Free Edition
Mobile Device Management
Mobile Application Management
Mobile Security Management
Mobile Email Management
BYOD
Compliance
- CJIS
- HIPAA
- ISO
- PCI
- GDPR
Awards & Reviews
Supported Platforms
- iOS
- Android
- Android for Work
- Windows
- Samsung
- Samsung KNOX

How to restrict OS updates in iOS devices?

Description

As IT administrators, there are several scenarios where OS updates are to be restricted in iOS devices. Some of the possible cases are:

Critical enterprise app(s) may not fully support the latest OS resulting in bugs & issues.
Enterprise network bandwidth may get affected if several devices update at once.
Bugs in the latest OS may prevent enterprise apps from functioning properly.

Apple has started supporting automated OS updates, by which you can ensure the OS gets updated based on the policy configured while automatically restricting manual OS updates. This is supported only on devices running iOS 11.3 or later versions. For other devices, you need restrict device OS from being updated either OTA or through iTunes.

Prerequisite(s)

The device must be Supervised, preferably using Apple Configurator. Know more about Supervising iOS devices here.

Steps

The domain mesu.apple.com is used by Apple devices for updating the OS. If the devices cannot contact this domain, the OS cannot be updated. The most optimal way to prevent the domain from being accessed by the device, configure a proxy through which all internet communications are routed. In this proxy, blacklist the domain as explained below:

Restrict OTA-based OS updates

To restrict OS updates across all networks,

In the MDM console, navigate to Device Mgmt -> Profiles. Click on Create Profile and select iOS profile.
Configure Global HTTP Proxy as explained here. The proxy should be configured such that it is reachable for device outside the corporate network(to be managed by MDM at all times) and the domain mesu.apple.com is blacklisted. This domain is used by iOS devices for updating the OS.

To restrict OS updates only in enterprise networks, ensuring the enterprise network is not affected,

Blacklist the domain mesu.apple.com in the organization firewall/proxy or any third-party filters being used.

Restrict iTunes-based OS updates

Select Restrictions and click on Advanced Security.
Select Restrict USB connections and pairing with iTunes. This ensures the OS can be updated through iTunes, only if the device is connected to the machine used for Supervising the device using Apple Configurator. If the device is connected to other machines, the device doesn't pair with the machine.

Once both the policies are configured, save and publish the profile. To distribute the profiles,

Click on Device Mgmt, click on Groups & Devices.
Select the group(s)/device(s) to which the profile is to be associated.
Click on Associate Profile and select the created profile.
Click Save to push the profiles to the managed devices.

You can update the OS for few devices by connecting them to the specific machine, which was used for Supervising the devices through Apple Configurator.

NOTE:If you cannot restrict OS updates as explained above, contact our Support team for alternate solutions.