Automate OS Updates
Updating the OS on corporate devices is one of the paramount tasks for an IT admin, since devices need to be secured and running the latest OS version. Running an outdated OS version has a few disadvantages:
- Additional technical support for devices running on lower OS versions
- Enterprise apps must support these OS versions
- Unavailability of vital device or security features, which are specific to particular OS versions
However, if users update the device OS themselves, it leads to another set of pitfalls:
- Critical enterprise app(s) may not fully support the latest OS version, resulting in bugs and issues.
- Enterprise network bandwidth may get affected if several devices update at once.
- Bugs in the latest OS may prevent enterprise apps from functioning properly.
- OS updates during work hours may affect productivity.
The solution is to schedule and automate OS updates. MDM supports automating OS updates for iOS, Android and Chrome OS.
This feature is available in Professional, Free, and Trial editions of MDM.
Pre-requisites
- In case of iOS devices running versions between 9.0 and 10.0, the device should be enrolled and Supervised via Apple Business Manager. Devices running iOS 10.0 or later must be Supervised.
- In case of Android devices, the device must be running 6.0 or later and provisioned as Device Owner.
- The iOS devices must be connected to Wi-Fi to initiate the OS update.
OS update supported devices
Devices | Standard OS update | Custom Firmware update |
---|---|---|
Samsung | | |
Non-Samsung | | |
Rugged devices (Zebra, Honeywell) | | |
OS Update Scenarios
An OS update policy ensures that updates happen regularly at a periodic interval. Ideally, this:
- Prevents bandwidth choking, as you can choose to update devices belonging to one particular group at any given time, to ease the bandwidth usage.
- Ensures OS updates can be scheduled during the maintenance period/non-service hours, so that productivity is not affected. This is ideal for Kiosk-provisioned devices such as POS devices, as they are constantly in use.
- Ensures you first deploy the update to a particular test group and identify possible bugs affecting the device functionality and enterprise app operations. If there are no such issues, you can then choose to deploy it to all the managed devices in the organization.
- Ensures once a policy is configured, all future updates get deployed automatically as specified in the policy.
- Ensures devices can be protected from security vulnerabilities and exploits by instant forced deployment of the updates that patch them.
Configure OS update policy
In case of iOS, you can choose to delay the OS update, while in case of Android, you can choose to configure the date/time, notification settings, etc.
iOS Update Policy
To configure iOS update policy, follow the steps below:
- On the MDM server, navigate to Device Mgmt from the top menu and click on Automate OS Updates from the left pane.
- Click on Create Policy and select iOS. Provide a name for the policy.
- In case of iOS devices, you can choose to delay the deployment by a specified number of days, with the maximum being 90 days as mandated by Apple. We recommend that users set the maximum number of days to around 85 days.
- Once you have configured the aforesaid settings, click on Save to publish the policy.
- Select the policy you want to distribute to devices and click on Distribute Policy. Select the device group and click on Select to distribute the OS update policy.
Android Update Policy
To configure Android update policy, follow the steps below:
- Navigate to Device Mgmt from the top menu and click on Automate OS Updates from the left pane.
- Click on Create Policy and select Android. Provide a name for the policy.
- Delay deployment for a specified period of time and allow users to temporarily skip OS updates.
- Notify the users regarding OS updates, both on the device and by e-mail.
- Configure the deployment schedule to initiate the OS updates. You can configure the exact day(s)/week(s)/deployment duration, to create a window for deploying OS updates. Note that the deployment duration should be a minimum of two hours.
- Click on Save to publish the policy.
- Select the policy you want to distribute to devices and click on Distribute Policy. Select the device group and click on Select to distribute the OS update policy.
NOTE:
Some updates released by vendors contain security fixes that are critical for the devices. These updates can override the delay or schedule settings configured in the OS update policy and are passed directly to the device itself. Hence, security fixes are deployed immediately to the devices by the OEMs.
Freeze Period
During non-business days and holidays, you can suspend the system updates on Android devices. With Mobile Device Manager Plus, admins can configure a freeze period to suspend the OS updates on the devices for a scheduled period. When a device is within a freeze period:
- The device doesn't receive any notifications about system updates including security updates.
- System updates do not get installed on the device.
- Users are prevented from manually installing the latest OS updates on the device.
How to configure a freeze period in MDM
To configure a freeze period in an Android OS update policy, follow the steps mentioned below:
- Specify the Start Date and End Date during which the OS updates should be suspended on the device. The duration of the freeze period should not exceed 90 days.
- You can configure multiple freeze periods by using the (+) plus icon. Between every freeze period, there must be a minimum of 60 days.
- Click on Save to publish the policy.
- Select the policy you want to distribute to devices and click on Distribute Policy. Select the device group and click on Select, to distribute the OS update policy.
- If you have configured a freeze period from January 01 to January 31, the next freeze period can start from April 02.
- Freeze periods should not overlap each other. There should be a minimum of 60 days between two freeze periods.
- As long as the OS update policy is present on the device, the configured freeze period will be followed in subsequent years.
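The freeze period rules above (at most 90 days, no overlap, at least 60 days between periods, repeated every year) can be checked before a policy is published. The following is an added example, not part of MDM or its API; the function names, the month/day tuple format and the use of a non-leap reference year are assumptions, and the check goes one step beyond the page by also testing the gap from the last period of one year to the first period of the next, since periods recur annually.

```python
from datetime import date

REF_YEAR = 2001          # assumption: non-leap reference year, as periods recur annually
MAX_FREEZE_DAYS = 90     # from the page: a freeze period should not exceed 90 days
MIN_GAP_DAYS = 60        # from the page: minimum 60 days between freeze periods
YEAR = 365

def day_of_year(month, day):
    # Raises ValueError for impossible dates (Feb 29 included, by the assumption above).
    return date(REF_YEAR, month, day).timetuple().tm_yday

def validate_freeze_periods(periods):
    """periods: list of ((start_month, start_day), (end_month, end_day)), inclusive.
    Returns a list of problem strings; an empty list means the rules are met."""
    problems, spans = [], []
    for start, end in periods:
        s, e = day_of_year(*start), day_of_year(*end)
        length = (e - s) % YEAR + 1          # inclusive; copes with Dec -> Jan wrap
        if length > MAX_FREEZE_DAYS:
            problems.append(f"{start}..{end}: {length} days exceeds {MAX_FREEZE_DAYS}")
        spans.append((s, length, start, end))
    spans.sort()
    for i, (s, length, start, end) in enumerate(spans):
        nxt = spans[(i + 1) % len(spans)]    # wraps to the first period of next year
        dist = (nxt[0] - s) % YEAR if len(spans) > 1 else YEAR
        gap = dist - length                  # update-eligible days before next freeze
        if gap < 0:
            problems.append(f"{start}..{end} overlaps {nxt[2]}..{nxt[3]}")
        elif gap < MIN_GAP_DAYS:
            problems.append(f"only {gap} days between {start}..{end} and {nxt[2]}..{nxt[3]}")
    return problems

if __name__ == "__main__":
    # Constructed sample: the page's January example with two candidate follow-ups.
    jan = ((1, 1), (1, 31))
    print(validate_freeze_periods([jan, ((4, 2), (4, 30))]))   # accepted
    print(validate_freeze_periods([jan, ((4, 1), (4, 30))]))   # one day too early
```

Because devices receive no security updates inside a freeze period, running such a check on planned periods shows exactly how long devices will go unpatched each year.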
Chrome OS Update Policy
To configure Chrome OS update policy, follow the steps below:
- Navigate to Device Mgmt from the top menu and click on Automate OS Updates from the left pane.
- Click on Create Policy and select Chrome. Provide a name for the policy.
- Select the type of OS updates to be installed. You can choose between the Stable, Beta and Developer channels in addition to the default delegated release channel. Stable releases are OS updates that are tested by the Chrome OS team and are safe to be installed in your production environment. Dev and Beta releases can be used to test out the features that will be available in the next release, before they are marked Stable.
- Choose to automate the deployment or let the user install the update when available.
- Schedule the OS update to be completed over a span of a few days in case you are simultaneously updating a large number of devices or have bandwidth considerations.
- Restrict the users from updating to a newer version than the one specified. This ensures users don't update to a version that is not approved by your organization.
- Auto reboot devices upon installing the OS update.
- Click on Save to publish the policy.
- Select the policy you want to distribute to devices and click on Distribute Policy. Select the device group and click on Select to distribute the OS update policy.
Custom Firmware Update Policy
To configure Custom Firmware update policy, follow the steps below:
- Navigate to Device Mgmt from the top menu and click on Automate OS Updates from the left pane.
- Click on Create Policy and select Custom Firmware. Provide a name for the policy.
- Click on Browse and upload the firmware file downloaded from the OEM vendor's website.
- Enter the Local File Path, in which the OS update file needs to be added, as specified by your vendor.
- Select whether the OS update file should be downloaded during the scheduled deployment window or can happen anytime.
- Choose whether the OS update file should only be downloaded on the device over Wi-Fi.
- Configure the deployment schedule to initiate the OS updates. You can configure the exact day(s)/week(s)/deployment duration, to create a window for deploying OS updates. Note that the deployment duration should be a minimum of two hours.
- Notify the users regarding OS updates, both on the device and by e-mail.
- You can also allow users to temporarily skip OS updates.
- Click on Save to publish the policy.
- Select the policy you want to distribute to devices and click on Distribute Policy. Select the device group and click on Select to distribute the OS update policy.
- Once the policy is associated with the device and the OS package is downloaded, a prompt will appear asking for a device restart to install the package. Click on Install Now to install immediately. If the prompt is ignored, the device will automatically restart in 5 minutes and install the package.
- The root directory to place the file will be storage/emulated/0 which is the root directory for all Android devices.
- Ensure that the device has a stable internet connection and that the battery level is higher than 70 percent to prevent OS update failure.
To update the firmware in Honeywell devices, refer to the Honeywell documentation.
If the OS update fails, MDM will automatically retry during the next few hours. If it still fails, MDM will try updating every single day, until the next schedule. To initiate the update instantly, redistribute the policy. Further, in case of Android devices, the OS update gets downloaded irrespective of whether the devices are connected to Wi-Fi or Cellular Data. In case of Apple devices, the OS update gets downloaded only when devices are connected to Wi-Fi. The actual OS update is carried out as per the OS update policy applied to the devices using MDM.
Points to remember
iOS
- When the OS update policy is configured to deploy immediately, MDM will detect the update and distribute it to the devices within 24 to 48 hours.
- An OS update can happen only if the user enters the passcode to initiate the OS update. To deploy the OS update immediately, MDM requires the passcode, if set on the device, to be removed for updating the OS. You can choose to exclude passcode-protected devices from the OS updates, if need be. Additionally, you can also distribute a Passcode policy to the devices, to ensure the users are prompted to set a passcode, as specified in the policy, after the passcode has been automatically removed for updating the OS.
- Users on versions below iOS 11.3 will have an option to perform the update directly from their mobile devices despite the delay being enabled.
- The OS update can only be restricted for up to 90 days, after which the users can manually update the OS on the devices.
- Using an Apple Caching Server in your organization ensures the OS updates happen from the caching server, resulting in faster updates as well as bandwidth savings.
- In case the OS update policy is configured to delay the update for a specific number of days, the device OS is updated to the next version and not the latest version available after the period specified. For example, an iOS device running 12.0 is updated to 12.1 even if the latest version is 12.3.
- OS update policy applies the delay period to the available update from its date of release. If the expiry date of the update falls during the delay period, MDM mandatorily initiates the update 10 days prior to its expiry. If an update has already expired, the next update is pushed considering any delay period set.
Android
- Once an OS update is available, the device is notified of the same. The device then informs the ME MDM app of the same. The ME MDM app checks if there is any OS update policy associated with the device, and the OS is updated according to the associated OS update policy.
- The devices will be notified of the impending OS update, and users are allowed to skip the OS update a stipulated number of times. Once this number has been exceeded, users have no option but to update the OS.
- Once the policy is distributed, users have no option to update the OS by themselves unlike iOS devices. Updates on the devices will happen only through the policy.
- The OS update can only be restricted for up to 30 days, after which the users can manually update the OS on the devices.