Skip to main content
Jamf Nation, hosted by Jamf, is the largest Apple IT management community in the world. Dialog with your fellow IT professionals, gain insight about Apple device deployments, share best practices and bounce ideas off each other. Join the conversation.

Block IOS updates through iOS restrictions

I was thinking for 1:1 deployments to manage the updates if there could a specific preset under Mobile Devices-Configuration profile-Content Filter -Filter type to specifically block the IOS update servers

  1. mesu.apple.com
  2. appldnld.apple.com
Comment

Posted: 1/13/16 at 10:54 AM by gbeidleman

Yes and/or... a toggle button under: Restrictions > Functionality
that gives us a 1 step "Allow iOS updates" option similar to turning the App Store on or off.

Reason needed:
As Apple continues to push out IOS updates, we need an easy way to prevent students/staff from updating their devices to avoid that update from breaking the JSS/Self Service.

Like

Posted: 1/27/16 at 11:04 AM by timwillmore

Yes, yes, yes! @gbeidleman You have the right idea on where to implement the restriction! If I could vote for this more than once, I would.

Like

Posted: 1/28/16 at 9:38 AM by gbeidleman

Please spread the word!!! @timwillmore :)

Like

Posted: 9/9/16 at 4:30 AM by BadinChuck

This is imperative and shouldn't be considered a 'feature'. If Apple continues to ignore the legitimacy of true roll backs of an iOS update (allowing IT to roll back to the last iOS version within a week or two of the most current update doesn't offer a true option in the real world) then preventing an update in the first place must must be available.

Any OS update should first be put through it's paces in a non production test environment. The final release is all that matters. BETA testing future updates is not the answer in a production environment.

While many people dislike MS, at least their OS and software products offer the aforementioned options.

COME ON APPLE WAKE UP!!!

Like

Posted: 9/9/16 at 3:32 PM by dmillertds

Unbelievable this doesn't exist, really. I second your MS comment. Love 'em or hate 'em, at least their management concepts match reality and WORK!

Upvote and upvote often.

Like

Posted: 9/13/16 at 12:17 PM by nhennig

Yeah, I tried what OP was suggesting. I added the configuration profile to blacklist the two update URLs. It did not work. All my student iPads can see and install the iOS 10 update. I even have them blocked in our lightspeed filter. No luck.

This is how I attempted to do it through Lightspeed: http://community.lightspeedsystems.com/knowledgebase/how-to-block-ios-updates-using-the-rocket/

Like

Posted: 9/16/16 at 10:05 AM by dosman1

I vote yes for the implementation of the restriction! Thanks!

Like

Posted: 10/25/16 at 2:35 PM by bvondeylen

It would also be advantageous for the fact that when an iOS update is released, the servers get bogged down and everything becomes slow. If we could incrementally deploy the iOS updates when the servers are better, a little at a time, it would benefit our networks as well. We have 2,500 iPads. When an update is released, we do not need 2,500 iPads updating.

Like

Posted: 10/25/16 at 7:48 PM by cdenesha

The Content Filter is only used for web browsing so it won't work. You can block with a global proxy file (PAC.js).

Like

Posted: 10/25/16 at 8:00 PM by mchit

@cdenesha How do we use that a global proxy file (PAC.js) to block it ? Could you please share any link or info ? Thank you. :)

Like

Posted: 10/25/16 at 10:37 PM by cdenesha

@mchit Check out this post!

Like

Posted: 10/26/16 at 9:36 AM by alex.wyatt

I think this qualifies as an "Apple has to allow it first" thing...but I agree 100% that they need to implement it!

Like

Posted: 9/13/17 at 3:08 PM by cindy.murphy

I am hoping this is has been updated and I can block iOS11. Is this possible?

Like

Posted: 9/19/17 at 5:52 PM by ChicagoGuy1984

I really need to block users from Updating to IOS 11.0 - it breaks our VPP managed apps. Apple really needs to start to try harder. Other than the iPad Pro, I am not impressed with anything they have released in the past 18 months. Hardware and Software!

Like

Posted: 9/26/17 at 9:01 AM by groggonaught

@BadinChuck You would only be installing beta updates if you've signed up for them. Apple wants you to update to the latest version of iOS.

@gbeidleman Why would iOS updates break your JSS?

Like

Posted: 10/2/17 at 1:45 PM by Vasean

iOS 11 introduced the ability to pass Wi-Fi credentials along to other iOS 11 devices even if those credentials are configured via configuration profile. This ability poses an enormous risk for secured networks with outside devices potentially able to connect to a network simply by having access to a managed device with the configuration profile installed.

One of two restrictions needs to be added:

Disable the "Share Wi-Fi" feature
or
Blocking the ability to install iOS 11

Like

Posted: 10/2/17 at 1:59 PM by miregan

Could block iOS updates on the network firewall. I know it doesnt answer your question, but this is what we do and when I need to update iOS devices and the new iOS has been tested, I allow the traffic through.

Like

Posted: 10/16/17 at 9:40 AM by cparets

I would be content to at least block the prompts/alerts. I have a restrictions that does not allow notifications from the Settings app. There is no badge on the app, but still, the prompts to upgrade to iOS 11 are there. Am I missing something? Ideally I'd like to block them from upgrading altogether, at least for a little while, but lets not advertise the upgrades!

Like

Posted: 10/16/17 at 10:59 AM by miregan

@cparets How are you able to block notifications from the settings app? I was under the impression that using the notifications payload didnt work for that app unless I am mistaken...

Like

Posted: 10/16/17 at 1:58 PM by cparets

@miregan I made a config profile and under Notifications, I added the Settings app and unchecked everything for Settings.

It does seem to stop the badge on the Settings app, but the prompt to upgrade/update still pops up.

Like

Posted: 10/16/17 at 2:00 PM by miregan

Thanks, didnt think that stopped the badge

Like

Posted: 10/16/17 at 2:18 PM by cparets

@miregan It did for me! Just wish I could stop the alert.

Like

Posted: 10/17/17 at 7:51 AM by miregan

We block iOS updates through a global http proxy

Like

Posted: 11/9/17 at 1:45 PM by j.miller

@miregan I would like to try blocking iOS updates with the global http proxy. Can you share details of how you accomplish this?

Like

Posted: 11/9/17 at 1:52 PM by miregan

We have an external file server in which we host a pacs.js file. Its a really simple .js file

function FindProxyForURL(url, host) {
if (dnsDomainIs(host, "mesu.apple.com")) {
return "PROXY 8.8.8.8:53";
}
else {
return "DIRECT";
}
}

Then we set the proxy type to Automatic pointing to that external web server which causes our iPads to not find the update.

Like

Posted: 11/13/17 at 7:45 AM by reon

voting up for this!

Like