Back last year the topic of alternative Android OS's came up, and I popped it on my never-ending list of things to dabble with.

Today I figured I'd take the plunge, eyes-closed, and see what I could do.

I flashed GrapheneOS (/e/ isn't yet supported on the Pixel 7a) and had a poke around.

Obviously there's no Google Set up Wizard (SUW) and so immediately on first boot I had no means of initiating a QR scan, zero-touch,.. provisioning was out of the question.

ADB is available (after enabling it) after setup completes, and TestDPC attained Device Owner with ease via a single command. From some light testing all of the on-device APIs for AE worked as intended.

I was also able to spin up a work profile through TestDPC and Shelter, and both worked in the testing I was doing, so cool.

Things took a turn when I started trying to shoehorn Android Device Policy into the mix. ADP appears to require a permission set much wider than that of what GrapheneOS will offer through their GMS sandbox, even with Google Play Services and the compatibility layer running atop, and while I got AMAPI all the way through to registering the token for a work profile (the WP was created, apps were populated from system) it ultimately failed in talking to the AMAPI backend with an authorisation error I wasn't able to get around.

Similarly, setting ADP as DO via ADB still had it asking for a token (expected), but then it behaved as if it's running on an already setup device, and would only attempt to provision a work profile.

Graphene do say, explicitly, AMAPI isn't supported; this was a year+ ago though so figured it was worth a look.

I'm sure AOSP/closed enrolment through EMM vendors that support it would work great given the basic API & functionality is there without Google services atop.

This was interesting, either way. I'll try /e/OS next once I find a supported device in my arsenal :)

• 25/365

#androidenterprise