GrapheneOS has no ManagedProvisioning service (QR code based installer). Therefore, you need to grant the device owner rights to Headwind MDM launcher in another way.
For testing purposes, you can use adb to grant the device owner rights. Here is how to: https://qa.h-mdm.com/1411/
The adb method is not suitable for production purposes.
You need to rebuild Headwind MDM launcher and sign it by GrapheneOS platform keys. In the launcher source code, use the system build variant (Enterprise version only), or manually set SYSTEM_PRIVILEGES to true in app/build.gradle, and change the android:sharedUserId to android.uid.system in AndroidManifest.xml.
The platform keys can be found here: $ANDROID_ROOT/build/target/product/security/ More detailed instruction can be found here: https://stackoverflow.com/questions/51723768/how-to-sign-android-app-with-platform-keys-using-gradle
Embedding Headwind MDM into GrapheneOS source
Another method is to embed the launcher into GrapheneOS source code instead.
Here is the how to do it in short:
Create a folder for Headwind MDM in <grapheneos-source-root-directory>/package/apps/HMDM
Inside this directory create an Android.mk file with below content
LOCAL_PATH := $(call my-dir)
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE := HMDM
LOCAL_CERTIFICATE := platform
LOCAL_SRC_FILES := HMDM.apk
LOCAL_MODULE_CLASS := APPS
LOCAL_MODULE_SUFFIX := $(COMMON_ANDROID_PACKAGE_SUFFIX)
Put the apk file in the same folder (HMDM.apk for example)
Now we've to include the apk in the system image to do that, to do that we've to mention the module name in the PRODUCT_PACKAGES list in the file:
For android 11 - aosp-root-dir/build/target/product/handheld_system.mk
So just add HMDM in the list here is a screenshot: