How to restrict OS updates in iOS devices?

Description

IT administrators may need to restrict OS updates on iOS devices in several scenarios. Some of the possible cases are:

  • Critical enterprise app(s) may not fully support the latest OS resulting in bugs & issues.
  • Enterprise network bandwidth may get affected if several devices update at once.
  • Bugs in the latest OS may prevent enterprise apps from functioning properly.

Follow the steps given below to restrict OS updates for devices.

Prerequisite(s)

The device must be Supervised to restrict OS updates, preferably using Apple Configurator for devices running versions below iOS 11.3. Know more about Supervising iOS devices here.

Steps

Restricting OS updates for devices above 11.3

Mobile Device Manager Plus allows admins to create a policy to automate OS updates on mobile devices. Once this policy is configured and applied to devices, users cannot update the current OS on those devices for the period set in the policy. Follow these steps to create the OS update policy:

  1. Navigate to Device Mgmt -> Automate OS updates.
  2. Create a new iOS policy.
  3. Select Delay for and specify the number of days for which manual OS updates should be prevented.
  4. Create and distribute the policy to the required groups or devices.

NOTE: The OS update can only be restricted for up to 90 days, after which users can manually update the OS on the devices. For more information on automating OS updates, refer to this document.

Restricting OS updates for devices below 11.3

The domain mesu.apple.com is used by Apple devices for updating the OS. If a device cannot contact this domain, its OS cannot be updated. The most reliable way to prevent the device from reaching this domain is to configure a proxy through which all of the device's internet traffic is routed, and to blacklist the domain in that proxy as explained below:

Restrict OTA-based OS updates

To restrict OS updates across all networks,

  1. In the MDM console, navigate to Device Mgmt -> Profiles. Click on Create Profile and select iOS profile.
  2. Configure Global HTTP Proxy as explained here. The proxy must be reachable by the device from outside the corporate network (so that the device remains managed by MDM at all times), and the domain mesu.apple.com must be blacklisted on it. This domain is used by iOS devices for updating the OS.

To restrict OS updates only on enterprise networks, so that the enterprise network's bandwidth is not affected:

Blacklist the domain mesu.apple.com in the organization's firewall/proxy or any third-party filters being used.

Restrict iTunes-based OS updates

  1. Select Restrictions and click on Advanced Security.
  2. Select Restrict USB connections and pairing with iTunes. With this restriction, the OS can be updated through iTunes only when the device is connected to the machine that was used to Supervise it with Apple Configurator. If the device is connected to any other machine, it does not pair with that machine.
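Both controls on this page (the "Delay for" policy for devices on 11.3 and later, and the USB pairing restriction above) are delivered to a Supervised device as a restrictions payload in a configuration profile. The following added example, which is not Mobile Device Manager Plus's own code, builds such a payload with Apple's documented keys and enforces the 90-day cap from the note above; the payload identifiers are placeholders.

```python
# Added example: construct the raw iOS restriction payload behind the two
# controls described on this page. Not the MDM product's own code; the
# PayloadIdentifier values are constructed placeholders.
import plistlib
import uuid

MAX_DELAY_DAYS = 90  # iOS caps the enforced software-update delay at 90 days


def is_valid_delay(days: int) -> bool:
    """The delay must be between 1 and 90 days, as the note above states."""
    return 1 <= days <= MAX_DELAY_DAYS


def restriction_payload(delay_days: int, allow_host_pairing: bool = False) -> dict:
    """Return a com.apple.applicationaccess payload (Supervised devices only).

    forceDelayedSoftwareUpdates/enforcedSoftwareUpdateDelay (iOS 11.3+) hide
    the OS update for delay_days; allowHostPairing=False limits pairing to
    the Apple Configurator host used to Supervise the device.
    """
    if not is_valid_delay(delay_days):
        raise ValueError(f"delay must be 1..{MAX_DELAY_DAYS} days, got {delay_days}")
    return {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.restrictions.osupdate",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Restrict OS updates",
        "forceDelayedSoftwareUpdates": True,
        "enforcedSoftwareUpdateDelay": delay_days,
        "allowHostPairing": allow_host_pairing,
    }


def build_profile(delay_days: int) -> bytes:
    """Wrap the payload in a top-level profile and serialise it as an XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.osupdate",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "OS update restriction",
        "PayloadContent": [restriction_payload(delay_days)],
    }
    return plistlib.dumps(profile)


def enforced_delay(profile_xml: bytes) -> int:
    """Read the delay back from a serialised profile, e.g. to audit what was pushed."""
    for payload in plistlib.loads(profile_xml)["PayloadContent"]:
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            return int(payload.get("enforcedSoftwareUpdateDelay", 0))
    return 0
```

The resulting .mobileconfig is only honoured on a Supervised device, which is why the prerequisite above matters.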

Once both restrictions are configured, save and publish the profile. To distribute the profile:

  1. Click on Device Mgmt, click on Groups & Devices.
  2. Select the group(s)/device(s) to which the profile is to be associated.
  3. Click on Associate Profile and select the created profile.
  4. Click Save to push the profiles to the managed devices.

You can still update the OS on a few devices by connecting them to the specific machine that was used to Supervise them through Apple Configurator.

NOTE: If you cannot restrict OS updates as explained above, contact our Support team for alternate solutions.