01
PRE-LOADED
Mission-Loaded
Ships with ATAK, licensed plugins, encrypted comms, and every mission-critical application pre-installed. Power on and operate.
Pixel 9a / GrapheneOS
Pixel 9a – Fully De-Googled with GrapheneOS
The Pixel 9a is delivered fully de-googled and configured with GrapheneOS for enhanced privacy, hardened security, and full control over your software environment.
This device is prepared out of the box for users who prioritize security-first architecture and the flexibility of open-source software, while maintaining compatibility with essential applications through secure sandboxing.
Why GrapheneOS on the Pixel 9a?
GrapheneOS is a security-focused, open-source operating system designed to provide strong isolation, advanced exploit mitigations, and granular permission management — without compromising usability.
Benefits Over Standard Smartphones
User Privacy
GrapheneOS reduces data collection and removes proprietary Google services by default. Users maintain meaningful control over network access, permissions, and background processes.
Hardened Security
The OS incorporates enhanced memory protections, attack surface reduction, and strict app sandboxing to significantly lower vulnerability to malware and privilege escalation.
Transparency
As an open-source project, the codebase is publicly auditable, reinforcing trust through transparency.
Granular Control
Users can tightly manage:
-
Network access per application
-
Sensor access (camera, microphone, etc.)
-
Background activity
-
Storage permissions
-
Compatibility mode for exploit protections
Closed-source applications can run inside isolated sandboxes without compromising overall system integrity.
Operational Notes
While GrapheneOS substantially improves security and privacy posture, no system can guarantee absolute protection. Maintaining digital security depends on:
-
Keeping the OS updated
-
Using strong, unique passphrases
-
Carefully vetting applications
-
Applying strict permission controls
-
Practicing disciplined OPSEC
Device & Privacy Policy
-
The device ships with no additional applications installed by GoTAK, unless explicitly selected.
-
We do not retain or store any PII, IMEI, serial numbers, or identifying device information related to your purchase.
-
In-person purchase arrangements are available at our office upon special request.
We do not sell consumer VPN services, cloud backup solutions, or third-party data protection subscriptions. These services should be independently vetted and selected by the end user according to their specific operational requirements and threat model.
Please conduct proper due diligence with any OPSEC-related matter.
GoTAK is an authorized Google hardware partner.
DEPLOYED BY
SOF
Law Enforcement
SAR
Defense Contractors
Public Safety
Why not a stock tablet?
A consumer device shares everything by default. The EUD V3 is built to share nothing — unless you decide otherwise.
Google Telemetry
STOCK PHONE
Active by default
PIXEL TABLET
Zero Google dependency
Modem Access
STOCK PHONE
Direct memory access
PIXEL TABLET
Hardware-isolated from OS
Under Duress
STOCK PHONE
No safe exit
PIXEL TABLET
Duress PIN wipes all keys
App Permissions
STOCK PHONE
Broad defaults
PIXEL TABLET
Per-app network & sensor control
Forensic Resistance
STOCK PHONE
Expanded attack window after unlock
PIXEL TABLET
Auto-reboot to locked state
Mission Software
STOCK PHONE
Manual install required
PIXEL TABLET
ATAK + plugins pre-loaded
| FEATURE | STOCK PHONE | PIXEL TABLET |
|---|---|---|
| Google Telemetry | Active by default | Zero Google dependency |
| Modem Access | Direct memory access | Hardware-isolated from OS |
| Under Duress | No safe exit | Duress PIN wipes all keys |
| App Permissions | Broad defaults | Per-app network & sensor control |
| Forensic Resistance | Expanded attack window after unlock | Auto-reboot to locked state |
| Mission Software | Manual install required | ATAK + plugins pre-loaded |
Your threat model is your baseline.
Consumer phones defend against opportunistic malware. The EUD V3 defends against targeted exploitation, post-compromise persistence, and physical coercion.
Security isn't a feature. It's the architecture.
THE THREAT
Your phone is exposing you.
Zero-click exploits. Silent network signaling. Baseband-level attacks. Every app you install widens the attack surface.
GRAPHENEOS RESPONSE
Sandboxing
GrapheneOS enforces strict application sandboxing — each app operates in its own isolated environment, restricted from interacting with other apps or accessing sensitive system resources without explicit user consent.
- All apps run in isolated sandbox environments.
- Compromised apps cannot access external resources or memory.
- Compatibility layer runs Google Play Services inside the sandbox — no elevated privileges.
