diff --git a/docs/docs/topics/device-identity.md b/docs/docs/topics/device-identity.md index 91ea17bb2..7f5ad7566 100644 --- a/docs/docs/topics/device-identity.md +++ b/docs/docs/topics/device-identity.md @@ -13,7 +13,7 @@ One of the core components of the zero trust security model is **device identity The history of IT security has, until recently, mostly focused on user identity verification. In this model, access to a service is granted only after verifying a user's identity and authorization to that service. This was usually sufficient in scenarios where the user's access was physically limited to trusted devices in trusted physical and network spaces; a PC sitting in an office in the company headquarters on a local network, for example. -Hardware-backed device identity is becoming more widely discussed as more products begin to implement or require it across all tech industries. For example, Windows 11 generated a lot of news by [requiring TPM 2.0][win11-reqs], and Apple is taking steps to [eliminate passwords][apple-passkeys]: +Hardware-backed device identity is becoming more widely discussed as more products begin to implement or require it across all tech industries. For example, Windows 11 generated a lot of news by [requiring TPM 2.0][win11-reqs], and Apple is taking steps to [eliminate passwords][apple-passkeys] : | ![Verge Article Header and Apple Video Page](./img/verge-apple.png) | |:--| diff --git a/docs/enterprise/console-settings.yaml b/docs/enterprise/console-settings.yaml index 78d48a0b8..da95e2fbe 100644 --- a/docs/enterprise/console-settings.yaml +++ b/docs/enterprise/console-settings.yaml 
@@ -5,22 +5,22 @@ settings: doc: | View the traffic running through Pomerium. Filter by [Route][route-concept] name, or date range. - ![The Traffic page in Pomerium Enterprise](../img/traffic-fullpage.png) + ![The Traffic page in Pomerium Enterprise](./img/traffic-fullpage.png) - name: "Runtime" doc: | Monitor how many system resources Pomerium is consuming. Filter by date range, service, and instance. - ![The Runtime Info page in Pomerium Enterprise](../img/runtime-fullpage.png) + ![The Runtime Info page in Pomerium Enterprise](./img/runtime-fullpage.png) - name: "Sessions" doc: | View active Sessions. From here you can revoke sessions, filter by session or user information, or revoke one or multiple sessions. You can also export the data. - ![The Sessions page in Pomerium Enterprise](../img/sessions-fullpage.png) + ![The Sessions page in Pomerium Enterprise](./img/sessions-fullpage.png) - name: "Events" doc: | The events page displays the log output of Envoy as it process changes from Pomerium and applies updates to the underlying services. - ![The Events page in Pomerium Enterprise](../img/events-fullpage.png) + ![The Events page in Pomerium Enterprise](./img/events-fullpage.png) The most common updates are to Pomerium Proxy services, which are updated every time a Route or Policy is created or updated. @@ -31,7 +31,7 @@ settings: The default view shows all changes made through Pomerium Enterprise. Use the **COMPARE** button next to an entry to filter to only changes that affected that resource. Select two versions of that resource, then **DIFF** to see what changed: - ![A screenshot showing the diff of a change to a route, adding a policy](../img/deployment-diff.png) + ![A screenshot showing the diff of a change to a route, adding a policy](./img/deployment-diff.png) - name: "Manage" settings: - name: "Routes" 
@@ -98,13 +98,13 @@ settings: From the **BUILDER** tab, users can add allow or deny blocks to a policy, containing and/or/not/nor logic to allow or deny sets of users and groups. - ![A policy being constructed in Pomerium Enterprise allowing a single user access](../img/example-policy-single-user.png) + ![A policy being constructed in Pomerium Enterprise allowing a single user access](./img/example-policy-single-user.png) ### Pomerium Policy Language From the **EDITOR** tab users can write policies in Pomerium Policy Language (**PPL**), a YAML-based notation. - ![A policy as viewed from the editor tab](../img/example-policy-editor.png) + ![A policy as viewed from the editor tab](./img/example-policy-editor.png) PPL documents contain one or more rules. Each rule has a corresponding action and one or more logical operators. Each logical operator contains criteria and each criterion has a name and corresponding data. @@ -186,13 +186,13 @@ settings: Displays the currently enrolled devices for each user, along with their current approval status. Administrators can inspect, approve, or delete registered devices from this table. - ![List of user devices](../img/console-devices.png) + ![List of user devices](./img/console-devices.png) - name: "New Enrollment" doc: | The **New Enrollment** button allows administrators to create a custom link for a specific user to use to register a new device, which will automatically be approved. This scheme is known as [Trust on First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use). - ![Example device enrollment](../img/new-enrollment.png) + ![Example device enrollment](./img/new-enrollment.png) settings: - name: "Search Users" doc: "New Enrollment URLs are only valid for the specified user." 
@@ -264,7 +264,7 @@ settings: 1. From the main menu, select **Service Accounts** under **CONFIGURE**. Click the **+ ADD SERVICE ACCOUNT** button: - ![An empty Service Accounts page](../img/add-service-account.png) + ![An empty Service Accounts page](./img/add-service-account.png) 1. Service accounts can be unique and exist only for Pomerium, or impersonate directory users from your IdP. 
@@ -272,30 +272,30 @@ settings: :::: tab Unique Give the user a unique ID. Consider referencing the Namespace you're creating it under, for easier reference later. Optionally set an expiration date: - ![Adding a unique service account](../img/create-service-account.png) + ![Adding a unique service account](./img/create-service-account.png) The user ID set here corresponds to the `User` criteria when editing a policy. :::: :::: tab Impersonated You can find your User ID by going to the special endpoint `/.pomerium`, or selecting **Logout** under your user in the upper right hand corner (this will not immediately log you out): - ![Session Details](../img/user-id.png) + ![Session Details](./img/user-id.png) Copy the User ID and paste it into the **User ID** field in the **Add Service Account** modal. The lookahead search should show you the user name You can also optionally set an expiration date: - ![Adding an impersonated service account](../img/create-impersonated-service-account.png) + ![Adding an impersonated service account](./img/create-impersonated-service-account.png) :::: ::::: 1. After you click **Submit**, the modal presents the JSON web token (**JWT**) for the service account. Temporarily save it somewhere secure, as you will not be able to view it again: - ![Service Account Added](../img/service-account-jwt.png) + ![Service Account Added](./img/service-account-jwt.png) This JWT must be added to your application configuration to enable direct communication. 1. Edit or create policies to give the service account access to the internal service: - ![An example policy for a service account](../img/service-account-policy.png) + ![An example policy for a service account](./img/service-account-policy.png) - name: "Namespaces" keys: ["namespace"] doc: | diff --git a/docs/enterprise/reference/configure.md b/docs/enterprise/reference/configure.md index aa72155f1..463619af9 100644 --- a/docs/enterprise/reference/configure.md 
+++ b/docs/enterprise/reference/configure.md @@ -180,7 +180,7 @@ Before you begin, confirm you are in the correct Namespace. A service account ca 1. From the main menu, select **Service Accounts** under **CONFIGURE**. Click the **+ ADD SERVICE ACCOUNT** button: - ![An empty Service Accounts page](../img/add-service-account.png) + ![An empty Service Accounts page](./img/add-service-account.png) 1. Service accounts can be unique and exist only for Pomerium, or impersonate directory users from your IdP. 
@@ -188,30 +188,30 @@ Before you begin, confirm you are in the correct Namespace. A service account ca :::: tab Unique Give the user a unique ID. Consider referencing the Namespace you're creating it under, for easier reference later. Optionally set an expiration date: - ![Adding a unique service account](../img/create-service-account.png) + ![Adding a unique service account](./img/create-service-account.png) The user ID set here corresponds to the `User` criteria when editing a policy. :::: :::: tab Impersonated You can find your User ID by going to the special endpoint `/.pomerium`, or selecting **Logout** under your user in the upper right hand corner (this will not immediately log you out): - ![Session Details](../img/user-id.png) + ![Session Details](./img/user-id.png) Copy the User ID and paste it into the **User ID** field in the **Add Service Account** modal. The lookahead search should show you the user name You can also optionally set an expiration date: - ![Adding an impersonated service account](../img/create-impersonated-service-account.png) + ![Adding an impersonated service account](./img/create-impersonated-service-account.png) :::: ::::: 1. After you click **Submit**, the modal presents the JSON web token (**JWT**) for the service account. Temporarily save it somewhere secure, as you will not be able to view it again: - ![Service Account Added](../img/service-account-jwt.png) + ![Service Account Added](./img/service-account-jwt.png) This JWT must be added to your application configuration to enable direct communication. 1. Edit or create policies to give the service account access to the internal service: - ![An example policy for a service account](../img/service-account-policy.png) + ![An example policy for a service account](./img/service-account-policy.png) ## Namespaces diff --git a/docs/enterprise/reference/manage.md b/docs/enterprise/reference/manage.md index bf7248c24..02ff06708 100644 --- a/docs/enterprise/reference/manage.md 
+++ b/docs/enterprise/reference/manage.md @@ -185,13 +185,14 @@ of the connection using `timeout` value (i.e. to 1 day). #### Host Headers -The `host` header can be preserved via the `preserve_host_header` setting or customized via 3 mutually exclusive options: +The `host` header can be preserved via the `preserve_host_header` setting or customized via three mutually exclusive options: + +1. `preserve_host_header` will, when enabled, this option will pass the host header from the incoming request to the proxied host, instead of the destination hostname. It's an optional parameter of type `bool` that defaults to `false`. -1. `preserve_host_header` when enabled, this option will pass the host header from the incoming request to the proxied host, instead of the destination hostname. It's an optional parameter of type `bool` that defaults to `false`. See [ProxyPreserveHost](http://httpd.apache.org/docs/2.0/mod/mod_proxy.html#proxypreservehost). -2. `host_rewrite` which will rewrite the host to a new literal value. -3. `host_rewrite_header` which will rewrite the host to match an incoming header value. -4. `host_path_regex_rewrite_pattern`, `host_path_regex_rewrite_substitution` which will rewrite the host according to a regex matching the path. For example with the following config: +2. `host_rewrite`, which will rewrite the host to a new literal value. +3. `host_rewrite_header`, which will rewrite the host to match an incoming header value. +4. `host_path_regex_rewrite_pattern` & `host_path_regex_rewrite_substitution`, which will rewrite the host according to a regex matching the path. For example with the following config: ```yaml host_path_regex_rewrite_pattern: "^/(.+)/.+$" 
@@ -200,7 +201,7 @@ The `host` header can be preserved via the `preserve_host_header` setting or cus Would rewrite the host header to `example.com` given the path `/example.com/some/path`. -The 2nd, 3rd and 4th options correspond to the envoy route action host related options, which can be found [here](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto.html#config-route-v3-routeaction). +The 2nd, 3rd and 4th options correspond to the Envoy route action host related options, which can be found [here](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto.html#config-route-v3-routeaction). #### Set Request Headers @@ -289,13 +290,13 @@ Policies can be constructed three ways: From the **BUILDER** tab, users can add allow or deny blocks to a policy, containing and/or/not/nor logic to allow or deny sets of users and groups. -![A policy being constructed in Pomerium Enterprise allowing a single user access](../img/example-policy-single-user.png) +![A policy being constructed in Pomerium Enterprise allowing a single user access](./img/example-policy-single-user.png) ### Pomerium Policy Language From the **EDITOR** tab users can write policies in Pomerium Policy Language (**PPL**), a YAML-based notation. -![A policy as viewed from the editor tab](../img/example-policy-editor.png) +![A policy as viewed from the editor tab](./img/example-policy-editor.png) PPL documents contain one or more rules. Each rule has a corresponding action and one or more logical operators. Each logical operator contains criteria and each criterion has a name and corresponding data. 
@@ -407,7 +408,7 @@ Device enrollment let's you create [policies](/docs/topics/ppl.md#device-matcher Displays the currently enrolled devices for each user, along with their current approval status. Administrators can inspect, approve, or delete registered devices from this table. -![List of user devices](../img/console-devices.png) +![List of user devices](./img/console-devices.png) ### New Enrollment @@ -415,7 +416,7 @@ Administrators can inspect, approve, or delete registered devices from this tabl The **New Enrollment** button allows administrators to create a custom link for a specific user to use to register a new device, which will automatically be approved. This scheme is known as [Trust on First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use). -![Example device enrollment](../img/new-enrollment.png) +![Example device enrollment](./img/new-enrollment.png) #### Search Users diff --git a/docs/enterprise/reference/reports.md b/docs/enterprise/reference/reports.md index 0913a4533..27a4e5c8e 100644 --- a/docs/enterprise/reference/reports.md +++ b/docs/enterprise/reference/reports.md 
@@ -13,28 +13,28 @@ meta: View the traffic running through Pomerium. Filter by [Route][route-concept] name, or date range. -![The Traffic page in Pomerium Enterprise](../img/traffic-fullpage.png) +![The Traffic page in Pomerium Enterprise](./img/traffic-fullpage.png) ## Runtime Monitor how many system resources Pomerium is consuming. Filter by date range, service, and instance. -![The Runtime Info page in Pomerium Enterprise](../img/runtime-fullpage.png) +![The Runtime Info page in Pomerium Enterprise](./img/runtime-fullpage.png) ## Sessions View active Sessions. From here you can revoke sessions, filter by session or user information, or revoke one or multiple sessions. You can also export the data. -![The Sessions page in Pomerium Enterprise](../img/sessions-fullpage.png) +![The Sessions page in Pomerium Enterprise](./img/sessions-fullpage.png) ## Events The events page displays the log output of Envoy as it process changes from Pomerium and applies updates to the underlying services. -![The Events page in Pomerium Enterprise](../img/events-fullpage.png) +![The Events page in Pomerium Enterprise](./img/events-fullpage.png) The most common updates are to Pomerium Proxy services, which are updated every time a Route or Policy is created or updated. @@ -47,7 +47,7 @@ From the **Deployment History** page administrators can review changes made to t The default view shows all changes made through Pomerium Enterprise. Use the **COMPARE** button next to an entry to filter to only changes that affected that resource. Select two versions of that resource, then **DIFF** to see what changed: -![A screenshot showing the diff of a change to a route, adding a policy](../img/deployment-diff.png) +![A screenshot showing the diff of a change to a route, adding a policy](./img/deployment-diff.png) [route-concept]: /enterprise/concepts.md#routes diff --git a/docs/guides/enroll-device.md b/docs/guides/enroll-device.md index 6a3cfc9ab..48bdf4bb1 100644 
--- a/docs/guides/enroll-device.md +++ b/docs/guides/enroll-device.md @@ -14,7 +14,7 @@ description: >- If a Pomerium route is configured to [require device authentication](/docs/topics/ppl.md#device-matcher), then the user must register a [trusted execution environment](/docs/topics/device-identity.md#authenticated-device-types) (**TEE**) device before accessing the route. Registration is easy, but different depending on the device being used to provide ID. -This guide covers enrollment of a device by a user. This is available for both open-source Pomerium and [Pomerium Enterprise](/enterprise) installations. However, Enterprise users may also receive registration links [generated by their administrators](/guides/admin-enroll-device.md), which will mark the newly enrolled device as approved in the Pomerium Enterprise Console. +This guide covers enrollment of a device by a user. This is available for both open-source Pomerium and [Pomerium Enterprise](/enterprise/readme.md) installations. However, Enterprise users may also receive registration links [generated by their administrators](/guides/admin-enroll-device.md), which will mark the newly enrolled device as approved in the Pomerium Enterprise Console. 1. Users are prompted to register a new device when accessing a route that requires device authentication: diff --git a/docs/enterprise/img/add-service-account.png b/docs/reference/img/add-service-account.png similarity index 100% rename from docs/enterprise/img/add-service-account.png rename to docs/reference/img/add-service-account.png diff --git a/docs/enterprise/img/console-devices.png b/docs/reference/img/console-devices.png similarity index 100% rename from docs/enterprise/img/console-devices.png rename to docs/reference/img/console-devices.png 
diff --git a/docs/enterprise/img/create-impersonated-service-account.png b/docs/reference/img/create-impersonated-service-account.png similarity index 100% rename from docs/enterprise/img/create-impersonated-service-account.png rename to docs/reference/img/create-impersonated-service-account.png diff --git a/docs/enterprise/img/create-service-account.png b/docs/reference/img/create-service-account.png similarity index 100% rename from docs/enterprise/img/create-service-account.png rename to docs/reference/img/create-service-account.png diff --git a/docs/enterprise/img/deployment-diff.png b/docs/reference/img/deployment-diff.png similarity index 100% rename from docs/enterprise/img/deployment-diff.png rename to docs/reference/img/deployment-diff.png diff --git a/docs/enterprise/img/events-fullpage.png b/docs/reference/img/events-fullpage.png similarity index 100% rename from docs/enterprise/img/events-fullpage.png rename to docs/reference/img/events-fullpage.png diff --git a/docs/enterprise/img/example-policy-editor.png b/docs/reference/img/example-policy-editor.png similarity index 100% rename from docs/enterprise/img/example-policy-editor.png rename to docs/reference/img/example-policy-editor.png diff --git a/docs/enterprise/img/example-policy-single-user.png b/docs/reference/img/example-policy-single-user.png similarity index 100% rename from docs/enterprise/img/example-policy-single-user.png rename to docs/reference/img/example-policy-single-user.png diff --git a/docs/reference/img/new-enrollment.png b/docs/reference/img/new-enrollment.png new file mode 100644 index 000000000..99de9ce65 Binary files /dev/null and b/docs/reference/img/new-enrollment.png differ diff --git a/docs/enterprise/img/runtime-fullpage.png b/docs/reference/img/runtime-fullpage.png similarity index 100% rename from docs/enterprise/img/runtime-fullpage.png rename to docs/reference/img/runtime-fullpage.png 
diff --git a/docs/enterprise/img/service-account-jwt.png b/docs/reference/img/service-account-jwt.png similarity index 100% rename from docs/enterprise/img/service-account-jwt.png rename to docs/reference/img/service-account-jwt.png diff --git a/docs/enterprise/img/service-account-policy.png b/docs/reference/img/service-account-policy.png similarity index 100% rename from docs/enterprise/img/service-account-policy.png rename to docs/reference/img/service-account-policy.png diff --git a/docs/enterprise/img/sessions-fullpage.png b/docs/reference/img/sessions-fullpage.png similarity index 100% rename from docs/enterprise/img/sessions-fullpage.png rename to docs/reference/img/sessions-fullpage.png diff --git a/docs/enterprise/img/traffic-fullpage.png b/docs/reference/img/traffic-fullpage.png similarity index 100% rename from docs/enterprise/img/traffic-fullpage.png rename to docs/reference/img/traffic-fullpage.png diff --git a/docs/enterprise/img/user-id.png b/docs/reference/img/user-id.png similarity index 100% rename from docs/enterprise/img/user-id.png rename to docs/reference/img/user-id.png
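Review bot: the only change in the `device-identity.md` hunk introduces a stray space before the colon (`[apple-passkeys] :`), which renders as "passwords :" in the built page; drop it so the line stays `...[eliminate passwords][apple-passkeys]:` with the table directly below it as before.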
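Review bot: the image links in `console-settings.yaml`, `reference/configure.md`, `reference/manage.md` and `reference/reports.md` change from `../img/` to `./img/`, but the renames at the end of this patch move the files from `docs/enterprise/img/` to `docs/reference/img/`. Relative to `docs/enterprise/reference/configure.md`, `./img/add-service-account.png` resolves to `docs/enterprise/reference/img/`, and relative to `docs/enterprise/console-settings.yaml` it resolves to `docs/enterprise/img/`, the directory this patch empties; neither location holds the files after the move. Unless these pages are generated into, or moved to, `docs/reference/` in a change not included here, every image link touched by this patch will break. Please include that move, or point the links at `docs/reference/img/` from where the pages actually live, and confirm with a docs build that no image is reported missing.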
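Review bot: `docs/reference/img/new-enrollment.png` arrives as a new binary file, while the other fourteen images are 100% renames; the old `../img/new-enrollment.png` links in `console-settings.yaml` and `reference/manage.md` pointed at `docs/enterprise/img/new-enrollment.png`, and this patch neither renames nor deletes that path. If that file exists it is now an orphaned duplicate and should be removed in the same change; if it never existed, the old link was already broken and the commit message should say this fixes it.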
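Review bot: in the `manage.md` Host Headers hunk the rewritten first item is ungrammatical ("`preserve_host_header` will, when enabled, this option will pass ...") and silently drops the `ProxyPreserveHost` reference the removed line carried; suggest "`preserve_host_header`, when enabled, passes the `Host` header from the incoming request to the proxied host instead of the destination hostname. It is an optional `bool` that defaults to `false`. See [ProxyPreserveHost](http://httpd.apache.org/docs/2.0/mod/mod_proxy.html#proxypreservehost)." Two smaller points in the same hunk: the added blank line between items 1 and 2 turns the list into a loose Markdown list, so the items will render with paragraph spacing; and the intro now says "three mutually exclusive options" while four items are numbered, the first being the preserve setting rather than one of the three rewrites, so either say "four" or mention `preserve_host_header` in the intro sentence and number only the three rewrite options. Since item 3 takes the new host from an incoming request header, a sentence noting that the named header must be one the deployment sets or strips upstream, rather than one a client can supply, would help operators.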
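Review bot: capitalising Envoy in the `manage.md` `@@ -200` hunk is fine; while on this line, "host related options" should be "host-related options", and the context line above it, "Would rewrite the host header to `example.com` given the path `/example.com/some/path`.", is a fragment that only makes sense as a continuation of the YAML block; "With this configuration, a request for `/example.com/some/path` has its host header rewritten to `example.com`." reads on its own.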
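Review bot: unchanged context in the hunks being touched carries typos that are cheap to fix in the same pass: "Device enrollment let's you create" (the `manage.md` `@@ -407` hunk header) should be "lets you create"; "as it process changes from Pomerium" (the Events sections of `console-settings.yaml` and `reports.md`) should be "as it processes changes"; and "The lookahead search should show you the user name You can also optionally set an expiration date" (`console-settings.yaml` and `configure.md`) is missing a full stop after "user name". In the New Enrollment hunks, since the link auto-approves whichever device first registers with it (the TOFU model the text links to), a short reminder that administrators should hand the link to the intended user over an authenticated channel would be a useful addition to the doc string.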
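Review bot: in the `enroll-device.md` hunk the target changes from `/enterprise` to `/enterprise/readme.md`, which matches the `.md` convention of `/guides/admin-enroll-device.md` on the same line, but the two other links in the hunk disagree on whether paths start with `/docs` (`/docs/topics/ppl.md` versus `/guides/...`); please confirm both forms resolve in the site build rather than relying on a redirect. The context line "Registration is easy, but different depending on the device being used to provide ID." also reads awkwardly; "Registration is straightforward, but the steps differ by device type." would be clearer.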