In preparation

A phone that gives nothing away about you.

The ShadowZ Phone is a Pixel 9a built on GrapheneOS, shipped with a hardened system, a locked bootloader and the ShadowZ MDM agent already enrolled. Unbox it, scan the license QR code, done.

Request now How it works

GrapheneOS hardened. Verified Boot active. Titan M2 security chip.

ShadowZ Phone: setup wizard on GrapheneOS with ShadowZ branding
MDM agent
enrolled ✓
GrapheneOS Verified Boot Bootloader locked Titan M2 DeviceOwner from the factory

The problem

Your phone works against you.

A new Android or iPhone phones home from the moment you switch it on. Location, contacts, app usage, all of it flows to corporations.

Advertising IDs, silent background services and 2G fallbacks turn every device into a beacon without you noticing.

Anyone trying to secure devices for a team fights cloud MDMs that see the very data they are supposed to protect.

Features

Privacy from the first power-on.

No after-the-fact configuration, no hobby ROM. The device arrives in a secure state and stays there.

GrapheneOS hardened

Hardened kernel, hardened memory allocators, Verified Boot. No forced Google Play, sandboxing for everything you install.

MDM enrolled from the factory

The ShadowZ MDM agent is preinstalled with DeviceOwner status. You manage policies centrally without setting up the device first.

Anti-tracking policy

2G blocked, UWB and NFC off, sensor toggle preconfigured. The radio surfaces that can locate you are closed from the factory.

Pixel 9a hardware

Titan M2 security chip, Verified Boot anchored in hardware, long-term security updates. A solid base instead of exotic hardware.

No account, no cloud

No Google account required, no telemetry, no silent sync. What stays on the device stays on the device.

Full control

You or your administrator decides what runs. Apps, networks, radios and permissions are managed centrally and transparently.

The foundation

Built on GrapheneOS.

GrapheneOS is the most hardened Android there is. It removes the Google dependencies, closes entire classes of attacks and hands control back to the owner. The ShadowZ Phone builds on it and adds management that is ready to use.

You get the security of a self-flashed GrapheneOS device without having to flash, enroll or configure anything yourself.

  • Verified Boot checks the entire system chain on every start. Tampering is caught immediately.
  • Bootloader locked, rollback protection active. Nobody quietly installs an older, vulnerable system.
  • Hardened memory management and a strict app sandbox. A compromised app does not reach the system.
  • Updates come straight from the GrapheneOS base, extended by the ShadowZ configuration.

How it runs

Three steps to secured.

01

Unbox

The device arrives sealed, with hardened GrapheneOS and a locked bootloader. Switching it on is enough.

02

Scan the license QR

You connect the phone to your ShadowZ MDM instance by scanning the license QR code. Nothing more is needed.

03

Done

The policies load, the agent checks in, the device is secured and ready to use.

Hardware

What is inside.

Model
Google Pixel 9a
Operating system
GrapheneOS with ShadowZ configuration
Security chip
Titan M2, Verified Boot in hardware
Bootloader
Locked, rollback protection active
Management
ShadowZ MDM agent as DeviceOwner, enrolled from the factory
Radios from the factory
2G blocked, UWB off, NFC off
Sensors
Sensor toggle preconfigured
Accounts
No Google account required, no telemetry

Good to know

The ShadowZ Phone works exclusively with ShadowZ MDM.

Full control over the device comes from the interplay of hardware and your ShadowZ MDM instance. Without an active MDM instance the phone cannot be brought into the managed state. There is deliberately no compatibility with cloud MDMs.

  • Both products are purchased separately.
  • The Lifetime plan of the MDM does not include phone hardware.
  • ShadowZ MDM is self-hosted, your data never leaves your instance.
More about ShadowZ MDM

Questions

Frequently asked.

Do I need technical knowledge to use the device?

No. The phone arrives fully hardened and enrolled. To connect it to your MDM instance you scan a QR code, that is all. Day to day it feels no different from an ordinary Android.

Does the phone work without ShadowZ MDM?

Not in the managed state. Central control over apps, radios and policies only comes from an active ShadowZ MDM instance. That is exactly the purpose of the device.

Can I install my own apps?

Yes, within the policies that you or your administrator define. GrapheneOS sandboxes every app. What is allowed is decided centrally.

Is my data stored anywhere?

On the device and in your own MDM instance. ShadowZ MDM is self-hosted. There is no ShadowZ cloud that sees your data.

Do I get security updates?

Yes. Updates come from the GrapheneOS base and are extended by the ShadowZ configuration.

When is the ShadowZ Phone available?

The device is in preparation. Register your interest and we will get in touch as soon as the first devices ship.

Secure one of the first devices.

The ShadowZ Phone is in preparation. Register your interest and we will get in touch as soon as the first batch ships. No prepayment, no obligation.

Register interest View ShadowZ MDM

Write to us directly at phone@shadowz.live. No trackers, no sharing.