Manage Android OS versions and security updates with Samsung Knox E-FOTA One and Microsoft Intune

In March this year Samsung announced a new edition of their Knox E-FOTA solution, Knox E-FOTA One. E-FOTA stands for Enterprise Firmware-Over-The-Air. E-FOTA enables enterprise IT admins to remotely deploy OS versions and security updates to corporate devices without requiring user interaction.

One of the benefits of E-FOTA One is the EMM integration, which gives us the ability to sync device and group information for FOTA activities management. A complete comparison list can be found on the Samsung Knox website.

At the launch of E-FOTA One, only VMWare Workspace One and Knox Management were available, but since May Microsoft Intune has been added as a supported EMM.

And when Microsoft Intune is involved in a solution, you've got my attention. So let's have a look at this new solution combined with Intune.

In short:
We start by requesting a trial license for Knox E-FOTA One. After that, we switch to the Azure portal to create an App registration for E-FOTA One in Azure Active Directory (AAD). When the App registration is finished, we switch back to the E-FOTA One portal to connect E-FOTA to Intune and sync the device group(s). As soon as the groups are synced, we assign the group a license.
As soon as this is all in place, it's time to create a campaign and assign it to a group.
Before we have a look at the end result, we deploy the Android app.

For my tests I used a Samsung S7 Edge with Android 8, which I enrolled in Intune using Samsung Knox Mobile Enrollment, as Fully Managed (Device Owner).

Pre-requisites

To use Knox E-FOTA One in combination with Microsoft Intune, there are some pre-requisites. These are the E-FOTA One pre-requisites:

  • Samsungknox.com account
  • A (trial) license for Knox E-FOTA One
  • Knox supported device with Android N or later (Android P or later for the OOBE experience)

These are the Microsoft Intune pre-requisites:

  • Microsoft Intune licenses
  • Application (Client) ID
  • Directory (Tenant) ID
  • Client secret

Request a Knox E-FOTA One (trial) license

I assume you already have a Samsung Knox account.
Knox E-FOTA can be found on the dashboard of your Samsung Knox account. Sign in to Samsung Knox.
Click Try for free under Knox E-FOTA.
On the next page, agree to the terms to open the Knox E-FOTA portal.

On the Licenses tab of the Knox E-FOTA portal, you can request a 90-day trial by clicking Get a license. Here you can also enter a license key if you have already purchased licenses for E-FOTA One.

If you need a trial, click Generate license.
My trial license was applied and activated in a couple of minutes. A confirmation email was received with the license information.

Create an App registration in Azure AD

E-FOTA One needs read access to our devices and (device) groups in AAD. These permissions are provided by creating an App registration in AAD. As part of the app registration we also create a client secret; with that secret string E-FOTA can prove its identity when requesting a token.
So there is actually no direct integration with Intune: what you provide is read access to Azure AD.

  • Sign in to the Azure portal
  • Browse to Azure Active Directory > App registrations
  • Click +New registration
  • Enter a Name
  • Keep Accounts in this organizational directory only selected
  • Click Register

Copy and save the values of Application (Client) ID and Directory (Tenant) ID for later use.

  • Browse to Certificates & secrets
  • Click New client secret
  • Enter a Description
  • Under Expires, select Never
  • Click Add

Copy and save the value of the client secret for later use.

  • Browse to API permissions
  • Click Add a permission
  • Click Microsoft Graph
  • Under Application permissions, search for Device.Read.All, Group.Read.All and DeviceManagementManagedDevices.Read.All and select those
  • Click Add permissions
  • Click Grant admin consent for <company name>
  • Click Yes when prompted

The App registration is finished.
The saved IDs and client secret are used in the next step, to connect E-FOTA to Intune.

Connect E-FOTA One to Microsoft Intune

To start syncing our Azure AD (device) groups, we need to connect E-FOTA One and Microsoft Intune using the App registration information.
By using our synced device groups, we can target different campaigns (more on that later) at different groups of devices.

  • Open the Knox E-FOTA portal
  • Browse to EMM groups
  • Click Connect EMM
  • Select Microsoft Intune
  • Enter the previously saved Application (client) ID, Client secret and Directory (tenant) ID
  • Click Connect
  • Select the Azure AD groups you'd like to sync to E-FOTA
  • Click Add E-FOTA groups

The connection between E-FOTA and Microsoft Intune is set up. The selected groups are synced and shown on the EMM groups tab.
Every six hours, groups are synced between Microsoft Intune (AAD) and E-FOTA One. You also have the option to perform a manual sync from the EMM groups tab.
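The App registration and group sync steps above come down to a standard client-credentials flow against Microsoft Graph: E-FOTA exchanges the client secret for a token scoped to the admin-consented application permissions, then reads the members of the selected groups. The script below is an added example (not Samsung's or Microsoft's code) that lets you check the same things yourself: it builds the token request, reads the roles claim from the returned token so you can confirm the registration carries exactly the three permissions granted above and nothing more, and filters device objects out of a Graph members page, because only devices can be targeted by a campaign. The tenant, client and group IDs, the sample members page and the sample token are constructed placeholders; the online part at the bottom expects the saved IDs and secret in environment variables.

```python
"""Offline checks for the E-FOTA One app registration and group sync.

Added example; uses only the Microsoft identity platform v2.0 token endpoint
and the Microsoft Graph v1.0 /groups/{id}/members endpoint. All IDs and
sample data are constructed placeholders.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
LOGIN = "https://login.microsoftonline.com"

# The three application permissions granted to the app registration in the post.
REQUIRED_ROLES = {
    "Device.Read.All",
    "Group.Read.All",
    "DeviceManagementManagedDevices.Read.All",
}


def build_token_request(tenant_id: str, client_id: str, client_secret: str):
    """Return (url, form_body) for a client-credentials token request.

    The client secret proves the app's identity; the .default scope asks for
    every admin-consented application permission of the registration.
    """
    url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    })
    return url, body


def roles_from_token(access_token: str):
    """Read the 'roles' claim from the app's own access token.

    Only the payload is decoded; the signature is for Graph to verify.
    """
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64)).get("roles", [])


def check_roles(granted_roles):
    """Compare granted roles with what E-FOTA needs. Returns (missing, extra)."""
    granted = set(granted_roles)
    return sorted(REQUIRED_ROLES - granted), sorted(granted - REQUIRED_ROLES)


def devices_in_group(members_page: dict):
    """Keep only device objects from a Graph /groups/{id}/members page.

    Users and nested groups are skipped: a firmware campaign targets devices.
    """
    return [
        {"id": m["id"], "deviceId": m.get("deviceId"), "displayName": m.get("displayName")}
        for m in members_page.get("value", [])
        if m.get("@odata.type") == "#microsoft.graph.device"
    ]


def make_sample_token(roles):
    """Build an unsigned, JWT-shaped string for offline testing (constructed)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return b64({"alg": "none"}) + "." + b64({"roles": roles}) + ".sig"


# Constructed sample of one Graph members page: two devices and one user.
SAMPLE_MEMBERS_PAGE = {
    "value": [
        {"@odata.type": "#microsoft.graph.device", "id": "11111111-1111-1111-1111-111111111111",
         "deviceId": "aaaaaaaa-0000-0000-0000-000000000001", "displayName": "S7-Edge-Lab"},
        {"@odata.type": "#microsoft.graph.user", "id": "22222222-2222-2222-2222-222222222222",
         "displayName": "Lab Admin"},
        {"@odata.type": "#microsoft.graph.device", "id": "33333333-3333-3333-3333-333333333333",
         "deviceId": "aaaaaaaa-0000-0000-0000-000000000002", "displayName": "S10-Pilot"},
    ]
}


if __name__ == "__main__":
    # Online use: the saved IDs and secret come from the environment, never
    # from source. Lists the devices of one synced group and audits the roles.
    url, body = build_token_request(os.environ["EFOTA_TENANT_ID"],
                                    os.environ["EFOTA_CLIENT_ID"],
                                    os.environ["EFOTA_CLIENT_SECRET"])
    with urllib.request.urlopen(url, data=body.encode()) as resp:
        token = json.load(resp)["access_token"]
    print("missing/extra roles:", check_roles(roles_from_token(token)))
    req = urllib.request.Request(f"{GRAPH}/groups/{os.environ['EFOTA_GROUP_ID']}/members",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        for d in devices_in_group(json.load(resp)):
            print(d["displayName"], d["deviceId"])
```

Run `check_roles` on the token periodically: any value in the "extra" list is a permission the integration does not need and that the secret would expose if it leaked.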

Assign a license to the EMM group

The next step is to assign an E-FOTA One license to the synced EMM group, so the members of the group are licensed.

  • On the EMM groups tab, select one or more groups
  • Click on Actions
  • Click Enroll devices in groups
  • Select the license
  • Click Done

The status of the group is switched to Enrolled.

If we click on the group name, the devices that are members of the group are shown. The status of those devices is now Enrollment Pending.


Create and assign a campaign

In a campaign we configure all the preferred options to deploy a new OS version or security patch to our managed Android devices. By creating different campaigns and assigning them to different groups, we can first test updates on a small number of devices before deploying them to all other devices.
In my example I create a campaign to update my old Samsung S7 Edge to the security patch of December 2019.

  • Browse to the Campaigns tab
  • Click Create campaign
  • Under Basic info give the campaign a Name and Description (optional)
  • Choose the date for the Campaign period under Schedule
  • Choose the Firmware installation period (at least a period of 3 hours)
  • Still under Schedule, choose a Firmware download period
  • Choose whether you allow an update to be postponed
  • Under Network and speed, pick the Download network
  • Make your choice for Battery level for installation under Device Condition
  • Make your choice for Factory reset (I would recommend using Intune for this, if you need to block factory reset)
  • Fill in the Support contact details
  • At the bottom choose a Model and Carrier code
  • Click Select from firmware list
  • Select the firmware version / security patch to deploy
  • Click Select
  • Back at the Campaign information tab click Create and activate
  • Browse to the EMM groups tab
  • Select the group of choice
  • Click Actions and click Assign campaign
  • Select the Campaign which you want to assign
  • Click Assign

The campaign is assigned to the EMM group.

Deploy the Knox E-FOTA One app

To manage the OS version and security patch updates, the Android app Knox E-FOTA One is needed on the devices.

Out-of-box installation of the Knox E-FOTA client app is available for devices purchased through a reseller that run Android P or later; on those devices the client app is installed automatically during the out-of-box experience.

If this is not the case for your devices, you can still use Microsoft Intune to deploy the app to the device.

The E-FOTA One app typically prompts the user to read and accept the privacy policy. We can prevent this by updating the Privacy policy setting.

  • Click your account name in the top right corner of the E-FOTA portal
  • Click Privacy policy setting
  • Select Skip Knox E-FOTA Terms & Conditions and Privacy Policy
  • Click Save
  • Confirm by clicking Change

I won't go into detail on how to deploy the app using Microsoft Intune.
Search Managed Google Play via Intune for Knox E-FOTA and you will find the app.

With all previous steps taken, the setup is finished. Time for testing our security patch deployment!

The end-result

Let's first have a look at the end user's device.

As soon as you open the app, you see the enrollment status of the device. The user can manually check for campaign updates.
Clicking on the three dots only gives you Software information, Support and About.

As soon as a campaign is applied, the enrollment status changes to Campaign active.

If a new OS version or security patch is assigned, a pop-up is shown on the device to notify the user.

In the E-FOTA app, information about the upcoming firmware update is shown, including when the update will be installed.

When the installation time period is reached, the installation screen is shown with the auto-install timer.
If the user is allowed to postpone the update, that option is also shown.

The installation is complete.

Let's switch to the E-FOTA portal.
On the Dashboard tab, you find an overall overview (yes, my lab is pretty empty) of the enrolled (or failed) devices.

The previously created campaign is active; on the Devices tab the status "update is installing" is shown.

From the Campaigns tab, you can see the success rate of the active campaigns.

Short conclusion

If you need to take full control of the OS version and patch updates of your Samsung devices, E-FOTA One is a welcome solution. Everything that is available at this moment works as expected. We're able to sync device groups from Azure AD, so we can target different campaigns at different groups. With this we are able to create deployment rings, to first test new updates on a small number of devices.
A small thing I don't like (but maybe I missed something): before the enrollment of a device is finished, the app needs to be opened once by the end user, even if the change in the Privacy policy setting has been made.

I'm curious what the next releases will bring to E-FOTA One, as this is still a pretty new solution. I'll keep an eye on the release notes.

PS: Thanks Leon for pointing me to this new solution.
