AFM — Android Free Manager

Open-source Mobile Device Management for Android Enterprise. Released as a reference implementation. AGPLv3. Community-driven.

---

What is AFM

Android Free Manager (AFM) is a multi-tenant Mobile Device Management (MDM) platform for Android Enterprise devices, built on top of the Google Android Management API.

It provides the technical foundation for:

• Device enrollment via QR, link, or token
• Policy management (150+ Android Enterprise policy fields)
• Fleet dashboard and compliance reporting
• Remote commands: lock, reboot, wipe, reset password
• Managed Google Play app distribution
• Multi-tenant SaaS architecture
• Self-hosted deployment

Who built this and why

AFM was designed and implemented by P3Consulting OÜ, an Estonian software company. We open-sourced this reference implementation because:

1. The Android MDM space lacks open alternatives to Intune/Workspace ONE/Knox
2. Small MSPs and system integrators deserve a starting point they can own
3. Open source is good marketing for our consulting services

AFM is released as a reference implementation. It is feature-complete as an MDM foundation, but it is not actively maintained by P3Consulting. If you want a production-supported, commercial product built on the same foundation — with advanced features, rugged-device integrations, and enterprise support — see Anvil MDM.

Is this actively developed?

Short answer: no. This is a reference release, snapshot of the codebase as of the initial publication. We don't plan to merge pull requests or respond to issues ourselves.

What the community can do:

• Fork it and run your own maintained version
• Use it as a learning resource for Android Management API integration
• Build your own product on top of it — as long as you respect AGPLv3

What P3Consulting offers commercially:

• Anvil MDM — the actively developed, rugged-device-optimized commercial product
• Custom MDM development and consulting — hello@p3consulting.tech

Stack

Component	Technology
Backend	FastAPI (Python 3.11+), SQLAlchemy async, Alembic
Database	PostgreSQL 16
Cache	Redis 7
Frontend	React + Vite + TypeScript + shadcn/ui + Tailwind
API	Google Android Management API via google-api-python-client
Deploy	Docker Compose (reference)

Architecture

┌─────────────┐         ┌──────────────┐         ┌─────────────────┐
│   Frontend  │ ──REST──▶   FastAPI    │ ──SDK──▶│  Google AMAPI   │
│  (React)    │         │   Backend    │         │                 │
└─────────────┘         └──────┬───────┘         └────────┬────────┘
                               │                          │
                        ┌──────▼──────┐             ┌─────▼──────┐
                        │  Postgres   │             │  Android   │
                        │  + Redis    │             │  Devices   │
                        └─────────────┘             └────────────┘

Ten core models (User, Tenant, Device, Policy, DeviceGroup, EnrollmentToken, AuditLog, AISettings, TenantSettings, BaseModel) back ten REST API groups mirroring the Google AMAPI surface plus multi-tenant concerns.

Quick start (development)

Prerequisites: Python 3.11+, Node 20+, Postgres 16, Redis 7.

# 1. Clone
git clone https://github.com/P3consultingtech/afm.git
cd afm

# 2. Backend
cd backend
python -m venv .venv && source .venv/bin/activate
pip install -r requirements.txt
cp .env.example .env  # edit DATABASE_URL, REDIS_URL, GCP creds
alembic upgrade head
uvicorn app.main:app --reload --port 8000

# 3. Frontend (in another terminal)
cd frontend
npm install
npm run dev  # http://localhost:5173

For Google Android Management API:

• Create a GCP project
• Enable Android Management API
• Create a service account with role Android Management User
• Download JSON key → point GCP_CREDENTIALS_PATH to it in .env

The backend falls back to mock mode when GCP is not configured, so you can run the full UI without a real Google binding for development.

Production considerations

This codebase is not battle-tested at scale. Before deploying to production:

1. D-U-N-S + Google enterprise quota — required if you run multi-tenant
2. Webhook or polling — AFM does not yet sync device state back from Google (see TODO in code); implement a Pub/Sub webhook or periodic devices.list poll
3. Audit logs — the AuditLog model exists but is not populated; wire up in critical endpoints
4. Tenant isolation — review carefully before going multi-tenant
5. Rate limiting — none on the API endpoints; add nginx/Cloudflare in front
6. Secrets management — do not ship .env files, use a real secrets manager

For all of the above (and much more) already solved, see Anvil MDM.

License

AFM is licensed under the GNU Affero General Public License v3.0 (AGPLv3). See LICENSE.

What this means for you:

• ✅ You can use AFM for anything, including commercial use
• ✅ You can modify it and redistribute
• ❌ If you run a modified version as a network service (SaaS), you must share the modified source with your users

This is a deliberate choice — it keeps the playing field fair for everyone building on AFM, and prevents cloud vendors from repackaging the work without contributing back.

If AGPL doesn't fit your commercial model, contact us at licensing@p3consulting.tech for alternative licensing options.

Contributing

We welcome community forks and derivative projects, but we do not actively review pull requests or respond to issues. See CONTRIBUTING.md for details.

Related projects

• Anvil MDM — actively developed commercial product built on AFM's foundation, with rugged-device integrations, fleet battery intelligence, NFC badge issuance, and enterprise support.
• P3Consulting — the Estonian consultancy behind AFM. We build security, MDM, and Android Enterprise solutions. Get in touch.

Security

If you believe you've found a security vulnerability, please follow the process in SECURITY.md. Do not open a public issue.

---

_{Built with stubborn care by P3Consulting OÜ · Tallinn, Estonia}