayed as a tree of categories and values.
- **Enrollment history**: previous enrollments for this same physical device, shown as a list.

## Location panel tabs

 The **Location map** panel uses tabs so location history and geofence transitions stay separated.

- **Location**: shows history filters, a date-range search, location markers, the accuracy circle, and live tracking controls for the current device.
- **Geofence** (Android only): shows geofence transition history on a dedicated map, with period filters, an optional archived-geofence toggle, and a side list of transitions.

 For the full behavior of these tabs, see [**Location map**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/location-map "Location map").

## Actions

 At the bottom of the page you can refresh data and perform actions depending on the platform, device state, and license status.

- **Refresh data**: reload the device record.
- **Disable device** / **Enable device** (Android only): available in supported states.
- **Disenroll device**: removes management from the device. The exact behavior depends on platform and ownership (for example, Android may wipe a work profile or factory reset).
- **Delete device**: available when the device is already disenrolled and its record can be removed.

# Commands

 The Device editor provides a **Commands** panel to send remote commands to a managed device. Available commands depend on the platform (Android or Apple) and device state.

<p class="callout info"> If the device is not currently online, the command will be delivered and executed as soon as the device connects to the Internet. For Android commands you can set the **Duration** parameter to determine for how long an undelivered command remains valid. </p>

## Android (AMAPI) commands

 For Android devices, the Commands panel includes a **Duration** field (value + unit) and a **Command** selector. Some commands require additional parameters, which appear dynamically when you select the command.

### Common parameters

- **Duration**: how long the command is valid if it cannot be executed immediately.
- **Command**: choose which action to send to the device.

### Commands with additional fields

- **Reset password**: requires **New password** and **Confirm new password**. Optional toggles include **Lock now**, **Require entry**, and **Do not ask for credentials on boot**.
- **Clear app data**: requires the target **Package name**.
- **Start lost mode**: requires a **Lost message** and supports optional contact fields (street address, organization, phone number, email).
- **Request device info**: requires selecting which device information to request.
- **Add eSIM**: requires an **Activation code** and an **Activation state**.
- **Remove eSIM**: requires the eSIM **ICCID**.
- **Wipe**: supports a **Wipe reason message** (shown to users on personal devices) and optional wipe flags.

### Command history

 Below the send controls, the dashboard shows a command history table. The table is sortable and supports pagination. Some rows can be expanded to view additional parameters or execution details.

#### Android history columns

- **Creation date**
- **Command**
- **Validity**
- **Status**
- **Error**
- **Execution date**

## Apple (MDM) commands

 For Apple devices, the Commands panel provides a **Command** selector. Some commands require additional inputs. As with Android, a command history table is shown below.

### Commands with additional fields

- **InstallApplication**: requires the application **Bundle ID**.
- **SendNotification**: requires a **Notification message** (maximum length 200 characters).

#### Apple history columns

- **Creation date**
- **Command**
- **Status**
- **Status time**

## Refresh

 Use the refresh action in the Commands panel to reload the command history.

# Location map

 This page documents the device-specific location tools available in [**Device overview**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/device-overview "Device overview"). The panel contains a **Location** tab for position history and, on Android devices, a **Geofence** tab for geofence transitions.

## Prerequisites

 Device location data is shown only when location reporting is enabled in the device policy. To enable it, open the policy and turn on **Location and geofence** → **Report location**. For more details, see [**Location and geofence**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/location-and-geofence "Location and geofence").

<p class="callout info"> On devices that are not fully managed, location data may still depend on the Cerberus Enterprise app having the required location permissions and on location services being enabled on the device. </p>

<p class="callout info"> For the global multi-device map available from the dashboard, see [**Dashboard location map**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/dashboard-location-map "Dashboard location map"). </p>

## Loading and no-data state

- While location data is loading, the panel shows a loading overlay on the map.
- If the device has no location data available, the panel shows a message stating **No location data available** together with a reminder to enable location reporting in the assigned policy.
- If a date filter is active and no samples match it, the panel shows **No data available in the selected date range**.

## Location tab

 Open the **Location** tab to inspect the history for a single device. The available filters include the last known location, recent history ranges, a custom date range, and live tracking.

- **Last**: shows the last known location.
- **Today**, **Last 7 days**, and **Last 30 days**: show recorded locations for the selected period.
- **Search**: lets you choose a custom date range.
- **Live**: starts or stops live tracking for the current device.

## Marker details

 When you click a location marker, an information window opens with:

- The timestamp of the location record.
- The reported **accuracy** (in meters).
- The reported **speed**, when the device provides it.
- The reported **heading** or bearing, when the device provides it.

## Accuracy circle

 When the information window is open, an accuracy circle is displayed around the marker. The circle radius corresponds to the reported accuracy (in meters). Closing the information window hides the circle.

## Live tracking

 In the device history view, selecting the **Live** filter starts a real-time tracking request for that specific device. Cerberus Enterprise asks for confirmation before starting the request.

- Live tracking runs for up to **15 minutes**.
- The device shows a notification while live tracking is active.
- While live tracking is active, the panel keeps refreshing the latest location and the live indicator stays visible.
- Selecting the live filter again lets you stop live tracking before the timeout ends.

## Geofence tab

 On Android devices, the second tab shows geofence transitions generated from the geofences defined in the assigned policy. This tab is available when geofence data exists for the device.

- The map shows the current geofence areas together with the recorded transition points.
- The transition list on the right lets you inspect **enter** and **exit** events.
- The available filters are **Today**, **Last 7 days**, **Last 30 days**, and a custom date-range search.
- **Include archived** also shows transitions related to old geofence definitions that are no longer present in the current policy.

## Geofence transition details

 Selecting a transition opens its details on the map and highlights the corresponding list entry. When available, Cerberus Enterprise also shows the device coordinates and reported accuracy for that transition.

# Dashboard location map

 The dashboard location map provides a global view of the latest known position of devices that are reporting location data. Open it from **Dashboard** to review multiple devices on the same Google map.

## Prerequisites

 A device appears on this map only when location reporting is enabled in its assigned policy. To enable it, open the policy and turn on **Location and geofence** → **Report location**. For more details, see [**Location and geofence**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/location-and-geofence "Location and geofence").

<p class="callout info"> On devices that are not fully managed, location data may still depend on the Cerberus Enterprise app having the required location permissions and on location services being enabled on the device. </p>

<p class="callout info"> For the per-device history and geofence transitions available in the device editor, see [**Location map**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/location-map "Location map"). </p>

## Loading and no-data state

- While location data is loading, the map shows a loading overlay.
- If no devices currently have location data available, the page shows a **No location data available** message.

## Markers and clusters

 Each device with available location data is shown as a marker. When many devices are close together, markers are clustered automatically to keep the map readable.

 Devices that are currently in live tracking are highlighted with an animated marker so they are easier to spot on the map.

## Map controls

 When the map contains device locations, Cerberus Enterprise shows action buttons in the top-right corner of the map.

- **Current location**: uses your browser location to move the map to your current position and fit the reported accuracy area.
- **Recenter map**: fits the map again around the currently displayed device markers.
- **Tracked** live-tracking pill: appears when one or more devices are being live tracked and shows how many are currently active.
- **Stop all live tracking**: the icon button inside the live-tracking pill stops live tracking for all currently tracked devices after confirmation.

## Marker details

 Clicking a marker opens an information window with:

- The device **Model** and internal **Id**.
- The timestamp of the latest reported location.
- The reported **accuracy** in meters.
- The reported **speed**, when available.
- The reported **heading** or bearing, when available.

 The device identifier in the information window is a link that opens the corresponding [**Device overview**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/device-overview "Device overview") page.

## Info window actions

 Each information window also includes action buttons for the selected device.

- **Device link**: the device name and Id at the top of the info window open the corresponding device overview page.
- **Zoom in**: centers the map on the selected device and fits the reported accuracy circle more closely around it.
- **Live**: starts live tracking for that device. If live tracking is already active, the same button stops it after confirmation.
- **Live tracking active**: when present, this status line indicates that the selected device is already being tracked in real time.

## Accuracy circle

 When a marker is selected, the map displays an accuracy circle around the location. The radius of the circle matches the reported accuracy.

## Live tracking behavior

 Starting live tracking from an information window sends a real-time tracking request to that device. Cerberus Enterprise then refreshes the map automatically while the session is active.

- Each live tracking session runs for up to **15 minutes**.
- The device shows a notification while live tracking is active.
- Live tracking can be stopped either from the selected device info window or from the global **Stop all live tracking** button on the map.

# Private apps

From this section of the dashboard, you can upload your own private Android apps or create web apps to distribute on your devices.

The only details you need to provide are an app's title and APK. Private apps are automatically approved for your organization and are typically ready for distribution within 10 minutes. You can upload a total of 15 private apps per day. Note that web apps also count towards this total.

The first time you publish a private app, you'll need to provide an email address to receive notifications from the Play Console about your apps and Google Play developer account. Also, managed Play automatically creates a Play Developer account on behalf of your organization. You don't need to pay a registration fee for this account.

Private apps published through the managed Google Play iframe:

- Aren't subject to the same checks as other apps. As a result, they can't be converted to public apps.
- Are non-transferable. You can't transfer ownership of an app to a different Play Developer account.

For more details, see the [Managed Google Play Help](https://support.google.com/googleplay/work/answer/9146439).

# Certificate management

 The dashboard includes a **Certificates** section to import, view, and delete certificates. Clicking a certificate row opens the certificate editor.

## Certificates list

 Certificates are displayed in a sortable, paginated table. The list includes both client certificates and Certificate Authorities (CA).

### Filters

 At the top of the page you can enable filters using the chip list. Some filters are mutually exclusive.

- **All**: show all certificates.
- **Client**: show client certificates only.
- **Certificate Authority (CA)**: show CA certificates only.
- **Search**: shows a text field (label **Name or filename**) to search by certificate name or imported filename.
- **Without user**: show client certificates not associated with any user.

### Table columns

- **Name**
- **Type**
- **Expiration**
- **User** (shown for client certificates)
- **Imported filename**
- **Import date**

### Actions

- **Open certificate**: click a row to open the certificate editor.
- **Delete certificate**: available only when the certificate is not associated with users/policies and is not used by devices. The action can also be disabled when the license is expired.
- **Multi-row selection**: you can enable multi-row selection to delete multiple certificates at once. Only deletable certificates can be selected.
- **Refresh**: reload the certificates list.

## Import certificates

 To import certificates, click **Import certificate** and select one or more files. Supported formats are shown in the tooltip of the import button.

### Clients

Supported format: Base64-encoded PKCS#12 (.p12 / .pfx).

Client certificates identify a user or a device on the enterprise network.

Each client certificate can optionally be assigned to a specific user, so that a single Wi‑Fi EAP configuration in the policy can be deployed on many devices, each using its own user's certificate. You can do that in the policy's [network configuration](https://enterprise.cerberusapp.com/docs/books/user-manual/page/networking "Networking") section, using the **EAP credentials from users** option.

<p class="callout info">Alternatively, you can assign a certificate to a user from the **Users** page.</p>

### Certificate Authorities (CA)

Supported formats: Base64-encoded X.509 (.crt / .pem / .cer / .der).

 CA certificates identify a Certificate Authority and indicate to the device that any certificates issued by the CA should be trusted. The dashboard validates that an imported X.509 certificate is a CA.
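
Both import formats (the PKCS#12 bundles for the **Clients** import and the X.509 files for the CA import) can be checked locally before upload. The script below is an added example, not code from Cerberus Enterprise: it assumes the `openssl` command-line tool is installed, and it assumes that the dashboard's CA validation corresponds to an X.509 `basicConstraints` extension with `CA:TRUE` (the page only states that the dashboard validates that the certificate is a CA). It also reports the `notAfter` date, which is what the **Expiration** column shows after import.

```shell
#!/bin/sh
# Added example, not part of Cerberus Enterprise: a pre-import check for the
# Certificates section using only the openssl CLI (assumed to be installed).
# Run it on a file before uploading it so you know which import it belongs to
# and whether the CA validation (assumed: basicConstraints CA:TRUE) will pass.

# Normalize an X.509 certificate to PEM, accepting either PEM or DER input
# (.crt/.cer files can be either encoding). Fails if the file is not X.509.
x509_pem() {
    openssl x509 -in "$1" -inform PEM 2>/dev/null ||
    openssl x509 -in "$1" -inform DER 2>/dev/null
}

# Classify a file the way the two import flows will see it:
#   ca      X.509 with basicConstraints CA:TRUE -> "Certificate Authorities (CA)" import
#   leaf    X.509 without CA:TRUE               -> not accepted as a CA
#   pkcs12  PKCS#12 bundle (cert + private key) -> "Clients" import
#   unknown anything else (bare private key, CSR, corrupt file)
# $2 is the PKCS#12 password (empty if omitted); a wrong password yields "unknown".
cert_kind() {
    pw=${2:-}
    if pem=$(x509_pem "$1"); then
        if printf '%s\n' "$pem" | openssl x509 -noout -text | grep -q 'CA:TRUE'; then
            echo ca
        else
            echo leaf
        fi
    elif openssl pkcs12 -in "$1" -noout -passin "pass:$pw" 2>/dev/null; then
        echo pkcs12
    else
        echo unknown
    fi
}

# Print the notAfter date of an X.509 certificate (the "Expiration" column).
# Fails and prints nothing for non-X.509 input.
cert_not_after() {
    pem=$(x509_pem "$1") || return 1
    printf '%s\n' "$pem" | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# Exit status 0 only when the certificate's notAfter is already in the past.
cert_is_expired() {
    pem=$(x509_pem "$1") || return 1
    ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1
}

# Usage: sh check_cert.sh FILE [PKCS12_PASSWORD]
if [ -n "${1:-}" ]; then
    kind=$(cert_kind "$1" "${2:-}")
    echo "$1: $kind"
    case $kind in
        ca|leaf)
            echo "expires: $(cert_not_after "$1")"
            if cert_is_expired "$1"; then echo "WARNING: already expired"; fi
            ;;
    esac
fi
```

A file reported as `leaf` is a valid end-entity certificate but will not pass the CA import; a `leaf` inside a PKCS#12 bundle is what the **Clients** import expects. Checking the expiration before upload avoids importing a certificate that the **Expiration** column would immediately flag.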

## Certificate editor

 When you open a certificate, the editor shows its main fields and a read-only **Certificate information** panel.

### Main fields

- **Name** (required)
- **Id** (read-only)
- **Type** (read-only)
- **Expiration** (read-only)
- **Import date** (read-only)
- **Imported filename** (read-only)

### User association (client certificates)

 For **Client** certificates, the editor shows a **User** field. If a user is assigned, a menu allows you to **Open user**, **Change user**, or **Disassociate user**. If no user is assigned, you can assign one using the user action button.

### Delete certificate

 The delete action is disabled when the certificate is currently associated with a user or used in policies. It can also be disabled when the license is expired.

# Devices


 The **Devices** section of the dashboard (*Dashboard* → *Devices*) lists all enrolled devices in your account. From this page, you can filter the list, open a device record, and perform device actions such as disabling or disenrolling.

## Filters

 At the top of the page you can enable one or more filters using the chip list. Selected chips represent the currently active filters.

### Available filters

- **All**: show all devices.
- **Android**: show Android devices only.
- **Apple**: show Apple devices only.
- **Company-owned**: show company-owned devices only.
- **Personally-owned**: show personally-owned devices only.
- **Profile owner**: show Android work profile devices only.
- **Device owner**: show Android fully-managed devices only.
- **Active**: show devices in active state.
- **Compliant**: show devices that are policy-compliant.
- **Not compliant**: show devices that are not policy-compliant.
- **Secure**: show devices with a secure posture.
- **Not secure**: show devices with a non-secure posture.
- **Policy not updated**: show devices that have pending policy changes.
- **Status not updated**: show devices that have not reported status in the last 72 hours.
- **Apps error**: show devices whose apps have sent error feedback.
- **Search**: enable a text search field.

### Search

 When you enable the **Search** filter, a text field appears with the label **Id, Model or User**. The list is updated automatically after you stop typing.

## Device table

 Devices are displayed in a sortable, paginated table. Clicking a row opens the device editor.

### Columns

- **Id**: internal device identifier.
- **MDM**: platform (Android or Apple).
- **Model**: device model.
- **Ownership**: company-owned or personally-owned (with tooltip details).
- **Management mode**: management mode (with tooltip details).
- **Policy**: currently assigned policy.
- **User**: associated user (name, email, or id depending on availability).
- **Last status report**: most recent status report timestamp (when available).
- **State**: device state (with tooltip details).
- **Compliance**: compliance status indicator.
- **Security**: security posture (with tooltip details).
- **Apps error**: apps error indicator.

### Refresh and pagination

- Use the refresh action to reload the list.
- The table is paginated (10/25/50 items per page).

## Device actions

 Each device row can provide actions, depending on the platform and device state. Some actions are disabled when your license is expired or terminated.

### Per-device actions

- **Disable device** / **Enable device**: available for Android devices in supported states.
- **Disenroll device**: removes management. On Android this can wipe the work profile or factory reset (depending on ownership); on Apple this removes policy settings.
- **Delete device**: available for devices that were already disenrolled (removes the record from the system).

### Multi-row selection

 You can enable multi-row selection from the action bar below the table. When enabled, you can select multiple rows and apply bulk actions (disable, enable, disenroll, or delete), depending on which devices are selected.

## Apple Business Manager sync

 If Apple Management is configured and an Automated Device Enrollment token is present, the page may show the **Sync from ABM** action to import devices from Apple Business Manager.

## Enroll a device

 Use **Enroll a device** to open the Enrollment tokens section and start enrolling a new device.

# Users


 The **Users** section of the dashboard (*Dashboard* → *Users*) lists all users configured in your account. From this page, you can search for users, open the user editor, create new users, and delete users that are not currently associated with devices.

## Search

 At the top of the page there is a search field with the label **Search** and the placeholder **Name, username or email**. The list updates automatically after you stop typing.

## Users table

 Users are displayed in a sortable, paginated table. Clicking a row opens the user editor.

### Columns

- **Id**: internal user identifier.
- **First name**: user first name.
- **Last name**: user last name.
- **Username**: username (often a directory username).
- **Email**: user email address.
- **Devices**: number of devices currently associated with the user.
- **WiFi certificate**: indicator showing whether a Wi‑Fi certificate is assigned to the user.

### Refresh and pagination

- The refresh action reloads the list.
- The table is paginated (10/25/50 items per page).

## User actions

### Create new user

 Use **Create new user** to open the user creation dialog. This action is disabled when your license is expired.

### Sync from Google Workspace

 If Google Workspace directory sync is available for your account, the page shows **Sync from Google Workspace**. When you start a sync, a progress indicator is shown while the request is running.

### Delete a user

 You can delete a user only when the user is not associated with any device (the **Devices** column must be 0). The delete action is disabled when your license is expired or terminated.

### Multi-row selection and bulk deletion

 From the action bar below the table you can enable multi-row selection. In this mode you can select multiple users and delete them in bulk.

- **Eligibility**: only users with **Devices** = 0 can be selected for deletion.
- **Select all**: the **All** checkbox selects all eligible rows on the current page.
- **Bulk delete**: **Delete selected users** is disabled when no rows are selected, or when your license is expired or terminated.

## Wi‑Fi certificates and EAP

 The **WiFi certificate** column shows whether a certificate is currently assigned to a user. User certificates are typically used for Wi‑Fi EAP (for example EAP‑TLS) configurations. For certificate assignment and management, see [**Certificate management**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/certificate-management "Certificate management").

# User editor

 The user editor is available from *Dashboard* → *Users* by clicking a user row. It lets you edit user details, configure per-user Wi‑Fi EAP credentials, and view the user’s associated devices.

## User details

 The top section contains the user’s main fields. Some fields are required and the editor shows validation errors when they are missing or invalid.

- **Id**: read-only identifier.
- **First name**: required.
- **Last name**: required.
- **Username**: required.
- **Email**: required and must be a valid email address.
- **Telephone number**: optional.
- **Google account**: optional and must be a valid email address when provided.

## Google Authentication Default Policy

 In Google Workspace environments with Google Authentication enabled, the editor can show **Google Authentication Default Policy**. This is the policy applied to devices enrolled using Google Authentication by this user.

- **Change policy**: opens the policy selection dialog.
- **Open policy**: opens the selected policy in the policy editor (when a policy is set).
- After selecting a new default policy, you must save the user to apply the change. The editor shows a notification reminding you to save.

## Wi‑Fi EAP credentials

 The **WiFi EAP credentials** section is used to configure per-user credentials that are automatically installed on the user’s devices when their assigned policy contains a Wi‑Fi EAP configuration that requires them. The Wi‑Fi EAP configuration is part of the Android policy [network configuration](https://enterprise.cerberusapp.com/docs/books/user-manual/page/networking "Networking").

### Client certificate

 You can optionally assign a client certificate to a user. When a certificate is assigned, it is shown in the **Client certificate** field and a menu provides actions. When no certificate is assigned, the field shows **No certificate assigned** and you can assign one.

- **Assign certificate**: opens the certificate selection dialog.
- **Open certificate**: opens the certificate editor.
- **Change certificate**: selects a different client certificate.
- **Disassociate certificate**: removes the certificate from the user. The system also removes the certificate from all devices associated with this user.

 For certificate import and management, see [**Certificate management**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/certificate-management "Certificate management").

### Identity, anonymous identity, and password

- **Identity**: the user's identity. For tunneled EAP methods (PEAP, EAP‑TTLS) this is the inner identity, sent only inside the TLS tunnel.
- **Anonymous identity**: for tunneled EAP methods, the outer identity presented before the tunnel is established, which is visible on the wire. When not specified, it defaults to an empty string.
- **Password**: the user password for EAP methods that require it. If not specified, the device can prompt the user. A show/hide action toggles password visibility.

## Associated devices

 The **Associated devices** section shows the list of devices currently linked to the user. If the user has one or more associated devices, the user cannot be deleted.

## Save and delete

- **Save user**: enabled only when the form is valid, there are pending changes, and the license is active. A progress indicator is shown while saving.
- **Delete user**: disabled when the user is associated with devices or when the license is expired/terminated. When deletion is allowed, a confirmation dialog is shown. If the user is assigned to enrollment tokens, the dialog warns that devices enrolled with those tokens will no longer be assigned to a user.

## Unsaved changes warning

 If you have unsaved changes and try to leave the page, the dashboard asks whether you want to discard the changes.

# Account

# Settings

 The **Settings** page (*Dashboard* → *Settings*) summarizes account and license information, and provides actions to manage billing, platform setup (Android Management and Apple Management), and optional directory/token integrations.

## License banner (expiring / expired)

 When your license is **expiring**, **expired**, or **terminated**, a prominent banner is shown at the top of the page. Depending on your subscription state, it provides either a **Manage billing** action (Stripe customer portal) or a **Buy license** action.

<p class="callout warning"> When the license is expired, the account is limited to disenrolling devices only. After the grace period, the account may be canceled and devices can be automatically disenrolled. </p>

## Account information

The **Account Information** card shows read-only fields:

- **Username**
- **Enterprise name**
- **Enterprise id**

### Change password

 If you are not signed in with Google or Apple, the card also shows a **Change password** action. This opens a dialog to continue with the password change flow.

## License information

 The **License Information** card shows the current license state and your device limit. It also provides actions to contact sales and to manage billing or buy a license.

- **License status**: shown as **Active** or **Expired** (with an icon badge and tooltip).
- **Free trial**: shown when the account is currently in trial mode.
- **Licensed devices**: maximum number of devices allowed by the license. The *need more devices?* link opens a message to contact support.
- **Next scheduled renewal**: shown for active subscriptions that renew automatically. Otherwise the card shows the **Expiration date**.

## Android Management

 The **Android Management** card shows Android Management status for your enterprise. If Android Management is not configured yet, the card provides a **Setup Android Management** action that opens the setup flow.

### Configured state

When Android Management is configured, the card can show:

- **Management id**
- **Synced with Google Workspace** (badge shown when directory sync is active)
- **Managed Google Play account settings** (link to Google Play admin settings, when applicable)
- **Google Admin Console** (link, when applicable)
- **Sync with Google Workspace** (shown when directory sync is not configured; opens the instructions panel at the bottom of the page)

## Apple Device Management

 The **Apple Device Management** card shows Apple device management (MDM) status for your enterprise. If Apple management is not configured yet, the card provides a **Setup Apple Management** action that opens the setup flow.

### Configured state

When Apple management is configured, the card can show:

- **Apple id**
- **Apple Push Certificate expiration**: shows the expiration date and an icon badge. If the certificate is expiring/expired, the badge is clickable and opens renewal instructions.
- **ABM Token expiration**: shows the Apple Business Manager token expiration (with a clickable badge when action is required).
- **VPP Token**: shows organization name and expiration for the Apple Volume Purchase Program token (with a clickable badge when action is required).
- **Apple Business Manager Portal**: link shown when an ABM token is present.
- **Sync with Apple Business Manager** and **Sync with Apple Volume Purchase Program**: shown when tokens are missing.

<p class="callout info"> Apple management requires the APNs certificate setup. If needed, see [**Apple Management setup (APNs)**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/apple-management-setup-apns "Apple Management setup (APNs)"). </p>

## Preferences & Privacy

The **Preferences & Privacy** card contains a marketing preference toggle and links to the Terms of Service and Privacy Policy. Use **Save preferences** to apply changes (a progress indicator is shown while saving).

## Send feedback

When subscriptions are enabled for the account, the page can show a **Send feedback** card with a **Make a feature request** link and links to external review platforms.

## Inline setup and renewal instructions

 At the bottom of the page, the dashboard can show expandable instruction panels depending on the current state (for example when a certificate/token is missing or expiring).

### Renew Apple Push Certificate (APNs)

 When the APNs certificate is expiring or expired, the page shows a panel with steps to download a CSR, renew the certificate on Apple’s portal, and upload the new certificate into Cerberus Enterprise.

### Sync with Apple Business Manager (ABM)

 When the ABM token is missing, expired, or expiring, the page shows a panel with steps to download a token from Apple Business Manager and upload it into Cerberus Enterprise.

### Sync with Apple Volume Purchase Program (VPP)

 When the VPP token is missing, expired, or expiring, the page shows a panel with steps to download a content token from Apple Business Manager and upload it into Cerberus Enterprise.

### Sync with Google Workspace

 When Google Workspace directory sync is not configured, the page shows a panel that explains the integration and provides an authorization button. It also lists the required Google OAuth scope: **https://www.googleapis.com/auth/admin.directory.user.readonly**.

<p class="callout info"> For initial Android setup, see [**Android Management setup**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/android-management-setup "Android Management setup"). </p>

# Multi-tenancy

# Multi-tenancy overview

 The **Multi-tenancy** section is available to MSP and enterprise manager accounts that manage multiple customer enterprises from a single login. This chapter explains the enterprise scope model, enterprise switching, managed enterprise administration, and sub-accounts.

<p class="callout info"> To request a multi-tenancy account, contact [**enterprise@cerberusapp.com**](mailto:enterprise@cerberusapp.com). </p>

## Core concepts

- **Main multi-tenancy account**: the primary manager account that can access the global multi-tenancy workspace.
- **Sub-account**: a delegated manager account created by the main account, with selectable enterprise assignments.
- **Selected enterprise context**: the active enterprise currently open in the dashboard for day-to-day operations.
- **Delegation**: permission granted by an enterprise owner that allows a manager account to enter and manage that enterprise.

## Navigation model

 When no enterprise context is selected, the side navigation shows multi-tenancy areas such as **Enterprises** and, for main accounts, **Sub-accounts**. After entering an enterprise, the dashboard switches to the standard single-enterprise navigation (Home, Users, Devices, Enrollment, Policies, and more).

## Ownership and delegation

 Each managed enterprise has an owner. The owner can always access that enterprise. Non-owner manager accounts can access an enterprise only when delegation is granted.

<p class="callout info"> Owner and delegation state are shown directly on enterprise cards to make access scope explicit before entering an enterprise. </p>

## License and billing actions

 Multi-tenancy views expose license status, device limits, and enterprise billing actions. Depending on enterprise subscription state and your permissions, the card can show **Manage billing** or **Buy license**.

 For enterprises created by a multi-tenancy account, licensing is managed by multi-tenancy users. The main account can always manage licensing, while sub-accounts can manage licensing only when the main account enables **Can manage license** for that sub-account.

## Pages in this chapter

- [**Managed enterprises**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/managed-enterprises "Managed enterprises"): search, filters, card details, and enterprise creation.
- [**Enterprise switching**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/enterprise-switching "Enterprise switching"): top switcher behavior and scope transitions.
- [**Sub-accounts**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/sub-accounts "Sub-accounts"): delegated operators, assignments, and credentials management.

# Managed enterprises

 The **Enterprises** page (*Dashboard* → *Enterprises*) is the control center for managed enterprise access. It lists all enterprises visible to your multi-tenancy account and lets you filter, inspect ownership/delegation, enter an enterprise context, and create new managed enterprises (main accounts only).

## Search and filters

- **Search enterprise**: filters by enterprise name or enterprise ID.
- **Delegation**: **All**, **Delegated**, or **Not delegated**.
- **License status**: **All**, **Valid**, **Expiring**, **Expired**, or **Terminated**.

## Enterprise cards

Each enterprise card shows key management metadata:

- **License status** with icon badge and contextual tooltip.
- **Licensed devices** (enterprise device limit).
- **Next scheduled renewal** or **Expiration date**, depending on subscription state.
- **Delegation** state (**Owner**, **Granted**, or **Not granted**).
- **Owner** display name and username.

### Recently selected enterprises

 Enterprises that you accessed recently are pinned to a **Recently selected** section to speed up repeated context switching.

## Enterprise actions

- **Enter enterprise**: opens the selected enterprise context when delegation/ownership allows access.
- **Manage billing**: opens enterprise billing management when available and permitted.
- **Buy license**: opens enterprise purchase flow when billing is not active.

### Who can manage licenses

 For enterprises created by a multi-tenancy account, license management is controlled by multi-tenancy users. The main account can always manage billing and license actions for those enterprises.

 Sub-accounts can manage billing and license actions only if the main account grants the **Can manage license** permission in the [**Sub-accounts**](https://enterprise.cerberusapp.com/docs/books/user-manual/page/sub-accounts "Sub-accounts") page.

## Create managed enterprise

 Main multi-tenancy accounts can expand **Create managed enterprise** from the bottom action area.

- **Enterprise name** is required.
- **Create per-enterprise admin user** controls ownership mode.
- When enabled, **Admin username** (email format) and **Admin name** are required.
- Before creation, a confirmation dialog summarizes the operation and, when applicable, warns that temporary credentials are sent by email to the new admin user.

### Ownership mode

- **Per-enterprise admin enabled**: the new admin user owns the enterprise and can delegate management to your multi-tenancy account.
- **Per-enterprise admin disabled**: the enterprise is owned directly by your multi-tenancy account.

### Enterprise quota

 If the account reaches the configured enterprise quota, creation is blocked and the form shows a support contact message with current and maximum enterprise count.

<p class="callout warning"> When the enterprise quota is reached, you cannot create additional managed enterprises until your limit is increased. </p>

# Enterprise switching

 The enterprise switcher in the top toolbar lets multi-tenancy users move between delegated enterprises without logging out. It is available when at least one enterprise context can be selected.

## Switcher behavior

- The trigger shows the current enterprise name (or enterprise ID if no name is available).
- The menu lists delegated/accessible enterprises and marks the current enterprise as already selected.
- During switching, switcher actions are temporarily disabled to prevent concurrent scope changes.

## Exit enterprise

 The switcher menu includes **Exit enterprise**, which clears the current enterprise context and returns you to the global multi-tenancy workspace.

## Context reset rules

 Switching enterprise or exiting enterprise resets the dashboard scope. Enterprise-specific pages and data refresh for the newly selected context, and menu visibility adapts to whether an enterprise is currently selected.

<p class="callout info"> Use the switcher for fast operational context changes, but verify the selected enterprise name before running sensitive actions such as policy updates or device commands. </p>

# Sub-accounts

 The **Sub-accounts** page (*Dashboard* → *Sub-accounts*) is available to main multi-tenancy accounts. It lets you create delegated manager users, assign managed enterprises, control billing permissions, and maintain sub-account credentials.

## Sub-account list

Each sub-account card shows identity and management controls:

- **Name** and **username/email**.
- **Managed enterprises** multi-select assignment.
- **Can manage license** permission toggle.
- **Reset password** and **Delete** actions.

## Managed enterprises assignment

 Enterprise assignments are edited through the **Managed enterprises** multi-select field. When you close the selector after changes, the dashboard asks for confirmation before saving updates.

## License management permission

 The **Can manage license** toggle controls whether a sub-account can access enterprise billing/license management actions.

 For enterprises created by the multi-tenancy account, the main account always has license management rights. Sub-accounts receive license management rights only when this toggle is enabled by the main account.

## Password reset

**Reset password** generates a new temporary password and sends it to the sub-account by email after confirmation.

## Delete sub-account

 Deleting a sub-account requires confirmation and permanently removes delegated access for that account.

## Create sub-account

 Use the bottom action panel **Create sub-account** to add a new delegated manager.

- **Email**: required and validated as email format.
- **Name**: required display name.
- **Can manage license**: optional initial billing permission.
- Before creation, a confirmation dialog warns that a temporary password email is sent to the provided address.

# Insights

Here are some articles that delve into how MDM can help your business:

## [What is Kiosk Mode? A Guide to Locking Down Android & Apple Devices for Business](https://enterprise.cerberusapp.com/en-US/insights/what-is-kiosk-mode-lock-down-android-apple-business)

Kiosk mode turns standard phones and tablets into focused business tools. Cerberus Enterprise helps organizations lock devices to one app or a small approved set of apps for use cases such as retail POS, guest-facing check-in, and fleet navigation, while keeping those specialized devices easier to secure, support, and manage at scale.

## [How to Choose the Right MDM Solution: A 7-Point Checklist for Small Businesses](https://enterprise.cerberusapp.com/en-US/insights/choose-right-mdm-solution-small-business-checklist)

Choosing an MDM solution, even late in the buying process, is easier when the comparison stays practical. This checklist helps small businesses evaluate vendors across the seven criteria that usually matter most in real deployments: security, Android and Apple support, ease of use for lean teams, scalability, privacy boundaries, total cost of ownership, and day-to-day supportability.

## [Creating a Safe and Focused Digital Classroom: A Guide to MDM for K-12 Schools](https://enterprise.cerberusapp.com/en-US/insights/k12-schools-mdm-safe-focused-digital-classroom)

School-managed devices work best when they stay centered on learning. Cerberus Enterprise helps K-12 organizations keep student devices focused through managed apps, kiosk-style restrictions, standardized shared or loaned device setups, and remote recovery actions that reduce loss, drift, and classroom disruption.

## [Equipping Your Field Technicians: How MDM Boosts On-Site Efficiency and Security](https://enterprise.cerberusapp.com/en-US/insights/field-technicians-mdm-onsite-efficiency-security)

Field technicians depend on mobile devices for schedules, service notes, technical references, customer history, and job updates while working on site. Cerberus Enterprise helps keep those devices ready through managed apps, standardized device models, remote support commands, and location-aware visibility that can improve dispatch coordination while strengthening security in the field.

## [Beyond the Map: Using MDM for Smarter Fleet Management and Driver Safety](https://enterprise.cerberusapp.com/en-US/insights/mdm-smarter-fleet-management-driver-safety)

Fleet operations rely on mobile devices for navigation, dispatch, messaging, logging, and field execution. Cerberus Enterprise helps keep those devices focused on approved workflows through managed apps, kiosk and dedicated-device controls, secure communication policies, remote troubleshooting, and location-aware supervision that can reduce downtime and support safer driving operations.

## [How Geofences, Live Tracking, and Location Maps Improve Enterprise Operations](https://enterprise.cerberusapp.com/en-US/insights/geofences-live-tracking-location-maps)

Location-aware features in Cerberus Enterprise help organizations move from simple device visibility to more practical operational control. Periodic location reporting, live tracking, geofence transitions, and interactive maps can support logistics, field service, healthcare, retail, construction, and other distributed teams that need better insight into where work is happening and when devices enter or leave important areas.

## [How Multi-Tenancy Helps MSPs Scale MDM Services and Create New Revenue Streams](https://enterprise.cerberusapp.com/en-US/insights/multi-tenancy-mdm-msp-growth)

Multi-tenancy allows MSPs, resellers, and multi-company organizations to manage multiple enterprises from a single Cerberus Enterprise account while keeping each environment separate. This model reduces operational friction, improves service scalability, and supports delegated access through sub-accounts and explicit customer-controlled administration. It also creates stronger business opportunities for providers that want to combine software licensing with onboarding, support, compliance, and managed mobility services.

## [Enhancing Enterprise Operativity with MDM Solutions](https://enterprise.cerberusapp.com/en-US/insights/mdm-operativity)

Mobile Device Management centralizes control of company devices, simplifying enrollment, configuration, and maintenance. Automated provisioning and bulk operations reduce manual IT work and ensure consistent policies across all devices. Security features such as encryption, compliance monitoring, and remote wipe protect corporate data. Overall, MDM improves productivity while reducing support costs and operational complexity.

## [Advanced Security in Android Enterprise Management](https://enterprise.cerberusapp.com/en-US/insights/android-enterprise-security)

Android Enterprise uses a work profile to isolate corporate apps and data from personal content on the same device. This containerization creates separate encrypted environments managed independently by IT administrators. Security policies can control corporate data sharing without affecting personal apps. The architecture protects business data even if personal applications are compromised.

## [Apple iPhone MDM and Automated Enrollment](https://enterprise.cerberusapp.com/en-US/insights/apple-iphone-mdm)

Apple's MDM framework enables centralized management of iPhones in enterprise environments. Combined with Apple Business Manager, devices can automatically enroll and configure themselves when first activated. Administrators can silently deploy and configure corporate apps, enforce security settings, and monitor compliance. This automation ensures consistent device configuration and reduces setup errors.

## [Understanding Mobile Device Management](https://enterprise.cerberusapp.com/en-US/insights/understanding-mdm)

Mobile Device Management provides a centralized platform to monitor, secure, and control mobile devices accessing corporate systems. Core capabilities include enforcing security policies, managing applications, and remotely locking or wiping lost devices. MDM helps protect corporate data while maintaining device compliance. It enables organizations of any size to securely manage growing mobile workforces.

## [Enterprise Device Deployment Models](https://enterprise.cerberusapp.com/en-US/insights/device-deployment-models)

Organizations can adopt multiple device ownership models such as BYOD, CYOD, COPE, COBO, and COSU. Each model balances cost, user flexibility, and security control differently. BYOD prioritizes user convenience, while COBO and COSU maximize corporate control and security. Choosing the correct model depends on regulatory requirements, workforce needs, and IT management capacity.

## [MDM vs. EMM vs. UEM](https://enterprise.cerberusapp.com/en-US/insights/mdm-emm-uem-difference)

MDM focuses on managing and securing mobile devices through policy enforcement, configuration control, and remote management. EMM expands this scope to include application and content management, while UEM attempts to manage all endpoints including laptops and desktops. For many SMBs, full EMM or UEM suites add unnecessary complexity. In practice, robust MDM capabilities often meet most mobile management requirements.

## [MDM on Personal Phones and Employee Privacy](https://enterprise.cerberusapp.com/en-US/insights/mdm-personal-phone-privacy)

Modern MDM systems use containerization to separate work and personal data on employee-owned devices. Employers can only manage and monitor the work environment, including corporate apps and device compliance information. Personal data such as photos, messages, and browsing history remain inaccessible to the company. This technical separation enables secure BYOD programs while preserving employee privacy.

## [MDM ROI and Business Value](https://enterprise.cerberusapp.com/en-US/insights/mdm-roi-business-value)

MDM should be evaluated as a strategic investment rather than a simple security expense. It generates financial returns through reduced device loss, lower IT support costs, and improved operational efficiency. Automated management also increases employee productivity and reduces downtime. Additionally, stronger security reduces the risk and financial impact of data breaches.

## [HIPAA-Compliant Device Management](https://enterprise.cerberusapp.com/en-US/insights/hipaa-compliant-device-management)

Healthcare organizations must protect electronic patient data according to HIPAA security requirements. MDM helps enforce encryption, authentication controls, secure data transmission, and detailed audit logs. It also enables remote wipe and centralized policy enforcement for devices accessing medical systems. These controls reduce compliance risks while enabling mobile workflows in healthcare environments.

## [MDM for Retail Operations and Security](https://enterprise.cerberusapp.com/en-US/insights/retail-operations-mdm-security)

Retail organizations rely on mobile devices for POS systems, inventory management, and in-store operations. MDM ensures these devices remain secure, updated, and compliant with standards such as PCI-DSS. Centralized management reduces downtime and simplifies device deployment across multiple locations. The result is improved operational efficiency and reduced risk of payment-related security incidents.