Automate OS Updates
Keeping the OS on corporate devices up to date is one of the most important tasks for an IT admin. Running an outdated OS version has several disadvantages, as listed below:
- Additional technical support for devices running lower versions of the OS
- Enterprise apps must support these OS versions
- Unavailability of vital device/security features, which are specific to particular OS versions
However, letting users update the device OS themselves leads to another set of pitfalls:
- Critical enterprise app(s) may not fully support the latest OS version, resulting in bugs and issues.
- Enterprise network bandwidth may get affected if several devices update at once.
- Bugs in the latest OS may prevent enterprise apps from functioning properly.
- OS updates during work hours may affect productivity.
The solution is to schedule and automate OS updates. MDM supports automating OS updates for iOS, Android and Chrome OS.
This feature is available in Professional, Free, and Trial editions of MDM.
Pre-requisites
- iOS devices running versions between 9.0 and 10.0 must be enrolled and Supervised via the Device Enrollment Program (DEP). Devices running iOS 10.0 or later must be Supervised.
- Android devices must be running 6.0 or later and be provisioned as Device Owner.
- The iOS devices must be connected to Wi-Fi to initiate the OS update.
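The pre-requisites above can be checked against a device inventory before a policy is distributed. The following is an added example, not part of the MDM product or its API: the Device record, its field names and the sample inventory are assumptions made for illustration, and iOS versions below 9.0 are treated as not ready because the page lists no rule for them.

```python
from dataclasses import dataclass

@dataclass
class Device:               # hypothetical inventory record, not an MDM API object
    name: str
    platform: str           # "ios" or "android"
    os_version: str         # e.g. "12.1"
    supervised: bool = False
    dep_enrolled: bool = False
    device_owner: bool = False
    on_wifi: bool = False

def _ver(v):
    """'9.3' -> (9, 3, 0) so versions compare numerically, not as strings."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def blockers(d):
    """Return the unmet pre-requisites for one device (empty list = ready)."""
    v, out = _ver(d.os_version), []
    if d.platform == "ios":
        if v < (9, 0, 0):
            out.append("iOS below 9.0")   # assumption: no rule on the page below 9.0
        if not d.supervised:
            out.append("not Supervised")
        if (9, 0, 0) <= v < (10, 0, 0) and not d.dep_enrolled:
            out.append("iOS 9.x not enrolled via DEP")
        if not d.on_wifi:
            out.append("not on Wi-Fi")
    elif d.platform == "android":
        if v < (6, 0, 0):
            out.append("Android below 6.0")
        if not d.device_owner:
            out.append("not provisioned as Device Owner")
    else:
        out.append("platform not covered by this check")
    return out

def report(inventory):
    """Map device name -> list of blockers for a whole inventory."""
    return {d.name: blockers(d) for d in inventory}

# Constructed sample inventory (not real devices)
INVENTORY = [
    Device("ipad-lobby", "ios", "9.3", supervised=True, on_wifi=True),
    Device("iphone-sales", "ios", "12.1", supervised=True),
    Device("pos-01", "android", "8.0", device_owner=True),
    Device("byod-tab", "android", "5.1"),
]
```

Calling report(INVENTORY) returns an empty list for devices that meet every pre-requisite and the list of unmet ones otherwise.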
OS Update Scenarios
An OS update policy ensures that updates happen regularly at a periodic interval. Ideally, this:
- Prevents bandwidth choking, as you can choose to update devices belonging to one particular group at any given time, to ease the bandwidth usage.
- Ensures OS updates can be scheduled during the maintenance period/non-service hours, so that productivity is not affected. This is ideal for Kiosk-provisioned devices such as POS devices, as they are constantly in use.
- Lets you first deploy an update to a particular test group and identify possible bugs affecting device functionality and enterprise app operations. If there are no such issues, you can then choose to deploy it to all the managed devices in the organization.
- Ensures once a policy is configured, all future updates get deployed automatically as specified in the policy.
- Ensures devices can be protected from security vulnerabilities and exploits through immediate forced deployment of the updates that patch them.
Configure OS update policy
For iOS, you can choose to delay the OS update, while for Android, you can configure the date/time, notification settings, etc.
iOS Update Policy
To configure iOS update policy, follow the steps below:
- On the MDM server, navigate to Device Mgmt from the top menu and click on Automate OS Updates from the left pane.
- Click on Create Policy and select iOS. Provide a name for the policy.
- For iOS devices, you can choose to delay the deployment by a specified number of days, with the maximum being 90 days as mandated by Apple. We recommend setting the delay to around 85 days.
- Once you have configured the aforesaid settings, click on Save to publish the policy.
- Select the policy you want to distribute to devices and click on Distribute Policy. Select the device group and click on Select, to distribute the OS update policy.
Android Update Policy
To configure Android update policy, follow the steps below:
- On the MDM server, navigate to Device Mgmt from the top menu and click on Automate OS Updates from the left pane.
- Click on Create Policy and select Android. Provide a name for the policy.
- Delay deployment for a specified period of time and allow users to temporarily skip OS updates.
- Notify the users regarding OS updates, both on the device and by e-mail.
- Set the deployment schedule to initiate the OS updates. You can configure the exact day(s)/week(s)/deployment duration, to create a window for deploying OS updates. Note that the deployment duration must be a minimum of two hours.
- Click on Save to publish the policy.
- Select the policy you want to distribute to devices and click on Distribute Policy. Select the device group and click on Select, to distribute the OS update policy.
Chrome OS Update Policy
To configure Chrome OS update policy, follow the steps below:
- On the MDM server, navigate to Device Mgmt from the top menu and click on Automate OS Updates from the left pane.
- Click on Create Policy and select Chrome. Provide a name for the policy.
- Select the type of OS updates to be installed. You can choose between the Stable, Beta and Developer channels, in addition to the default delegated release channel. Stable releases are OS updates that have been tested by the Chrome OS team and are safe to install in your production environment. Dev and Beta releases can be used to test the features that will be available in the next release, before they are marked Stable.
- Choose to automate the deployment or let the user install the update when available.
- Schedule the OS update to be completed over a span of a few days, in case you are simultaneously updating a large number of devices or have bandwidth considerations.
- Restrict the users from updating to a version newer than the one specified. This ensures users don't update to a version that is not approved by your organization.
- Auto reboot devices upon installing the OS update.
- Click on Save to publish the policy.
- Select the policy you want to distribute to devices and click on Distribute Policy. Select the device group and click on Select, to distribute the OS update policy.
If the OS update fails, MDM will automatically retry during the next few hours. If it still fails, MDM will try updating every single day, until the next schedule. To initiate the update instantly, re-distribute the policy. Further, in the case of Android devices, the OS update gets downloaded irrespective of whether the devices are connected to Wi-Fi or Cellular Data. The actual OS update is carried out as per the OS update policy applied to the devices using MDM.
Points to remember
iOS
- On iOS devices, when the OS update policy is configured to update immediately, MDM will detect the update and distribute it to the devices within 24 to 48 hours.
- On iOS devices, an OS update can happen only if the user enters the passcode to initiate the OS update. To deploy an OS update immediately, MDM requires any passcode set on the device to be removed before updating the OS. You can choose to exclude passcode-protected devices from the OS updates, if need be. Additionally, you can distribute a Passcode policy to the devices, to ensure the users are prompted to set a passcode, as specified in the policy, after the passcode has been automatically removed for updating the OS.
- OS updates can only be restricted for up to 90 days, after which the users can manually update the OS on the devices.
- Using an Apple Caching Server in your organization ensures the OS updates are served from the caching server, making updates faster and saving bandwidth.
- Even if an OS update policy is distributed, users can still update the OS by themselves.
- If the OS update policy is configured to delay the update for a specific number of days, the device OS is updated to the next version and not to the latest version available after the period specified. For example, an iOS device running 12.0 is updated to 12.1 even if the latest version is 12.3.
Android
- Once an OS update is available, the device is notified of the same. The device then informs the ME MDM app. The ME MDM app checks whether any OS update policy is associated with the device, and the OS is updated according to the associated OS update policy.
- The devices are notified of the impending OS update, and users are allowed to skip the OS update a stipulated number of times. Once that number has been exceeded, users have no option but to update the OS.
- Once the policy is distributed, users have no option to update the OS by themselves, unlike on iOS devices. Updates on the devices will happen only through the policy.
- OS updates can only be restricted for up to 30 days, after which the users can manually update the OS on the devices.