By Lothar Zeitler – Senior Program Manager | Microsoft Endpoint Manager - Intune
The E-FOTA service is provided by Samsung as part of Samsung Knox and can be connected to Microsoft Endpoint Manager. In this blog article, we look at the possibilities of E-FOTA in combination with Enterprise Mobility Management (EMM) and how to connect E-FOTA with Microsoft Endpoint Manager.
Note: Knox E-FOTA requires licensing from Samsung. See: Knox licenses (samsungknox.com) to learn more.
With the Knox service, Samsung offers E-FOTA (Enterprise Firmware-Over-The-Air) updates for Samsung Android devices. With E-FOTA, for example, device groups can be created for individual update settings, such as which updates are to be installed on the devices and at what times. In addition, admins can set whether the user is still allowed to change the device configuration or not. E-FOTA offers granular update management for corporate devices.
Devices managed in Microsoft Intune can be integrated into E-FOTA update management. Devices do not have to be onboarded into E-FOTA separately (e.g. by CSV import); they are picked up and managed through their Azure AD group membership. A further advantage is that only devices that are actually managed by Intune end up under E-FOTA management.
Device groups in Azure Active Directory (Azure AD) are used to classify devices, and each group is then assigned to the corresponding E-FOTA configuration group (campaign). Examples are pilot groups to test firmware updates, groups for corporate divisions that receive different update versions, or kiosk devices that install updates only within a certain time window.
Each E-FOTA campaign can carry different update settings, and Azure AD device groups are assigned to campaigns individually. Once an Azure AD group is assigned to a campaign, every device in that group receives the settings of that campaign.
This article requires Azure AD and that the device management is in Microsoft Intune. Besides Intune and Azure AD, we also need access to Samsung Knox.
The following demonstrates how to use E-FOTA within an existing Intune environment where Samsung devices are already managed.
In the Intune console (Devices > Android devices), we see two Samsung devices.
To get started, an Azure AD group needs to be created that contains these two Samsung models; this is what brings them into E-FOTA update management later. The group is created as a dynamic group so that newly enrolled Samsung devices join it automatically. Devices that join the group are then also automatically assigned to the E-FOTA campaign the group is assigned to.
To create a dynamic group, go to Groups > New Group in the Intune console. In this example, we use "Samsung EFOTA G950U1 A520F" as the name. Because the members are devices rather than users, we use the Dynamic Device membership type.
For the membership rule, we use Samsung as the manufacturer together with specific models, which gives granular control over who joins the group.
The rule in our example is:
(device.deviceManufacturer -eq "samsung") and ((device.deviceModel -contains "SM-G950U1") or (device.deviceModel -contains "SM-A520F")).
Note that more complex logical groupings can no longer be displayed in the rule builder of the UI, so the expression has to be entered in the Rule syntax field. One caveat on the syntax: -contains is a substring match, so a rule with -contains "SM-G950U" would also pull in an SM-G950U1; use -eq where an exact model match is intended. After entering the rule, Save and Create to confirm it. The devices are added to the group automatically; keep in mind that membership evaluation can take a few minutes.
After the first Azure AD group for E-FOTA has been created, E-FOTA and Intune must be connected. The communication between E-FOTA and Azure AD takes place via the Microsoft Graph API. Access to Azure AD resources such as groups requires authentication against Azure AD, so an application must be registered in Azure AD for this purpose. An application registration can represent a web or mobile app as well as a web API.
Note: This Samsung Knox site offers great guidance on E-FOTA. This blog essentially follows that guide.
First, the app must be registered in Azure AD. The best way to do this is to use the Azure Portal (portal.azure.com). A new app can then be registered under Azure AD > App registrations > New registration.
On the registration page, the name of the app needs to be specified. The app should only be made known for the organization by selecting Accounts in this organizational directory only. The Register action finishes the registration in Azure AD.
After successful registration, a summary of the registration appears. For further configurations, it is important to remember the Application (client) ID and the Directory (tenant) ID.
The next step is to create a client secret. The secret is the credential that E-FOTA presents, together with the client ID, to authenticate as this app; anyone who holds it can act as the app with all of its granted permissions. To create a client secret in Azure AD for the Knox E-FOTA One app, go to Certificates & secrets in the app properties and select New client secret in the Client secrets section. Add a Description, we suggest including the name, e.g. "Client secret for Knox E-FOTA One", and select when the secret should expire. In this example, we set the value to "never." For a production tenant, choose a bounded lifetime and plan to rotate the secret before it expires; a leaked secret otherwise grants read access to every device and group in the tenant until it is deleted. Add generates the secret.
The generated client secret is shown only once and is required in a later step, so copy it now.
As a last step, API permissions need to be granted. E-FOTA reads the Intune device groups through Microsoft Graph; this is how the devices managed in Intune become known to E-FOTA. The following permissions are needed: Device.Read.All, Group.Read.All and DeviceManagementManagedDevices.Read.All.
The permissions are added under API permissions > Add a permission. On the Request API permissions page, select Microsoft Graph.
Choose Application permissions (E-FOTA authenticates with the client secret as the app itself; there is no signed-in user), search for Device.Read.All, Group.Read.All and DeviceManagementManagedDevices.Read.All, and add them with Add permissions. Finally, the permissions must be approved with Grant admin consent for <org>; until consent is granted, Graph rejects the app's requests as insufficiently privileged. Note that all three permissions are read-only: E-FOTA only needs to read groups and devices, and nothing beyond that should be granted.
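Before handing the client ID, secret and tenant ID to the Knox console, it is worth checking that the registration works end to end. The script below is an added example written for this post; it is not Samsung's or Microsoft's code. It performs the same two operations the E-FOTA connector depends on: a client-credentials token request against Azure AD, and a paged read of the device members of an Azure AD group via Graph. The group ID, tenant, client ID and secret are placeholders you supply; the `http_post`/`http_get` arguments are injectable so the logic can be exercised with canned responses, and the device records in the usage note are constructed, not real.

```python
"""Check an Azure AD app registration for Knox E-FOTA: token + group device read.

Added example for this post (not Samsung's or Microsoft's code). Uses only the
standard library. Endpoints are the public Azure AD v2.0 token endpoint and the
Microsoft Graph v1.0 groups API; everything else (IDs, secret) is supplied by you.
"""
import json
import os
import sys
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH = "https://graph.microsoft.com/v1.0"
# The OData cast returns only device members, leaving users and nested groups out.
MEMBERS_URL = (GRAPH + "/groups/{group_id}/members/microsoft.graph.device"
               "?$select=id,deviceId,displayName,manufacturer,model&$top=999")


def _urllib_post(url, form):
    data = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.load(resp)


def _urllib_get(url, headers):
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        return json.load(resp)


def get_app_token(tenant_id, client_id, client_secret, http_post=_urllib_post):
    """Client-credentials grant: the same flow E-FOTA runs with the values from the
    Connect EMM dialog. The .default scope requests the admin-consented application
    permissions of the app; no user signs in."""
    body = http_post(TOKEN_URL.format(tenant=tenant_id), {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    })
    if "access_token" not in body:
        # Azure AD reports e.g. invalid_client (bad secret) or unauthorized_client here.
        raise RuntimeError(f"token request failed: {body.get('error')}: "
                           f"{body.get('error_description')}")
    return body["access_token"]


def list_group_devices(token, group_id, http_get=_urllib_get):
    """Collect all device members of the group, following @odata.nextLink paging."""
    url = MEMBERS_URL.format(group_id=group_id)
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    devices = []
    while url:
        page = http_get(url, headers)
        if "error" in page:
            # 403 here usually means admin consent for Group.Read.All / Device.Read.All is missing.
            raise RuntimeError(f"graph call failed: {page['error']}")
        devices.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return devices


def check_samsung_only(devices, allowed_models):
    """Sanity check for the dynamic group: return members that are not Samsung devices
    of an expected model. Because the membership rule uses -contains (substring match),
    this is how you spot models the rule pulled in unintentionally."""
    return [d for d in devices
            if (d.get("manufacturer") or "").lower() != "samsung"
            or d.get("model") not in allowed_models]


if __name__ == "__main__":
    # Usage: EFOTA_TENANT_ID=... EFOTA_CLIENT_ID=... EFOTA_CLIENT_SECRET=... python check.py <group-object-id>
    tok = get_app_token(os.environ["EFOTA_TENANT_ID"], os.environ["EFOTA_CLIENT_ID"],
                        os.environ["EFOTA_CLIENT_SECRET"])
    members = list_group_devices(tok, sys.argv[1])
    print(f"{len(members)} device(s) in group")
    for d in check_samsung_only(members, {"SM-G950U1", "SM-A520F"}):
        print("unexpected member:", d.get("displayName"), d.get("manufacturer"), d.get("model"))
```

A successful run lists exactly the devices that the dynamic group rule matched; an `invalid_client` error points at the secret, and an authorization error on the Graph call points at missing admin consent. The secret is read from the environment rather than placed on the command line so it does not end up in shell history.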
At this point, the configuration in Azure AD is complete. The following steps must be set out in the Samsung Knox E-FOTA console:
Here the connection from E-FOTA to the corresponding Azure AD tenant is established, using the app that was previously registered in Azure AD. After logging in to the Samsung Knox portal, Microsoft Intune can be added by selecting EMM Groups and Connect EMM in the E-FOTA section.
After clicking Microsoft Intune, the dialog «Connect with your EMM» appears. The values for Client ID, Client Secret and Tenant ID are taken from the properties of the Knox E-FOTA One app registration in Azure AD.
After the connection succeeds, the device groups from Azure AD are displayed.
Here, we select the dynamic group which was set up at the beginning. Later, further groups can be added as well.
All the devices which are members of the group will be added in E-FOTA. An explicit registration of the devices in Samsung Knox is not necessary.
Note: Learn more about Managing EMM groups (samsungknox.com).
Once the devices are in the E-FOTA system, they can become part of a campaign. Each campaign, in turn, carries its own settings profile. In the E-FOTA console you will find a menu entry to configure a campaign.
With the function Create Campaign, a new update configuration can be created in E-FOTA.
In this example, the campaign is named "EFOTA for Intune Devices". Various settings can be configured after the campaign is created.
As the final step, the devices must be assigned to the campaign. Under Assign devices and firmware you will find the corresponding option, Assign Devices.
Note: In the case of devices that have been recently added, it can take several hours until the list showing the available firmware options is generated.
Learn more on how to Create a campaign (samsungknox.com).
After Azure AD and E-FOTA have been configured, the devices still need to be set up in Microsoft Intune so that each device can establish a connection with the E-FOTA service.
Regarding this step, there are two possibilities in Microsoft Intune:
The E-FOTA app can be pushed to the Samsung devices through Intune app installation. After the app is installed, the device is ready to be included in a campaign, but the user has to activate the device by starting E-FOTA.
The second option is to automate the process. With Microsoft Intune, OEMConfig profiles can be created and configured to set up the E-FOTA client on Samsung devices. Installation and configuration of the required software then happen fully automatically; only the E-FOTA disclaimer must be confirmed once by the user.
Note: Additional Information on OEMConfig can be found on: Use OEMConfig on Android Enterprise devices in Microsoft Intune - Azure | Microsoft Docs.
Automating the process is more involved, so we walk you through the steps.
First you must create an Android Enterprise Configuration Profile with the type OEMConfig.
After choosing a profile name, the Knox Service Plugin (KSP) is selected. The KSP processes the OEMConfig profile’s settings.
Under Configuration settings, the E-FOTA-specific settings can then be searched for and configured. It is also possible to make further, non-E-FOTA KSP settings here. To find the E-FOTA options, use the Locate link with the search term E-FOTA.
After adding the E-FOTA options to the configuration, the individual settings can be set.
The last step is to assign the profile to the device group that should receive the OEMConfig settings. This is done under Assignments.
Once the assignment has been made, registration with the E-FOTA service and application of the parameters from the OEMConfig profile proceed largely automatically. Little is visible on the device itself during execution; the individual actions (e.g. installation of E-FOTA) and their sequence can be tracked in the device's system notifications.
The only necessary interaction is to confirm the E-FOTA disclaimer. Below, screenshots show a few notifications during the installation/configuration processes as well as the disclaimer.
If a device is successfully assigned to a campaign, it receives the update management settings from E-FOTA. The E-FOTA console can be used to check the devices' status and their allocation to campaigns. If the status is "Campaign active", the device updates are successfully managed through E-FOTA.
Samsung Knox offers granular update management by E-FOTA services for Samsung devices. These settings are in addition to the standard EMM settings. With the integration of Azure AD, Microsoft Intune and Samsung E-FOTA, the strengths of the respective platforms can be easily combined.
For further information on E-FOTA, see: Knox E-FOTA (samsungknox.com) to learn more.
If you have any questions on this post, just let us know by commenting back on this post. You can also ask quick questions at @IntuneSuppTeam out on Twitter.
Blog post updates:
12/22/20: Clarified post that Samsung E-FOTA Update Management requires licensing from Samsung.