Knox White Paper
Device Software Update Management
Frequent software updates are often necessary to resolve bugs, patch security vulnerabilities, and enhance device capabilities. But IT admins must understand and validate software changes prior to mass deployment. Samsung released the mobile industry’s first firmware update management system on Android to enable IT to test and validate software updates and to control roll-out scope and timing.
Why manage device software updates?
In enterprises with fragmented platforms and firmware versions, mobile device deployment and support becomes a time-consuming and tedious task. Proprietary enterprise apps and websites behave inconsistently on different firmware versions, so features require testing and troubleshooting on a widening array of device platforms.
Controlling the rollout of software updates allows IT admins to:
- Homogenize the firmware versions and capabilities of deployed device models.
- Carry out interoperability or compatibility testing with in-house or proprietary servers, apps, and endpoint settings.
- Ensure that known issues are patched before deployment of major firmware version updates.
- Perform field tests of new firmware and software on a subset of devices before mass deployment.
- Force the use of firmware versions that have been validated to meet industry certification or regulation requirements.
Strict control over device firmware updates
Samsung developed Enterprise Firmware Over-the-Air (E-FOTA) to enable enterprises to save time and support costs, and manage the mobile infrastructure as efficiently as possible.
With E-FOTA, enterprises can control device software updates as follows:
- Select the highest firmware version allowed on devices — This option ensures that device users can’t independently update to an unsupported firmware version, preventing issues that could negatively impact employee productivity, support costs, and data security.
- Force the download of a specific firmware version onto select devices — Enterprises can download new firmware to a few test devices to run interoperability or compatibility tests. This mandatory download is done with proprietary systems and apps to find any corner cases that might result in operational or performance issues.
- Mass deploy a new firmware version — Mass deployment prevents software version fragmentation so IT teams don’t need to support multiple legacy firmware versions for each deployed device model.
- Schedule updates during non-peak work times — This option ensures updates don’t interfere with employee productivity.
Knox control over user updates
A wide range of EMM partners support Samsung's firmware management features, integrating firmware management with other asset management activities. IT admins can use these tools to test and deploy software updates in a consistent and low-risk way. Through EMM solutions, enterprises can restrict users from loading unauthorized firmware, through their devices or USB-connected computers.
Through the Knox Platform, enterprises can:
- Prevent firmware rollback – This option prevents valid, but out-of-date firmware versions from being maliciously or accidentally installed onto an enterprise’s devices. On Samsung Knox devices, a Rollback Prevention fuse encodes the minimum acceptable version of Samsung-approved software. With specific updates, the next set of fuses are burned to indicate the new update is now the minimum version allowed to boot. You can't disable this basic, built-in security feature.
- Disable automatic firmware updates – IT admins can prevent users from going to their Android Settings to enable or disable automatic firmware updates.
- Disable all OTA updates – IT admins can prevent users from going to their Android Settings to enable or disable software updates in general. This restriction includes updates for firmware, security patches, bug fixes, and apps.
- Disable USB-connected updates – IT admins can prevent users from booting into Download Mode and installing a manual software update. This restriction includes updates through the Odin, Kies, and Smart Switch update tools.
- An enterprise wants to test a new version of Android before deploying it to all mobile devices.
- An enterprise IT admin uses an EMM console to select some test devices, and set the highest firmware version to the latest version.
- The IT admin then forces the download of the latest firmware onto the test devices.
- The IT admin recruits various employees to use the test devices with various enterprise apps and report any issues.
- When all issues are resolved, the IT admin schedules a firmware upgrade for low-peak time period, notifying devices users to keep their devices powered during this time.
- Avoids security issues from unforeseen problems with new firmware and proprietary systems or apps.
- Minimizes IT support for firmware versions that have not been tested or approved.
- Minimizes employee downtime from incompatibilities with new firmware.
- Minimizes employee downtime from firmware upgrades during peak work hours.
- Knox platform v2.7.1 or higher
- EMM support