Open Source MDM
Device management is one of the most invasive things you can install - it can push policy, read inventory, and wipe a phone remotely, which means the agent on every device has near-total authority over it. The open source platforms here let you see exactly what that agent can do and run the management server yourself, so the power to enroll, configure, and erase your fleet stays inside your own infrastructure rather than a vendor's.

Fleet
Open MDM platform for managing, updating, and securing devices across every OS

MicroMDM
Mobile Device Management server for Apple devices with an API-first workflow

NanoMDM
Minimal Apple MDM server and library with MySQL and PostgreSQL backends

Headwind MDM
Open source mobile device management for Android with QR enrollment and web-based app deployment
How to choose an open source MDM
Start with the enrollment model, because MDM capability depends on how the device enters management. Corporate-owned, supervised, user-owned, kiosk, and shared-device workflows expose different controls. Check whether the MDM supports the operating systems you actually run, not just the logos on the homepage. For mobile fleets, confirm support for platform vendor enrollment programs, push notification plumbing, certificate issuance, and profile installation. For laptops, look at whether the tool can enforce local account, disk encryption, update, and inventory policies without relying on brittle scripts.
Policy depth matters more than the number of checkboxes. A useful MDM should handle Wi-Fi, VPN, certificates, passcodes, app allowlists or blocklists, OS update deferrals, lost-device workflows, and selective or full wipe with clear audit trails. Look closely at how it models groups, inheritance, and exceptions. A flat policy model becomes painful once you have contractors, field devices, executives, labs, and kiosks with different risk profiles. Also verify privacy boundaries for BYOD devices, especially what inventory fields are collected and what actions admins can perform.
Treat the server side as security infrastructure, not just an admin dashboard. MDM depends on long-lived signing keys, push certificates, device tokens, directory mappings, and privileged APIs. Review how the project stores secrets, rotates certificates, records admin actions, and backs up enrollment state. If you need integration with identity providers, ticketing, SIEM, asset inventory, or configuration management, inspect the API before you commit. The exit path matters too: inventory, users, devices, profiles, and audit logs should be exportable in formats your team can use during an incident or migration.
Related categories
Frequently asked questions
What does an open source MDM actually control?+
An MDM can install configuration profiles, enforce passcode and encryption rules, deploy apps, collect inventory, trigger lock or wipe actions, and manage network settings such as Wi-Fi, VPN, and certificates. The exact control surface depends on the operating system, device ownership model, and enrollment method. A user-owned phone usually exposes fewer controls than a supervised or corporate-owned device.
Is open source MDM practical for iPhone and iPad fleets?+
It can be, but the MDM still has to work through Apple platform rules. You need APNs connectivity, valid push certificates, profile signing, and support for supervised enrollment if you want stronger controls. The tool cannot bypass platform limits. Before choosing one, test enrollment, app deployment, OS update policy, remote wipe, and certificate renewal on real devices.
How should I evaluate Android support in an MDM?+
Check which Android management modes are supported: work profile for BYOD, fully managed for corporate-owned devices, dedicated device for kiosks, and company-owned work profile for mixed use. Those modes behave differently. Also test enrollment through QR code, zero-touch, or token-based flows, plus app distribution, compliance reporting, factory reset protection, and certificate-based Wi-Fi.
Do I need to self-host an open source MDM?+
Not always, but MDM is a strong candidate for self-hosting because it holds device identifiers, admin privileges, certificates, and wipe capability. If you use a hosted option, ask where keys are stored, who can access the admin plane, how backups are encrypted, and what happens during account termination. Self-hosting gives control, but also puts certificate renewal and uptime on your team.
What licensing issues matter for open source MDM?+
Look at whether the license permits internal modification, hosted use, redistribution, and integration into a managed service. Some licenses have network-use obligations or require source availability for modified versions. Also check whether mobile apps, agents, admin UI, and server components share the same license. MDM often includes multiple pieces, and the licensing story may not be uniform across them.
How hard is it to migrate from a commercial MDM?+
Migration is usually a staged re-enrollment project, not a simple database import. Device inventory and user lists may import cleanly, but management authority typically has to move device by device or group by group. Profiles, app assignments, and compliance rules need mapping because each MDM models them differently. Plan pilot groups, communication, rollback, and a deadline for unenrolled devices.
Will existing devices need to be wiped during migration?+
Sometimes. BYOD devices can often unenroll from one MDM and enroll in another without a wipe, although managed apps and profiles may be removed. Corporate-owned supervised devices may require special release, reassignment, or factory reset depending on how they were enrolled. Kiosks and shared devices often need rebuilds. Test each ownership model before announcing a fleet-wide migration.
What should I check for app deployment?+
Confirm support for the app sources you use, managed app configuration, forced install, uninstall, update behavior, and per-group assignment. For mobile platforms, app licensing and private app workflows may depend on vendor stores. For desktop fleets, package format and install scripts matter more. Also verify reporting: admins need to know whether an app is pending, installed, failed, or removed.
How does an MDM handle certificates and Wi-Fi access?+
A mature MDM should issue or deliver certificates, install trusted roots, configure Wi-Fi profiles, and renew credentials before devices fall off the network. Check whether it integrates with your certificate authority or only uploads static certificates. Static files are fine for small fleets but weak at scale. Certificate renewal failure is one of the fastest ways to create a support incident.
What security controls should the admin console have?+
Require role-based access, MFA support through your identity provider, detailed audit logs, session controls, and separation between read-only inventory users and admins who can wipe devices. MDM admins can affect entire fleets, so broad shared accounts are a bad sign. Also review how secrets are stored, how API tokens are scoped, and whether destructive actions require confirmation or approval.
Can an open source MDM support BYOD without over-collecting personal data?+
Yes, if it supports the platform's personal and work separation model and exposes clear privacy settings. Look for work profile support, selective wipe, limited inventory collection, and admin views that avoid personal app or location data unless required. Your policy should tell users exactly what the MDM can see and what actions the company can take.
What integrations are important for MDM operations?+
Directory sync is usually first, because device policies follow users, groups, and departments. After that, look for SSO, SIEM export, ticketing hooks, asset inventory sync, and a documented API for automation. MDM does not live alone. A device that fails compliance may need a help desk ticket, a network access change, or a security alert.
How should backups work for an MDM server?+
Back up the database, uploaded profiles, signing material, certificates, configuration files, and any object storage used by the server. A database dump without keys may not restore device management. Practice restoration in a separate environment and document certificate renewal dates. Losing enrollment state or push credentials can force widespread re-enrollment, which is much more painful than restoring a normal web app.
Will open source MDM scale to thousands of devices?+
It can, but scaling depends on message queues, push handling, database design, inventory frequency, and how policy recalculation is implemented. Test with realistic check-in rates and large group changes, not just idle enrolled devices. Watch for slow dashboards, delayed commands, and database locks during app or policy rollouts. MDM traffic is bursty, especially after outages or network reconnects.
What happens if an open source MDM project is abandoned?+
Your risk depends on how cleanly you can export data and how much custom enrollment logic you rely on. Keep copies of device inventory, profiles, policies, certificates, and migration notes outside the system. Favor tools that use standard platform protocols and documented APIs. If development stalls, you may still run it for a while, but security fixes and platform compatibility become the concern.