The beginner’s guide to MDM

Learn how to protect and manage your mobile devices with this step-by-step guide covering everything from planning groups and creating policies, to reporting.

Download Now
Device Management

Managing mobile patches and updates with E-FOTA adds security

Most IT managers take a pretty authoritarian view on patches and updates for their desktop and laptop computers. Systems get patched when IT says they should be patched, how IT says they should be patched, and everything has to be kept up-to-date … or else.

This approach increases security by ensuring that systems are protected from the latest threats, but it also increases reliability: By synchronizing application and operating system updates, IT can make sure business-critical applications are fully tested in the target desktop environment.


So why don’t IT managers apply this same approach to enterprise mobile devices?

The answer is, they can, they should and many do. All the major mobile phone platforms no longer require physical connection to a desktop device for software updates. Instead, software updates and security patches have moved to an Over-the-Air (OTA) model. This means that devices can download updates using Wi-Fi or, if data quotas are not a problem, even cellular networks. In the world of OTA updates, this detethering of mobile devices suddenly gives IT managers a lot of opportunities for managing and controlling the update process, because when a device can download updates at any time, everything gets a whole lot simpler.

What is FOTA?

When updating Android platforms, developers and system vendors use the acronym FOTA for “Firmware Over the Air,” to make it clear they’re talking about updating not just applications, but the underlying operating system of the smartphone, tablet or any other Android device. In recent years, Android moved to something called “seamless updates,” also known as A/B System Updates. With seamless updates, Android devices have two slots (partitions) for the operating system on the internal drive: current and unused. Android runs from the current slot, while the unused slot is updated during the FOTA process. When an update has been staged and is ready to go, the operating system can reboot and the updated slot becomes current, while the old slot is marked as unused. If something goes wrong, the device falls back to the last known good partition.

How to build an effective incident response plan

icon of a documentWhite Paper

Get this free guide on how to respond to mobile security breaches — or thwart them altogether. Download Now

In the U.S., most Android phones get their updates through the carriers’ networks, with versions and timing determined by the carriers. However, IT managers can take control of the update process through their Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) tools. Samsung, for example, calls this “E-FOTA,” for “Enterprise FOTA,” indicating that the control shifts from the carrier to the enterprise.

How E-FOTA gives IT greater control over updates

Because FOTA mostly happens in the background, the IT manager has the option to control exactly what updates are pushed, when they are pushed and how users are prompted to reboot their devices to make use of the patched or upgraded operating system. FOTA has the same security infrastructure as the rest of Android — all updates have to be properly signed to let the user device check that it is receiving only authentic and verified updates.

FOTA moves smartphone patching and updating from the users, who used to drag their phones to a desktop and plug it into a USB port, to an OTA process controlled by carriers and enterprise IT departments. With tools such as Samsung E-FOTA, the IT manager uses a cloud-based console or tool within their EMM to take control of the entire patching process. This improves security and reliability of mobile devices to match expectations of desktop devices: synchronized updates managed in such a way that applications and operating systems all mesh together.

There are a few advantages of enterprise IT taking control of firmware updates for mobile devices:

  • Users don’t have to take any specific action
  • Software versions can be synchronized across groups of users
  • Update testing and approval are managed and predictable rather than chaotic and reactive
  • Updates can be done on a schedule — out of working hours if appropriate, or immediately if an urgent need comes up

IT leaders will find that these make up an exact reflection of the benefits they saw in managing updates on desktop devices.

IT managers who want to make sure that mobile devices — now as mission critical as laptops and desktops in many organizations — are secure and reliable should consider taking control of FOTA as a first step in building a solid mobile computing base.

Keeping devices and their data truly secure requires comprehensive lifecycle device management. Samsung combines device security, deployment and management in Knox Suite, which includes Knox Platform for Enterprise, Knox Mobile Enrollment, Knox Manage and Knox E-FOTA in a single license with one sign-on.

Learn best practices for thwarting mobile security breaches and responding when they occur in our guide, Building a Cyber Incident Response Plan.

Posts By

Joel Snyder

Joel Snyder, Ph.D., is a senior IT consultant with 30 years of practice. An internationally recognized expert in the areas of security, messaging and networks, Snyder is a popular speaker and author and is known for his unbiased and comprehensive tests of security and networking products. His clients include major organizations on six continents.

View more posts by Joel Snyder