Knox E-FOTA One (for Both One UI and One UI Core)
This version works on Samsung Galaxy devices with One UI and the latest One UI Core devices (e.g., Galaxy A22). For any earlier One UI Core models (e.g., Galaxy A21s), please use a different version of the Knox E-FOTA One agent available at https://play.google.com/store/apps/details?id=com.samsung.android.knox.core.efota.
You can also see the full list of supported devices at http://www.samsungknox.com/supported-devices.
About Knox E-FOTA
Knox E-FOTA (Enterprise Firmware-Over-The-Air) is a business solution that allows IT administrators to control OS versions on Samsung mobile devices:
1) Ensure that the latest security patches are deployed to corporate devices on schedule.
2) Test new OS versions before deployment, ensuring compatibility for in-house apps.
Mandatory Firmware Update—Push firmware updates for highest level of security and be compliant of company IT regulations.
Stable OS Deployment for Business Apps/Services—Create an IT environment that guarantees the highest performance of corporate applications.
Flexible OS Update Options—Provide various options to cover any type of business operation without sacrificing the business outcome.
Note to End Users
The Knox E-FOTA One application works only when your device is registered on the Knox E-FOTA One console by your IT administrator.
Please contact your IT administrator if you face any technical issues installing and/or using this app.
The following permissions are required for the app service. For optional permissions, the default functionality of the service is turned on, but not allowed.
- Telephone: Used to check device-unique identification information for Knox E-FOTA One service (IMEI, Device ID)
- Storage: Used to store the firmware files
By Lothar Zeitler – Senior Program Manager | Microsoft Endpoint Manager - Intune
The E-FOTA service is provided by Samsung as part of Samsung Knox and can be connected to Microsoft Endpoint Manager. In this blog article, we look at the possibilities of E-FOTA in combination with Enterprise Mobility Management (EMM) and how to connect E-FOTA with Microsoft Endpoint Manager.
Note: Knox E-FOTA requires licensing from Samsung. See: Knox licenses (samsungknox.com) to learn more.
With the Knox service, Samsung offers E-FOTA (Enterprise Firmware-Over-The-Air) updates for Samsung Android devices. With E-FOTA, for example, device groups can be created for individual update settings, such as which updates are to be installed on the devices and at what times. In addition, admins can set whether the user is still allowed to change the device configuration or not. E-FOTA offers granular update management for corporate devices.
Devices managed in Microsoft Intune can be integrated into E-FOTA update management. Devices do not have to be adopted specifically into E-FOTA (e.g. CSV import), but can be added and managed immediately with group membership. As a further advantage, it can be ensured that only devices managed by Intune are managed with E-FOTA.
Device groups in Azure Active Directory (Azure AD) can be used to classify devices which will be assigned to the corresponding E-FOTA configuration groups (campaigns) in E-FOTA. Examples can be pilot groups to test firmware updates, or groups for corporate divisions which will receive different versions of updates or kiosk devices which will execute update installation in a certain time window.
These E-FOTA groups (campaigns) can each have different update settings and the corresponding Azure AD device groups can be assigned to them individually. Thus, if an Azure AD group is assigned to a campaign, all the Azure AD group devices receive the settings from the campaign to which the Azure AD groups are assigned.
This article requires Azure AD and that the device management is in Microsoft Intune. Besides Intune and Azure AD, we also need access to Samsung Knox.
The following demonstrates how to use E-FOTA within an existing Intune environment where Samsung devices are already managed.
In the Intune console, we see two Samsung devices:
(Devices – Android Devices)
Intune admin console - All Android devices blade
To get started, an Azure AD group needs to be created that contains these two Samsung models, this will bring them into the update management in E-FOTA later. The group is dynamically created to automatically add new registered Samsung devices. If new devices come into the group, they are also automatically assigned to the setting assigned to the appropriate campaign in E-FOTA.
To create a dynamic group, we go to Groups > New Group in the Intune console. In this example, we use "Samsung EFOTA G950U1 A520F" as the name. Because devices are to be added to the respective devices’ group, we use the Dynamic Device group type.
Dynamic Device group configuration
For the group criteria, we use Samsung as the manufacturer, as well as specific models for a granular control of the group membership.
The criteria in our example is:
Note that more complex logical groupings can no longer be displayed in the UI/Querybuilder and therefore it must be entered in the Rule Syntax field. After entering the rule, Save and Create to confirm your rule. The devices will be added automatically to the group. Keep in mind, the process of adding devices can take a few minutes.
