Fortress is a Free and Open Source (FOSS) app which leverages AOSP's "Work Profile" feature to provide a second space within your primary Android profile/user to install apps and keep them isolated from your personal apps.
Fortress is the profile owner (PO), the app that creates and administers the Android work profile on your device. It uses Android's standard DPC-first provisioning flow (ACTION_PROVISION_MANAGED_PROFILE) and holds the FortressDeviceAdminReceiver component that the Android system calls for all profile-lifecycle events.
-
Creates the work profile from the personal profile via the system provisioning wizard.
-
Optionally Installs Freighter into whichever profile it is running in.
The Freighter APK is bundled as an asset (built and bundled into
src/release/assets/by CI) so no download is needed. Freighter must be installed in both profiles to perform cross-profile app cloning. We need to bundle it in case your OEM doesn't give you any apps (browser or app store) inside the brand new Work Profile by default, otherwise we'd have no way of getting apps installed at all. That's why you can't simply install it from GitHub. -
Grants delegations to companion apps on each resume:
DELEGATION_ENABLE_SYSTEM_APP→ Freighter (so Freighter can enable hidden system apps such as Vanadium inside the profile).DELEGATION_PACKAGE_ACCESS→ Freezer (so Freezer can suspend/hide work-profile apps).DELEGATION_APP_RESTRICTIONS→ Foreman (so Foreman can push managed configuration onto work-profile apps).
-
Allowlists Freighter for cross-profile interaction (
setCrossProfilePackages) so the Connected Apps consent flow works. Does not useaddCrossProfileIntentFilter. -
Offers cross-profile hardening settings: personal→work sharing, work→personal clipboard, work→personal sharing, cross-profile contact search & caller ID, nearby notification & app streaming, and blocking screen capture for everything inside the Work Profile. These are profile-owner-only policies (not delegatable), so they live in Fortress itself rather than a companion app. The failed-unlock profile wipe feature is deliberately not offered at this time: for now (and maybe forever), Fortress intentionally has 0 destructive capability.
-
Shows a removal path when running inside the work profile, which a deep link to the Device admin apps settings screen where the user can deactivate Fortress as admin and remove the whole profile. Again, Fortress itself has no destructive capability, tearing down the Work Profile is done in Android settings.
Fortress itself does not clone or install arbitrary APKs across the profile boundary. That capability lives entirely in Freighter (a separate package), keeping the profile owner minimal.