Cyber Device Manager for Windows 10 and Windows 11

Codeproof makes Windows device management simple. One signed MSI installs the robust Codeproof Agent and, in the same click, sets up the device's built-in Windows MDM enrollment. No separate installers, no fragile orchestration, no IT scripts to babysit. Enroll devices fast, push policies and apps at scale, and keep endpoints secure and compliant.

One install, two management channels working side by side: built-in Windows MDM for baseline policies delivered through the OS's native enrollment stack (the OMA-DM / SyncML protocol Microsoft already ships with Windows), and the Codeproof Agent for rich inventory, software lifecycle, patch automation, kiosk/POS, remote scripts, and real-time actions that go beyond what native MDM exposes. Both are configured by the same MSI in a single click. Deploy via SCCM, Intune, Group Policy, login script, or a provisioning package.

The Codeproof Agent is built like an enterprise endpoint should be: a hardened Windows system service for policy, inventory, and remote actions; a system-tray UI that gives the end user visibility into device status and self-service options; and a standalone hardened Kiosk app for retail, hospitality, and field-ops scenarios where the device must do exactly one job and nothing else. Three components, one signed installer, one cloud console.

Looking for the Windows Kiosk Solution? Lock Windows 10 / 11 devices into a single app or curated set for POS, self-order restaurant kiosks, hotel check-in, healthcare check-in, manufacturing terminals, and digital signage.

Enrollment options

Codeproof supports two Windows enrollment models so you can match the right approach to each fleet, without changing platforms.

Per-user enrollment

The fastest path for BYOD and self-service rollouts. The user installs a one-click enrollment package from their own Windows account (Settings → Access work or school). The Codeproof Cyber Device Manager activates immediately and IT-defined policies, apps, and security baselines take effect.

Best for: employees enrolling personal laptops, hybrid workers, contractors, and short-term assignments where the user owns the device.

Per-device enrollment

The right choice for corporate-owned hardware and shared machines. Enrollment applies at the device level and persists across every user that signs in. Only IT can remove the enrollment, so the device stays managed for its entire lifecycle.

Best for: imaged corporate laptops, kiosks, shared workstations in retail or healthcare, lab and classroom devices, and any fleet where the device (not the user) is the unit of management.

Both modes enforce device-wide security: BitLocker, firewall, Defender baselines, USB restrictions, and patch policies apply regardless of which model you choose. The difference is who controls the enrollment record and how it carries across users, not how much you can lock down.

What you can manage

Command center

Execute instant actions from the cloud console. Lock, wipe, reboot, send message, run scripts, install or remove apps, and refresh policies across a single device or a group.

Policy configurator

Configure more than a thousand Windows settings, including browser controls, application restrictions, desktop settings, local account policies, password complexity, and device hardware access.

Patch management

Automate Windows updates with maintenance windows, deferrals, deadlines, and restart control. Report on update status and compliance so devices stay secure without disrupting users. Optional application patching supports common third-party apps via managed catalogs.

Application lifecycle

Deploy line-of-business and store apps at scale. Version and stage rollouts by device group. Enforce allow or deny lists, manage install context and silent parameters, and remove software that violates policy.

Kiosk and POS

Codeproof ships a dedicated, hardened Kiosk app for Windows, not a thin wrapper over Assigned Access. Configure single-app or multi-app kiosk for retail, hospitality, education, and field operations. The Kiosk shell replaces the default Windows shell, blocks Control Panel, Task Manager, USB autoplay, and unauthorized apps, survives reboots with auto-launch and watchdog restart, and is fully managed from the Codeproof console using the same enrollment, the same policy engine, and the same remote actions.

Use it for point-of-sale terminals, self-service check-in, digital signage, classroom devices, warehouse scanners, and shared workstations. Lock the device to one POS app, or expose a small curated set with a tiled launcher. End users can't escape the kiosk; IT can switch the device back to a normal desktop with a single policy push.

Networking and connectivity

Push Wi-Fi and VPN profiles, certificate chains, and trusted roots. Configure a systemwide proxy for CIPA-compliant web filtering in K-12 and regulated environments. Users cannot bypass managed network policies.

Security and compliance

Cybersecurity controls

Enforce Windows security baselines from one console. Manage Windows Defender Antivirus, Windows Firewall (allow/block by app, port, or address, per Domain/Private/Public profile), SmartScreen, removable media policies, and local admin restrictions. Configure secure DNS, web proxy, and certificate pinning to reduce attack surface.

