01 · The Problem
Regulated public-sector buyers in Latin America, the EU, and emerging markets increasingly write specific architectural requirements into their RFPs: in-country data residency, no third-party SaaS provider in the command-and-control path between the buyer and their device fleet, no foreign-government service dependencies, and contractual data-handling terms the buyer's procurement office can govern. These are not optional preferences; they are disqualifiers. A platform that cannot satisfy them architecturally is not eligible to bid.
The dominant enterprise UEM vendors — Microsoft Intune, Jamf, VMware Workspace ONE, IBM MaaS360, ManageEngine — operate as third-party SaaS layers. For Android, their architectures route commands through Google's Android Management API and Firebase Cloud Messaging. For Apple, their MDM servers operate in the vendor's cloud between the customer's Apple Business Manager tenant and the device fleet. Both halves of the device estate sit on US-hyperscaler infrastructure.
For most enterprises, that's an acceptable trade. For procurement contexts with in-country data-residency requirements, regulated healthcare under LGPD or HIPAA, public-sector buyers with sovereignty mandates, or EU government procurement frameworks, US-SaaS-in-the-data-path is not an architectural inconvenience — it is a procurement disqualification. The contract cannot include those vendors regardless of how good the product is in non-sovereignty-constrained deployments.
The architectural gap is real and growing. Public-sector buyers are increasingly forced into either (a) deploying a vendor that doesn't meet sovereignty requirements and accepting compliance risk, (b) building custom in-house platforms (expensive, slow, rarely operationally sustainable), or (c) declining to procure modern endpoint management entirely. None of those are good outcomes.
02 · Lockia's Approach
Public AOSP APIs, not Google AMAPI. Lockia's Cipher DPC is built on the public Android Enterprise APIs that ship in every Android Enterprise–capable device. The DPC enrolls as Device Owner at first boot. Command and policy decisions route through Lockia's own backend infrastructure, not through Google's services. Google services remain absent from the data path between the buyer and their fleet.
Lockia-operated MDM for Apple, deployed in customer region. Lockia operates Cipher MDM in your deployment region — no third-party MDM SaaS in your data path. Your Apple Business Manager tenant federates with the Lockia-operated MDM. Apple's APNs is mandatory infrastructure for any iOS MDM and remains in the path — that is non-negotiable Apple infrastructure that applies to every MDM, including ours. What is removed is the additional layer of third-party SaaS between ABM and your fleet.
Customer-region deployment. For sovereignty-bound contracts, Lockia operates the platform infrastructure in the jurisdiction the buyer's procurement contract specifies. The buyer's data-handling agreements govern the deployment terms; Lockia operates within those terms. This is the architectural property "customer-controlled data path" as defined in our Sovereign UEM platform overview — not a hosting-region promise, but a contractually deployable infrastructure model.
Compliance and procurement posture. Lockia's SOC 2 Type II audit is in progress with Prescient Security. The Cipher Protocol architecture is patent-pending (USPTO provisional 63/940,826, "Bypass-Resistant Device Locking", December 2025). Multi-region infrastructure is operational in Miami, Mexico, Brazil, and Colombia, with additional regions being added. Lockia operates as a Florida LLC; Delaware C-Corp conversion is in progress, aligning with enterprise procurement preferences for vendor incorporation.
03 · How It Works
Sovereignty-requirements scoping
Lockia's deployment team reviews the buyer's procurement contract, identifies data-residency and architectural-sovereignty clauses, and confirms the deployment region and infrastructure footprint required.
Infrastructure provisioning
Lockia provisions infrastructure in the buyer-required region under terms the buyer's data-handling agreements govern. Cipher MDM and Lockia's backend deploy into the region, with no cross-region data egress for command-and-control.
Apple Business Manager federation
The buyer's ABM tenant federates with the deployed Cipher MDM server. iOS devices enroll via ABM DEP. Apple's APNs is the mandatory command-transport infrastructure for any MDM; no other third-party SaaS sits in the path.
Android enrollment
Android devices enroll via QR provisioning. Cipher DPC activates as Device Owner at first boot. The command channel operates in the customer's deployment region.
Live operations + audit posture
The production fleet runs with policy enforced continuously. Audit logging captures every command and policy decision. The buyer's compliance officers have direct visibility into the data path; no third-party vendor sits between the buyer and the audit record.
04 · Compared To
Architectural facts. Public-sector procurement reviewers evaluating UEM platforms encounter the same architectural pattern across most named vendors. The comparison is not about feature parity — it is about which architecture the procurement contract can sign.
| | Lockia | Microsoft Intune | VMware Workspace ONE | IBM MaaS360 |
|---|---|---|---|---|
| Android substrate | Public AOSP DevicePolicyManager APIs (no Google partner-program dependency) | Google AMAPI partner-program SaaS | Google AMAPI partner-program SaaS | Google AMAPI partner-program SaaS |
| Apple MDM model | Lockia-operated Cipher MDM, in your deployment region, via buyer's ABM tenant | Microsoft cloud MDM (US-hosted) | VMware cloud MDM (US-hosted) | IBM cloud MDM (US-hosted) |
| Customer data path | Lockia-operated, in your deployment region — not Microsoft's cloud, not VMware's, not IBM's | Microsoft cloud (global) | VMware cloud (global) | IBM cloud (global) |
| Sovereignty posture | Architecture designed for sovereignty-bound contracts; deployments in development with public-sector buyers | US-hyperscaler dependency; sovereignty mandates typically disqualify | US-hyperscaler dependency; sovereignty mandates typically disqualify | US-hyperscaler dependency; sovereignty mandates typically disqualify |
| Procurement framework fit | LGPD, Mexico FDPL, EU sovereignty contracts, government data-residency clauses | Standard enterprise procurement; not sovereignty-aligned by architecture | Standard enterprise procurement; not sovereignty-aligned by architecture | Standard enterprise procurement; not sovereignty-aligned by architecture |
05 · Who this is for
Lockia's architecture is designed for sovereignty-bound procurement contexts including LATAM government, regulated healthcare, and public-sector buyers. We are currently in conversations with buyers in these segments. Contact us if your procurement framework requires customer-region deployment with no third-party SaaS in the command path.
06 · One of Many
Public-sector device sovereignty is one configuration of Lockia's Sovereign UEM platform. The same Cipher Protocol, the same Cipher DPC, the same Cipher MDM, the same Guardian AI agentic layer. What changes for public-sector deployment is the procurement framework (sovereignty clauses, data-residency requirements, vendor-incorporation preferences), the deployment region, and the audit posture. The architectural commitment is the same as for every other vertical Lockia serves.
For a procurement reviewer or a public-sector IT director evaluating Lockia: the platform designed for sovereignty-bound public-sector device management is the same platform retailers, banks, e-commerce operators, and resellers use to run their device programs. The architectural choice is made once; the vertical configurations follow downstream.
Next Step
If your procurement requirements include data-residency, sovereignty, or architectural restrictions on third-party SaaS in the command-and-control path, the most useful next step is a call with Lockia's deployment team. We will walk through your specific procurement contract language, your deployment region, and how Lockia's architecture maps to the audit posture your compliance office requires.