Skip to main content
Jamf Nation, hosted by Jamf, is the largest Apple IT management community in the world. Dialog with your fellow IT professionals, gain insight about Apple device deployments, share best practices and bounce ideas off each other. Join the conversation.

Block IOS updates through iOS restrictions

I was thinking for 1:1 deployments to manage the updates if there could a specific preset under Mobile Devices-Configuration profile-Content Filter -Filter type to specifically block the IOS update servers

Posted: 2/15/18 at 4:05 PM by beth.lindner

Thank you for the great explanation of why managing iOS software updates is a struggle. Your contribution to this community is greatly appreciated.

Order by:

Posted: 1/13/16 at 10:54 AM by gbeidleman

Yes and/or... a toggle button under: Restrictions > Functionality
that gives us a 1 step "Allow iOS updates" option similar to turning the App Store on or off.

Reason needed:
As Apple continues to push out IOS updates, we need an easy way to prevent students/staff from updating their devices to avoid that update from breaking the JSS/Self Service.


Posted: 1/27/16 at 11:04 AM by timwillmore

Yes, yes, yes! @gbeidleman You have the right idea on where to implement the restriction! If I could vote for this more than once, I would.


Posted: 1/28/16 at 9:38 AM by gbeidleman

Please spread the word!!! @timwillmore :)


Posted: 9/9/16 at 4:30 AM by BadinChuck

This is imperative and shouldn't be considered a 'feature'. If Apple continues to ignore the legitimacy of true roll backs of an iOS update (allowing IT to roll back to the last iOS version within a week or two of the most current update doesn't offer a true option in the real world) then preventing an update in the first place must must be available.

Any OS update should first be put through it's paces in a non production test environment. The final release is all that matters. BETA testing future updates is not the answer in a production environment.

While many people dislike MS, at least their OS and software products offer the aforementioned options.



Posted: 9/9/16 at 3:32 PM by dmillertds

Unbelievable this doesn't exist, really. I second your MS comment. Love 'em or hate 'em, at least their management concepts match reality and WORK!

Upvote and upvote often.


Posted: 9/13/16 at 12:17 PM by nhennig

Yeah, I tried what OP was suggesting. I added the configuration profile to blacklist the two update URLs. It did not work. All my student iPads can see and install the iOS 10 update. I even have them blocked in our lightspeed filter. No luck.

This is how I attempted to do it through Lightspeed:


Posted: 9/16/16 at 10:05 AM by dosman1

I vote yes for the implementation of the restriction! Thanks!


Posted: 10/25/16 at 2:35 PM by bvondeylen

It would also be advantageous for the fact that when an iOS update is released, the servers get bogged down and everything becomes slow. If we could incrementally deploy the iOS updates when the servers are better, a little at a time, it would benefit our networks as well. We have 2,500 iPads. When an update is released, we do not need 2,500 iPads updating.


Posted: 10/25/16 at 7:48 PM by cdenesha

The Content Filter is only used for web browsing so it won't work. You can block with a global proxy file (PAC.js).


Posted: 10/25/16 at 8:00 PM by mchit

@cdenesha How do we use that a global proxy file (PAC.js) to block it ? Could you please share any link or info ? Thank you. :)


Posted: 10/25/16 at 10:37 PM by cdenesha

@mchit Check out this post!


Posted: 10/26/16 at 9:36 AM by alex.wyatt

I think this qualifies as an "Apple has to allow it first" thing...but I agree 100% that they need to implement it!


Posted: 9/13/17 at 3:08 PM by cindy.murphy

I am hoping this is has been updated and I can block iOS11. Is this possible?


Posted: 9/19/17 at 5:52 PM by ChicagoGuy1984

I really need to block users from Updating to IOS 11.0 - it breaks our VPP managed apps. Apple really needs to start to try harder. Other than the iPad Pro, I am not impressed with anything they have released in the past 18 months. Hardware and Software!


Posted: 9/26/17 at 9:01 AM by groggonaught

@BadinChuck You would only be installing beta updates if you've signed up for them. Apple wants you to update to the latest version of iOS.

@gbeidleman Why would iOS updates break your JSS?


Posted: 10/2/17 at 1:45 PM by Vasean

iOS 11 introduced the ability to pass Wi-Fi credentials along to other iOS 11 devices even if those credentials are configured via configuration profile. This ability poses an enormous risk for secured networks with outside devices potentially able to connect to a network simply by having access to a managed device with the configuration profile installed.

One of two restrictions needs to be added:

Disable the "Share Wi-Fi" feature
Blocking the ability to install iOS 11


Posted: 10/2/17 at 1:59 PM by miregan

Could block iOS updates on the network firewall. I know it doesnt answer your question, but this is what we do and when I need to update iOS devices and the new iOS has been tested, I allow the traffic through.


Posted: 10/16/17 at 9:40 AM by cparets

I would be content to at least block the prompts/alerts. I have a restrictions that does not allow notifications from the Settings app. There is no badge on the app, but still, the prompts to upgrade to iOS 11 are there. Am I missing something? Ideally I'd like to block them from upgrading altogether, at least for a little while, but lets not advertise the upgrades!


Posted: 10/16/17 at 10:59 AM by miregan

@cparets How are you able to block notifications from the settings app? I was under the impression that using the notifications payload didnt work for that app unless I am mistaken...


Posted: 10/16/17 at 1:58 PM by cparets

@miregan I made a config profile and under Notifications, I added the Settings app and unchecked everything for Settings.

It does seem to stop the badge on the Settings app, but the prompt to upgrade/update still pops up.


Posted: 10/16/17 at 2:00 PM by miregan

Thanks, didnt think that stopped the badge


Posted: 10/16/17 at 2:18 PM by cparets

@miregan It did for me! Just wish I could stop the alert.


Posted: 10/17/17 at 7:51 AM by miregan

We block iOS updates through a global http proxy


Posted: 11/9/17 at 1:45 PM by j.miller

@miregan I would like to try blocking iOS updates with the global http proxy. Can you share details of how you accomplish this?


Posted: 11/9/17 at 1:52 PM by miregan

We have an external file server in which we host a pacs.js file. Its a really simple .js file

function FindProxyForURL(url, host) {
if (dnsDomainIs(host, "")) {
return "PROXY";
else {
return "DIRECT";

Then we set the proxy type to Automatic pointing to that external web server which causes our iPads to not find the update.


Posted: 11/13/17 at 7:45 AM by reon

voting up for this!


Posted: 2/2/18 at 2:09 AM by ibrahimk


Posted: 2/2/18 at 4:40 AM by JohnM007

It will be cool to have a parameter on the restriction that define the maximum version allowed on devices too