This is a follow up article to the one I wrote last week where we had a look at managing updates for our Samsung devices with E-fota and Intune. If you haven’t seen it you can read it here:
To be able to enroll and manage our Samsung devices in to E-fota they need to have the Knox E-fota app Installed. We can add the app and deploy it directly from Intune with Managed Google Play however there’s a huge draw back by doing so, Let me explain.
If we would assign and deploy the app from Intune directly to our devices the app will Install. However for the device to actually enroll in to E-fota the end-user or IT Admin needs to open the app to start the enrollment process. This for many organizations is a big no no since it exponentially increases the likelihood that we won’t have all of our devices enrolled and managed that we want to.
When managing our devices we want the device to automatically enroll in to E-fota and this can be done but its not super obvious how to do that when you first get started working with E-fota, Knox and Intune.
Automatic enrollment through the Knox Service Plugin (KSP) App
This is from my point of view the best way to making sure that all our devices are enrolled in to E-fota automatically without the need for the someone to open up the E-Fota app and perform the enrollment.
The Knox Service Plugin is built on top of Androids OEMConfig and we can use this together with Intune to configure policies and settings on our devices that are manufacturer specific, In this case Samsung specific.
Note.
Each manufacturer has their own OEMConfig app thats available in Google play. For example
Samsung – Knox Service Plugin
Lenovo – Lenovo OEMConfig
Zebra – Zebra OEMConfig powered by MX
Nokia – OEMConfig for Nokia
To summarize there are 3 steps we need perform to be able to reach our goal of automatically enroll our devices managed by Intune in to E-fota with the KSP app.
- Add the Knox Service Plugin App from Managed Google Play to Intune
- Deploy and assign the KSP app to our devices
- Create and configure OEMConfig policy to enabled and enroll our device in to E-fota
Lets get started.
Add the Knox Service Plugin App from Managed Google Play to Intune
From the endpoint.microsoft.com portal go to Apps -> Android and click on Add
In the list select, Managed Google Play
Search for Knox Service Plugin and approve the app
Once the app has been approved, click on Sync or wait for the automatic sync to run. From there you will be able to find the app in the list of applications in Intune.
Deploy and assign the KSP app to our devices
Assign the app to the group of devices you want it to be deployed to.
The Knox Service Plugin app will appear on your devices.
Create and configure OEMConfig policy to enabled and enroll our device in to E-fota
Navigate to Device -> Android -> Configuration Profiles and create a new profile by clicking on Create profile
From the list that appears select Android Enterprise under platform and OEMConfig under Profile type
Give the profile a name and click on Select an OEMConfig App and choose the correct OEMConfig app from the list. In this case its the Knox Service Plugin
Under configuration settings, click on Configure for the policies that’s called
Device-wide policies (Selectively applicable to Fully Manage Device (DO) or Work Profile-on company owned devices (WP-C) mode as noted)
Set the Enable device policy controls to True
Scroll down a bit in the list until you see the option called Firmware update (FOTA) policy and click on Configure
Set the following policies to True
Enable firmware controls
Allow firmware update over-the-air
Enable E-FOTA client installation & launch
Continue with creating the policy and assigning it to the group of devices you want. It should look something like this ones you are done with the policy creation.
Once the policy has been assigned and applied to our device, you will see the following on the actual device.
A notification pops up about agreeing to the terms and conditions
(I’m investigation if there’s a way of hiding or skipping this one but at the time of writing this article I have not found a way to do that)
The Knox Service Plugin applies the policies and automatically installs the Knox E-fota app and performs the enrollment to E-fota.
That’s it for now, Don’t forget to follow me on twitter @timmyitdotcom
Looking for RSS feed on this site
DOes This require Knox Suite licence?
Does this support profile owner enrollment (COPE)? I have tried the same steps but the license validation fail for E-FOTA app which gets installed in personal side.
Hi!
How did you manage, that the E-Fota App is installed in the personal profile?
I did everything what samsung said – followed every guide I found.
KSP is configured with all settings … I can say “apply policies” but the app doesn’t install in the personal profile.
A campaign is assigned in the e-fota portal … phones are all stuck on “not enrolled” 🙁
I’m running into a problem with applications like Outlook on the android after enabling this feature.
KSP disables all device admin apps and there’s no possible way to activate it.
Hi,
I have a problem with the group in the E-FOTA administration.
I was able to connect to AAD. I have a choice of groups that I want to connect to Knox administration.
After selecting a test group, I don’t see the devices in the group, even though the groups are populated with devices in Azure/Intune administration.
Don’t know where the error could be?
Thanks for any help..