Intune and Knox E-FOTA – Manage updates for your Samsung Android Enterprise devices

As an IT admin you are probably familiar with the different processes and tools for managing updates on your Windows devices and servers in one form or another. For our Windows environment we have options like WSUS, ConfigMgr and Windows Update for Business if we want some control over our update schedule. This also gives us the capability to test new updates and patches on a small number of devices and then start the rollout to pilot and production.

Many ConfigMgr and MEM admins with a Windows background (just like me) often struggle when asked what we do about patches and updates for the Android devices that are now managed by Intune. The short answer is usually, ehm… we don't.

As part of the Android Enterprise framework, each manufacturer of an AE certified device is required to release security updates and major updates for a certain period of time, between 3 and 5 years depending on the type of device (knowledge worker or rugged device).

Link to the Android Enterprise datasheet: https://static.googleusercontent.com/media/www.android.com/en//static/2016/pdfs/enterprise/Android_Enterprise_Recommended_Datasheet_w_o_carrier.pdf

Releasing an update is one thing, but how do we manage it in an enterprise environment? There are business cases for not having updates install automatically, or for planning an update ahead of time when there are Line-Of-Business apps that are sensitive to updates, or other processes and workflows that could be interrupted if we don't have control and planned testing of new versions and updates. And of course we need to be able to make sure that our devices are up to date with the latest security updates.

Each OEM has its own way of dealing with updates, and in this article we'll have a look at Samsung Knox E-Fota and how we can integrate it with and extend our Intune environment.

Samsung Knox E-Fota (Enterprise Firmware-over-the-air)

FOTA, or Firmware-over-the-air, is a common term you'll run into in an MDM scenario for mobile devices. Samsung's Knox E-fota offering is part of the Samsung Knox Suite and lets you manage the updates to your Samsung devices.

https://www.samsung.com/us/business/solutions/services/mobility-software/e-fota/

Initial setup between E-fota & Azure AD

Once you have access to Samsung Knox and have activated E-Fota, the next step is to configure the integration between E-Fota and Azure AD. To do this we need to configure an Enterprise Application in Azure AD. Let's get started.

Head over to https://central.samsungknox.com/, log in with your account and click on Knox E-fota.

Navigate to EMM groups and click on Connect EMM on the next page.

Select Microsoft Intune from the list of vendors available

Now we need to enter some information: Client ID, Client Secret and Tenant ID. There are a few things we need to do in Azure AD to get all of this information, so open up a new browser tab and continue to the next part of this guide, which is App registration in Azure AD.

Note.
You can have multiple MDM systems linked up to your E-fota. For example, if you are an MSP or have multiple environments you can still use the one E-fota portal to manage them all.

App registration in Azure AD

Go to portal.azure.com, open App registrations and register a new application.

Copy the Application (client) ID and the Directory (tenant) ID, as we need this information when we go back to the E-fota portal.

Create a new client secret and copy its Value, and have it ready for when we come back to the E-fota portal. The value is only shown once, right after the secret is created.

API Permissions

The next step is to configure the API permissions on the app we just created.

The Application permissions we need to allow are the following:

  • Device.Read.All
  • Group.Read.All
  • DeviceManagementManagedDevices.Read.All

Click on API Permissions in the left pane and then click on Add a permission.

Click on Microsoft Graph.

Click and select Application permissions.

Go through and add each permission we need for this specific application.

  • Device.Read.All
  • Group.Read.All
  • DeviceManagementManagedDevices.Read.All

Once we have added all of them, the final step is to grant admin consent for these.

Note.
For more information, read the Samsung documentation on this:
https://docs.samsungknox.com/admin/efota-one/before-you-start-intune.htm?Highlight=intune
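Since the app registration holds tenant-wide read permissions with only a client secret protecting them, it is worth auditing that it has exactly the three Application permissions above and nothing more, and that the secret is not about to expire. The script below is an added example, not part of the post or of Samsung's tooling; it works on two objects you would fetch from Microsoft Graph beforehand (the Microsoft Graph service principal's appRoles, and the app registration's requiredResourceAccess and passwordCredentials), replaced here by constructed samples with placeholder role ids.

```python
"""Least-privilege audit for the E-fota app registration (added example, not from the post)."""
from datetime import datetime

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource appId
REQUIRED = {"Device.Read.All", "Group.Read.All", "DeviceManagementManagedDevices.Read.All"}

# Constructed sample of the Microsoft Graph service principal's appRoles; the ids are
# placeholders, not the real Graph appRole ids (fetch them from the tenant in practice).
GRAPH_APP_ROLES = [
    {"id": "role-device-read", "value": "Device.Read.All"},
    {"id": "role-group-read", "value": "Group.Read.All"},
    {"id": "role-mdm-read", "value": "DeviceManagementManagedDevices.Read.All"},
    {"id": "role-dir-rw", "value": "Directory.ReadWrite.All"},
]

# Constructed sample registration: two permissions missing, one over-privileged extra,
# and Group.Read.All added as a delegated permission (type "Scope") instead of Application.
APP_REGISTRATION = {
    "displayName": "Knox E-FOTA",
    "requiredResourceAccess": [{
        "resourceAppId": GRAPH_APP_ID,
        "resourceAccess": [
            {"id": "role-device-read", "type": "Role"},
            {"id": "role-dir-rw", "type": "Role"},
            {"id": "role-group-read", "type": "Scope"},
        ],
    }],
    "passwordCredentials": [{"endDateTime": "2024-01-31T00:00:00Z"}],
}

def audit_permissions(app, graph_roles):
    """Return (missing, extra) Application permissions on Microsoft Graph, by name."""
    role_names = {r["id"]: r["value"] for r in graph_roles}
    granted = set()
    for res in app.get("requiredResourceAccess", []):
        if res["resourceAppId"] != GRAPH_APP_ID:
            continue
        for access in res["resourceAccess"]:
            if access["type"] == "Role":  # "Scope" entries are delegated, not Application
                granted.add(role_names.get(access["id"], access["id"]))
    return REQUIRED - granted, granted - REQUIRED

def secret_days_left(app, now_iso):
    """Days until the soonest client secret expires (negative = already expired)."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    ends = [datetime.fromisoformat(c["endDateTime"].replace("Z", "+00:00"))
            for c in app.get("passwordCredentials", [])]
    return min((e - now).days for e in ends) if ends else None
```

Run against the sample, `audit_permissions` reports Group.Read.All and DeviceManagementManagedDevices.Read.All as missing (the delegated Scope entry does not count) and Directory.ReadWrite.All as an extra that should be removed before admin consent is granted.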

Back at the E-fota portal

Once we have created our application in Azure and have our client secret, we can enter the information in E-fota. When we registered our Enterprise app in Azure AD we got the Application (client) ID and the Directory (tenant) ID, and when we created our client secret we got the Value that's used for the Client Secret.

The next step is to sync one or more groups from Azure AD that contain your Samsung devices. E-fota can sync a maximum of 1000 groups.

In Azure AD I have a dynamic group that only contains my Samsung Xcover 5 devices, and I just want to sync this specific group at this time.

Now that we have our group selected, the next thing you can do is turn on the “Auto-sync” option in the top right corner of the page. I like this feature mainly because it removes the need to go in and manually click on “Sync” from time to time.

Select the group by adding the check mark on the left side and click on Actions on the right side. Click on Assign license in groups and select the license you want to apply to all the devices in this group.

Enrolling a device with the E-fota App

A device needs to be enrolled into E-fota, and there are multiple ways of doing it. In this article I'll cover one scenario: enrolling it manually with the E-fota app. There are other methods that I will cover in a future article.

Start by heading over to the Endpoint Manager portal, click on Apps -> Android and add a new application.

Select Managed Google Play App.

Search for E-fota and click on the one that says Knox E-fota.

Approve the app, click on Sync and wait a minute or two for the app to show up in the list of applications available in Endpoint Manager.

Deploy the app to your group of devices that you want to use E-fota on.

Wait for the app to install on your device, then open the Knox E-FOTA app on the device.

The app performs the enrollment within a few seconds, provided the device has already been synced from Azure AD to E-fota. If the device is not visible in E-fota yet, you may see an error message in the app telling you that the enrollment failed.

At this point we have not yet decided what to do with any updates; that's what we'll do in the next section, where we create a campaign.

Creating a Campaign

A campaign is what actually determines the update behavior for our devices. I won't go into depth on the different types in this article but will instead just show one scenario that I have come across a few times.

You can also check out Samsung's documentation on this over at https://docs.samsungknox.com/admin/efota-one/create-campaign.htm

Scenario

  • Kiosk or dedicated devices running Line-Of-Business apps that are OS-version sensitive
  • We need to block all updates so nothing gets installed automatically without our knowledge and consent

Go to Campaign in the left menu and click on “Create Campaign”.

Start by giving the campaign a name and set a start date only: we don't want it to end at a specific time, so it just needs a start date. From there we can skip over most of the other settings, since we want to block updates, and head down to the section where we can add devices and firmware.

Here just click on “Add manually”, select the model from the drop-down menu and under Firmware version select “Lock current firmware”.

Note.
When adding a device you will only see the device types and models that you have synced to E-fota. This means you cannot select a device model that you don't see or have not synced to E-fota.

You will now see the newly created campaign in the overview. The next step is to head back over to EMM groups. Select the EMM group you have synced and go to Actions -> Assign Campaign, then select the campaign you want to assign to your group of devices.

Once the assignment is done you will see that the group has been assigned to a campaign, and if you go to your devices you will also be able to see which campaign has been assigned to each device, provided the device has been enrolled.

Heading over to our device again and opening the E-fota app, we will now see that the newly created campaign has been applied and is now blocking all updates.

We have now successfully integrated E-fota and MEM and can start managing updates for our Samsung devices.

Don’t forget to follow me on twitter @timmyitdotcom
