Self-Hosted Mobile Device Management

Sovereignty over every device, that you hand out.

ShadowZ MDM manages your Android fleet on your server, under your domain name, without a vendor reading along in the middle. Including active hardening against IMSI catchers, UWB and NFC tracking.

Pay once. Run it yourself. No recurring fees.

panel.your-domain.com
42 devices
Pixel 8 — Research
active
Pixel 7a — Field work
active
Pixel 8 — Law office
locked
Pixel 7 — Reserve
active

The problem

Whoever controls your MDM controls your fleet.

Cloud MDMs read along

Hexnode, Scalefusion, Intune, JumpCloud. They all run in the provider cloud. Every configuration, every command, every location log passes through their servers. You are trusting a second vendor with access to your devices.

Subscription model with lock-in

50 to 80 euros per device per year. With 30 devices over 5 years that quickly becomes 10.000 euros for management software. Cancelling means migration under time pressure and re-enrolling every device.

Tracking built in

Standard solutions block neither the 2G downgrade (IMSI catcher), nor UWB tracking, nor passive NFC reading. Anyone who chooses GrapheneOS to avoid tracking gets surveillance through the back door from cloud MDMs.

The solution

Three properties no cloud MDM can offer you.

01

Data sovereignty

The server runs on your hardware, under your domain name, with your TLS certificate. Postgres, Redis, the MDM core. Three Docker containers. Nobody but you has access to the database with the configurations, the enrolled devices, the audit logs.

02

Anti-surveillance hardening

Enabled per configuration: 2G block against IMSI catchers, UWB and NFC radios fully off, Thread mesh blocked, Bluetooth contact sharing off, location service hard off. Plus lock screen hardening, auto wipe after failed attempts, app install block.

03

Lifetime license

Buy once. Updates included. No device limits in the Lifetime tier. If the world shuts down the license server tomorrow, your MDM keeps running because the token is validated offline. No kill switch.

Features

Four topic areas, no marketing fluff.

Every entry maps to a concrete function in the product. If you miss something, ask us before you buy.

01

Anti-tracking

  • Block 2G mobile (IMSI catcher protection, Android 14+)
  • Disable UWB radio (FindMy style tracking, Android 14+)
  • NFC radio off (passive tag tracking, Android 14+)
  • Block Thread mesh network (Android 15+)
  • Bluetooth contact sharing off
  • Disable location service system wide
  • Block airplane mode toggle (forensically relevant)
02

Control

  • Kiosk mode: only one app visible
  • App whitelist: Required plus Allowed per configuration
  • Configuration profiles, assigned to a group or a device
  • Remote Lock, Reboot, Wipe (with confirmation)
  • Password policy in five levels, from PIN to 12+ alphanumeric
  • Force password change on next unlock
  • Manage wallpapers centrally
03

Observability

  • Live heartbeat every 30 seconds, online or offline in the panel
  • Crash reports uploaded automatically, stack trace plus logcat tail
  • On demand log snapshots, 2 to 5 seconds round trip
  • Audit log of all admin actions, BEFORE trigger against tampering
  • Network and security logging optionally enabled
  • Lock screen support message: owner notice on every device
04

Security

  • mTLS between agent and server, your own internal CA
  • Postgres Row Level Security, fail closed on a forgotten tenant filter
  • TOTP 2FA for admin login with recovery codes
  • CSRF protection, HSTS, Content Security Policy
  • AES-256-GCM encrypted backups via gpg, 600k PBKDF2 iterations
  • CA key on disk encrypted with a passphrase
  • License JWT at rest encryption

In preparation

The ShadowZ Phone.

A preconfigured Pixel 9a built on GrapheneOS, shipped with active DeviceOwner status and the ShadowZ MDM agent already enrolled. Unbox it, scan the license QR code, done.

  • GrapheneOS hardened, Verified Boot active, bootloader locked
  • Works exclusively with ShadowZ MDM. No compatibility with cloud MDMs.
  • Anti-tracking policy from the factory: 2G blocked, UWB and NFC off, sensor toggle preconfigured
  • Pixel 9a hardware with Titan M2 security chip
Note: The ShadowZ Phone requires an active ShadowZ MDM instance. Both products are purchased separately. The Lifetime plan of the MDM does not include phone hardware.
ShadowZ Phone: setup wizard built on GrapheneOS, first step with ShadowZ branding
MDM agent
enrolled ✓

Pricing

One license for your entire fleet.

