feat: adds page about self-managed handsets

docs/link/e2e_channels/index.md

@@ -0,0 +1,11 @@
+---
+sidebar_position: 50
+sidebar_label: E2EE Channels
+---
+
+import DocCardList from '@theme/DocCardList';
+import {useCurrentSidebarCategory} from '@docusaurus/theme-common';
+
+# End-to-End Encrypted Channels
+
+<DocCardList items={useCurrentSidebarCategory().items} />

docs/link/e2e_channels/setup.md

@@ -1,12 +1,15 @@
 ---
-label: E2E channels
-sidebar_position: 40
+sidebar_label: Initial Setup
+sidebar_position: 10
 description: Setting up E2E channels (Signal and WhatsApp)
 ---
 
-# End-to-end encrypted channels
+# Initial setup
 
-## Initial setup
+:::info
+If you have requested a Signal and/or WhatsApp channel as part of your helpdesk setup, or you have a fully-managed
+handset provided by us, these steps will already have been completed by our support team.
+:::
 
 1. Log in to your CDR Link helpdesk admin panel using either ‘Sign in with Google button’ or Sign in with Zammad credentials’:
 
@@ -137,5 +140,3 @@ You will see a pop up window like the one below:
 - Click the blue ‘Save’ button.
 
 🎉 Congrats! Your connection is ready!
-
-## Reconnection

docs/link/e2e_channels/supported_handsets.md

@@ -0,0 +1,77 @@
+---
+title: Mobile Devices
+sidebar_position: 50
+description: E2EE channels require a physical mobile device for operation
+---
+
+Signal and WhatsApp channels require a physical mobile device to be set up to create the related accounts, and this
+device must be monitored and maintained to ensure the integrity of the end-to-end encryption and the availability of
+the channel.
+
+## Fully Managed Devices
+
+We will provide a fully managed Android device to support your use of one Signal and one WhatsApp channel, if desired,
+per Link Helpdesk.
+Our devices are provisioned with UK mobile numbers (+44 country code) however you can choose your own username and
+provide any branding you would like to have set up.
+Additional channels will be subject to a fee to cover the additional cost of each required mobile device.
+
+If for any reason you choose to move away from our hosted platform in the future, see [Moving Away](./moving_away) for
+details on porting your number to your new provider.
+
+## Self-Managed Devices
+
+If due to your organisational policies you require to be in posession of the device, it is possible for you to manage
+your own devices.
+If you require support for these devices, an additional fee will be charged.
+As of May 2026 this will be the same fee as is charged for an additional fully managed device. 
+
+:::info
+There are no discounts available for self-managing your device as, in our experience, the increased support costs
+outweigh the hardware and mobile service costs.
+Support provided to self-managed device users is on a best-effort basis. We make no claims regarding expected
+response times, time between failures, or time to recovery for any issues.
+:::
+
+### Hardware and Configuration
+
+* We only support OEM Google Pixel devices and these must be in current security support
+  ([end of life dates](https://endoflife.date/pixel)).
+* The device must have a mobile service contract that:
+  * has a sufficient monthly allowance for data for operating system and application updates, as well as the messaging
+    data which may include audio and video content;
+  * allows inbound and outbound calls and SMS; and
+  * has a permanently assigned mobile number.
+* The device must not be in use for any other purpose and interactions with the device should only be performed for the
+  purpose of monitoring and maintenance.
+* The device should be managed with a Mobile Device Management (MDM) solution to:
+  * automatically install operating system and application updates;
+  * restrict the installed apps, which may only be installed when signed with a valid certificate from a trusted app
+    store;
+  * enforce lock timeouts and strong unlock credential requirements;
+  * disable unnecessary features that would otherwise provide attack surface (e.g., WiFi and Bluetooth); and
+  * provide remote wipe capability.
+
+### Procedures
+
+* The device:
+  * must be continuously connected to the mobile network with data access enabled;
+  * must be kept turned on and charged, **using a charging system that does not keep the device connected to power 24 hours a day as this will lead to battery failure and risk of fire**;
+  * must have sufficient physical security considerations taken (e.g. kept in locked room when unattended);
+  * must not have mobile signal blocked from operation (e.g. do not store it in a metal safe);
+  * must have well-documented access control policies in place; and
+  * must be restarted once a week.
+* Monitor the logs of the MDM to ensure updates are applied.
+* Subscribe to security advisories for Android, Signal, WhatsApp and your MDM solution to endure critical and high
+  impact vulnerabilities are patched promptly.
+* Check channel operation regularly and relink the device if needed.
+* Regularly audit the device configuration and procedures, and who can access it.
+
+
+:::warning
+While we can advise you on a configuration for the device, security is a combination of applied configuration,
+physical security and formal processes such as regular internal or external audits.
+Only your organisation is able to ensure these recommendations are followed when self-managing your device.
+For this reason, we do not accept any responsibility related to any security incidents related to your self-management
+of the device.
+:::