Manage devices.
Leave no trace.
Self-hosted · Anonymity-first · GrapheneOS-native MDM
Norypt MDM is a self-hosted, anonymity-first mobile device management platform for Android and GrapheneOS fleets. No Google Services, no Firebase, no third-party cloud — IPs, IMEIs, serial numbers, and location data are architected out, not just hidden. Every destructive command is StrongBox-signed, making the platform server-compromise resistant.
From $100 / month managed · Private server from €2,000
Sample fleet grid (page illustration): Field-Unit-001 (GrapheneOS 14) · Press-Alpha-03 (GrapheneOS 14) · Legal-Device-07 (GrapheneOS 13) · NGO-Unit-12 (GrapheneOS 14). Badges: mTLS Encrypted · Zero Google APIs.
🎯 Who this is for
Built for the field, not the boardroom.
Every design decision in Norypt MDM was made with a specific person in mind — someone whose safety or sources depend on what their phone does not leak.
Journalists
Protecting source communication on assignment. Wipe a device remotely if a reporter is detained — before credentials or contacts are extracted.
Activists
Running fleets that cannot leak identifying metadata. No IMEI, no serial, no location data stored — even on the management server.
Lawyers
Managing devices that handle privileged client material. Enforce lockdown policies and maintain a tamper-evident audit log of every command issued.
Human-rights workers
Operating in restrictive or adversarial regions. The admin console is reachable over Tor — the management URL never has to appear in public DNS.
Researchers
Working with sensitive subjects who need auditable, tamper-evident device control. Hash-chained logs make every action cryptographically verifiable.
Security professionals
Deploying hardened phone fleets for internal teams. GrapheneOS-compatible, FCM-free, and built to operate entirely without Google infrastructure.
🕵️ Designed for anonymity, not just privacy
The schema holds nothing it doesn't need.
Most MDM products are surveillance tools dressed in enterprise clothing. They were designed to give a corporate IT team visibility — which means they were designed to collect. Norypt MDM was designed with the opposite constraint: the schema, the protocol, and the infrastructure are all built to hold the minimum information required to lock or wipe a device, and nothing else.
What Norypt MDM is designed not to collect
Admin accounts require only username + password + TOTP secret. Email is never requested and there is no email-based recovery backdoor.
Devices are identified only by a random UUID generated during enrollment. No hardware identifier is ever read or stored.
The Nginx reverse proxy ships with access_log off so that IP addresses are not written to disk.
Optional journald in volatile (RAM-only) mode — logs do not survive a reboot. Nothing is left behind.
🛡️ Bulletproof security architecture
Every layer hardened by design.
Transport
- mTLS everywhere — both device and server authenticate on every connection
- Self-signed CA generated at first boot; private CA material never leaves the box
- Server certificate SHA-256 pinned inside the device agent
- Optional Tor hidden service — the management URL never has to touch public DNS
Two-frame command authentication
- Mode A frame — server-EdDSA-signed; carries the runtime payload (download tokens, package names)
- Mode B frame — admin-StrongBox-ECDSA-signed; carries the authorization envelope (path + body + nonce + timestamp)
- WIPE, INSTALL_APK, UNINSTALL_APK, REBOOT, ENABLE_KIOSK, ENABLE_POLICY, ENABLE_LOST_MODE, SET_PASSWORD_POLICY, SET_SECURITY_CONFIG, DELETE_FILE and RENAME_FILE refuse to execute on Mode A alone — both frames must arrive within 60 seconds
- Single-use nonce and timestamp on every frame; replays rejected
- A server-only attacker can mint Mode A from the EdDSA key on disk — they cannot mint the matching Mode B without the admin's StrongBox key, which never leaves the GrapheneOS phone
APK provenance
- Upload pre-flight — every APK upload to the library extracts the v2 signing-block cert SHA-256. If the package matches the agent, the cert is checked against the tenant's TOFU pin. Wrong-keystore APK is rejected with HTTP 409 before bytes hit disk.
- In-place update guard — Android's PackageInstaller refuses cross-cert updates by design. Even a bypassed pin can't replace the running agent with a differently-signed APK.
- Out-of-band DO QR pin — the admin app downloads the live agent.apk before generating any new-phone provisioning QR, parses the v2 block client-side, and refuses to render the QR unless the cert SHA matches a value baked into the admin app at build time.
- A server-side swap of agent.apk is detected on the admin phone before the malicious bytes ever reach a new device.
Credentials
- Passwords stored with Argon2id — memory-hard, GPU-resistant
- TOTP secrets AES-256-GCM encrypted at rest
- Backup codes individually Argon2id-hashed
- JWTs with 15-minute TTL; refresh tokens single-use rotating
Data & audit
- PostgreSQL 16 with row-level security at the database layer
- Per-tenant isolation — cross-tenant linkage architecturally blocked
- Hash-chained audit log — tampering is cryptographically detectable
- No IP, PII, or location column anywhere in the schema
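As an added illustration of the hash-chained audit log in the list above (this is not the project's code; the page does not publish its schema or hash inputs), here is a minimal chain in Go, the language of the backend. The column set, the `|`-joined hash input, the `Verify` return convention and the sample rows in `main` are all assumptions of this example. It also makes explicit a caveat the bullet leaves implicit: a chain proves internal consistency, so an attacker with Postgres write access who rewrites the whole chain is caught only if the head hash is also kept outside the database.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Entry is one audit row. PrevHash links it to the row before; Hash covers the row's own
// fields plus PrevHash, so editing any earlier row breaks every later link.
// The column set is this example's; as the page says, it holds no IP, PII or location.
type Entry struct {
	Seq      int
	Actor    string // admin username (no email, no IP)
	Action   string
	DeviceID string // random enrollment UUID, never a hardware identifier
	PrevHash string
	Hash     string
}

var genesis = strings.Repeat("0", 64) // link value for the first row

func entryHash(e Entry) string {
	h := sha256.Sum256([]byte(fmt.Sprintf("%d|%s|%s|%s|%s", e.Seq, e.Actor, e.Action, e.DeviceID, e.PrevHash)))
	return hex.EncodeToString(h[:])
}

// AuditLog is an append-only chain of entries.
type AuditLog struct{ Entries []Entry }

// Append writes a new row whose PrevHash is the current head.
func (l *AuditLog) Append(actor, action, deviceID string) Entry {
	prev := genesis
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := Entry{Seq: len(l.Entries) + 1, Actor: actor, Action: action, DeviceID: deviceID, PrevHash: prev}
	e.Hash = entryHash(e)
	l.Entries = append(l.Entries, e)
	return e
}

// Head is the hash of the last row: the value worth keeping outside the database
// (for instance on the admin phone) so that a wholesale rewrite is detectable too.
func (l *AuditLog) Head() string {
	if len(l.Entries) == 0 {
		return genesis
	}
	return l.Entries[len(l.Entries)-1].Hash
}

// Verify re-walks the chain and returns the 1-based sequence number of the first row whose
// sequence, link or hash is wrong, or 0 if the log is intact. If expectedHead is non-empty and
// the final hash differs from it, it returns len+1: a self-consistent but rewritten or truncated chain.
func (l *AuditLog) Verify(expectedHead string) int {
	prev := genesis
	for i, e := range l.Entries {
		if e.Seq != i+1 || e.PrevHash != prev || entryHash(e) != e.Hash {
			return i + 1
		}
		prev = e.Hash
	}
	if expectedHead != "" && prev != expectedHead {
		return len(l.Entries) + 1
	}
	return 0
}

func main() {
	// Constructed sample rows; device IDs are placeholder UUIDs.
	var audit AuditLog
	audit.Append("alice", "ENABLE_LOST_MODE", "6f1d2c3b-0000-4000-8000-000000000001")
	audit.Append("alice", "WIPE", "6f1d2c3b-0000-4000-8000-000000000001")
	audit.Append("bob", "LOCK", "6f1d2c3b-0000-4000-8000-000000000002")
	head := audit.Head()
	fmt.Println("intact:", audit.Verify(head))
	audit.Entries[1].Action = "LOCK" // silent edit of row 2 by someone with Postgres write access
	fmt.Println("edited row 2:", audit.Verify(head))
	audit.Entries[1].Hash = entryHash(audit.Entries[1]) // attacker re-hashes the edited row
	fmt.Println("re-hashed row 2:", audit.Verify(head)) // row 3's link is now the mismatch
}
```

`Verify("")` is what a viewer can do with the database alone; `Verify(head)` is the stronger check that needs the head recorded out of band.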
🛡️ Server-compromise threat model
What if the server itself is compromised?
The trust anchor isn't on the server.
Most MDMs assume the management server is trusted infrastructure. We assume it can be rooted at any time. Norypt MDM's threat model explicitly addresses VPS compromise — and the design ensures that even with full server root, the attacker cannot push code or destructive commands to a single phone in your fleet.
| If the attacker has… | They can | They cannot |
| --- | --- | --- |
| Root in the server container | Read fleet metadata | Push WIPE / INSTALL_APK / REBOOT to any device |
| The server EdDSA private key | Mint Mode A frames | Pair them with admin Mode B — frames expire unconsumed |
| Postgres write access | Tamper with rows | Bypass the admin app's baked APK cert pin |
| File write to the on-server agent.apk | Replace bytes | Pass the admin-app cert pin verify — DO QR is refused |
| A stolen browser session cookie | Read audit log | Issue any destructive command — every mutation requires StrongBox |
| Username + password + TOTP (no admin StrongBox) | Log into the panel | Issue any destructive command — every mutation requires StrongBox |
A fully-compromised server becomes a metadata-only read leak — not a fleet-wide compromise.
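The two-frame command authentication list and the first two rows of the table above are illustrated by the following added Go model of the device-side check. It is not Norypt's code: the wire layout, the `"<COMMAND> <modeA-nonce>"` envelope body that binds a Mode B to one Mode A, and delivering both frames to a single `Execute` call are assumptions of this example. The server key is Ed25519 and the admin key ECDSA P-256 as the page states; in the product the admin key lives in StrongBox, whereas here it is an in-memory key so the example runs offline. A holder of the server key can mint Mode A frames, but without the admin key the destructive command never executes, and a stale, mis-bound or replayed frame is refused.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Commands the page lists as refusing to execute on Mode A alone.
var destructive = map[string]bool{
	"WIPE": true, "INSTALL_APK": true, "UNINSTALL_APK": true, "REBOOT": true, "ENABLE_KIOSK": true,
	"ENABLE_POLICY": true, "ENABLE_LOST_MODE": true, "SET_PASSWORD_POLICY": true,
	"SET_SECURITY_CONFIG": true, "DELETE_FILE": true, "RENAME_FILE": true,
}

const pairWindow = 60 // seconds; both frames must arrive within this window
// ModeA is the server-signed runtime frame (Ed25519); ModeB is the admin-signed authorization envelope
// (ECDSA P-256; in the product that key sits in the admin phone's StrongBox). Layouts are this example's.
type ModeA struct {
	Command, Payload, Nonce string
	Timestamp               int64
	Sig                     []byte
}
type ModeB struct {
	Path, Body, Nonce string
	Timestamp         int64
	Sig               []byte
}

func (a ModeA) signed() []byte {
	return []byte(fmt.Sprintf("A|%s|%s|%s|%d", a.Command, a.Payload, a.Nonce, a.Timestamp))
}
func (b ModeB) digest() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("B|%s|%s|%s|%d", b.Path, b.Body, b.Nonce, b.Timestamp)))
	return h[:]
}
// MintA: anyone holding the server's on-disk key can do this, including a server-side attacker.
func MintA(key ed25519.PrivateKey, cmd, payload, nonce string, ts int64) ModeA {
	a := ModeA{Command: cmd, Payload: payload, Nonce: nonce, Timestamp: ts}
	a.Sig = ed25519.Sign(key, a.signed())
	return a
}

// MintB: only the admin phone can do this. Body "<COMMAND> <modeA-nonce>" binds the envelope to one frame.
func MintB(key *ecdsa.PrivateKey, path, body, nonce string, ts int64) (ModeB, error) {
	b := ModeB{Path: path, Body: body, Nonce: nonce, Timestamp: ts}
	sig, err := ecdsa.SignASN1(rand.Reader, key, b.digest())
	b.Sig = sig
	return b, err
}

type Agent struct { // device-side verifier
	serverPub ed25519.PublicKey
	adminPub  *ecdsa.PublicKey
	consumed  map[string]bool // single-use nonces, keyed by frame type
	Executed  []string        // commands that actually ran, in order
}
func NewAgent(serverPub ed25519.PublicKey, adminPub *ecdsa.PublicKey) *Agent {
	return &Agent{serverPub: serverPub, adminPub: adminPub, consumed: map[string]bool{}}
}

// fresh rejects a replayed nonce or a timestamp outside the window, then burns the nonce.
func (ag *Agent) fresh(kind, nonce string, ts int64) error {
	if ag.consumed[kind+":"+nonce] { return errors.New(kind + ": nonce already consumed (replay)") }
	if d := time.Now().Unix() - ts; d > pairWindow || d < -pairWindow { return errors.New(kind + ": timestamp outside window") }
	ag.consumed[kind+":"+nonce] = true
	return nil
}

// Execute runs a command. A non-destructive command needs only a valid Mode A; a destructive one also needs
// a Mode B under the admin key that covers this exact Mode A and is within the window. Nonces burn last.
func (ag *Agent) Execute(a ModeA, b *ModeB) error {
	if !ed25519.Verify(ag.serverPub, a.signed(), a.Sig) { return errors.New("mode A: bad server signature") }
	if destructive[a.Command] {
		if b == nil { return errors.New(a.Command + ": refused, Mode A alone is not authorization") }
		if !ecdsa.VerifyASN1(ag.adminPub, b.digest(), b.Sig) { return errors.New("mode B: bad admin signature") }
		if b.Body != a.Command+" "+a.Nonce { return errors.New("mode B: envelope does not cover this Mode A frame") }
		if d := b.Timestamp - a.Timestamp; d > pairWindow || d < -pairWindow { return errors.New("frames more than 60 s apart: Mode A expires unconsumed") }
		if err := ag.fresh("B", b.Nonce, b.Timestamp); err != nil { return err }
	}
	if err := ag.fresh("A", a.Nonce, a.Timestamp); err != nil { return err }
	ag.Executed = append(ag.Executed, a.Command)
	return nil
}

func main() {
	serverPub, serverPriv, _ := ed25519.GenerateKey(rand.Reader)
	adminPriv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ag, ts := NewAgent(serverPub, &adminPriv.PublicKey), time.Now().Unix()
	a := MintA(serverPriv, "WIPE", "download-token", "a1", ts)
	b, _ := MintB(adminPriv, "/devices/dev-1/wipe", "WIPE a1", "b1", ts)
	fmt.Println(ag.Execute(a, nil), ag.Execute(a, &b), ag.Execute(a, &b)) // refused, <nil>, replay rejected
	fmt.Println(ag.Executed)                                              // [WIPE]
}
```

The order of checks matters: signatures and binding are verified before any nonce is consumed, so a forged or mis-bound Mode B cannot burn a legitimate frame's nonce, while a successful pair consumes both nonces and makes the exact same frames worthless on a second delivery.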
🚀 What it can do
Full fleet control. Zero vendor overhead.
Device fleet control
- Encrypted QR enrollment (Device Admin or Device Owner mode)
- Live WebSocket per device — command delivery in milliseconds
- Offline command queue for disconnected devices
- Remote Lock / Unlock / Factory Wipe
- Per-device alias — set by the admin, never the user
Policy & lockdown
- Kiosk mode — lock a device to a single app
- Lockdown mode — disable camera, Bluetooth, USB, unknown sources
- Lost mode — on-screen banner with a return number
- App allowlist / blocklist
- Silent APK push in Device Owner mode
- Emergency SOS auto-disable for field deployments
Fleet rollout
- One-tap import of the live agent.apk into the library (cert pin verified on every push)
- Staged rollout with max-concurrent and failure-threshold-percent
- Pause / Resume / Abort — every action StrongBox-signed
- Heartbeat-driven success — devices only mark "succeeded" after they actually report the new version, not on a hopeful pre-ack
- Auto-pause if the failure rate breaches threshold
- Read-only version histogram in the web admin
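An added model of the staged-rollout controller the list above describes, in Go to match the backend. It is not the project's code: the field names, the heartbeat signature, and measuring the failure rate as a percentage of devices that have reached a terminal state are assumptions of this example. It shows the max-concurrent cap, success marked only when a device reports the target version, auto-pause when the failure rate reaches the threshold, Resume/Abort, and the version histogram.

```go
package main

import "fmt"

// State of one device within a rollout.
type State int

const (
	Pending State = iota
	Dispatched
	Succeeded
	Failed
	Aborted
)

// Rollout drives a staged push of one agent version across a fleet. Field names and the
// percent-of-finished failure rate are this example's choices, not the product's API.
type Rollout struct {
	Target           string // version being rolled out
	MaxConcurrent    int    // devices allowed in flight at once
	FailThresholdPct int    // auto-pause when failures reach this share of finished devices
	Paused           bool
	order            []string // stable dispatch order
	state            map[string]State
	reported         map[string]string // last version each device reported in a heartbeat
}

func NewRollout(target string, devices []string, maxConcurrent, failThresholdPct int) *Rollout {
	r := &Rollout{Target: target, MaxConcurrent: maxConcurrent, FailThresholdPct: failThresholdPct,
		order: append([]string(nil), devices...), state: map[string]State{}, reported: map[string]string{}}
	for _, d := range devices { r.state[d] = Pending }
	return r
}

func (r *Rollout) count(s State) int {
	n := 0
	for _, st := range r.state { if st == s { n++ } }
	return n
}

// Dispatch pushes the install to Pending devices until MaxConcurrent are in flight and returns the
// devices pushed now; nothing is pushed while paused. (In the product each push is a signed INSTALL_APK.)
func (r *Rollout) Dispatch() []string {
	var sent []string
	for _, d := range r.order {
		if r.Paused || r.count(Dispatched) >= r.MaxConcurrent { break }
		if r.state[d] == Pending {
			r.state[d] = Dispatched
			sent = append(sent, d)
		}
	}
	return sent
}

// Heartbeat records what a device actually reports. It is marked Succeeded only when it reports
// the target version; an install error marks it Failed; anything else leaves it in flight.
// There is no optimistic pre-ack.
func (r *Rollout) Heartbeat(dev, reportedVersion, installErr string) {
	r.reported[dev] = reportedVersion
	if r.state[dev] != Dispatched { return }
	switch {
	case installErr != "":
		r.state[dev] = Failed
	case reportedVersion == r.Target:
		r.state[dev] = Succeeded
	}
	if r.count(Failed) > 0 && r.FailureRatePct() >= r.FailThresholdPct {
		r.Paused = true // auto-pause: no further dispatch until an admin resumes
	}
}

// FailureRatePct is failures as a percentage of devices that reached a terminal state.
func (r *Rollout) FailureRatePct() int {
	done := r.count(Succeeded) + r.count(Failed)
	if done == 0 { return 0 }
	return r.count(Failed) * 100 / done
}

func (r *Rollout) Resume() { r.Paused = false }
// Abort stops the rollout: devices never pushed are marked Aborted; in-flight ones finish on their own.
func (r *Rollout) Abort() {
	r.Paused = true
	for d, st := range r.state { if st == Pending { r.state[d] = Aborted } }
}

// Histogram is the read-only version view: how many devices last reported each version.
func (r *Rollout) Histogram() map[string]int {
	h := map[string]int{}
	for _, v := range r.reported { h[v]++ }
	return h
}

func main() {
	r := NewRollout("2.1.0", []string{"d1", "d2", "d3", "d4"}, 2, 34) // constructed fleet
	fmt.Println("wave 1:", r.Dispatch()) // [d1 d2]
	r.Heartbeat("d1", "2.1.0", "")
	r.Heartbeat("d2", "2.0.0", "install failed: cert mismatch")
	fmt.Println("failure %:", r.FailureRatePct(), "paused:", r.Paused, "while paused:", r.Dispatch()) // 50 true []
	r.Resume()
	fmt.Println("wave 2:", r.Dispatch(), r.Histogram()) // [d3 d4] map[2.0.0:1 2.1.0:1]
}
```

Counting only terminal states keeps a slow installer from looking like a failure; the trade-off is that one early failure out of one finished device reads as 100 % and pauses immediately, which is the conservative behaviour you want on a fleet where a bad push is expensive to undo.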
Admin experience
- Browser console and companion Android admin app
- Three-role RBAC — Owner, Admin, Wiper (scoped to assigned devices)
- Hash-chained audit viewer with filters
- TOTP-only login — no email, no SMS, no recovery backdoor
- EdDSA signing-key rotation without re-enrolling devices
📱 The Android Agent
Invisible to the user. Hardened against the attacker.
Zero user-facing attack surface
Two Jetpack Compose screens total: 'Scan enrollment code' and 'Connected.' That is all a device user ever sees. No settings, no controls, no information to extract.
Non-exportable client key
The client certificate is generated on the device and stored in the Android Keystore. It cannot be copied, exported, or extracted — not even with root access.
Obfuscated release builds
R8 + minification + signed release builds. The agent binary is not straightforward to reverse-engineer.
Hidden server URL
The management server address is compiled into the APK and encoded inside the encrypted enrollment QR. A third-party QR scanner sees only ciphertext.
GrapheneOS — recommended for the admin app
The admin companion app uses Android's StrongBox-backed Keystore for the ECDSA-P256 signing key that authorizes every destructive command. On GrapheneOS this key is generated in the secure element and is non-extractable: no software-only compromise of the device can recover it. This is the trust anchor that protects the fleet from a compromised server.
No Play Services required
Pushes commands over a persistent mTLS WebSocket. No FCM, no Google Cloud Messaging, no dependency on any Google infrastructure.
⚖️ Norypt MDM vs. mainstream MDM
Built differently. By design.
🧩 What's in the box
The full stack. Nothing left to configure.
Go backend
Single static binary (Gin framework) — fast, minimal, no runtime dependencies.
PostgreSQL 16 + Redis 7 + Nginx
Nginx ships with access_log off by default. Everything containerised and pre-configured.
Optional Tor hidden-service config
Admin console reachable via an onion address — the management URL stays off public DNS.
Android device agent APK
Kotlin · Jetpack Compose · min SDK 26. Signed, obfuscated, no Play Services dependency.
Android admin companion APK
Manage your fleet from a phone. Same security properties as the browser console.
React + TypeScript admin panel
Browser-based console with audit log viewer, device grid, and RBAC-scoped controls.
Docker Compose deployment
docker compose up -d brings the full stack online. No Kubernetes, no cloud provider account.
Signed release builds
Every APK and binary is signed. Signed update channel so you can verify every future update.
🎯 Threat model
Honest about what it defends against.
No security product protects against everything. Here is exactly what Norypt MDM is designed to resist — and what it does not claim to.
Designed to resist
- Surveillance of device-to-server traffic (mTLS + certificate pinning)
- A compromised server attempting to wipe or hijack devices (admin Mode-B signatures)
- Database exfiltration revealing user identity (no PII in schema; Argon2id; TOTP encrypted)
- Phishing of admin credentials (mandatory TOTP; admin APK private key required for destructive commands)
- A device user attempting to extract credentials, disable the agent, or discover the server URL
Does not defend against
- A physical attacker with access to an already-unlocked admin device
- A lawful warrant served on your hosting provider — encrypt your disks
- Compromise of your own build toolchain or supply chain
No product can, and we will not pretend otherwise. This is an honest description of the threat model.
💶 Plans & pricing
Start on managed cloud. Or own your stack.
Managed Cloud
We host the management panel for you. Zero server setup. Enroll phones and manage your fleet from day one.
Starter
- Up to 5 managed devices
- Norypt-hosted management panel
- Encrypted QR enrollment
- Lock · Unlock · Wipe · Kiosk · Lockdown · Lost mode
- Hash-chained audit log
- TOTP admin authentication
- Email support
Growth
- Up to 25 managed devices
- Everything in Starter
- Priority email support
- Access to Admin Companion APK
- Signing-key rotation on demand
Pro
- Up to 50 managed devices
- Everything in Growth
- Priority support with faster SLA
- Onboarding call for your team
- Guidance on device hardening and enrollment workflow
Need more than 50 devices on managed cloud? Talk to us — we tailor a plan to your fleet.
Private Server Deployment
We build, deploy, and harden a Norypt MDM instance on your own infrastructure. You own the server, the database, the certificates, and the encryption keys.
Deployed on your own VPS or bare metal. Perpetual self-hosted licence. Pricing scales with fleet size and hardening scope — get a quote for your deployment.
Request a Quote
- Deployed on your own VPS or bare metal — perpetual licence
- Full stack: Go backend · PostgreSQL 16 · Redis 7 · Nginx · Docker Compose
- Optional Tor hidden service for the admin console
- CA + EdDSA signing keys generated on your server and held by you
- Admin Companion APK included
- Handover documentation and operational runbook
Typical additional scope: custom hardening review, white-label rebrand, air-gapped install, SLA-backed support, SSO integration, dedicated onboarding. Quoted per project.
🔗 Related at Norypt
A complete fleet privacy stack.
Norypt MDM is the management plane. The full privacy stack pairs it with the right phone, OS, and on-device security app.
GrapheneOS Phones
Pre-configured Pixel devices running GrapheneOS — the recommended hardware for Norypt MDM admins and managed devices.
Norypt Protect (free app)
Local-only Android security app. Pair with MDM for layered fleet defence: Protect on the device, MDM in the management plane.
Norypt MDM vs Jamf, Intune, Workspace ONE
Side-by-side comparison of mainstream corporate MDM platforms against Norypt's anonymity-first design.
Remote wipe without Google
Three open-source ways to lock or wipe an Android phone without a Google account — including the MDM path.
GrapheneOS vs Stock Android
Why GrapheneOS — not stock Android — is the right OS layer under an anonymity-first MDM.
Talk to us about a deployment
Quotes for managed cloud beyond 50 devices, private-server deployments, white-label, and air-gapped installs.
❓ FAQ
Frequently asked questions
Norypt MDM
Deploy an MDM that works for your people — not against them.
Start on managed cloud in minutes, or talk to us about a private-server deployment tailored to your threat model.