All prices include VAT. Payment by bank transfer or Bitcoin. Activation usually within 24 hours.

Monthly

€199 per month

For evaluations and shorter deployments.

  • Up to 50 devices
  • All features
  • Email support
  • Cancel any time
Start monthly

Yearly

€999 per year

For established installations with a fixed device count.

  • Up to 500 devices
  • All features
  • Prioritized support
  • 12 month commitment
Buy yearly
Recommended

Lifetime

€2.999 one time

For operations that run the MDM permanently in their own stack.

  • Unlimited devices
  • All features, all future updates
  • Direct support channel
  • No subscription, no auto renew, no kill switch
Secure Lifetime

For enterprise licenses with more than 1000 devices or on-premise setups with air gap, contact us directly: sales@shadowz.live.

Technical data

On your server, your stack, your rules.

Server stack
Docker Compose. Postgres 16, Redis 7, Go binary, Caddy or nginx as the TLS frontend.
Minimum hardware
4 GB RAM, 2 vCPU, 20 GB disk. Enough for several hundred devices.
Domain plus TLS
Your own hostname. Let's Encrypt via Caddy automatically, or your own certificate.
Database
Postgres with Row Level Security. Encrypted backups via the integrated tool (gpg, AES-256-GCM).
Auth
JWT with access and refresh token, TOTP 2FA for admins, mTLS between agent and server.
Update model
Docker image pull. No automatic update, you decide when.
OS compatibility
Android 9 to Android 16. Full feature set only as DeviceOwner. GrapheneOS recommended.
Languages
English, German, French, Spanish, Italian, Portuguese.
License model
Signed JWT from license.shadowz.live, validated offline. If the license server fails, your MDM keeps running.
Source code
Proprietary. Full architecture documentation on request. Audit right for Lifetime customers.

Frequently asked

What we get asked the most.

What servers does the MDM run on?
On yours. You install it with a shell script on a VPS, a dedicated machine or in your own data center. We recommend Hetzner, OVH, a Strato root server or a machine in your own rack. ARM and x86_64 are supported.
Is this GDPR compliant?
You are the data processor, you decide where your servers stand and how you secure them. We deliver the tool. The software stores audit logs, crash reports and configurations exclusively on your server. No telemetry data is sent to us.
How does this relate to HeadwindMDM?
HeadwindMDM is an older open source MDM solution. ShadowZ MDM is a commercial product with a focus on current anti-surveillance functions (wave 4 restrictions such as 2G block, UWB off, NFC off), a modern tech stack (Go, Next.js, Postgres with RLS), six languages and commercial support.
What happens if you stop operating?
The license token is validated offline and is valid for 60 days per cycle. If the license server is unreachable for longer, the MDM keeps running in a read only mode, new devices can be enrolled, existing ones run unchanged. In an emergency we publish a guide to license deactivation so you can run the product without us.
Do I get the source code?
Standard licenses do not receive source code. Lifetime customers have an audit right: after signing a contract with a confidentiality agreement they receive read only access to the repository for security audits. We do not plan to open source it.
Does this scale to thousands of devices?
The database is Postgres with Row Level Security. The heartbeat is every 30 seconds, the server keeps open WebSocket connections for every online device. On an 8 vCPU machine with 16 GB RAM we have tested up to 5000 devices. For larger fleets contact us for an architecture assessment.
Which Android versions are supported?
Android 9 to Android 16. The anti-tracking features need Android 14 (2G, UWB, NFC) or Android 15 (Thread). On older versions these toggles are disabled, the rest works. GrapheneOS is especially recommended because the hardening there works with the MDM instead of against it.
Can I migrate from another MDM?
Yes, but it is a manual process. Every device must be re-enrolled because the DeviceOwner status is not transferable between MDMs. We support the configuration migration via a script for Hexnode, Scalefusion and HeadwindMDM. For larger fleets we accompany the migration.

Still have a question? Write to hello@shadowz.live .