Samsung Knox E-FOTA

Samsung Knox E-FOTA is the mobile industry’s first firmware update management system on Android that allows IT admins to maximize cost efficiency when deploying OS updates to a fleet of Samsung mobile devices. With Knox E-FOTA, IT admins can do the following:

  • Ensure the latest security patches are deployed to devices immediately or on schedule.
  • Test updates before deployment to ensure compatibility between internal apps and new OS versions.

Key features

The following are the main benefits of Knox E-FOTA.

Select OS versions to deploy

IT admins can choose an OS version to deploy to ensure compatibility with internal apps. Without this service, they are forced to either block OS updates or allow updates to the latest OS version.

Force updates to target devices

IT admins can force OS updates to all of their devices. This allows them to efficiently manage devices, because all employee devices run the same OS version.

Schedule updates

IT admins can schedule OS updates for a set time and date1Knox E-FOTA only guarantees that the firmware update will start at a specified time and does not guarantee the OS update end time or duration. to prevent business interruptions. If an emergency security issue arises, they can immediately deploy the latest security patches.


Knox E-FOTA has two editions: Knox E-FOTA on MDM and Knox E-FOTA Advanced. This white paper focuses on the latter.

  • Knox E-FOTA on MDM is suitable for enterprises that wish to use their existing Enterprise Mobility Management (EMM) or Mobile Device Management (MDM) console to access the Knox E-FOTA features. It supports Android OS 7.0 (Nougat) and higher. The server is a cloud-based service embedded in your EMM/MDM implementation through an API that Samsung provides.
  • Knox E-FOTA Advanced does not require an MDM/EMM because it functions through a standalone web console, the Knox E-FOTA Advanced admin portal. It supports Android OS 5.0 (Lollipop) and higher, and requires you to install a client app on the mobile devices. It has two server options:

The following table lists all of Knox E-FOTA's features.

Feature Knox E-FOTA on MDM Knox E-FOTA Advanced Description
Selective OS version Select an OS version to be deployed to the devices, and prevent updates to OS versions that have not been verified with internal apps.
Forced update (silent) Deploy OS updates to devices without requiring user interaction.
Scheduled update Set a specific date and time range (for example, non-business hours) to download and install an OS update.
Forced update (critical)   Allow the user to postpone an update (with a maximum delay duration) during an ongoing critical job. The user can't decline the update.
Monitoring dashboard   View the status of update operations through a dashboard.
Independent web console   Perform administrative tasks at
On-premise service   Use an in-network or dedicated host-based FOTA service.
Retry setting   Specify what actions to make in the event of an update failure.
Network bandwidth control   Deploy firmware updates within a set maximum bandwidth.
Wi-Fi only mode   Save on cellular usage costs by restricting downloads and updates to occur only through Wi-Fi.
Grouping target devices Group devices by device model so you can perform operations on multiple devices simultaneously
Select target device by label   Group devices using custom labels so you can deploy select OS updates based on the end users’ business function, location, and so on.
Server resource control   Only public IP addresses in an allowlist can reach their target domains for firmware management.


  • 1 port for Knox E-FOTA On-Premise.
  • 14 ports for Knox E-FOTA on MDM. This can increase to 24 if static IPs will be used.

Read more about the Knox E-FOTA features on the product page.

Benefits of using Knox E-FOTA

The following are common device management pain points that businesses experience and how E-FOTA addresses each one.

Device management pain points Knox E-FOTA benefits
Security issues—Businesses and government agencies need to be protected immediately from cyber attacks, such as malware and ransomware. However, it is difficult to prevent hundreds or thousands of end users from postponing or declining an update. Device security—Deploy the latest verified firmware along with the latest security patches—also called Security Maintenance Releases (SMR)—to all corporate-liable devices immediately without requiring user interaction.
Business interruptions—OS updates cause a temporary downtime during business hours. Efficient rollout—Maintain productivity by specifying a time when devices download updates to minimize business interruptions. IT admins can stagger the deployment of updates (for example, by region) to ensure operational continuity.
Compatibility issues—The latest OS updates don't always work with the internal apps employees use in their daily operations. Incompatibility issues cause business interruptions. Software compatibility testing—Only enforce updates once the software is tested to ensure compatibility between internal apps and new OS versions. This helps minimize the need for IT support for compatibility issues.

Tedious device management—Having hundreds or thousands of devices with different OS versions makes device management a tedious process.

Regulatory bodies require up-to-date firmware—Businesses in highly regulated industries need to use the latest validated OS versions in order to meet certification and regulatory requirements.

Devices with no set users need to be maintained—Devices in the field and kiosk devices need to be kept up to date in the absence of onsite IT admins.

Forced remote updates—Remotely deploying forced updates ensures that all enterprise devices are always running the latest validated OS version. Having a uniform view of all devices allows IT admins to manage them more efficiently. Silent updates do not require user interaction so they can't be postponed or rejected.
FOTA restrictions—FOTA restrictions prevent OS updates over the internet On-premise solutionKnox E-FOTA Advanced On-premise allows enterprises to deploy OS updates to devices within their corporate firewall.