Android device management

SP-MDM · SELF-HOSTED

Move security controls below the app layer.
Manage the whole endpoint.

On enrolled Android devices, SecurePhone MDM enforces hardware, lock-screen, system-app, and connectivity posture across the phone. It supports Android 6.0+ across manufacturers, with the strongest controls available when the DPC is provisioned as Device Owner.

Android 6.0+Device OwnerStock Android or GrapheneOS
SP-MDM Ready to deploy
Device postureLIVE
01

cameraHardware capture

off
02

microphoneSystem audio input

off
03

locationGPS + geofencing

off
04

bluetoothBLE scan + pairing

off
05

screen-lockAndroid credential

required
LICENSE VALIDMODE PRIVATE
01Device Ownerstrongest organization-managed tier
02OS-widecontrols beyond individual apps
03Multi-OEMstock Android or GrapheneOS
04Cohortcentrally assigned policy
Endpoint controls

Reduce the hardware and operating-system attack surface.

Device policy handles the controls an encrypted messenger cannot enforce by itself. Availability varies by Android management tier and manufacturer, so deployments are validated against the actual device fleet.

01

Disable the camera

Block camera hardware while policy is active so managed users and other apps cannot capture images.

02

Disable the microphone

Remove the operating-system microphone surface for shared, loaner, kiosk, or high-risk field devices.

03

Disable GPS and location

Block location services system-wide so app requests fail and passive geofencing stops operating.

04

Disable Bluetooth

Close BLE scanning and pairing where trackers, beacons, or unauthorized accessories are part of the threat model.

05

Require a screen lock

Require an Android credential and lock behavior appropriate for unattended offices, vehicles, and field work.

06

Restrict Google services

On supported Device Owner deployments, disable managed Google packages and use signed APK delivery without depending on Play Store.

07

Managed application catalog

Assign required, allowed, and blocked applications by policy, with signed APK delivery available for supported deployment paths.

08

Per-app permissions

Control camera, microphone, location, storage, network, and other permissions where the Android management tier exposes them.

09

Always-on VPN posture

Require an approved VPN configuration and prevent ordinary users from weakening the managed network path on supported devices.

10

QR and activation enrollment

Connect a new or reset organization-owned phone to the correct customer, policy cohort, and licensed services during setup.

11

Posture and audit history

Review enrollment, policy synchronization, application state, remote actions, and device lifecycle events from the management surface.

12

Panic Wipe

Give properly enrolled Device Owner phones a dedicated last-resort control for an immediate whole-device factory reset.

Explore product
Enrollment path

Provision authority before the phone reaches the user.

The management tier is established during enrollment, then policy and app state are maintained centrally throughout the device lifecycle.

01

Choose the device tier

Use compatible stock Android hardware or optional GrapheneOS where the threat model calls for it.

02

Enroll Device Owner

Provision the management app during setup so Android grants organization-owned device authority.

03

Assign policy and apps

Select endpoint posture, required applications, update behavior, and user restrictions centrally.

04

Monitor and revise

Sync changes, review device health, and react to loss, role changes, or replacement from the management surface.

Management tier matters

Device Owner is not the same as an ordinary app install.

Android reserves the strongest controls for organization-owned enrollment. Device Admin or unmanaged installs cannot guarantee the same system-wide behavior.

Reseller demo
01

Enrollment preparation

Some Device Owner provisioning paths require a new or factory-reset phone.

02

Fleet validation

OEM and Android-version differences can affect individual restrictions.

03

GrapheneOS is optional

GrapheneOS is limited to supported Pixel hardware; stock Android remains supported more broadly.

04

Layered security

A disabled sensor improves posture but does not replace physical handling procedures.

Build the right endpoint tier

Match device authority to the actual threat model.

Map required Android controls to compatible hardware, enrollment, and operational ownership, then deploy SecurePhone MDM alone or with the complete SecurePhone stack.

Configure yours