THE THREAT
The cellular modem is a black box.
Cellular modems operate outside the OS using closed-source firmware blobs, independent execution environments, and persistent network exposure when enabled.
GRAPHENEOS RESPONSE
Hardware Isolation
The EUD V3 treats the modem as untrusted hardware. On most phones, the modem is inherently trusted with direct memory access.
- Hardware-isolates the cellular modem from the application processor.
- Prevents modem access to OS and app memory.
THE THREAT
The classic $5 wrench attack.
Security often fails under physical pressure. Users may be coerced to unlock devices. Biometric access can be forced. Standard locks offer no safe exit.
GRAPHENEOS RESPONSE
Duress PIN
GrapheneOS is designed for real-world hostile scenarios — both digital and physical. A pre-configured duress PIN triggers an irreversible process that destroys all hardware keystore keys, disk encryption keys, and eSIMs, then shuts down the device.
- Duress PIN entry immediately wipes all user data under coercion.
- Renders all encrypted data permanently inaccessible.
THE THREAT
Forensic extraction after unlock.
Once unlocked, most phones become significantly easier to extract data from. Commercial forensic tools can access active memory, capture running services, and exploit the expanded post-unlock attack window.
GRAPHENEOS RESPONSE
Auto-Reboot State Control
The EUD V3 reduces After-First-Unlock (AFU) exposure — the window where decryption keys live in memory.
- Automatic reboot intervals return the device to a locked state.
- Rapid return to Before-First-Unlock (BFU) — the safest device state.
- Reduced persistence opportunities for forensic tools.
THE THREAT
Your apps are reporting back.
Default smartphone permissions grant apps broad access to microphones, cameras, GPS, and network connectivity. Most users never audit these permissions. Apps routinely collect and transmit data beyond their stated function.
GRAPHENEOS RESPONSE
Granular Permissions
GrapheneOS provides per-app control over network connectivity, file access, and every device sensor. Disable an app's ability to connect to the internet or access sensors like the microphone and accelerometer entirely.
- Per-app network access toggles — block any app from reaching the internet.
- Sensor access controls for microphone, camera, accelerometer, and GPS.
- Prevents unauthorized data collection or transmission.
01 / 05
Hardened from chip to app.
TRUST ROOT ↓
↑ USER SPACE
01
LAYER DETAIL
HARDWARE
The Pixel Tablet ships with the Titan M2 security chip — hardware-backed key storage, verified boot chain, and a tamper-resistant secure element. All cryptographic operations are isolated from the main processor.
Operational on first boot.
Power on and operate. Every device ships with the mission stack already loaded — no configuration, no licenses to chase, no setup time.
02
INTEROPERABLE
Radio Agnostic
Interfaces with any mesh radio — TrellisWare, Silvus, goTenna, and Beartooth. One device, every network.
03
GLOBAL
Carrier Unlocked
Any global carrier. Dual SIM and eSIM support. No MVNO restrictions.
04
MDM READY
WARDEN MDM
Single QR-code enrollment for full device management. Push policies, deploy apps, and lock devices fleet-wide from one console.
Utilized by tier 1 operators, military personnel, law enforcement, public safety officials, search and rescue teams, and forward-thinking civilians worldwide.
FLEET MANAGEMENT
One console. Every device. In ~3 seconds.
Stock MDMs were built for office workers. WARDEN was built for operators — deployed on GrapheneOS EUDs where a misconfigured device is a mission liability. Push policy, issue commands, lock or wipe any device in the fleet from a single console. Pre-loaded on every EUD V3. Included with every TAK OS subscription.
~3s
Command Delivery
60s
Default Heartbeat
1 QR
Full Enrollment
∞
Device Scale
Core Capabilities
01
POLICY
Push Policy
Drag a policy onto a device or group. Every enrolled device picks up the new config — apps, certs, restrictions, VPN — on next heartbeat. No USB cable. No IT ticket.
02
LOCKDOWN
Kiosk Mode
Lock any device to a single app for mission deployment. One app, no exit without an admin password. The EUD becomes a dedicated tool — ATAK only, nothing else.
03
SILENT
Silent App Install
Push ATAK, plugins, certs, and mission configs to every device in the fleet — no user prompts, no app store, no physical access. Upload an APK once, assign to thousands.
04
GROUPS
Fleet Hierarchy
Organize devices into nested groups — All Devices → Field Teams → Alpha Team. Each level inherits or overrides policy. One change at the top propagates down through the entire structure.
