How to block Firmware updates on your Samsung Devices with Workspace One

This article is going to describe how to “Block” OS upgrades on Samsung devices using Workspace One UEM wherever your device are Android Enterprise or Device Admin.

In order to do so, we will need to Blacklist the application process which are responsible to process the Device Firmware upgrade.

1.) Building an App Groups containing the blacklist of these applications.

In your WS1 tenant go to APPS&BOOKS –> Application Settings –> App Groups and then Click “Add Group”.
Follow the screen shot as a sample and add your applications to be Blacklisted.
(I have added below the App list so you can copy past)
Assign then this App Group to the OG Desired.
PS: this will not take effect until applying the Application Control profile.
Application NameApplication ID
Software Updatecom.wssyncmldm
FOTA Clientcom.sec.android.fotaclient
SDM & Sync Servicecom.samsung.sdm
sync servicecom.samsung.syncservice
ATT updatecom.ws.dm
This list will vary depending on the device model as well as the carrier type device. For example ATT has specific software to Upgrade their Samsung devices.

If you have carrier specific Samsung device I recommend to use one of the free tool as per below to identify the Bundle ID of the App so you can block it.

This App once installed will provide a live overlay on your device showing the name of the Android process you are sitting. To identify the Firmware upgrade App simply navigate to Settings and look for the Firmware upgrade section. I will then show the bundle ID that you can then enter in the Blacklist field as per above.

2.) Deploying the Application Controle Profile to your devices.

In WS1 Console, go to Devices –> Profiles&Ressources –> Profiles then click Add Profile.
In the Android legacy or Enterprise profile payload chosen, ensure that you tick the box for Disable Access to Blacklisted Apps. If you are using Android Enterprise make sure to choose Work managed and or Work profile depending in your use case.

You can then assign the profile and verify on your device that you cannot access to the firmware update section.

While this method of blocking Apps in order to stop the Firmware update to function is working just fine, I recommend to use API driven functionality as it is lot more standard, consistent and secure. For this as part of the OEM config methodology (See here to understand more about OEM Config) Samsung has developed KNOX Service Plugin which is an App plugin where we will configure an App Config in order to apply certain policies to your devices. PS: This is only available on Android Enterprise use case.

Follow below steps in order to access the option to Block Firmware upgrade using OEM Config (KSP Knox Service Plugin) for Samsung devices:

In the WS1 UEM console go to Apps&Books –> Application –>Native –> Public then click Add Application.
Select the Android Platform and type the KSP name and click search.
Approve the App and accept the App permissions on behalf of the user.
Select the smart group or OG of your devices, select Auto deployment then click on Application Configuration.
Select Send configuration and click onto “Device-wide Policies” Configure button
In the firmware Update Policy you can now configure to granularly control how you want the OS upgrade to be configured. Make sure you select first Enable firmware controls to Enable.You can now save and assign this configuration and verify the result on the device.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at WordPress.com.

Up ↑

%d bloggers like this: