Optional tier · in development
Everything HardenedOS does as a white-label MDM/UEM platform works on commodity Android. The Custom OS tier goes further: it bakes the same Device Policy Controller into a hardened, GrapheneOS-based system image, so you get OS-level guarantees the managed tier can't — verified boot keyed to you, system-wide branding, and true radio kill-switches. It's Pixel-only, and it's a separate, heavier workstream.
Status: in development — not yet a shippable product.
There is no buildable HardenedOS system image today. If you need managed, branded Android devices now, that's the managed tier — it ships, runs on any OEM, and needs none of the infrastructure below.
Why a Custom OS
The managed tier inherits whatever OS the OEM ships. The Custom OS tier replaces that OS with a hardened image you control — these are the capabilities that need it.
The device boots only your signed image, with the bootloader re-locked against your Android Verified Boot key. The managed tier inherits the OEM's verified boot, keyed to the OEM — not you.
Power Wi-Fi and NFC radios off in hardware. A non-privileged Device Owner (the managed tier) can only effectively block them — a match-nothing allowlist plus config restrictions — not power the radio down.
Themed icons, accent across the entire UI, a custom boot animation, and your OS name everywhere in Settings — via platform RROs. The managed tier brands wallpaper, the OS-name string, and the DPC's own screens.
The OS is yours to pin and stage; block_os_updates freezes it by controlling the bundled Updater. On the managed tier you're at the mercy of the OEM's OTA mechanism.
Remote attestation against keys you control, plus the full GrapheneOS hardening surface — hardened malloc, hardened kernel, exec-spawning, memory tagging on supported silicon.
The surveillance ceiling is enforced on both tiers (server + DPC). The Custom OS tier additionally backs the privacy floor in the OS itself — verified boot always on, keyed to you.
How it's built
95%+ of repos point straight at GrapheneOS upstream tags. We fork only a handful — per-device branding overlays, the Updater (pointed at our OTA), a branding RRO, and the DPC system app. The kernel, Vanadium, and base framework are used as-is, so the monthly upstream rebase stays cheap.
A full AOSP build pipeline (64 GB RAM, ~500 GB SSD) produces signed images across dev / beta / stable channels with incremental OTA deltas. Three offline key sets — AVB, per-app APK, and the infrastructure signing key — anchor the trust chain.
The tier targets Pixel (the models GrapheneOS supports, roughly the Pixel 6 through Pixel 10 families), because Pixel is the mass-market Android that exposes a re-lockable bootloader (avb_custom_key), StrongBox, and a Titan M2 secure element. Other OEMs don't, which is why this tier can't run on commodity hardware the way the managed tier does.
Start with the platform
The managed MDM/UEM platform runs on any Android Enterprise device right now. Bring the Custom OS tier in later, on Pixel, where the extra assurance is worth the build pipeline.