Does GOS play well with MDM for Corporate/Enterprise Environments?
Does it? Can a company have control over GOS through MDM just like it can with stock AOSP and/or the Pixel factory OS? For example, can MDM software override GOS permissions for geolocation and network access? Employers want to monitor employees and need to know about their mobile device activities. If an employee can just disable the network permission for the MDM app, then it defeats the point of MDM.
I answered this in https://github.com/GrapheneOS/os-issue-tracker/issues/1938#issuecomment-1416839482 as my company also uses MDM using VMware Airwatch.
In short: No for lots of reasons.
MDM apps depend on lots of privileged functionality that only stock OS provides. The biggest issue right now is MDM apps depend on Play services + Play Store to properly initialise the work profile and to install the company apps. On GrapheneOS, we do not ship Google apps and services by default obviously. This means that when a work profile is created the MDM app expects Play services to be installed automatically, but it's not on GrapheneOS. MDM apps do not handle this case and will usually chain crash or create a very broken / incomplete work profile.
It is possible to initialise the broken work profile with your MDM app, then go into GrapheneOS Apps and install sandboxed Google Play, but your work profile will still not be 100% functional because MDM apps delegate installation of the company apps to Play Store. If your company policy forbids you from installing 3rd-party apps in your work profile, then Play Store cannot install any apps because Play Store is not a privileged 1st-party app store like it is on stock OS and will always forbid you from installing your company apps like the corporate VPN, Microsoft Office, Duo MFA, Okta, etc (just examples).
The only realistic solutions would be us creating special case bypasses or exceptions for Google apps, but we want to avoid doing such a thing in the first place. We may end up creating opt-in hidden toggles for something like this in the long run.
It's also extremely difficult for us to test or add support for this when we do not have a sandbox/playground/test environment of an actual MDM solution that mimics a production environment (Airwatch, Intune, etc).
The best you can do is get a cheap work phone that you can enroll and use strictly for MDM and work.
So... MDM apps heavily rely on GPS running as privileged services/processes/apps. If an MDM app is not reliant on GPS at all, then can it be used to stop users from changing permissions?
You can't deny that GOS easily positions itself as a secure OS an enterprise may want to use if it can prevent employees from changing settings. Many small companies do not trust big tech companies like Google/Microsoft/Apple, or they have to sign special (and expensive) contracts/agreements with big tech to prevent big tech from scanning employee files or tracking employee activities. That is the case in health/medical industries for sure. Security-related companies would also be interested in GOS.
Without a doubt, I wouldn't use any personal devices for work, but it would be hard not to recommend GOS as the OS for work-only phones to employers if employers can control GOS phones through MDM. Employees would not get the privacy-from-employers benefits of GOS, but they would get the security benefits for sure.
OpenSource-Ghost
GrapheneOS does have all the AOSP stuff present for managed devices and managed profiles.
As outlined previously, solutions for managed work profiles that are tied to Google Play will most likely have issues.
MDM solutions for managed devices are more likely to work with GrapheneOS, particularly those designed to work on devices without Google Play.
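To make concrete what "the AOSP stuff for managed devices" lets an MDM agent enforce (and so answer the earlier question of whether users can be stopped from changing permissions), here is an added example; it is not code from this thread or from the GrapheneOS project. It assumes the agent has been provisioned as device owner of a fully managed device, that it ships a `DeviceAdminReceiver` subclass named `MdmAdminReceiver`, and that `com.example.mdmagent` and `com.example.corpvpn` are placeholder package names. It uses only the public AOSP `DevicePolicyManager` and `UserManager` APIs.

```java
// Added example (not code from the GrapheneOS forum thread or the GrapheneOS project):
// what an MDM agent running as device owner on a fully managed device can enforce
// through the AOSP DevicePolicyManager API that the reply above says GrapheneOS keeps.
// Assumed names: package "com.example.mdmagent", receiver "MdmAdminReceiver" and the
// managed app "com.example.corpvpn" are placeholders, not real products.
package com.example.mdmagent;

import android.Manifest;
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.UserManager;

public final class ManagedDevicePolicy {

    /** Minimal admin receiver; the agent is provisioned as device owner pointing at it. */
    public static class MdmAdminReceiver extends DeviceAdminReceiver {}

    private final DevicePolicyManager dpm;
    private final ComponentName admin;
    private final Context context;

    public ManagedDevicePolicy(Context context) {
        this.context = context.getApplicationContext();
        this.dpm = this.context.getSystemService(DevicePolicyManager.class);
        this.admin = new ComponentName(this.context, MdmAdminReceiver.class);
    }

    /** True only when this agent owns the whole device, not just a work profile. */
    public boolean isDeviceOwner() {
        return dpm.isDeviceOwnerApp(context.getPackageName());
    }

    /**
     * Applies the controls discussed in the thread. Returns false when the agent is not
     * device owner, because none of these calls are available to an ordinary app.
     */
    public boolean applyPolicy(String managedAppPackage) {
        if (!isDeviceOwner()) {
            return false;
        }
        // 1. The user cannot change location settings or switch location sharing off.
        dpm.addUserRestriction(admin, UserManager.DISALLOW_CONFIG_LOCATION);
        dpm.addUserRestriction(admin, UserManager.DISALLOW_SHARE_LOCATION);
        // 2. No sideloading onto the managed device.
        dpm.addUserRestriction(admin, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
        // 3. Runtime permissions for managed apps are decided by the admin, not prompted.
        dpm.setPermissionPolicy(admin, DevicePolicyManager.PERMISSION_POLICY_AUTO_GRANT);
        // 4. Pin one permission grant. Android 12 and later may refuse admin grants of
        //    sensor permissions such as location unless the device was provisioned with
        //    that opt-out, so the boolean result has to be checked rather than assumed.
        return dpm.setPermissionGrantState(
                admin,
                managedAppPackage,
                Manifest.permission.ACCESS_FINE_LOCATION,
                DevicePolicyManager.PERMISSION_GRANT_STATE_GRANTED);
    }

    /** Audit helper: reports whether the expected restrictions are actually in force. */
    public boolean restrictionsInForce() {
        UserManager um = context.getSystemService(UserManager.class);
        return um.hasUserRestriction(UserManager.DISALLOW_CONFIG_LOCATION)
                && um.hasUserRestriction(UserManager.DISALLOW_SHARE_LOCATION)
                && um.hasUserRestriction(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
    }
}
```

Two caveats follow from the thread itself. First, this is the device-owner surface; a profile owner of a work profile gets a narrower set of restrictions, and, as the replies explain, work-profile enrolment that expects Play services to appear automatically is where things break on GrapheneOS. Second, the example covers only AOSP policy; whether GrapheneOS's own per-app Network toggle is governed by these device-owner policies is not something this thread establishes, so an administrator would need to verify that on an actual enrolled device rather than assume it.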