v0.1 · alpha · actively in development

Manage any Android fleet.
Branded as yours.

A white-label MDM / UEM platform. Enroll, configure, lock down, and brand Android devices from any OEM — through one multi-tenant Partner API and an on-device Device Policy Controller. An optional hardened Custom OS tier is available for Pixel.

Built on bedrock.

  • Verified Boot
  • Memory Tagging
  • Hardened Kernel
  • Built-in MDM
  • Surveillance Ceiling
  • Custom OS

Manage anywhere.
Harden where it counts.

Runs on any Android

The Device Policy Controller uses standard Android Enterprise (Device Owner) APIs, so it enrolls and manages Pixel, Samsung, and other OEM devices — no OS changes, no platform signing. For the highest assurance, the optional Custom OS tier adds verified boot keyed to you, on Pixel hardware.

Built-in device management

The Device Policy Controller enforces the policy bag your IT defines, drives manifest sync, verifies branding-bundle signatures, and writes an audit-grade event stream you can pipe straight to your SIEM. One vendor, one signing chain.

Privacy ceiling, enforced

The platform refuses to silently record audio, screen-capture, log keystrokes, or hide its management UI from the user. Seven forbidden keys are rejected server-side and re-checked on the device before any policy applies. Not optional. Not toggleable.

What HardenedOS protects you from

The same Pixel. The threats you can't see.

Every app on a regular Android home screen is a relationship: a deal you made (or didn't) about your data, your sensors, your mic, your network. Toggle a threat below to see which apps expose you to it. HardenedOS blocks all of these by default.

Device policy & MDM

Built-in management. Not bolted on.

Most mobile MDM is an admin agent installed onto stock Android — fighting Android for permissions, racing the user to apply policy. HardenedOS's Device Policy Controller is a system app, signed by the same chain as the OS itself. Policy is enforced at boot, before user-space apps see the request.

System-app DPC

Runs as Android Device Owner from first boot. Signed in the same release chain as the OS. Cannot be disabled, sideloaded over, or escaped by a rogue user-space app — policy enforcement happens below them, not alongside.

Universal policy capability

Every policy your fleet might ever need lives in a single capability set — required apps, USB lock, kiosk, geofence, biometric gate. You opt in to what you want enforced via the admin panel. Changes ride the manifest stream, apply over the air on next sync, never require re-provisioning.

Required app catalog

Upload APKs you require, recommend, or whitelist. Each pinned to a known signing-cert SHA-256. Silent install on activation, OTA install of new entries, automatic uninstall when removed from your manifest.

Per-app permission scopes

Network, sensors, storage, contacts — each can be denied, granted, or scoped per app. Storage scopes mean an app sees one folder. Contact scopes mean an app sees one group. Toggleable from your admin panel.

Hardware attestation

Every heartbeat carries a Titan-M2-signed attestation: bootloader state, OS image identity, build fingerprint. Your admin panel can refuse policy enforcement on a device whose chain doesn't verify — the device can't fake its way back in.

HMAC-signed event stream

Activation, policy change, install, wipe, heartbeat-attested — every device event delivered to your webhook with HMAC-SHA256 signing. Drop-in for SIEM ingestion. Retries with exponential back-off; 24-hour delivery runway before abandonment.
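A receiver-side check for the signed event stream described above, as an added example (not the vendor's code). The hex signature encoding, the shared secret, and the `id` payload field are assumptions; the page does not specify them.

```python
import hashlib
import hmac
import json

# Assumptions (not from the vendor's documentation): the signature is the
# hex HMAC-SHA256 of the raw request body under a shared secret, and each
# event is a JSON object carrying a unique string "id".


def sign(secret: bytes, raw_body: bytes) -> str:
    """Compute the hex HMAC-SHA256 a sender would attach to raw_body."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


class WebhookVerifier:
    def __init__(self, secret: bytes):
        self._secret = secret
        self._seen = set()  # accepted event ids; use a TTL store in production

    def handle(self, raw_body: bytes, signature_hex: str) -> str:
        """Return 'accepted', 'duplicate' or 'rejected' for one delivery."""
        expected = sign(self._secret, raw_body).encode()
        supplied = signature_hex.strip().lower().encode("utf-8")
        # Verify over the exact bytes received, before any JSON parsing,
        # and compare in constant time.
        if not hmac.compare_digest(expected, supplied):
            return "rejected"
        try:
            event_id = json.loads(raw_body)["id"]
        except (ValueError, KeyError, TypeError):
            return "rejected"
        if not isinstance(event_id, str):
            return "rejected"
        # Retries with back-off mean the same event can arrive more than
        # once; forward each id to the SIEM only the first time.
        if event_id in self._seen:
            return "duplicate"
        self._seen.add(event_id)
        return "accepted"


# Constructed sample delivery (not real platform output).
SAMPLE_SECRET = b"constructed-test-secret"
SAMPLE_BODY = b'{"id": "evt-0001", "type": "policy_change"}'

if __name__ == "__main__":
    v = WebhookVerifier(SAMPLE_SECRET)
    print(v.handle(SAMPLE_BODY, sign(SAMPLE_SECRET, SAMPLE_BODY)))
```

Because delivery can lag by up to the 24-hour runway, the de-duplication store should retain ids for at least that long.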

Field provisioning, no computer

Flash GrapheneOS onto a Pixel and enroll the DPC from another Android phone over USB-C — a guided wizard, no laptop or command line. Provision in the field, at a kiosk, or hand a customer a phone that sets up theirs. Already on GrapheneOS? Enroll in one tap.

Remote eSIM provisioning

Push a mobile data plan to any enrolled device over the management channel. The device prompts to install the eSIM with a single tap — no SIM swap, no carrier-store visit, no physical card to ship. Connectivity the moment a device is enrolled.

One OS image, every policy you'll need

Lock-screen + biometric

Mandatory PIN, max-attempt wipe, biometric-only after idle, duress PIN. Sane defaults; resellers can tighten them via the admin panel.

Fleet management

Required apps push silently. USB-data lock. Feature categories can be disabled (cameras, sideloading, store install). Always-on VPN, allowed-Wi-Fi, blocked apps. Full audit log.

High-restriction

Kiosk mode, geofencing, mandatory remote attestation, hardware-locked settings, tamper response. Off by default; on for fleets that need them.

Surveillance ceiling, enforced server-side and on-device. No policy — even at maximum restriction — can silently capture audio, screen-record, log keystrokes, or hide the management UI from the user. Seven forbidden keys live in the policy schema and are rejected at write time.

For resellers

Ship a managed mobile platform under your brand. Without rebuilding the OS.

HardenedOS gives you the management primitives, the device fleet API, and the white-label surface — so your customers see your name, your colors, your support page, and your app catalog.

  • White-labeled OS

    Boot screen, lock screen, wallpaper, accent colors, OS name override — your brand from first boot.

  • Prepaid balance billing

    Top up your account, draw down per active device per month. No surprise bills, no per-API-call charges.

  • Activation codes & APIs

    Mint activation codes in batches. Distribute APKs through your channel. Push branding updates over the air.

  • Webhooks & audit

    Every device event — activation, tier change, install — delivered to your endpoint with HMAC signing.

Supported devices

Any Android Enterprise device.

The managed tier runs on commodity Android — Pixel, Samsung, and other OEMs that support standard Device Owner provisioning. No OS changes. The optional Custom OS tier is Pixel-only (it needs a re-lockable bootloader to key verified boot to you):

  • Pixel 11 / 11 Pro / 11 Pro XL / 11 Pro Fold (coming soon)
  • Pixel 10 Pro / 10 Pro XL / 10 Pro Fold
  • Pixel 10 / 10a
  • Pixel 9 Pro / 9 Pro XL / 9 Pro Fold
  • Pixel 9 / 9a
  • Pixel 8 Pro / 8 / 8a
  • Pixel 7 Pro / 7 / 7a
  • Pixel Fold
  • Pixel 6 Pro / 6 / 6a

Custom OS tier devices (Pixel). Newer devices get longer support — Pixel 8 series and later have a ~7-year update commitment from Google; the Custom OS tier rides that lifecycle. The managed tier follows each OEM's own support window.