Encryption with BitLocker

Enable BitLocker drive encryption with a single toggle. Recovery keys automatically escrow to Azure Active Directory so IT can recover encrypted drives without user assistance. Choose cipher (XTS-AES-256 by default), require backup-before-encryption, allow standard user encryption for silent AAD-joined rollouts, and enable automatic recovery-password rotation. BitLocker To Go enforcement on removable drives keeps data on encrypted media only.

Device restrictions and hardening

One-click toggles disable risky surfaces and close common data-exfiltration paths across your fleet. Group by intent:

  • Hardware: disable camera, Bluetooth, microphone access for apps
  • Removable storage: block USB drives entirely, make USB read-only, or require BitLocker To Go before writes
  • Cloud / data exfiltration: block OneDrive personal sync, disable Cortana, limit telemetry to the Security level
  • Attack surface reduction: block Developer Mode (no sideloading), block Remote Assistance, disable Windows Hello-bypass paths

Remote actions

Remotely lock or wipe a device, rotate recovery keys, push policy refresh, or trigger a compliance remediation script. Protect data when devices are lost, stolen, or reassigned.

Inventory, location, and reporting

Collect detailed hardware and software inventory, device health, and policy status. View approximate device location for laptops that support it. Export reports for audits and for alignment with frameworks like CIS and NIST.

Certificates and identity

Deploy client certificates and trusted roots for secure Wi-Fi, VPN, and application access. Configure SSO-related policies where supported and keep credentials out of end-user workflows.

Device usage and experience

Control screen timeout, account options, and session limits. Schedule off-hours shutdown or sleep to reduce costs. Standardize the experience with corporate wallpaper and lock screen across device groups.

Wi-Fi management

Push enterprise Wi-Fi profiles silently to the fleet. Support WPA2/WPA3-Personal with managed passphrase or WPA2-Enterprise with certificate-based authentication (EAP-TLS). Auto-connect to corporate SSIDs, hide network details from users, and mark networks as non-roaming so devices stay on trusted Wi-Fi.

VPN management

Deliver always-on enterprise VPN with Windows VPN v2 profiles. Codeproof supports IKEv2 with EAP-MSCHAPv2, split-tunnel or force-tunnel routing, trusted network detection, and per-app VPN rules so only corporate apps route through the tunnel. Combine with deployed root and client certificates for zero-prompt connection.

Firewall management

Configure Windows Firewall from the cloud across all three profiles: Domain, Private, and Public. Set the default inbound and outbound action per profile and push custom allow/block rules by application path, port range, protocol, or remote IP. Users cannot disable the managed firewall.

Certificate management

Distribute and rotate certificates at scale (root CAs, intermediates, and per-device client certs) to keep Wi-Fi, VPN, and app connections trusted without user prompts.

Custom branding

Publish organization wallpaper and lock screen images by role or location.

Web proxy and content filtering

Push systemwide proxy settings with optional PAC URL, lock the browser into a managed proxy, and block bypass for CIPA-compliant web filtering in K-12 and regulated environments.

Accessibility and user help

Push support contacts and portal links to the desktop so users can get help fast.

