System-app DPC
Runs as Android Device Owner from first boot. Signed in the same release chain as the OS. Cannot be disabled, sideloaded over, or escaped by a rogue user-space app — policy enforcement happens below them, not alongside.
v0.1 · alpha · actively in development
Hardened Android.
Branded as yours.
A privacy-first OS for Pixel devices. Built on the same hardening that protects journalists, dissidents, and security researchers — packaged for resellers who need to ship a managed mobile platform under their own brand.
Built on bedrock.
Verified
Boot
Memory
Tagging
Hardened
Kernel
Built-in
MDM
Surveillance
Ceiling
Pixel
Hardware
Security isn't a static measure,
but a dynamic standard.
Hardware-rooted defense
Every binary loaded at boot is hash-checked against a measurement signed at build time. Pixel's Titan M2 secure element holds the root of trust. Tamper with the bootloader, system partition, or recovery image — and the device refuses to boot. Hardware attestation makes the chain remotely verifiable.
Built-in device management
The Device Policy Controller is a system app, not an add-on. It enforces the policy bag your IT defines, drives manifest sync, verifies branding-bundle signatures, and writes an audit-grade event stream you can pipe straight to your SIEM. One vendor, one signing chain.
Privacy floor, by design
Even at the highest tier, the OS refuses to silently record audio, screen-capture, log keystrokes, or hide its management UI from the user. Seven forbidden keys live in the kernel policy schema and are rejected before the tier filter even runs. Not optional. Not toggleable. Hardware-enforced.
What HardenedOS protects you from
The same Pixel. The threats you can't see.
Every app on a regular Android home screen is a relationship: a deal you made (or didn't) about your data, your sensors, your mic, your network. Toggle a threat below to see which apps expose you to it. HardenedOS blocks all of these by default.
Device policy & MDM
Built-in management. Not bolted on.
Most mobile MDM is an admin agent installed onto stock Android — fighting Android for permissions, racing the user to apply policy. HardenedOS's Device Policy Controller is a system app, signed by the same chain as the OS itself. Policy is enforced at boot, before user-space apps see the request.
Universal policy capability
Every policy your fleet might ever need lives in a single capability set — required apps, USB lock, kiosk, geofence, biometric gate. You opt in to what you want enforced via the admin panel. Changes ride the manifest stream, apply over the air on next sync, never require re-provisioning.
Required app catalog
Upload APKs you require, recommend, or whitelist. Each pinned to a known signing-cert SHA-256. Silent install on activation, OTA install of new entries, automatic uninstall when removed from your manifest.
Per-app permission scopes
Network, sensors, storage, contacts — each can be denied, granted, or scoped per app. Storage scopes mean an app sees one folder. Contact scopes mean an app sees one group. Toggleable from your admin panel.
Hardware attestation
Every heartbeat carries a Titan-M2-signed attestation: bootloader state, OS image identity, build fingerprint. Your admin panel can refuse policy enforcement on a device whose chain doesn't verify — the device can't fake its way back in.
HMAC-signed event stream
Activation, policy change, install, wipe, heartbeat-attested — every device event delivered to your webhook with HMAC-SHA256 signing. Drop-in for SIEM ingestion. Retries with exponential back-off; 24-hour delivery runway before abandonment.
One OS image, every policy you'll need
Lock-screen + biometric
Mandatory PIN, max-attempt wipe, biometric-only after idle, duress PIN. Defaults sane; resellers can tighten via the admin panel.
Fleet management
Required apps push silently. USB-data lock. Categories disable-able (cameras, sideloading, store install). Always-on VPN, allowed-Wi-Fi, blocked apps. Full audit log.
High-restriction
Kiosk mode, geofencing, mandatory remote attestation, hardware-locked settings, tamper response. Off by default; on for fleets that need them.
Surveillance ceiling, kernel-enforced. No policy — even at maximum restriction — can silently capture audio, screen-record, log keystrokes, or hide the management UI from the user. Seven forbidden keys live in the policy schema and are rejected at write time. Request the policy spec →
For resellers
Ship a managed mobile platform under your brand. Without rebuilding the OS.
HardenedOS gives you the management primitives, the device fleet API, and the white-label surface — so your customers see your name, your colors, your support page, and your app catalog.
-
White-labeled OS
Boot screen, lock screen, wallpaper, accent colors, OS name override — your brand from first boot.
-
Prepaid balance billing
Top up your account, draw down per active device per month. No surprise bills, no per-API-call charges.
-
Activation codes & APIs
Mint activation codes in batches. Distribute APKs through your channel. Push branding updates over the air.
-
Webhooks & audit
Every device event — activation, tier change, install — delivered to your endpoint with HMAC signing.
Supported devices
Pixel-only. By design.
HardenedOS targets Pixel hardware exclusively because Pixel is the only mass-market Android with a verified-boot model that lets a third party (us, you, the user) lock the device to a non-Google OS. Other vendors don't expose this.
- Pixel 9 Pro / 9 Pro XL / 9 Pro Fold
- Pixel 9 / 9a
- Pixel 8 Pro / 8 / 8a
- Pixel 7 Pro / 7 / 7a
- Pixel Fold
- Pixel 6 Pro / 6 / 6a
Newer devices generally get longer hardware support. Pixel 8 series and later have ~7-year guaranteed update commitment from Google; HardenedOS rides that lifecycle.