final

Author: deadlypants1973

src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks.mdx

@@ -33,20 +33,20 @@ On this page, you will learn how to create a TLS endpoint on your trusted networ
 - The WARP client scans all managed networks every time it detects a network change event from the operating system. To minimize performance impact, reuse the same TLS endpoint across multiple locations unless you require distinct settings profiles for each location.
 - Ensure that the device can only reach one managed network at any given time. If multiple managed networks are configured and reachable, there is no way to determine which settings profile the device will receive.
 
-## 1. Choose a TLS endpoint
-
-A TLS endpoint is a host on your network that serves a TLS certificate. The TLS endpoint acts like a network location beacon — when a device connects to a network, the WARP client on the device detects the TLS endpoint and validates the TLS certificate against the SHA-256 fingerprint (if specified) or against the local certificate store to check that it is signed by a public certificate authority.
-
-The TLS certificate can be hosted by any device on your network. However, the endpoint must be inaccessible to users outside of the network location. WARP will automatically exclude the managed network endpoint from all device profiles to ensure that users cannot connect to this endpoint over Cloudflare Tunnel. We recommend choosing a host that is physically in the office which remote users do not need to access, such as a printer.
-
-## WARP client and managed network detection
+## WARP client managed network detection
 
 When you configure a managed network, the WARP client uses the TLS endpoint to determine whether the device is on that network.
 
 The time it takes to apply the correct device profile depends on how quickly the TLS endpoint responds.
 
 If the TLS endpoint times out after 5 seconds, the WARP client will determine that the device is not on a managed network and will apply the default device profile. The WARP client only retries detection if a non-timeout error occurs. A timeout triggers fallback to the default device profile without further retries.
 
+## 1. Choose a TLS endpoint
+
+A TLS endpoint is a host on your network that serves a TLS certificate. The TLS endpoint acts like a network location beacon — when a device connects to a network, the WARP client on the device detects the TLS endpoint and validates the TLS certificate against the SHA-256 fingerprint (if specified) or against the local certificate store to check that it is signed by a public certificate authority.
+
+The TLS certificate can be hosted by any device on your network. However, the endpoint must be inaccessible to users outside of the network location. WARP will automatically exclude the managed network endpoint from all device profiles to ensure that users cannot connect to this endpoint over Cloudflare Tunnel. We recommend choosing a host that is physically in the office which remote users do not need to access, such as a printer.
+
 ### Create a new TLS endpoint
 
 If you do not already have a TLS endpoint on your network, you can set one up as follows:
@@ -287,3 +287,8 @@ To check if the WARP client detects the network location:
 1. Turn on WARP.
 2. Disconnect and reconnect to the network.
 3. Open a terminal and run `warp-cli debug alternate-network`.
+
+## Related resources
+
+- [Device profiles](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/) - How to create and manage the device profiles you apply via managed networks.
+- [WARP settings](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/) - Defines how WARP behaves and what users can do.