Dynamic membership rule configuration
After the first Azure AD group for E-FOTA has been created, E-FOTA and Intune must be connected. The communication between E-FOTA and Azure AD takes place via the Graph API. Access to Azure AD resources, such as groups, requires identification in Azure AD. An application must be registered in Azure AD for this purpose. An application can be a web or mobile app as well as a web-API.
Note:This Samsung Knox site offers great guidance on E-FOTA.This blog essentially follows this guide.
First, the app must be registered in Azure AD. The best way to do this is to use the Azure Portal (portal.azure.com). A new app can then be registered under Azure AD > App registrations > New registration.
On the registration page, the name of the app needs to be specified. The app should only be made known for the organization by selecting Accounts in this organizational directory only. The Register action finishes the registration in Azure AD.
Knox E-FOTA One app registration
After successful registration, a summary of the registration appears. For further configurations, it is important to remember the Application (client) ID and the Directory (tenant) ID.
Knox E-FOTA One app registration summary
The next step is to create a client secret. This ensures that it is only possible to communicate with the app if the client secret is known. To create a client secret in Azure AD for the Knox E-FOTA One app, go to Certificates & secrets via the app properties and then select the New client secret option in the Client secrets section. Add a Description, we suggest including the name, e.g. "Client secret for Knox E-FOTA One" and select when the secret should expire. In this example, we set the value to "never." Add generates the Secret.
Knox E-FOTA One - Clients & secrets configuration
The generated client secret is required on a later step.
Client secret for Knox E-FOTA One
As a last step, API entitlements need to be set. Access to Intune Groups is performed by Microsoft Graph, which ensures that the devices administrated in Intune are established in E-FOTA. The following requirements are needed:
The entitlements can be added through API-Permissions and Add a permission. Microsoft Graph is selected on the page Request API permissions.
API permissions request for Microsoft Graph
Select API Permission in the following dialog box and search for the permissions Device.Read.All, Group.Read.All and DeviceManagementManagedDevices.Read.All. Add them by clicking Add permission. If this process is completed, the relating permissions will have to be acknowledged with the command Grant admin consent for <org>.
API Permission request - Granting admin consent for your organization
At this point, the configuration in Azure AD is complete. The following steps must be set out in the Samsung Knox E-FOTA console:
Here it is important to establish the connection from E-FOTA to the corresponding Azure AD. This is done via the app that was previously created in Azure AD. After logging into the Samsung Knox setting, Microsoft Intune can be added by selecting EMM Groups and Connect EMM in the E-FOTA section.
After clicking Microsoft Intune, the following dialogue will appear: «Connect with your EMM Dialog». The values for Client ID, Client Secret and Tenant ID are learned from the Azure AD app’s properties Knox E-FOTA One.
Connect with your EMM dialog box
After registering successfully, device groups from Azure AD will be displayed.
Here, we select the dynamic group which was set up at the beginning. Later, further groups can be added as well.
Add dynamic device groups to E-FOTA
All the devices which are members of the group will be added in E-FOTA. An explicit registration of the devices in Samsung Knox is not necessary.
Note: EMM groups with E-FOTA:
- Groups are synchronized every six hours.
- Devices deleted in EMM are deleted from E-FOTA as well.
- Devices added to an EMM group are added to E-FOTA automatically.
- If devices are transferred to another EMM group, the assignment will reflect in E-FOTA accordingly.
Learn more about Managing EMM groups (samsungknox.com).
If the devices are in the E-FOTA system, these can become part of a campaign. Each campaign, in turn, can contain an individual setting profile. In the E-FOTA console you’ll find a menu entry to configure a campaign.
Screenshot of the Knox E-FOTA Campaigns console
With the function Create Campaign, a new update configuration can be created in E-FOTA.
In this example, the campaign is named, ”EFOTA for Intune Devices”. Various settings can be configured after the campaign is created.
Knox E-FOTA portal - New campaign information
As the final step, the devices must be assigned to the campaign. Under Assign devices and firmware you will find the corresponding option, Assign Devices.
Knox E-FOTA portal - Assigning devices
Note: In the case of devices that have been recently added, it can take several hours until the list showing the available firmware options is generated.
Knox E-FOTA portal - Selecting the target firmware to push to devices
Learn more on how to Create a campaign (samsungknox.com).
After Azure AD and E-FOTA have been configurated, the devices still need to be set up in Microsoft Intune so that the device can establish a connection with the E-FOTA service.
