From 0d6676a1547fa952bb24f11365e7fa1835f8671d Mon Sep 17 00:00:00 2001 From: irl Date: Sat, 23 May 2026 12:16:53 +0100 Subject: [PATCH] feat: adds page about self-managed handsets --- docs/link/e2e_channels/index.md | 11 +++ .../setup.md} | 13 ++-- docs/link/e2e_channels/supported_handsets.md | 77 +++++++++++++++++++ 3 files changed, 95 insertions(+), 6 deletions(-) create mode 100644 docs/link/e2e_channels/index.md rename docs/link/{e2e_channels.md => e2e_channels/setup.md} (95%) create mode 100644 docs/link/e2e_channels/supported_handsets.md diff --git a/docs/link/e2e_channels/index.md b/docs/link/e2e_channels/index.md new file mode 100644 index 0000000..fb7a628 --- /dev/null +++ b/docs/link/e2e_channels/index.md @@ -0,0 +1,11 @@ +--- +sidebar_position: 50 +sidebar_label: E2EE Channels +--- + +import DocCardList from '@theme/DocCardList'; +import {useCurrentSidebarCategory} from '@docusaurus/theme-common'; + +# End-to-End Encrypted Channels + + diff --git a/docs/link/e2e_channels.md b/docs/link/e2e_channels/setup.md similarity index 95% rename from docs/link/e2e_channels.md rename to docs/link/e2e_channels/setup.md index 7937345..bf8deeb 100644 --- a/docs/link/e2e_channels.md +++ b/docs/link/e2e_channels/setup.md @@ -1,12 +1,15 @@ --- -label: E2E channels -sidebar_position: 40 +sidebar_label: Initial Setup +sidebar_position: 10 description: Setting up E2E channels (Signal and WhatsApp) --- -# End-to-end encrypted channels +# Initial setup -## Initial setup +:::info +If you have requested a Signal and/or WhatsApp channel as part of your helpdesk setup, or you have a fully-managed +handset provided by us, these steps will already have been completed by our support team. +::: 1. Log in to your CDR Link helpdesk admin panel using either ‘Sign in with Google button’ or Sign in with Zammad credentials’: 
@@ -137,5 +140,3 @@ You will see a pop up window like the one below: - Click the blue ‘Save’ button. 🎉 Congrats! Your connection is ready! - -## Reconnection \ No newline at end of file diff --git a/docs/link/e2e_channels/supported_handsets.md b/docs/link/e2e_channels/supported_handsets.md new file mode 100644 index 0000000..359b0e7 --- /dev/null +++ b/docs/link/e2e_channels/supported_handsets.md 
@@ -0,0 +1,77 @@ +--- +title: Mobile Devices +sidebar_position: 50 +description: E2EE channels require a physical mobile device for operation +--- + +Signal and WhatsApp channels require a physical mobile device to be set up to create the related accounts, and this +device must be monitored and maintained to ensure the integrity of the end-to-end encryption and the availability of +the channel. + +## Fully Managed Devices + +We will provide a fully managed Android device to support your use of one Signal and one WhatsApp channel, if desired, +per Link Helpdesk. +Our devices are provisioned with UK mobile numbers (+44 country code) however you can choose your own username and +provide any branding you would like to have set up. +Additional channels will be subject to a fee to cover the additional cost of each required mobile device. + +If for any reason you choose to move away from our hosted platform in the future, see [Moving Away](./moving_away) for +details on porting your number to your new provider. + +## Self-Managed Devices + +If due to your organisational policies you require to be in posession of the device, it is possible for you to manage +your own devices. +If you require support for these devices, an additional fee will be charged. +As of May 2026 this will be the same fee as is charged for an additional fully managed device. + +:::info +There are no discounts available for self-managing your device as, in our experience, the increased support costs +outweigh the hardware and mobile service costs. +Support provided to self-managed device users is on a best-effort basis. We make no claims regarding expected +response times, time between failures, or time to recovery for any issues. +::: + +### Hardware and Configuration + +* We only support OEM Google Pixel devices and these must be in current security support + ([end of life dates](https://endoflife.date/pixel)). 
+* The device must have a mobile service contract that: + * has a sufficient monthly allowance for data for operating system and application updates, as well as the messaging + data which may include audio and video content; + * allows inbound and outbound calls and SMS; and + * has a permanently assigned mobile number. +* The device must not be in use for any other purpose and interactions with the device should only be performed for the + purpose of monitoring and maintenance. +* The device should be managed with a Mobile Device Management (MDM) solution to: + * automatically install operating system and application updates; + * restrict the installed apps, which may only be installed when signed with a valid certificate from a trusted app + store; + * enforce lock timeouts and strong unlock credential requirements; + * disable unnecessary features that would otherwise provide attack surface (e.g., WiFi and Bluetooth); and + * provide remote wipe capability. + +### Procedures + +* The device: + * must be continuously connected to the mobile network with data access enabled; + * must be kept turned on and charged, **using a charging system that does not keep the device connected to power 24 hours a day as this will lead to battery failure and risk of fire**; + * must have sufficient physical security considerations taken (e.g. kept in locked room when unattended); + * must not have mobile signal blocked from operation (e.g. do not store it in a metal safe); + * must have well-documented access control policies in place; and + * must be restarted once a week. +* Monitor the logs of the MDM to ensure updates are applied. +* Subscribe to security advisories for Android, Signal, WhatsApp and your MDM solution to endure critical and high + impact vulnerabilities are patched promptly. +* Check channel operation regularly and relink the device if needed. +* Regularly audit the device configuration and procedures, and who can access it. 
+ + +:::warning +While we can advise you on a configuration for the device, security is a combination of applied configuration, +physical security and formal processes such as regular internal or external audits. +Only your organisation is able to ensure these recommendations are followed when self-managing your device. +For this reason, we do not accept any responsibility related to any security incidents related to your self-management +of the device. +::: \ No newline at end of file
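Review bot: In docs/link/e2e_channels/index.md, the two imports (DocCardList and useCurrentSidebarCategory) are not used anywhere in the lines shown: the file ends in blank lines after the "# End-to-End Encrypted Channels" heading, so as written the category page renders a title and nothing else. Add the DocCardList element under the heading so the Initial Setup and Mobile Devices pages are listed, or drop the imports if the page is meant to stay empty.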
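Review bot: In the first hunk of setup.md, the front matter description still reads "Setting up E2E channels (Signal and WhatsApp)" while the new index page labels the section "E2EE Channels"; pick one abbreviation and use it in both places. The added info box says the steps are already done for requested channels and fully-managed handsets but does not say who still has to follow them; one more sentence naming self-managed handset users, with a link to the new Mobile Devices page, would close that gap. Since the file is being touched anyway, the quotation marks in step 1 (the context line under the info box) are unbalanced around the two sign-in options.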
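Review bot: In the second hunk of setup.md, removing the empty "## Reconnection" heading leaves the docs with no reconnection procedure at all, while the new supported_handsets.md tells self-managed users to "relink the device if needed". Either add the relink steps in this patch, or link from that bullet to wherever they will live, so the new Procedures list does not point at an undocumented operation. The renamed file also still ends without a trailing newline.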
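Review bot: In supported_handsets.md, under "Hardware and Configuration", MDM management is only a "should", yet the "Procedures" list assumes it exists ("Monitor the logs of the MDM to ensure updates are applied") and the update, app-restriction, lock and remote-wipe controls all depend on it; make the MDM bullet a "must", or say what the fallback is when no MDM is in place. Two typos change the reading: "posession" should be "possession", and "to endure critical and high impact vulnerabilities are patched promptly" should be "to ensure". The link to ./moving_away has no matching file among the three in this patch, so confirm that page already exists. The file name (supported_handsets.md), the title ("Mobile Devices") and the commit subject ("self-managed handsets") each use a different term; settle on one. The weekly restart requirement would also benefit from a one-line rationale, so that an auditor can tell what it is meant to achieve, and the file needs a trailing newline.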