I have several questions regarding using GrapheneOS with MDM.

Most Android devices can be enrolled into MDM during the initial boot after a factory reset (by tapping the screen, etc.). This type of enrollment usually (always?) yields a fully managed "Work Managed Device" appropriate for corporate ownership. This is different from enrollment in MDM in "Work Profile" mode, which is more appropriate for a BYOD scenario.

Question 1
It does not appear that GrapheneOS supports enrollment in MDM during the initial boot after factory reset. Is this correct?

Question 2
Does GrapheneOS support full management via MDM (Work Managed Device, or the less common COPE mode), and if so, how is this accomplished?

I have attempted to enroll a Pixel 6 with GrapheneOS into WorkspaceONE using various methods but always seem to fail at some point. I have tried with regular, legacy, and AOSP modes without success. To note, WorkspaceONE relies heavily on their own app (which can be sideloaded) for enrollment and MDM management.

Question 3
Is there any support for MDM enrollment in GrapheneOS or a list of MDMs which are/are not compatible?

To note: we do not have a Managed Google Play account.

TL;DR
We like GrapheneOS for a secure/minimal solution but also like MDM management for fleet management and configuration. It seems GrapheneOS cannot be used with at least some MDM solutions, but we're wondering if we're missing anything.

2 years later

OK, I know this is an old topic, but it's the first that appears when searching for work profile.
I managed to enroll to managed MDM with a workaround.
Answer to Q1 is NO. You would need to have gapps installed first, so not possible.
Answer to Q2 is YES. I tried a couple of methods with creating a Shelter profile, installing sandboxed gapps and enrolling, but it didn't work. So, quick steps to achieve it (BTW, I enrolled to Google Workspace):

  1. Install the ROM.
  2. Enable developer options and ADB, install gapps (maybe installing Device Policy or another MDM app will also help at this point).
  3. Log in to your managed account.
    Here, during this process, Google crashed in the middle, but it started to create the work profile. I paused in the middle while there was a "next" button.
  4. Connect to a PC, use adb shell, install gapps to profile 10 (work)
    (maybe some are not required, but it worked for me):
    pm install-existing --user 10 app.grapheneos.gmscompat
    pm install-existing --user 10 app.grapheneos.gmscompat.lib
    pm install-existing --user 10 app.grapheneos.gmscompat.config
    pm install-existing --user 10 com.google.android.gms
    pm install-existing --user 10 com.android.vending
  5. Continue enrollment.
  • de0u replied to this.
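
The reply above hardcodes user 10 for the work profile. The following is an added example, not part of either post: it reads `pm list users` output, finds the managed profile by AOSP's `FLAG_MANAGED_PROFILE` bit (0x20) and prints the same `pm install-existing` commands for that id. The function names are hypothetical and the sample output is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Packages the reply installs into the work profile (copied from the post).
PACKAGES="app.grapheneos.gmscompat
app.grapheneos.gmscompat.lib
app.grapheneos.gmscompat.config
com.google.android.gms
com.android.vending"

# Constructed sample of `pm list users` output (not captured from a device).
# Format is UserInfo{<id>:<name>:<flags in hex>}.
SAMPLE='Users:
    UserInfo{0:Owner:c13} running
    UserInfo{10:Work profile:1030} running
    UserInfo{11:Guest:404}'

# Read `pm list users` output on stdin; print the ids of managed (work)
# profiles, i.e. users whose flags have AOSP's FLAG_MANAGED_PROFILE (0x20) set.
managed_profile_ids() {
    sed -n 's/.*UserInfo{\([0-9][0-9]*\):.*:\([0-9a-fA-F][0-9a-fA-F]*\)}.*/\1 \2/p' |
    while read -r id flags; do
        if [ $(( 0x$flags & 0x20 )) -ne 0 ]; then
            echo "$id"
        fi
    done
}

# Read `pm list users` output on stdin; print one install-existing command
# per package for every managed profile found. Nothing is executed.
plan_installs() {
    for id in $(managed_profile_ids); do
        for pkg in $PACKAGES; do
            echo "pm install-existing --user $id $pkg"
        done
    done
}

# Demo on the constructed sample. On a real device, feed it live output:
#   adb shell pm list users | plan_installs
printf '%s\n' "$SAMPLE" | plan_installs
```

If no managed profile is listed, nothing is printed, which indicates the work profile was not created at step 3.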