Integrating Samsung Knox E-FOTA One with Microsoft Intune

This week is all about Samsung Knox Enterprise Firmware-Over-The-Air (E-FOTA). Samsung Knox E-FOTA is available in three editions, of which Samsung Knox E-FOTA One is the most advanced edition. That edition is also the subject of this post. Knox E-FOTA enables organizations to manage OS versions and security updates on corporate Samsung Knox devices. That enables organizations to extensively test updates on their devices in combination with their apps to make sure that new OS versions and security updates won’t cause any issues. Together with Microsoft Intune that experience can be even better. Microsoft Intune can be used to configure already managed Samsung Knox devices to use Knox E-FOTA and Microsoft Intune can also be used to synchronize groups with Samsung Knox devices to Knox E-FOTA. Those groups with devices can be used for targeting and enrollment in Knox E-FOTA. To get to the full experience, this post will go through the following:

Important: Knox E-FOTA One requires a paid license. More information about Samsung Knox licensing can be found here.

Note: Knox E-FOTA One doesn’t need to be used in combination with an MDM solution. It can also be used as a standalone solution for managing OS versions and security updates.

Synchronizing groups with Knox E-FOTA One

The main integration between Knox E-FOTA One and Microsoft Intune is the ability to synchronize groups from Microsoft Intune – technically Azure Active Directory (Azure AD) – to Knox E-FOTA One. Those groups can be used to synchronize the devices in that group, to enroll those devices, to automatically assign a license to those devices and to assign a campaign to those devices. To achieve that integration, an app should be registered in Azure AD that provides the required permissions to Knox E-FOTA.

Create an app registration in Azure AD to provide the required permissions

The first action is to create an app registration in Azure AD to provide the required permissions via Microsoft Graph to Knox E-FOTA. That app registration contains two important configurations that are required for Knox E-FOTA. The app registration needs the correct permissions and a client secret should be created for usage within Knox E-FOTA. The bullets below go through the minimal configuration that is required and will make sure that the required access is available.

  • Open the Azure portal, navigate to Azure Active Directory > App registrations to create a new app registration and save the Directory (tenant) ID and the Application (client) ID (available at the locations with the green arrows in Figure 1) for usage within the Knox E-FOTA configuration
  • Navigate to API permissions, provide the app registration with at least the application API permissions of Device.Read.All, DeviceManagementManagedDevices.Read.All and Group.Read.All and grant admin consent for those permissions (as shown in Figure 2), to make sure that Knox E-FOTA will have enough permissions to perform the required actions
  • Navigate to Certificates & secrets, create a new secret and save the value (available at the location with the green arrow in Figure 3) for usage within the Knox E-FOTA configuration

Connect Knox E-FOTA One with Azure AD

The second action is to connect Microsoft Intune – technically Azure AD – as an EMM in Knox E-FOTA. That connection will enable Knox E-FOTA to synchronize groups and group members for usage within Knox E-FOTA. The bullets below go through the required steps to connect Microsoft Intune as an EMM.

  • Open the Knox E-FOTA portal, navigate to EMM groups and click CONNECT EMM
  • On the Pick your EMM to manage devices page (as shown in Figure 4), select Microsoft Intune
  • On the Connect with your EMM page (as shown in Figure 5), provide the Client ID (as shown in Figure 1), the Client Secret (as shown in Figure 3), the Tenant ID (as shown in Figure 1) and click CONNECT
  • On the Add device groups to E-FOTA page (as shown in Figure 6), switch the SYNC slider with the required groups and click ADD E-FOTA GROUPS

Once the required device groups are enabled for synchronization to Knox E-FOTA, the synchronization will start. Once the synchronization is finished, the groups will be available as EMM groups and will show the number of synchronized devices in that group (see Figure 7).

Note: The device groups are synchronized every 6 hours from Microsoft Intune to Knox E-FOTA One. 
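A preflight check for the app registration and the groups described above, added here as an example and not part of the original post or of Knox E-FOTA itself: it requests a token with the client credentials flow (the same secret and IDs from Figures 1 and 3), reads the members of a group through Microsoft Graph as the granted Group.Read.All and Device.Read.All permissions allow, and counts how many members are actually device objects. The Graph endpoints are the standard ones; the sample response is constructed, and the presence of the `manufacturer` property on device objects is assumed.

```python
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

def get_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials token for the app registration, scoped to Graph (.default)."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret,
                                   "scope": "https://graph.microsoft.com/.default"}).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]

def list_group_members(token: str, group_id: str) -> list:
    """Read all members of the group, following @odata.nextLink for large groups."""
    url = f"{GRAPH}/groups/{group_id}/members"
    members = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        members.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return members

def summarize_members(members: list) -> dict:
    """Count device vs. non-device members; only device objects are relevant to E-FOTA."""
    summary = {"devices": 0, "samsung_devices": 0, "non_device_members": 0}
    for m in members:
        if m.get("@odata.type") != "#microsoft.graph.device":
            summary["non_device_members"] += 1  # users, nested groups, service principals
            continue
        summary["devices"] += 1
        if "samsung" in (m.get("manufacturer") or "").lower():
            summary["samsung_devices"] += 1
    return summary

# Constructed sample in the shape of a Graph /members response (not real tenant data).
SAMPLE_MEMBERS = [
    {"@odata.type": "#microsoft.graph.device", "displayName": "SM-G991B-01",
     "manufacturer": "samsung", "model": "SM-G991B"},
    {"@odata.type": "#microsoft.graph.device", "displayName": "Pixel-01",
     "manufacturer": "Google", "model": "Pixel 6"},
    {"@odata.type": "#microsoft.graph.user", "displayName": "Jane Doe"},
]
```

For a live check, call `get_token` with the Tenant ID, Client ID and secret, then `summarize_members(list_group_members(token, group_object_id))`; a group whose members are users rather than device objects shows up here as zero devices. `summarize_members(SAMPLE_MEMBERS)` shows the output shape offline.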

Enroll devices in groups in Knox E-FOTA One

When the Samsung Knox devices and the device groups are synchronized into Knox E-FOTA, it’s time to enroll those devices. When a Samsung Knox device is enrolled into Knox E-FOTA, that device can be assigned to a campaign. Enrollment also enables the campaign configuration to create specific configurations – besides locking the current firmware – that are related to the enrolled devices. Enabling a Samsung Knox device to enroll into Knox E-FOTA requires a configuration in Knox E-FOTA One.

  • Open the Knox E-FOTA portal, navigate to EMM groups, select one or more of the just synchronized device groups and select ACTIONS > Enroll devices in groups
  • On the Select License page (as shown in Figure 8), select the license and click DONE

Once the required active license is assigned to the device group, that changes the status of the device group from Synced to Group enrolled (see Figure 9).

Once a license is assigned to a Samsung Knox device, that device can actually enroll into Knox E-FOTA. When using Knox E-FOTA in combination with Microsoft Intune, the most obvious methods for enrolling a Samsung Knox device into Knox E-FOTA are OEMConfig for existing devices and the out-of-the-box experience for new devices. The out-of-the-box experience doesn’t need any additional configuration once the license is assigned. The Samsung Knox device will simply check in with Knox E-FOTA and the magic will happen automatically. This should be the preferred option.

The OEMConfig method for existing devices does require some additional configuration in Microsoft Intune. The main configuration requirements and steps can be found in an earlier post here. Within an OEMConfig profile, in the Firmware update (FOTA) policy section, at least Enable firmware controls and Enable E-FOTA client installation & launch should be set to true (as shown in Figure 10). The first setting makes sure that the settings in that section are applied and the second setting actually triggers the installation and automatic configuration of Knox E-FOTA.

Create and assign a campaign in Knox E-FOTA One

To actually start managing OS versions and security updates on Samsung Knox devices, a campaign should be created in Knox E-FOTA. That campaign contains the actual update configuration information. That includes information about the schedule, the network and speed, the device conditions, the support contact and the actual firmware version. The bullets below go through the steps to create a campaign.

  • Open the Knox E-FOTA portal, navigate to Campaigns and click CREATE CAMPAIGN to open the Campaign information wizard
  • In the BASIC INFO section (as shown in Figure 11), provide the following information
    • Campaign name: Specify a name for the campaign to distinguish it from other similar campaigns
    • Description: (Optional) Specify a description for the campaign to further differentiate campaigns
  • In the SCHEDULE section (as shown in Figure 12), provide the following information
    • Campaign period: Configure the period when Samsung Knox devices start downloading and installing the required update, by setting a fixed period with a Start date and End date or by setting a Start date only
    • Firmware installation period: Configure the timeframe within the campaign period when Samsung Knox devices start installing the required update, by selecting a timeframe
    • Firmware download period: Configure the timeframe within the campaign period when Samsung Knox devices start downloading the required update, by selecting Anytime or a timeframe
    • Postpone installation: (Optional) Configure if the user is allowed to postpone the installation and configure how often that’s allowed and the duration between the reminders

Note: Keep in mind that this configuration only guarantees that the installation and download is started within the configured timeframe.

  • In the NETWORK AND SPEED section (as shown in Figure 13), provide the following information
    • Download network: Configure the network that the Samsung Knox devices should be using for downloading the required update, by selecting Wi-Fi only or Any (Wi-Fi or Mobile)
    • Download speed: (Optional) Configure the download speed that the Samsung Knox devices should be using for downloading the required update, by specifying a number of MB in 10 mins
  • In the DEVICE CONDITION section (as shown in Figure 14), provide the following information
    • Battery level for installation: (Optional) Configure how much battery life Samsung Knox devices must have for starting with installing the required update, by selecting a percentage
  • In the FACTORY RESET section (as shown in Figure 15), configure if a factory reset is allowed
  • In the SUPPORT CONTACT DETAILS section (as shown in Figure 16), provide the following information
    • Phone number: (Optional) Specify a phone number that can be used for contacting support
    • E-mail address: (Optional) Specify an email address that can be used for contacting support
  • In the ASSIGN DEVICES AND FIRMWARE section (as shown in Figure 17), configure a line in the table for every Samsung Knox device model that should be supported with this campaign
    • For each MODEL, configure the FIRMWARE VERSION by choosing between Latest firmware, Lock current firmware or Select from firmware list to determine the firmware version that should be running on the assigned Samsung Knox devices
      • When selecting Latest firmware, choose between Any or Up to to determine whether the latest firmware version is of the latest supported OS version or of the specified OS version
      • When selecting Select from firmware list, simply select a firmware version from the list

Important: Note that ASSIGN DEVICES is not used in this section, as the idea is to use the synchronized device groups from Microsoft Intune for assigning the campaign.

Once the campaign is created, it can be assigned to Samsung Knox devices. The easiest method to assign the campaign to specific devices – and the goal of this post – is to assign the created campaign to a synchronized device group. That also makes sure that new Samsung Knox devices – assuming that those are part of the synchronized device group – are automatically assigned to the required campaign. That assignment can be created by navigating to EMM groups, selecting the required device group and clicking Actions > Assign campaign. That brings up the Select campaign page (as shown in Figure 18) to select the created campaign.

Once the campaign is assigned to the specified device group, the Campaign column of that device group changes to the name of the campaign and the Campaign status changes to Active (see Figure 19).

Note: After the campaign is active, the Knox E-FOTA app automatically polls once every 24 hours to check for any policy changes made to the campaign.

Experience the user experience with Knox E-FOTA One

The user experience is pretty seamless no matter the configuration path that’s been used. A new Samsung Knox device, or a newly configured Samsung Knox device, will automatically enroll into Knox E-FOTA after the enrollment into Microsoft Intune. The Knox E-FOTA app is installed and requires the user to ACCEPT AND CONTINUE (as shown in Figure 20). After that the Knox E-FOTA policy is downloaded and applied (as shown in Figure 21). Once Knox E-FOTA is configured, the app shows the assigned campaign and its status.

The same user experience is applicable to already existing Samsung Knox devices. Those devices are configured by using OEMConfig with the Samsung KSP app. Once the configuration is applied, the Knox E-FOTA app will be installed and the same user experience will start.

More information

For more information about Microsoft Intune and Samsung Knox E-FOTA One, refer to the following docs.

13 thoughts on “Integrating Samsung Knox E-FOTA One with Microsoft Intune”

  • Hi Peter!
    First, thanks for a great article.
    I also wonder if you have had any experience with E-Fota in a Managed Home Screen environment.
    I manage to get the E-Fota app installed by using the “Enable E-FOTA client installation & launch” option in KSP, it installs the app but it is never launched. My guess is that some additional system apps must be enabled but I don’t know which.

  • Hi,
    I have a problem with the group in the E-FOTA administration.
    I was able to connect to AAD. I have a choice of groups that I want to connect to Knox administration.
    After selecting a test group, I don’t see the devices in the group, even though the groups are populated with devices in Azure/Intune administration.

    Don’t know where the error could be?
