Menu

Add Knox E-FOTA to your Android app

Your Android app runs on Samsung devices to:

  • Enable over-the-air (OTA) firmware updates
  • Set the maximum firmware version allowed on a device

This section uses sample Java code to show how to manage a device.

Prerequisites

Before you start, complete the following requirements for adding Knox E-FOTA to your Android app:

  1. Download the Knox SDK—This SDK provides access to the API methods that enterprises can use to manage their Samsung devices. Download the SDK through KPP.
  2. Activate your Knox license—For the latest and complete details, see the tutorial on how to Activate your Knox license.

Enable OTA firmware updates

To allow a device to update its firmware Over-The-Air (OTA), use the Knox SDK API method RestrictionPolicy.allowOTAUpgrade.

Example:

EnterpriseDeviceManager edm = (EnterpriseDeviceManager)
    getSystemService(EnterpriseDeviceManager.ENTERPRISE_POLICY_SERVICE);
RestrictionPolicy restrictionPolicy = edm.getRestrictionPolicy();
try {
    boolean allowOTAUpdate = true;
    restrictionPolicy.allowOTAUpgrade(allowOTAUpdate);
} catch (SecurityException e) {
    Log.w(TAG, "SecurityException: " + e);
}

Set firmware update permissions

To allow or prevent firmware updates to a device, use the Knox SDK API method RestrictionPolicy.allowFirmwareRecovery.

Set the API method to the following parameters

  • true—To allow firmware updates.
  • false—To prevent firmware updates.
Note—When allowing firmware updates, ensure that the device is also reverted back to getting firmware updates from its original B2C FOTA server. For more details, see Revert back to B2C FOTA server for firmware .

Example:

EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
RestrictionPolicy restrictionPolicy = edm.getRestrictionPolicy();
try {
    boolean allow = false; // disallow firmware recovery
    if (restrictionPolicy.allowFirmwareRecovery(allow)) {
        Log.w(TAG, "firmware recovery is not allowed");
    } else {
        Log.w(TAG, "Failed to set the policy.");
    }
} catch (SecurityException e) {
    Log.w(TAG, "SecurityException: " + e);
}

Check firmware recovery permission

To verify if a firmware recovery is allowed on a device, use the Knox SDK API method RestrictionPolicy.isFirmwareRecoveryAllowed.

The API method will return the following expected values:

  • true—Firmware recovery is allowed.
  • false—Firmware recovery is disallowed.

Switch to B2B Knox E-FOTA server for firmware

To specify the highest firmware version allowed on a device, use the Knox SDK API method RestrictionPolicy.setAllowedFOTAVersion.

By doing this, you switch the device from getting firmware from the Samsung B2C FOTA server to the B2B Knox E-FOTA server.

NOTE—AT&T and Verizon provide firmware updates from their own servers and don't use the Knox E-FOTA service.

First, identify the group of devices you want to switch, by specifying the MDM, customer, and device group. When you request a Knox E-FOTA license, you get your MDM ID and also a Customer ID. You can select your own name for a device group.

In the following example, we set the firmware version for:

  • MDM ID—d1e2f3g4h5
  • Customer ID—IDEEEE4444-FF55-AA66-BB77-CCCCCC888888
  • Group ID—TEST DEVICE GROUP

We will set the firmware version using these string values, note that these three values form a corpID.:

  • ap_versionG930FXXU1DQB3  (Application Processor)
  • csc_versionG930FOXA1DQB1  (Consumer Software Customization)
  • cp_versionG930FXXU1DQB1  (Cellular Processor)

Example:

EnterpriseDeviceManager edm = (EnterpriseDeviceManager) getSystemService(EnterpriseDeviceManager.ENTERPRISE_POLICY_SERVICE);
RestrictionPolicy restrictionPolicy = edm.getRestrictionPolicy();
// set the highest firmware version the device can update to
try {
    Bundle bundle = new Bundle();
    String str_corpId = "MDM_ID/Corp_ID/Group_ID";
    bundle.putString(RestrictionPolicy.UPDATE_FOTA_CORPID, str_corpId);

    boolean result = restrictionPolicy.setAllowedFOTAVersion("G920FXXU3DPDO/G920FXXU3DPA1/G920FOXA3DPD2", bundle);
    if (true == result) {
        // IT admin will be received the result by intent
    }
} catch (SecurityException e) {
    Log.w(TAG, "SecurityException: " + e);
}

Revert back to B2C FOTA server for firmware

Revert a device back to a B2C FOTA server by setting the corpID to null and by setting the following restrictionPolicy.setAllowedFOTAVersion parameters to null:

  • targetFirmwareVersion
  • bundle
NOTE—Depending on the network, server registration requires 2 seconds or more to respond with a result. When making consecutive setAllowedFOTAVersion() calls, allow the server to respond with a result before making the next call to prevent unexpected results.

Examples:

// reverted to receive updates from B2C FOTA server boolean result = restrictionPolicy.setAllowedFOTAVersion(null,null);

// receives firmware updates from B2B Knox E-FOTA server boolean result = restrictionPolicy.setAllowedFOTAVersion("G920FXXU3DPDO/G920FXXU3DPA1/G920FOXA3DPD2", bundle);

Listed in the table below are details on what happens when the corpIdand target firmware version exist or are null:

CORP ID Target Version B2B/B2C Result Target Version Operation
Exists
Exists
If device was previously registered as B2C or registered as B2B with a different Corp ID, the device will be registered with the B2B FOTA server with the specified Corp ID. Whether the device is newly registered or not, the device will only update to the specified target firmware passed to the setAllowedFOTAVersion API.
Exists
Null
If the device was previously registered as B2C or registered as B2B with a different Corp ID, the device will be registered with the B2B FOTA server with the specified Corp ID. Whether the device is newly registered or not, devices will be able to update the latest firmware available.
Null
Null
If a device was previously registered as B2B, the device will be removed from the B2B server and the device will now receive updates from the B2C FOTA Server. Devices will be able to update to the latest firmware available.
Null
Exists
Device will fail to register. No change in where the device receives its FOTA updates.