Back to top


Last updated July 26th, 2023

Knox E-FOTA enables enterprise IT admins to remotely deploy OS versions and security updates to corporate devices without requiring user interaction.

Test updates before deployment to verify compatibility between in-house apps and new OS versions, all while increasing the security of enterprise devices by ensuring the latest security patches are deployed on a schedule.

Three Galaxy smartphones with screens showing firmware update progress.


This document is intended for:

  • System Security Architects — Understand how Knox E-FOTA works, and how you can use it to update fleets of enterprise devices.
  • IT Admins — Learn to manage over-the-air updates for enterprise devices.

Try the solution

Streamline your mobile update workflow using Knox E-FOTA. Enable version control management, and deploy OS updates by setting updates to occur outside business hours to avoid disruptions to productivity.

About Knox E-FOTA

Knox E-FOTA is an enterprise solution that controls OS versions on Samsung mobile devices to maximize cost efficiency. It helps IT admins do the following:

  • Ensure that the latest security patches are deployed to devices on schedule.
  • Test updates before deployment, ensuring compatibility between in-house apps and new OS versions.

Key Features

  • Forced updates — Simplify your device management experience by deploying forced updates so that all devices have the same OS version on every device. You can push updates without requiring user interaction.
  • Selective OS version — The latest OS version isn’t always compatible with your in-house apps. Ensure operational continuity by controlling which OS version to deploy to your devices. You can lock them to that version until you’re ready to deploy the latest OS version.
  • Scheduled updates — Minimize business interruptions by scheduling firmware updates to occur outside business hours.

For a full list of all features, visit the product page for Knox E-FOTA.


  1. Software compatibility testing — Only enforce updates once the software is tested to ensure compatibility between internal apps and new OS versions. This helps minimize the need for IT support for compatibility issues.
  2. Device security — Deploy the latest verified firmware along with the latest security patches — also called Security Maintenance Releases (SMR) — to all corporate-liable devices immediately without requiring user interaction.
  3. Efficient rollout — Maintain productivity by specifying a time when devices download and install updates to minimize business interruptions. IT admins can stagger the deployment of updates (for example, by region) to ensure operational continuity.
  4. Efficient device management — Remotely deploying forced updates ensures that all enterprise devices are always running the latest validated OS version. Having a uniform view of all devices allows IT admins to manage them more efficiently. Silent updates do not require user interaction so they can’t be postponed or rejected.

How does Knox E-FOTA work?

Firmware-over-the-air (FOTA) is a service that allows IT admins to efficiently and securely push firmware updates to a fleet of enterprise mobile devices. Typically, the latest firmware updates are pushed to devices by their service provider through a Samsung Business-To-Consumer (B2C) FOTA server. The problem with this is that the latest firmware isn’t always compatible with a company’s in-house apps.

Without Knox E-FOTA, companies can only address this problem by doing the following:

  • Always update to the latest OS version
  • Block all OS updates using their EMM

Knox E-FOTA allows admins to select a firmware version to deploy, even if it’s not the latest version. Devices are then locked to that version. When admins have performed compatibility testing on a later firmware version, they can then update devices to the tested version.

With Knox E-FOTA, businesses push firmware updates from a Samsung Business-To-Business (B2B) FOTA server There are exceptions, such as AT&T and Verizon, which provide firmware updates from their own servers and not through Samsung’s Knox E-FOTA service. The B2B FOTA server then syncs the device information with the B2C FOTA server.

Downloading firmware versions

Knox E-FOTA gives you access to a list of official firmware released via the general Samsung FOTA service within the last 12 months. An additional firmware list could be provided following an extra consultation.

When pushing a firmware update, Samsung generates a delta file or a change file for updating from the current firmware version to a target version. This is then released via the general Samsung FOTA server and delivered to enterprise devices over-the-air.

Firmware files are available from the Knox E-FOTA server for an average of 12 months.

Illustration of the firmware lifecycle, comprising current and target versions, intersected by intermediate versions.


In some cases, especially when upgrading devices to a major Android OS version, you may be required to download several delta files to reach the target firmware version. On Knox E-FOTA Advanced, this means you may need to run several campaigns incrementally to reach a target version. On Knox E-FOTA and Knox E-FOTA on MDM, only one campaign is needed; the required delta files are sequentially installed automatically. Regardless of which Knox E-FOTA edition you’re using, this will result in devices rebooting multiple times.

Compare the Knox E-FOTA editions

There are three editions available for the Knox E-FOTA service:

  • Knox E-FOTA
  • Knox E-FOTA Advanced
  • Knox E-FOTA on MDM

This section describes their key differentiating features.

Feature Knox E-FOTA on MDM Knox E-FOTA Advanced Knox E-FOTA Description
Selective OS version Select an OS version to be deployed to the devices, and prevent updates to OS versions that have not been verified with internal apps.
Forced update (silent) Deploy OS updates to devices without requiring user interaction.
Scheduled update Set a specific date and time range (for example, non-business hours) to download and install an OS update.
Forced update (critical) Allow the user to postpone an update (with a maximum delay duration) during an ongoing critical job. The user can't decline the update.
Additional campaign options

Set the following options:

  • Allow firmware download while roaming.
  • Allow installation only when connected to a charging dock.
Ability to view the campaign status View the status of campaign operations.
Monitoring dashboard Widgets for device and campaign statuses are available on Knox E-FOTA Advanced. Monitor various areas of Knox E-FOTA through a dashboard.
Independent web console Perform administrative tasks through a web portal.
Network bandwidth control Deploy firmware updates within a set maximum bandwidth.
Wi-Fi only mode Save on cellular usage costs by setting downloads and updates to occur only through Wi-Fi.
Ability to update multiple models per campaign In a single campaign, you can assign multiple device models to different firmware releases.
Sequential updates per campaign Update from any version to a target version with just one campaign. That is, you don't need to create multiple campaigns to incrementally update a device from its current version to a target version.
Ability to sync device group and organization information with EMM Streamline your device management tasks by importing device groups from your EMM. Connecting Knox E-FOTA to your EMM helps ensure that your device groups are never out of sync. Device information is managed in the EMM so that the Knox E-FOTA admin doesn't have to do it manually.
Automatic client app installation through EMM For certain EMMs (for example, Knox Manage and VMware), you can simplify the onboarding process by pushing the Knox E-FOTA client app to devices through the Knox E-FOTA admin portal.
Push and poll Pushing is supported on Knox E-FOTA on MDM. Polling is supported on Knox E-FOTA Advanced.

Push campaign updates immediately from the Knox E-FOTA server to assigned devices. There's no need to wait for devices to poll the Knox E-FOTA server.

Poll the server for campaign updates. The client app (that is, the agent on the device) periodically checks the policy and applies any campaign updates that may not have been successfully applied to it.

Device registration through Knox Deployment Program (KDP)

Resellers can automatically upload your devices to Knox E-FOTA so that you don't have to add them yourself. You can auto-approve their uploads and auto-assign the devices to a default campaign.

This feature is only available through KDP.

Out-of-box installation of Knox E-FOTA client app For devices purchased through a reseller that have Android P or later, the client app is automatically installed during the out-of-box experience.
Support for multiple licenses Add licenses as needed to support more devices, while keeping existing licenses active.
Consolidated admin access Sign in to once and gain access to all Knox Cloud Services (KCS) products you're subscribed to.
Consistent user experience The Knox E-FOTA admin portal has a user interface that's consistent with other KCS products on

Is this page helpful?