Allow blocking of iOS update (supervised)
I want the ability to block updating to the newest iOS version. I have users who don't listen when I send out an email blast to not update their devices but I still get users who either don't read or just ignore the email. I want the ability to set the highest version that I want available and to disable updating to the newest version until I release it. Same type of deal as when I have to approve Windows updates.
The OP didn’t specify BYOD or supervised. We released the ability to delay updates up to 90 days on supervised devices and this is the most the platform allows – we’d need Apple to allow us to do it on BYOD devices – so I tweaked the title to indicate it’s on Supervised devices, and am marking it complete.
Thanks for your feedback!
Chris O'Leary commented
In iOS 11.3 Apple implemented an MDM feature that would allow an MDM to push a specific version of iOS (determined in the MDM console) to a device that had updates deferred. To use an example here:
1. iOS 12 comes out and I don’t want users to update to it, so I use the MDM to defer updates, prohibiting end-users from updating for up to 60 days.
2. After completing my testing, I am happy with iOS 12, however iOS 12.0.1 has come out but I’ve not completed my testing with 12.0.1, so I’d like users to update to 12.
3. I’d like to push out iOS 12 and not iOS 12.0.1, so I’d like to use my MDM to push out iOS 12.
Does that make sense? It's essentially a subtle enhancement to the 'defer updates' capability.
James Read commented
Having the ability to delay updates should be good enough.
Antti Saarinen commented
Sorry to go in a little different direction. Is this feature also for Android phones?
Hi Cathy, I understand that it is Apple's policy to not block updates completely but the 90 day update I think is more than enough time to delay in case additional testing is required before release.
I personally think the 90-day delay feature would be perfect as I can't imagine any strong enough use case to compromise security and completely block updates. I would certainly be happy to consider this complete once successfully implemented. Happy to aid with testing if required.
Daniil, thanks for that, will try this. If it's just XML, maybe the Intune team could now bake this into Intune, that would be nice!
Daniil Michine commented
As of iOS 11.3 it is possible to delay iOS updates for up to 90 days.
You can deploy a custom profile to the device to achieve this. This function is only possible on supervised devices.
Here is an example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<string>Delay iOS Update</string>
Martin Reinhard commented
The suggestion for conditional access based on the iOS version does not solve my problem. We have a business app that does not support iOS 11 yet. Devices that have been updated by the user will therefore become unusable. The ability to create an iOS update policy is helpful but it would be better to delay the update installation to a certain date.
You take the problem in the wrong way: it is YOUR job as customer to test your iOS apps, BEFORE a new iOS version is released on the market. You should not send emails, asking your employees to "not upgrade until you/your IT dept certifies the new iOS release": you should fix the bugs during the iOS beta phase.
Therefore, an MDM system should NOT have any feature to block OS upgrades.
@Klaus Østergren: about SAP apps, chances are high that this rumor is totally wrong. SAP does its best to perform testing during iOS beta phases, so that the apps work "at day 1" of an iOS release.
This is something that we greatly desire in healthcare. We have apps that need to be tested before we can update the app or iOS. It would be great to have this feature for supervised devices. It would save some headaches and user issues.
Ian Conway commented
Cathy Moya - Any update on this?
Stewart McLaughlan commented
Would be great to see this added as I have come across a lot of customers with LOB applications that haven't been developed yet to support the later versions of iOS. iOS push their updates out themselves so if you are using always on VPN on your iOS devices you could block the update site so the devices cannot check for new updates and then remove the block once you are happy the update can be installed.
Apple built in the ability to manage iOS updates via MDM over a year ago. Please don't say this is a carrier issue. In fact Sept last year Microsoft actually touted this iOS 9 feature, but still has yet to support it:
"Using MDM, IT administrators can now push OS updates to DEP-enrolled iOS devices. This makes it possible to ensure all the corporate iOS devices on your network are up to date with the latest security patches and management features."
Here's an example of an MDM that actually implemented this feature for their customers:
Are there any plans to partner with Apple to actually support enterprise iOS features as they are released? What is the timeline for the release of support of the existing enterprise iOS features (such as this one) that Microsoft still doesn't support? 1 year later? 2 years later?
Mark Graff commented
Not all that long ago we saw major issues with device check-ins and configuration deployments thanks to an update for iOS. I think we would much rather see the ability to block mobile OS updates until we have the ability to test and verify they will work with Intune. We want to keep devices + Intune functional.
Not really as blocking users is the last thing I want to do. Then once they are blocked, there is no way to go back to a previous version of iOS so you are stuck with a user who can't use the phone.
So that really isn't a solution as this is the situation that I am trying to avoid by preventing them from updating in the first place.
Klaus Østergren commented
I have heard of applications like SAP add-ons and other own-developed Line-of-Business apps where it is a requirement of the MDM solution that OS upgrades can be prevented. So in my opinion the conditional access is not enough, though I from a BYOD perspective would not apply such a setting.
Nils van Woensel commented
Would be good if this is available.
Apple pushes new updates to phones quickly and popups are shown to update the phone.
When I read the message about issues with 9.2 I had already upgraded a few iPhones in my test environment and experienced some issues. E-mailing users later is a reactive solution and means that a lot of colleagues already upgraded their phones or are not reading the e-mail.