Fleet Tracking
Trucking, last-mile, field-service. Driver phones and ELDs spend their day uploading positions and timing data to your dispatch system — and to whatever ad SDK shipped inside the route-planning app you didn't audit. HardenedOS gives you sub-meter location with the surveillance ceiling intact and an audit-grade event stream straight to your SIEM.
The threat surface
Fleet management has a "soft" threat model — most operators don't have a state-actor adversary. The threats are mundane, but they show up in real audits + real lawsuits + real driver-union disputes:
The free routing app a driver installed bundles three location-collecting SDKs. Now the driver's daily route, dwell times at customer sites, and home address sit in a third-party data broker. Per-app network gating + sensor scopes shut these down without breaking the routing app's primary function.
An ELD that runs unsigned + can be remote-rooted is an ELD whose log can be edited. Hardware attestation on every heartbeat means your back-office knows the device is the device. The signed event stream means the timestamp can't be backdated by a driver who got pulled into a weigh station.
Unions fight invasive monitoring. The surveillance ceiling — kernel-enforced, no tier can override — neutralizes the "we're recording your microphone" allegation at the OS level. Auditable: any tier policy that tries to enable it is rejected before it reaches the device.
Devices walk off. Duress PIN wipes irrevocably. Auto-reboot on idle clears the decryption keys. Hardware attestation means a swapped phone can't impersonate the original on dispatch.
Cargo theft rings monitor dispatch traffic. Per-connection MAC randomization, DNS-leak prevention, VPN tunnel enforcement. The dispatcher app can't be bypassed onto a hostile Wi-Fi at a truck stop.
Photo-of-delivery scams: a driver photographs an empty doorstep + claims delivery. Storage scopes mean the camera-and-evidence app sees only its own folder; the device-attested timestamp + GPS coordinates land in your audit log signed; harder to fake.
How HardenedOS responds
Most fleet operators run Corporate tier on the driver phone, with this policy bag adjusted via /policies:
Your dispatch / ELD / routing client. Each pinned to its developer signing-cert SHA-256. Sideloading off; the only apps that ship are the ones you uploaded to /apps. Drivers don't install personal apps on the work device — basic-tier device for that.
The routing app gets GPS + network. The dispatch app gets network. The OEM keyboard gets neither. Even if a tracker SDK ships in the routing app, it can't get to its phone-home server because outbound network is policy-controlled at the OS level.
The proof-of-delivery app sees one folder: /Documents/POD. It can't read the dispatch app's offline route cache, the personal photo library, or the file-transfer history.
Every dispatch heartbeat carries a Titan-M2-signed attestation. Your back office knows the device is genuine. A modified phone trying to spoof an ELD log gets refused at the dispatch endpoint.
Every device event — activation, tier change, install, wipe-requested, heartbeat-attested — POSTed to your endpoint with HMAC-SHA256 signing. Drop straight into Splunk / Datadog / Sumo. Audit trail, not a screenshot.
Who deploys this
500–10,000 driver phones. The replacement for ageing Bluebird / Zonar tablets. Often paired with hardware ELD via Bluetooth; HardenedOS phone is the user-facing surface.
Higher device turnover, more theft. Required-app catalog + remote wipe + duress PIN are the load-bearing features. Procurement through a logistics-tech integrator who white-labels HardenedOS.
Smaller fleets, more diverse use cases (technicians, inspectors, meter-readers). Often a Corporate-tier work profile + a Basic-tier personal profile on the same hardware. One device, two lives.
We'll send a small batch under your branding. One depot, one rotation, one month. Your IT keeps the management panel + the webhook stream into your SIEM.