Microsoft Intune Feedback

Allow blocking of iOS update

I want the ability to block updating to the newest iOS version. I have users who don't listen when I send out an email blast to not update their devices but I still get users who either don't read or just ignore the email. I want the ability to set the highest version that I want available and to disable updating to the newest version until I release it. Same type of deal as when I have to approve Windows updates.

194 votes

Kellan shared this idea  ·  Admin response:

I know it’s not a total, perpetual block, but as of the week of August 27 you can configure the days and times when you don’t want devices to install any updates. In a future update, you’ll be able to delay when a software update is visibly shown on the device, from one to 90 days.

When we deliver the 90-day delay, is that good enough to call this complete? As @Daniil points out, that's what Apple is offering now. And it's not great to get yourself too out of date with updates.

16 comments

  • Chris O'Leary commented

    In iOS 11.3 Apple implemented an MDM feature that would allow an MDM to push a specific version of iOS (determined in the MDM console) to a device that had updates deferred. To use an example here:

    1. iOS 12 comes out and I don't want users to update to it, so I use the MDM to defer updates, prohibiting end users from updating for up to 60 days.
    2. After completing my testing I am happy with iOS 12; however, iOS 12.0.1 has come out and I've not completed my testing with 12.0.1, so I'd like users to update to 12.
    3. I'd like to push out iOS 12 and not iOS 12.0.1, so I'd like to use my MDM to push out iOS 12.

    Does that make sense? It's essentially a subtle enhancement to the 'defer updates' capability.

  • D commented

    Hi Cathy, I understand that it is Apple's policy to not block updates completely, but the 90-day delay I think is more than enough time in case additional testing is required before release.

    I personally think the 90-day delay feature would be perfect, as I can't imagine any use case strong enough to justify compromising security and completely blocking updates. I would certainly be happy to consider this complete once successfully implemented. Happy to aid with testing if required.

  • D commented

    Daniil, thanks for that, will try this. If it's just XML, maybe the Intune team could now bake this into Intune; that would be nice!

  • Daniil Michine commented

    As of iOS 11.3 it is possible to delay iOS updates for up to 90 days.

    You can deploy a custom profile to the device to achieve this. This function is only possible on supervised devices.

    Here is an example:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>PayloadDescription</key>
                <string>Configures restrictions</string>
                <key>PayloadDisplayName</key>
                <string>Restrictions</string>
                <key>PayloadIdentifier</key>
                <string>com.apple.applicationaccess.9BA568AC-D316-4AC3-B0E4-23239786AC9C</string>
                <key>PayloadType</key>
                <string>com.apple.applicationaccess</string>
                <key>PayloadUUID</key>
                <string>9BA568AC-D316-4AC3-B0E4-23239786AC9C</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>enforcedSoftwareUpdateDelay</key>
                <integer>30</integer>
            </dict>
        </array>
        <key>PayloadDisplayName</key>
        <string>Delay iOS Update</string>
        <key>PayloadIdentifier</key>
        <string>A0322235-BCB6-4138-8A12-19685E399074</string>
        <key>PayloadRemovalDisallowed</key>
        <false/>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadUUID</key>
        <string>ACACB93F-6F05-461F-B09D-35F6D9893FAB</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
    </dict>
    </plist>
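As an added example (not part of the thread or of any Intune or Apple tooling), the following Python script generates the same kind of restrictions profile Daniil posted using only the standard library's plistlib, refuses delays outside the 1 to 90 day range Apple documents for enforcedSoftwareUpdateDelay, and reads the delay back out of any .mobileconfig so you can audit what a device is actually being given. The function names, the audit wording and the EMPTY_PROFILE sample are this example's own inventions; the assumption that the largest value wins when several restrictions payloads set the key is also this example's, since a real profile normally carries one.

```python
"""Build and audit an iOS restrictions profile that delays software updates.

Added example for this thread; not code from Intune, Apple, or the commenters.
Assumes Apple's documented range of 1..90 days for enforcedSoftwareUpdateDelay.
"""
import plistlib
import uuid

RESTRICTIONS_TYPE = "com.apple.applicationaccess"
DELAY_KEY = "enforcedSoftwareUpdateDelay"
MIN_DELAY_DAYS, MAX_DELAY_DAYS = 1, 90  # Apple's documented range for the key


def is_valid_delay(days):
    """True if `days` is an integer within the range iOS accepts."""
    return isinstance(days, int) and MIN_DELAY_DAYS <= days <= MAX_DELAY_DAYS


def build_update_delay_profile(delay_days, profile_uuid=None, payload_uuid=None):
    """Return a .mobileconfig (XML plist bytes) that delays updates by `delay_days`.

    UUIDs are generated unless supplied; keep them stable across re-issues so the
    MDM replaces the profile instead of installing a second copy.
    """
    if not is_valid_delay(delay_days):
        raise ValueError(
            f"delay must be {MIN_DELAY_DAYS}..{MAX_DELAY_DAYS} days, got {delay_days!r}"
        )
    profile_uuid = profile_uuid or str(uuid.uuid4()).upper()
    payload_uuid = payload_uuid or str(uuid.uuid4()).upper()
    restrictions = {
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{RESTRICTIONS_TYPE}.{payload_uuid}",
        "PayloadUUID": payload_uuid,
        "PayloadDisplayName": "Restrictions",
        "PayloadDescription": "Configures restrictions",
        DELAY_KEY: delay_days,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": profile_uuid,
        "PayloadUUID": profile_uuid,
        "PayloadDisplayName": f"Delay iOS Update ({delay_days} days)",
        "PayloadRemovalDisallowed": False,
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)


def effective_update_delay(profile_bytes):
    """Return the update delay a profile enforces, or None if it sets none.

    Assumption of this example: if several restrictions payloads set the key,
    the largest (most restrictive) value is reported.
    """
    profile = plistlib.loads(profile_bytes)
    delays = [
        int(p[DELAY_KEY])
        for p in profile.get("PayloadContent", [])
        if p.get("PayloadType") == RESTRICTIONS_TYPE and DELAY_KEY in p
    ]
    return max(delays) if delays else None


def audit_profile(profile_bytes):
    """Return a list of findings worth reading before deploying the profile."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    delay = effective_update_delay(profile_bytes)
    if delay is None:
        findings.append(f"no {RESTRICTIONS_TYPE} payload sets {DELAY_KEY}; updates are not delayed")
    elif not is_valid_delay(delay):
        findings.append(f"{DELAY_KEY}={delay} is outside {MIN_DELAY_DAYS}..{MAX_DELAY_DAYS}")
    if not profile.get("PayloadRemovalDisallowed", False):
        findings.append(
            "PayloadRemovalDisallowed is false: a manually installed copy can be "
            "removed by the user, so deliver it through MDM rather than by hand"
        )
    return findings


# Constructed sample: a configuration profile that declares no restrictions at all.
EMPTY_PROFILE = plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": []})

if __name__ == "__main__":
    blob = build_update_delay_profile(30)
    print(blob.decode())
    print("delay:", effective_update_delay(blob))
    for finding in audit_profile(blob):
        print("finding:", finding)
```

The script cannot tell you whether the target device is supervised; that is still a precondition for the key to have any effect, as Daniil notes, and a profile audited clean here does nothing on an unsupervised device.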

  • Martin Reinhard commented

    The suggestion for conditional access based on the iOS version does not solve my problem. We have a business app that does not support iOS 11 yet. Devices that have been updated by the user will therefore become unusable. The ability to create an iOS update policy is helpful but it would be better to delay the update installation to a certain date.

  • ON commented

    You take the problem in the wrong way: it is YOUR job as customer to test your iOS apps BEFORE a new iOS version is released on the market. You should not send emails asking your employees to "not upgrade until you/your IT dept certifies the new iOS release": you should fix the bugs during the iOS beta phase.

    Therefore, an MDM system should NOT have any feature to block OS upgrades.

    @Klaus Østergren: about SAP apps, chances are high that this rumor is totally wrong. SAP does its best to perform testing during iOS beta phases, so that the apps work "at day 1" of an iOS release.

  • James commented

    This is something that we greatly desire in healthcare. We have apps that need to be tested before we can update the app or iOS. It would be great to have this feature for supervised devices. It would save some headaches and user issues.

  • Stewart McLaughlan commented

    Would be great to see this added, as I have come across a lot of customers with LOB applications that haven't been developed yet to support the later versions of iOS. iOS pushes its updates out itself, so if you are using always-on VPN on your iOS devices you could block the update site so the devices cannot check for new updates, and then remove the block once you are happy the update can be installed.

  • John commented

    Apple built in the ability to manage iOS updates via MDM over a year ago. Please don't say this is a carrier issue. In fact Sept last year Microsoft actually touted this iOS 9 feature, but still has yet to support it:

    https://blogs.technet.microsoft.com/enterprisemobility/2015/09/09/day-zero-support-for-ios-9-with-intune/

    "Using MDM, IT administrators can now push OS updates to DEP-enrolled iOS devices. This makes it possible to ensure all the corporate iOS devices on your network are up to date with the latest security patches and management features."

    Here's an example of an MDM that actually implemented this feature for their customers:

    https://documentation.meraki.com/SM/Apps_and_Software/Deploying_OS_Updates_with_Systems_Manager

    Are there any plans to partner with Apple to actually support enterprise iOS features as they are released? What is the timeline for the release of support of the existing enterprise iOS features (such as this one) that Microsoft still doesn't support? 1 year later? 2 years later?

  • Mark Graff commented

    Not all that long ago we saw major issues with device check-ins and configuration deployments thanks to an update for iOS. I think we would much rather see the ability to block mobile OS updates until we have the ability to test and verify they will work with Intune. We want to keep devices + Intune functional.

  • Kellan commented

    Not really, as blocking users is the last thing I want to do. Then once they are blocked, there is no way to go back to a previous version of iOS, so you are stuck with a user who can't use the phone.

    So that really isn't a solution as this is the situation that I am trying to avoid by preventing them from updating in the first place.

  • Klaus Østergren commented

    I have heard of applications like SAP add-ons and other in-house developed Line-of-Business apps where it is a requirement of the MDM solution that OS upgrades can be prevented. So in my opinion the conditional access is not enough, though from a BYOD perspective I would not apply such a setting.

  • Nils van Woensel commented

    Would be good if this is available.
    Apple pushes new updates to phones quickly, and popups are shown to update the phone.
    When I read the message about issues with 9.2 I had already upgraded a few iPhones in my test environment and experienced some issues. E-mailing users later is a reactive solution and means that a lot of colleagues have already upgraded their phones or are not reading the e-mail.
