Skip to main content
Jamf Nation, hosted by Jamf, is a knowledgeable community of Apple-focused admins and Jamf users. If you like what you see, join us in person at the ninth annual Jamf Nation User Conference (JNUC) this October for three days of learning, laughter and IT love.

Block IOS updates through iOS restrictions

I was thinking for 1:1 deployments to manage the updates if there could a specific preset under Mobile Devices-Configuration profile-Content Filter -Filter type to specifically block the IOS update servers

  1. mesu.apple.com
  2. appldnld.apple.com
Posted: by beth.lindner

Thank you for providing Apple with your feedback!! As of Jamf Pro 10.3.0, Apple has added the ability to defer software updates. This feature is available in the Restrictions payload of Configuration Profiles for Supervised, iOS 11.3 and later devices and for macOS 10.13.4 and later devices. Updates can be deferred for 1, 7, 30, 45, 60, or 90 days based on the date Apple released the updates to their software updates services. Although updates to the operating systems cannot be deferred indefinitely, the provided time period will allow a window for update validation processes. This doesn't exactly match the requested enhancement, but we feel this new feature will go a long way toward helping manage these updates. We look forward to your feedback on whether or not this feature helped solve the struggles we were looking for!

Comment
Order by:

Posted: by gbeidleman

Yes and/or... a toggle button under: Restrictions > Functionality
that gives us a 1 step "Allow iOS updates" option similar to turning the App Store on or off.

Reason needed:
As Apple continues to push out IOS updates, we need an easy way to prevent students/staff from updating their devices to avoid that update from breaking the JSS/Self Service.

Like

Posted: by timwillmore

Yes, yes, yes! @gbeidleman You have the right idea on where to implement the restriction! If I could vote for this more than once, I would.

Like

Posted: by gbeidleman

Please spread the word!!! @timwillmore :)

Like

Posted: by BadinChuck

This is imperative and shouldn't be considered a 'feature'. If Apple continues to ignore the legitimacy of true roll backs of an iOS update (allowing IT to roll back to the last iOS version within a week or two of the most current update doesn't offer a true option in the real world) then preventing an update in the first place must must be available.

Any OS update should first be put through it's paces in a non production test environment. The final release is all that matters. BETA testing future updates is not the answer in a production environment.

While many people dislike MS, at least their OS and software products offer the aforementioned options.

COME ON APPLE WAKE UP!!!

Like

Posted: by dmillertds

Unbelievable this doesn't exist, really. I second your MS comment. Love 'em or hate 'em, at least their management concepts match reality and WORK!

Upvote and upvote often.

Like

Posted: by nhennig

Yeah, I tried what OP was suggesting. I added the configuration profile to blacklist the two update URLs. It did not work. All my student iPads can see and install the iOS 10 update. I even have them blocked in our lightspeed filter. No luck.

This is how I attempted to do it through Lightspeed: http://community.lightspeedsystems.com/knowledgebase/how-to-block-ios-updates-using-the-rocket/

Like

Posted: by dosman1

I vote yes for the implementation of the restriction! Thanks!

Like

Posted: by bvondeylen

It would also be advantageous for the fact that when an iOS update is released, the servers get bogged down and everything becomes slow. If we could incrementally deploy the iOS updates when the servers are better, a little at a time, it would benefit our networks as well. We have 2,500 iPads. When an update is released, we do not need 2,500 iPads updating.

Like

Posted: by cdenesha

The Content Filter is only used for web browsing so it won't work. You can block with a global proxy file (PAC.js).

Like

Posted: by mchit

@cdenesha How do we use that a global proxy file (PAC.js) to block it ? Could you please share any link or info ? Thank you. :)

Like

Posted: by cdenesha

@mchit Check out this post!

Like

Posted: by alex.wyatt

I think this qualifies as an "Apple has to allow it first" thing...but I agree 100% that they need to implement it!

Like

Posted: by cindy.murphy

I am hoping this is has been updated and I can block iOS11. Is this possible?

Like

Posted: by ChicagoGuy1984

I really need to block users from Updating to IOS 11.0 - it breaks our VPP managed apps. Apple really needs to start to try harder. Other than the iPad Pro, I am not impressed with anything they have released in the past 18 months. Hardware and Software!

Like

Posted: by groggonaught

@BadinChuck You would only be installing beta updates if you've signed up for them. Apple wants you to update to the latest version of iOS.

@gbeidleman Why would iOS updates break your JSS?

Like

Posted: by Vasean

iOS 11 introduced the ability to pass Wi-Fi credentials along to other iOS 11 devices even if those credentials are configured via configuration profile. This ability poses an enormous risk for secured networks with outside devices potentially able to connect to a network simply by having access to a managed device with the configuration profile installed.

One of two restrictions needs to be added:

Disable the "Share Wi-Fi" feature
or
Blocking the ability to install iOS 11

Like

Posted: by miregan

Could block iOS updates on the network firewall. I know it doesnt answer your question, but this is what we do and when I need to update iOS devices and the new iOS has been tested, I allow the traffic through.

Like

Posted: by cparets

I would be content to at least block the prompts/alerts. I have a restrictions that does not allow notifications from the Settings app. There is no badge on the app, but still, the prompts to upgrade to iOS 11 are there. Am I missing something? Ideally I'd like to block them from upgrading altogether, at least for a little while, but lets not advertise the upgrades!

Like

Posted: by miregan

@cparets How are you able to block notifications from the settings app? I was under the impression that using the notifications payload didnt work for that app unless I am mistaken...

Like

Posted: by cparets

@miregan I made a config profile and under Notifications, I added the Settings app and unchecked everything for Settings.

It does seem to stop the badge on the Settings app, but the prompt to upgrade/update still pops up.

Like

Posted: by miregan

Thanks, didnt think that stopped the badge

Like

Posted: by cparets

@miregan It did for me! Just wish I could stop the alert.

Like

Posted: by miregan

We block iOS updates through a global http proxy

Like

Posted: by j.miller

@miregan I would like to try blocking iOS updates with the global http proxy. Can you share details of how you accomplish this?

Like

Posted: by miregan

We have an external file server in which we host a pacs.js file. Its a really simple .js file

function FindProxyForURL(url, host) {
if (dnsDomainIs(host, "mesu.apple.com")) {
return "PROXY 8.8.8.8:53";
}
else {
return "DIRECT";
}
}

Then we set the proxy type to Automatic pointing to that external web server which causes our iPads to not find the update.

Like

Posted: by reon

voting up for this!

Like

Posted: by ibrahimk

http://appleinsider.com/articles/18/02/01/it-pros-will-be-able-to-delay-apple-updates-for-90-days-with-ios-113-macos-10134

Like

Posted: by JohnM007

It will be cool to have a parameter on the restriction that define the maximum version allowed on devices too

Like