FAQs

Where can I find a step-by-step Windows enrollment guide?
Codeproof publishes a full Windows Device Enrollment Guide (PDF) that walks IT admins through every supported path: per-user and per-device enrollment, provisioning package (.ppkg) generation, MSI deployment, Autopilot integration, and troubleshooting. Open it from the link above or download a copy for your runbook.
Does Codeproof support BYOD on Windows?
Yes. Use per-user enrollment so the employee installs a one-click package from their own Windows account. IT enforces company policies, security baselines, and apps; the user keeps full control of their personal account. When the employee leaves or returns the device, the enrollment can be removed cleanly.
What's the difference between per-user and per-device enrollment?
Per-user enrollment is tied to one Windows account on the device, which makes it ideal for BYOD scenarios where the user is the unit of management. Per-device enrollment applies to the whole machine and survives across every user that signs in, which is ideal for corporate-owned laptops, kiosks, and shared workstations. Both modes can enforce the same device-wide security policies (BitLocker, firewall, USB restrictions, patching, etc.); the difference is administrative ownership and how the enrollment carries across users.
If a user enrolls their personal laptop, will MDM affect other users on that device?
Device-wide policies (BitLocker, firewall, USB restrictions, telemetry settings, etc.) apply to every account on the device because they're machine-level Windows settings. User-specific policies (Edge homepage, OneDrive sync rules, app permissions) apply only to the enrolled user's account. The other users' Windows sessions are otherwise untouched and they can even enroll into their own MDM separately.
Does Codeproof support agent-based Windows management?
Yes. The Codeproof Cyber Device Manager Agent ships in the same MSI as the built-in Windows MDM enrollment and adds advanced inventory, app lifecycle, patch automation, kiosk/POS, remote scripts, and real-time actions. Native Windows MDM handles baseline policies; the Agent extends what's possible.
Are the built-in Windows MDM and the Codeproof Agent one install or two?
One. A single signed MSI installs the Codeproof Agent and, in the same click, sets up the device's built-in Windows MDM enrollment (the OMA-DM/SyncML channel that ships natively in Windows). Deploy via SCCM, Intune, Group Policy, login script, or a one-click provisioning package (.ppkg). There is nothing else to push afterwards.
What's inside the Codeproof Cyber Device Manager Agent for Windows?
Three components packaged into one signed MSI: (1) a hardened Windows system service that handles policy enforcement, inventory collection, patch and software lifecycle, and communicates with the Codeproof cloud; (2) a system-tray UI that gives the end user visibility into enrollment status, compliance, and self-service actions; and (3) a standalone Kiosk app for single- and multi-app kiosk modes. The Agent installs and configures itself in one click and registers the device with Codeproof's cloud console automatically.
Does Codeproof include a dedicated Kiosk app for Windows?
Yes. Codeproof ships a hardened standalone Kiosk app for Windows that replaces the default shell, blocks Control Panel, Task Manager, USB autoplay, and unauthorized apps, and survives reboots with auto-launch and watchdog restart. It supports single-app and multi-app kiosk modes for POS, self-service, digital signage, classroom, warehouse, and shared-workstation use cases. It's managed from the same Codeproof console as the rest of your fleet, so no separate kiosk platform is required.
Can I automate Windows updates?
Yes. Create update rings, set maintenance windows and deadlines, control restarts, and report compliance across Windows 10 and Windows 11.
How does kiosk or POS mode work on Windows?
Use single-app or multi-app kiosk with Assigned Access or a custom shell. Limit UI elements and block unauthorized apps to keep devices focused on work.
What security controls are available?
Manage Windows Defender antivirus, Windows Firewall (per Domain/Private/Public profile), BitLocker encryption with Azure AD recovery escrow, USB and removable-media restrictions, camera/microphone/Bluetooth controls, OneDrive and Cortana blocking, telemetry limits, Developer Mode lockdown, web content rules, and local admin restrictions. Run remediation scripts and perform remote lock or wipe.
Can I deploy and update third-party apps?
Yes. Upload packages or use managed catalogs where available. Assign by device group, control versions, and remove software that violates policy.
Do you support Windows Autopilot zero-touch enrollment?
Yes. Assign Autopilot profiles for zero-touch provisioning with policies and apps applied during OOBE.
Can we enforce BitLocker and escrow recovery keys to Azure AD?
Yes. Enforce BitLocker drive encryption with XTS-AES-256, require backup-before-encryption, and allow standard-user encryption for silent rollouts. Recovery keys automatically escrow to Azure Active Directory (Entra ID), so IT can recover an encrypted drive from the Codeproof console or the Entra portal without contacting the user. BitLocker To Go is supported for removable media.
Can Codeproof block USB drives, OneDrive personal, or Cortana?
Yes. The Restrictions policy ships one-click toggles for the most common data-exfiltration and attack-surface concerns: block USB mass storage entirely or make it read-only, require BitLocker To Go before writes to removable media, block personal OneDrive sync, disable Cortana, limit Windows telemetry to the Security level, block Developer Mode (no sideloading), and disable Remote Assistance. Every toggle is enforceable per device group.
Does Codeproof support enterprise VPN with always-on and split-tunnel?
Yes. Codeproof uses Windows VPN v2 to push IKEv2 profiles with EAP-MSCHAPv2 authentication, split-tunnel or force-tunnel routing, trusted network detection so the VPN doesn't activate on the corporate LAN, and per-app VPN rules so only specific apps route through the tunnel. Combined with deployed root and client certificates, end users get a zero-prompt connection experience.
Can I push Windows Firewall rules per network profile?
Yes. Configure Windows Firewall independently for the Domain, Private, and Public profiles. Set the default inbound and outbound action per profile and push custom allow/block rules by application path, port range, protocol, or remote IP. Users cannot disable the managed firewall.
How are apps and updates managed?
Deploy MSI/WinGet/Store apps with rollout rings and control Windows Update deferrals, pauses, and deadlines.
Do you integrate with Entra ID (Azure AD) and on-prem AD?
Yes. Codeproof supports Entra ID/Azure AD join, Hybrid scenarios, and policy targeting with groups.
