If Option B has been selected: Where you use an app-store or application signing, are users restricted from installing unsigned applications?
Section A8: Malware Protection · Cyber Essentials Montpellier
What this question is really asking
If using option B, confirm that users are restricted to installing only approved apps from a vetted app store or signed source. MDM enforcement is the standard approach on iOS and Android — preventing sideloading and requiring apps to come only from managed stores.
What satisfies this requirement
Yes or No
OS-level restriction, e.g. Windows S mode, Chromebooks, iOS, Android. 'Rooting' or 'jailbreaking' would violate this.
What to prepare before your assessor visit
MDM-enforced app store restriction is the cleanest way to satisfy this on mobile devices. On iOS, Mobile Device Management with supervised mode and app restriction policies prevents sideloading. Android requires a similar MDM policy disabling 'install from unknown sources'. If BYOD devices are in scope — which they are if they access corporate email — explain specifically how app controls apply to personal devices, as this is more complex and assessors will probe it.