Regarding this step, there are two possibilities in Microsoft Intune:
The E-FOTA app can be downloaded/pushed to the Samsung devices with the Intune app installation. After the app is installed, the device is ready to be included in a campaign but the user has to activate the device by starting E-FOTA.
The second option is to automate the process. With Microsoft Intune, OEMConfig profiles can be created and configured to help set up the E-FOTA client on Samsung devices. The installation/configuration of the required software happens fully automated. Only the E-FOTA disclaimer must be confirmed once.
Note: Additional Information on OEMConfig can be found on: Use OEMConfig on Android Enterprise devices in Microsoft Intune - Azure | Microsoft Docs.
Automating the process is more complex, we will walk you through the steps.
First you must create an Android Enterprise Configuration Profile with the type OEMConfig.
Android Enterprise Configuration Profile with the OEMConfig profile
After choosing a profile name, the Knox Service Plugin (KSP) is selected. The KSP processes the OEMConfig profile’s settings.
Selecting the Knox Service Plugin as the OEMConfig app
Under Configuration Settings, the E-FOTA special settings can then be searched and configured. It is also possible to make further, non-E-FOTA settings here. To find the E-FOTA options, you can search via the locate link with the search term E-FOTA.
Enabling the E-FOTA settings
After adding the E-FOTA options to the configuration, the settings can be configured.
Configuring the E-FOTA options
The last step is to automatically assign the device group to be configured using OEMConfig. This is done under assignments.
Once the assignment has been made, the registration with the E-FOTA service and the setting of the parameters from the OEMConfig proceeds largely automatically. Not much can be seen on the respective device itself during execution. In the system notifications of the device, the actions (e.g. installation of E-FOTA) or the sequence can be tracked.
The only necessary interaction is to confirm the E-FOTA disclaimer. Below, screenshots show a few notifications during the installation/configuration processes as well as the disclaimer.
User experience to confirm the E-FOTA disclaimer
If a device is successfully assigned to a campaign, it receives the update management settings from E-FOTA. The E-FOTA console can be used to check the devices' status and their allocation to campaigns. If the status is "Campaign active", the device updates are successfully managed through E-FOTA.
Knox E-FOTA portal - Device overview
Samsung Knox offers granular update management by E-FOTA services for Samsung devices. These settings are in addition to the standard EMM settings. With the integration of Azure AD, Microsoft Intune and Samsung E-FOTA, the strengths of the respective platforms can be easily combined.
For further information on E-FOTA, see: Knox E-FOTA (samsungknox.com) to learn more.
If you have any questions on this post, just let us know by commenting back on this post. You can also ask quick questions at @IntuneSuppTeam out on Twitter.
Blog post updates:
12/22/20: Clarified post that Samsung E-FOTA Update Management requires licensing from Samsung.
Using Samsung E-FOTA
Enterprise Firmware Over the Air (E-FOTA) is a software update mechanism developed by Samsung that allows you to control the rollout of software updates to your enterprise devices. Every software update brings a possibility of malfunctions, whether they are due to compatibility issues with other software or new security vulnerabilities. E-FOTA allows you to delay an update while you thoroughly test its functionality across the devices in your deployments. When you are satisfied with an update's stability, you can distribute the update to your devices in a controlled manner.
You can also use E-FOTA to force devices to stay up to date with the latest version or, in some cases, skip over updates. You cannot, however, use E-FOTA to downgrade a device's software to an earlier version. In all cases, device users cannot block the upgrade and their interaction is not required.
E-FOTA manages all of Samsung's official firmware updates including major firmware upgrades (for example, Android 8.0), security patches, bug fixes, and app updates. The E-FOTA server provides a list of available firmware versions which include a description of the contents of each update.
E-FOTA is supported on Samsung devices running Android 7.0 or later with Samsung Knox 2.71 or later. You must purchase E-FOTA licenses from Samsung or an authorized reseller to use the feature. Once you have acquired your licenses and added them to SOTI MobiControl, you can enroll your devices in E-FOTA and begin managing their update process.
Visit Samsung E-FOTA for more information on the capabilities of E-FOTA.
.How to upgrade via FOTA on Samsung Devices
You will also like:
- Buffy costume ideas
- Benjamin moore brown paint
- 2000 peterbilt 357
- Inflatable bimini top
- W202 for sale
- Us form 1040 instructions
- Vagina infection medication
- Pitbull puppies syracuse ny
- Unicorn mayonnaise
- Ibex rv reviews
- Cabins in smokeys
- Ps4 ip address puller