05
HARDENED
GrapheneOS-First
Policy presets engineered for the EUD V3 GrapheneOS stack. Knox-safe debloat removes unwanted vendor apps without breaking attestation. Pre-loaded and pre-licensed on every EUD V3.
06
COMPLIANCE
Audit Trail
Every enrollment, command, policy change, and token generation logged in chronological order. Filterable by device or action type. The compliance-grade chain of custody government procurement requires.
Enrollment Modes
MODE 01
Recommended
Device Owner
Full MDM. Factory-reset the device, scan a QR on the welcome screen. The launcher installs as Android Device Owner — you get everything.
- 1 Factory-reset the Android device (or unbox new hardware)
- 2 On the welcome screen, tap the blank area 6× — Android opens the hidden QR scanner
- 3 Generate an enrollment token in WARDEN, pre-bind a policy and group
- 4 Scan — launcher downloads, installs as device owner, auto-enrolls
Unlocks
Kiosk mode · Silent install/uninstall · Camera & USB disable · Screenshot block · Force encryption · Wi-Fi & VPN restrictions · File push · Full location reporting
MODE 02
BYOD / Lite
Device Admin
Lite MDM. Install the WARDEN launcher APK on an existing device — no factory reset required. Right for BYOD scenarios or when resetting isn't an option.
- 1 Install the WARDEN launcher APK via adb or download link
- 2 Open the app, enter server URL and an enrollment token
- 3 Device enrolls and begins checking in on every heartbeat
Available
Policy push · App catalog · Remote commands · Audit trail · Group assignment · Location reporting
Remote Commands
Issue a command. Device responds in ~3 seconds.
~3s delivery
Lock
Locks the screen immediately. Device requires auth to re-enter.
Reversible
Reboot
Restarts the device. Returns to locked BFU state on startup.
Reversible
Ring
Plays a loud alarm to locate a misplaced or lost device.
Reversible
Location
Forces the device to push its current GPS position immediately.
One-Shot
Unlock
Exits kiosk mode or unlocks the device screen remotely.
Reversible
Wipe
Factory-reset. Destroys all keys, certs, and case files. Confirmation required.
Irreversible
CORTEX Integration
The AI layer reads every heartbeat.
CORTEX, the TAK OS cognitive layer, pulls live device state from the Redis heartbeat feed. Battery, location, network, app status — available to the AI in real time. No other MDM product ships this.
Which Alpha Team devices are below 30% battery right now?
Overwatch Integration
Every device appears on the map.
Enable Push-to-TAK in policy and device positions stream into TAK Server as CoT contacts — visible on Overwatch alongside human EUDs. Your WARDEN fleet and your ATAK operators share the same common operating picture.
Bravo Team devices on Overwatch — no ATAK required on the management console.
Built to operate.
Hardware, software, procurement, and lifecycle — the field-ready details.
Boot, log in, operate. Every unit ships fully provisioned: ATAK, plugins, encrypted comms, VPN, SDR, and mesh stacks ready on first power-on.
No Google account. No setup wizard. No configuration required.
Hardened Android — open-source, maintained on an accelerated patch cycle independent of Google.
- Hardware-isolated cellular modem.
- Per-app network and sensor permissions.
- Duress PIN triggers full key + data wipe.
- Sandboxed Play Services with zero elevated privileges.
- Verified boot chain anchored to the Titan M2 chip.
Private TAK server provisioned at the factory and pre-paired with each device. Admin credentials are issued before the kit ships.
Five-unit field kits include three months of TAKOS at no charge. Federate, scale, or self-host on request — no infrastructure standup required.
NDAA Section 889 compliant. No banned-vendor components in the chip set, modem, or RF chain.
- TAA-compliant configurations for DoD, federal, and allied procurement.
- GSA-eligible kits available on request.
- Documentation packs (DoCs, BoMs, CoCs) available for contracting officers.
Factory-direct from Virginia Beach. Two-business-day standard ship. Expedited military procurement available.
Volume pricing at 10+ units. Custom kits scoped, sourced, and shipped to spec.
sales@getgotak.com · (757) 910-0259
BULK ORDERS & MILITARY QUOTES
Need 10+ units?
Contact our sales team for volume pricing, NDAA-compliant configurations, and custom deployment packages.
NEXT STEP
Deploy with confidence.
NDAA compliant. Ships in 2 business days. For bulk orders and military quotes, contact sales directly.
Ships in 2 business days
NDAA compliant
Carrier unlocked
