Deployment
One-Click via MDM
Cerbera AI deploys through your existing MDM, so rollout is a single push and requires no per-user configuration. The exact steps depend on the MDM, but the experience for the end user is the same:
- You push the package from the MDM (for example Jamf or Intune).
- The user sees a short prompt asking them to restart.
- After the restart, the proxy works out of the box. There is nothing for the user to configure.
Because it installs as a system proxy with no manual setup, even non-technical employees are covered automatically. And because coverage follows the device rather than a network, users are protected everywhere, at the office or at home, unlike a VPN someone might choose to turn off.
Platform Support
| Platform | How it is deployed |
|---|---|
| macOS | Via MDM (for example Jamf), or a downloadable package without an MDM |
| Windows | Via MDM (for example an MSI through Intune), or a downloadable package |
| Linux | No MDM, so installation is via an emailed script the user runs |
You can deploy without an MDM if you prefer, but users then need to download and run the installer package themselves.
Disabling and Uninstalling
The proxy is configured as a system proxy. Disabling it means going into the device's network settings, which is harder than toggling a VPN icon but straightforward for anyone technical.
This is intentional. Cerbera AI is not built to stop a malicious insider; it is built to cover the careless user, or the user who assumes a tool is probably allowed and tries it anyway.
If anyone ever reports a conflict or problem, the proxy can be uninstalled in one click through the MDM, which unblocks them immediately while the cause is investigated.
Avoiding Conflicts
Cerbera AI is one more layer in the network path, so it should be validated against the other agents already on your devices. Common neighbors:
- VPNs and ZTNA clients (for example Cato Networks)
- Secure web gateways (for example Jamf Security Cloud)
- EDR agents
In these cases the proxies are chained, and in practice this works without issue. Because any new layer can in theory cause side effects, Cerbera always tests against your specific stack before a fleet-wide rollout.
During a pilot, include at least one device that runs each of your existing layers (VPN, secure web gateway, EDR). That way every combination is exercised before broad deployment.
Recommended Rollout
Confirm compatibility
Cerbera checks for conflicts with your VPN, ZTNA, secure web gateway, and EDR.
Pilot on a few devices
Deploy to a small group of consenting users (often power users) to confirm everything works end to end.
Monitor only
Run in monitor mode for roughly five to ten days. Nothing is blocked; you simply learn what is in use.
Harden gradually
Introduce redaction and blocking rules as you grow comfortable, with Cerbera proposing stricter rules for you to approve.
Roll out broadly
Expand the deployment, with help on works-council and employee communication so the program is understood as security, not surveillance.