01 · The Problem
OEMs participating in regulated device financing, carrier subsidy, or sovereign fleet deployments face a structural lock-in problem. The major options are: (1) become a Google Android Enterprise certified partner, (2) bundle Knox (Samsung-only), or (3) integrate Trustonic SDK. Each comes with substantial integration cost and ongoing dependency on the substrate vendor.
Google's certified partner program is gated by Google. Knox is Samsung-only and limits portfolio diversification. Trustonic requires Trustonic SDK integration and routes through Trustonic infrastructure for attestation and lock decisions. None of these models allow the OEM to ship devices with reset-resistant device control built directly on the public AOSP DevicePolicyManager APIs, without a third-party SDK or partner program in the data path.
For an OEM shipping to LATAM markets where carrier subsidy and BNPL financing programs are major distribution channels, the requirement is increasingly clear: ship Cipher-equivalent device control as a stock factory configuration, integrate directly with the financing or subsidy partner's policy server, and avoid Google or Samsung certification dependencies in the data path.
02 · Lockia's Approach
Factory-installed Cipher DPC. Lockia provides the Cipher DPC binaries and integration manifest for OEM imaging pipelines. Cipher DPC activates as Device Owner at first boot, requiring no QR enrollment, no end-user setup wizard, and no retail-side configuration. The device ships from the factory already in a sovereign-managed state, ready to receive policy from the OEM's downstream partner at activation.
AOSP-based, no Google certification required. Cipher DPC is built on the public AOSP DevicePolicyManager APIs. It does not require the OEM to participate in Google's Android Enterprise certified partner program. The OEM ships devices with Cipher pre-installed regardless of Google's roadmap for the AMAPI surface or which vendors hold partner-program status in a given quarter.
Lockia controls the DPC layer directly. Unlike PayJoy or Trustonic — both of which build wrappers or SDKs on top of third-party DPC architectures — Lockia owns the device-side control plane. There is no second vendor in the device-state-to-policy-decision path. When a downstream partner sends a lock command, it reaches the OEM's device through Lockia's command channel without traversing another vendor's infrastructure.
For OEMs that have already shipped devices into the market without pre-installation, Lockia operates Zeno — a provisioning channel that activates Cipher on existing devices via remote provisioning rather than requiring factory return. Zeno is the upgrade path for OEMs adopting Cipher mid-product-lifecycle.
03 · How It Works
End-to-end OEM integration typically runs four to eight weeks depending on the OEM's imaging pipeline maturity. No Google certification cycle. No Samsung Knox licensing. No Trustonic SDK contract. The OEM's commercial relationship is directly with Lockia.
Engineering kickoff
Lockia provides Cipher DPC binaries, signing keys, and integration manifest under a direct OEM commercial agreement. No third-party SDK licensing.
Imaging pipeline integration
OEM bundles Cipher DPC into the factory image alongside standard system applications. Integration typically completes within four to eight weeks depending on pipeline maturity.
First-boot activation
Cipher DPC enrolls as Device Owner before the device leaves the factory. Hardware-attested identity established. Device ships in sovereign-managed state.
Commercial registration
Lockia issues an OEM tenant identifier. Downstream partners (financing, carrier, fleet) bind their policy server to the OEM tenant at customer activation.
Production shipment
Devices arrive at retail or distribution already Cipher-enrolled. Activation at the partner's policy server completes the deployment — no retail-side enrollment friction.
04 · Compared To
Architectural facts. Trustonic requires Trustonic SDK integration. Knox is Samsung's in-house architecture, Samsung-only. Google DLC is Google's certified-partner program. The comparison reflects what each architecture commits the OEM to, not how each vendor positions.
| Lockia | Trustonic | Knox | Google DLC | |
|---|---|---|---|---|
| Architecture | Sovereign UEM (AOSP DPC, direct OEM) | SDK integration (third-party in path) | Samsung-only, Samsung-managed | Google certified partner program |
| OEM scope | Any Android Enterprise OEM | OEMs willing to integrate Trustonic SDK | Samsung handsets only | Google-certified devices only |
| Certification dependency | None — direct OEM agreement | Trustonic SDK licensing | Samsung internal | Google partner program gating |
| DPC ownership | Lockia (full control of device-side plane) | Trustonic (third-party in path) | Samsung (Knox-controlled) | Certified integrator |
| Customer data path | Lockia-hosted, customer-region | Trustonic cloud + Google | Samsung cloud | Google + certified integrator cloud |
05 · Deployment Patterns
Anonymized patterns from OEM integrations. Specific manufacturer names, SKU portfolios, and confidential partnership terms are omitted; the patterns are detailed enough to be credible without identifying the OEM.
A Chinese OEM shipping to LATAM markets. The OEM ships budget-tier Android handsets through carrier subsidy and retail financing channels in Mexico, Colombia, and Peru. After integrating Cipher DPC at the factory, the OEM offers downstream financing partners reset-resistant device control as a stock SKU feature, without requiring per-customer custom imaging. The integration eliminated the prior per-partner custom-image proliferation, which had been a sustained engineering cost.
A regional Android OEM bundling Lockia with operator channel programs. The OEM partners with three LATAM Tier-2 operators on subsidized handset distribution. Cipher pre-installation eliminates the QR enrollment step at the carrier distribution warehouse, accelerating the warehouse-to-retail timeline from forty-eight hours to under eight. The operator partners report reduced first-touch enrollment friction in entry-level prepaid segments where customer self-service capacity is limited.
An emerging-market device manufacturer building Cipher into a new product line. The manufacturer's product roadmap targets sovereignty-conscious public-sector buyers in Latin America. Cipher's AOSP-only architecture matches the procurement requirement — no Google certification dependency in the device control path — making the product line viable for public-sector buyers that disqualify AMAPI-built device fleets at procurement evaluation.
06 · One of Many
OEM pre-configuration is the device-side foundation for every downstream Sovereign UEM deployment. The same factory-installed Cipher DPC supports device financing programs, carrier subsidy contracts, public-sector fleet operations, and any other vertical that consumes the OEM's hardware. The OEM's commercial relationship with Lockia is once; the downstream verticals are the partner ecosystem the OEM unlocks.
For an OEM evaluating the architecture: the engineering investment is shared across all downstream channels. A single Cipher-enabled product line serves financing, subsidy, and public-sector procurement simultaneously — without per-vertical certification cycles or per-channel SDK integration. One factory integration. Multiple downstream partner relationships.