Samsung does not provide official firmware or security update image in the form of zip or any downloadable format for Soti MobiControl or other EMM solution to do targeted upgrade with any script or using other means.

As you said, there is paid service (E-FOTA) offered by Samsung. If there is no budget, the current option is to use the brute-force approach to block/unblock firmware upgrade for each device model.

My understanding is that consumer level devices can only have the OS updates blocked or enabled on MobiControl to stop the devices actioning any updates.

E-FOTA is a Samsung Server side block/configuration tool offered as a paid for licensed portal. You ca then control the OS updates from this portal to required devices.

As for specific OS updates on a one by one device basis,using a 3rd party firmware provider such as https://www.sammobile.com/ and the ODIN flashing tool may be of use.

James

While I did use flash images from  https://www.sammobile.com/  to upgrade some test or personal devices in the past,  I've never used them for production devices, nor recommended my corporate customers to use the flash images there, as I don't know where they get their flash images (may be read out with adb and related tools), or if such flash images have been tampered with.

Besides, there is also a possibility that the wrong flash image been used to flash a device, as some Samsung model-/parts- numbering  and internationalization schemes can create some confusion, and subtle differences may be overlooked, especially for non-professionals.  The safest approach is always to  allow the official device firmware to automatically download the right flash image file from Samsung official support site for upgrade.

While I did use flash images from  https://www.sammobile.com/  to upgrade some test or personal devices in the past,  I've never used them for production devices, nor recommended my corporate customers to use the flash images there, as I don't know where they get their flash images (may be read out with adb and related tools), or if the such flash images that have been tampered with.

Besides, there is also a possibility that the wrong flash image been used to flash a device, as some Samsung model-/parts- numbering  and internationalization schemes can create some confusion, and subtle differences may be overlooked, especially for non-professionals.  The safest approach is always to  allow the official device firmware to automatically download the right flash image file from Samsung official support site for upgrade.

SamMobile.com is fairly reputable; I've been using their images on production devices for quite some time. Their files are from Samsung Kies and OTA update CDNs.

Firmware tampering is easily prevented since firmware (flash) signatures are verified thanks to Samsung's bootloader. An unmodified Samsung device will not accept unsigned files unless an exploit was used (fairly rare!). If they did, rooting will be much, much easier since anyone can load unsigned customized firmware with SuperSU pre-installed. This is why projects like TWRP exist: ability to flash a custom recovery module and to further allow modifications to the system. To even get this far, one has to enable the "Unlock OEM Bootloader" option in Android's Developer Options. You don't need to go through these steps if you are flashing original signed device updates.

Also, you can't just flash another device model's firmware accidentally. In some instances, you can flash different product codes (aka regions) such as Rogers to Bell firmware but you'll be greeted with a "Enter network unlock code" when the device boots up. Solution? Just go back a few steps and flash the right firmware. As long as you double-check the device model number and its product (region) code, you'll be fine.

Of course, I'm just a stranger on the internets, so don't implicitly trust what I say. Testing these updates on a few devices first before doing a mass-rollout is just common-sense.