How to block OS updates on iOS devices with MDM?

Since an OS update can contain new features, critical bug fixes and security fixes, OS update management is essential in every organization. Just as it is important to ensure that all devices run an up-to-date OS version, in some cases it is necessary to restrict OS updates on iOS devices. Some of the reasons to restrict OS updates on iOS devices include:

  • Critical enterprise app(s) may not fully support the latest OS resulting in bugs & issues.
  • Enterprise network bandwidth may get affected if several devices update at once.
  • Bugs in the latest OS may prevent enterprise apps from functioning properly.

Follow the steps given below to block iOS updates.

Prerequisite(s)

Blocking iOS updates is only supported for supervised devices. The device must be supervised before OS updates can be restricted, preferably using Apple Configurator for devices running iOS versions earlier than 11.3. Know more about supervising iOS devices here.

Steps to block OS updates with MDM

Restricting OS updates for devices running iOS 11.3 or later

Mobile Device Manager Plus allows admins to create a policy that automates OS updates on mobile devices. Once this policy is configured and applied, users cannot update the OS on their devices for the period set in the policy, and the Software Update screen shows the message "Your iPhone is running the latest software update allowed by your administrator". Follow these steps to create the OS update policy:

  1. Navigate to Device Mgmt -> Automate OS updates.
  2. Create a new iOS policy.
  3. Select Delay for and specify the number of days for which manual OS updates should be prevented.
  4. Create and distribute the policy to the required groups or devices.

NOTE: iOS updates can be blocked for at most 90 days, after which users can manually update the OS on their devices. Use this window to test the new release against enterprise apps rather than as a permanent block, since the deferred update also carries security fixes. For more information on automating OS updates, refer to this document.

Restricting OS updates for devices running iOS earlier than 11.3

Apple devices use the domain mesu.apple.com to check for and download OS updates. If a device cannot contact this domain, the OS update is blocked. The most reliable way to prevent the device from reaching this domain is to route all of its internet traffic through a proxy and blocklist the domain on that proxy, as explained below. Apple's enterprise network documentation lists the hosts its devices use for software updates; check it and block any additional hosts it names, since relying on a single hostname is fragile.

Restrict OTA-based OS updates

To restrict OS updates across all networks:

  1. In the MDM console, navigate to Device Mgmt -> Profiles. Click Create Profile and select iOS profile.
  2. Configure Global HTTP Proxy as explained here. The proxy must be reachable from outside the corporate network as well, so that devices stay under MDM control wherever they are, and the domain mesu.apple.com must be blocklisted on it. This domain is used by iOS devices for updating the OS.

To restrict OS updates only on enterprise networks, so that the enterprise network is not affected:

Blocklist the domain mesu.apple.com in the organization's firewall/proxy or in any third-party filter in use. After adding the rule, confirm from a client on that network that requests to mesu.apple.com are refused.

Restrict iTunes-based OS updates

  1. Select Restrictions and click Advanced Security.
  2. Select Restrict USB connections and pairing with iTunes. With pairing restricted, the device pairs only with the machine that was used to supervise it with Apple Configurator, so the OS can be updated through iTunes only from that machine; connecting the device to any other machine does not pair it.

Once both restrictions are configured, save and publish the profile. To distribute the profile:

  1. Navigate to Device Mgmt -> Groups & Devices.
  2. Select the group(s)/device(s) to which the profile is to be associated.
  3. Click on Associate Profile and select the created profile.
  4. Click Save to push the profiles to the managed devices.

You can still update the OS on a few devices by connecting them to the specific machine that was used to supervise them with Apple Configurator.
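Both console procedures above (the Delay for policy for iOS 11.3 or later, and the Global HTTP Proxy plus pairing restriction for earlier versions) reach the device as an Apple configuration profile. The Python script below is an added example, not code from Mobile Device Manager Plus: it builds each profile using Apple's documented Restrictions (com.apple.applicationaccess) and Global HTTP Proxy (com.apple.proxy.http.global) payload keys, rejects delays outside Apple's 1 to 90 day range, and parses a profile back so an exported profile can be compared with the intended policy. The com.example identifiers and the proxy host and port are placeholders; the proxy itself must still blocklist mesu.apple.com, which the profile only points the device at.

```python
"""Build and inspect the iOS configuration profiles behind the two update-blocking
approaches on this page. Added example; not Mobile Device Manager Plus code.
Payload keys are Apple's documented Restrictions and Global HTTP Proxy keys;
identifiers, proxy host and port are placeholders."""
from __future__ import annotations

import plistlib
import uuid
from typing import Any

MAX_DELAY_DAYS = 90  # Apple caps enforcedSoftwareUpdateDelay at 90 days
UPDATE_HOST = "mesu.apple.com"  # host the page says iOS uses for OTA updates


def _payload(payload_type: str, name: str, settings: dict[str, Any]) -> dict[str, Any]:
    """Envelope keys every payload dictionary inside a profile needs."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.{name}",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        **settings,
    }


def build_profile(payloads: list[dict[str, Any]], name: str) -> bytes:
    """Wrap payloads in the top-level profile dictionary and serialise as an XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.{name}",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


def update_delay_profile(delay_days: int) -> bytes:
    """iOS 11.3+ path: Restrictions payload that hides OTA updates for delay_days.
    Requires a supervised device; Apple only honours 1..90 days."""
    if not 1 <= delay_days <= MAX_DELAY_DAYS:
        raise ValueError(f"delay must be 1..{MAX_DELAY_DAYS} days, got {delay_days}")
    restrictions = _payload("com.apple.applicationaccess", "delay-ios-updates", {
        "forceDelayedSoftwareUpdates": True,
        "enforcedSoftwareUpdateDelay": delay_days,
    })
    return build_profile([restrictions], "delay-ios-updates")


def legacy_update_block_profile(proxy_server: str, proxy_port: int) -> bytes:
    """Pre-11.3 path: send all HTTP(S) traffic through a proxy that must blocklist
    UPDATE_HOST, and disable pairing so iTunes on other hosts cannot push an update."""
    proxy = _payload("com.apple.proxy.http.global", "global-http-proxy", {
        "ProxyType": "Manual",
        "ProxyServer": proxy_server,  # placeholder; must be reachable off-network too
        "ProxyPort": proxy_port,
        "ProxyCaptiveLoginAllowed": True,  # let users clear captive portals on public Wi-Fi
    })
    pairing = _payload("com.apple.applicationaccess", "block-itunes-pairing", {
        "allowPairing": False,  # device pairs only with its supervising host
    })
    return build_profile([proxy, pairing], "block-ios-updates-legacy")


def effective_settings(profile: bytes) -> dict[str, Any]:
    """Parse a profile and flatten the update-related settings it enforces, so a
    profile exported from a device can be checked against the intended policy."""
    keys = ("forceDelayedSoftwareUpdates", "enforcedSoftwareUpdateDelay",
            "allowPairing", "ProxyType", "ProxyServer", "ProxyPort")
    found: dict[str, Any] = {}
    for payload in plistlib.loads(profile)["PayloadContent"]:
        for key in keys:
            if key in payload:
                found[key] = payload[key]
    return found


if __name__ == "__main__":
    print(effective_settings(update_delay_profile(45)))
    print(effective_settings(legacy_update_block_profile("proxy.example.com", 8080)))
```

Running the script prints the flattened settings of each generated profile; the same `effective_settings` call on a profile exported from the MDM console shows whether the delay, pairing and proxy values the device received match what was configured.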

NOTE: If you cannot restrict OS updates as explained above, contact our Support team for alternate solutions.