How to block iOS updates

A common question we receive through our support channel is this: How can we prevent our devices from updating to the latest version of iOS?

Often, organizations wish to vet the latest iOS release, verifying that the business-related apps they use will continue to function properly on the devices used by their organization. By delaying the deployment of the latest version of iOS within their organization, they buy additional time to run these checks before green lighting the upgrade.

The official method

Starting with iOS 11.3 and macOS 10.13.4, MDM administrators are able to specify a number of days to delay a software update, with a maximum delay of 90 days. With this option enabled, the user of the device will not see a software update until the specified number of days has passed since the release.

To enable this feature, iOS devices must be in supervised mode.

Other options

Before iOS 11.3 and macOS 10.13.4, Apple did not provide a means to block or delay OS software updates, either within iOS or macOS, or via MDM. We have seen these common methodologies used by our customers.

Install tvOS beta configuration profile

We have yet to verify this, but numerous sources (including Daniel in the comments section, thanks Daniel!) that installing the tvOS Beta Configuration Profile provided by Apple will block the update messages from appearing on iOS.

The tvOS Beta Configuration Profile is restricted to distribution among registered Apple Developers only. You can access the program at the Apple Developer Portal. You should also be able to find the tvOS profile freely on the web with a little work.

Block the update servers

Blocking communication with the Apple update servers at the company network level may also help prevent updates. By disallowing traffic to the update servers on the company network, devices will be unable to update themselves. The pitfall of this methodology is that the device will be able to update itself if it joins a different WIFI network or has a cellular connection.

The two update servers that we are aware of are: appldnld.apple.com and mesu.apple.com.

Ask users to delay updating

Send an announcement to all staff requesting that they hold off from updating their devices. iOS will always prompt users before it begins an update and a user can prevent the device from updating by denying the prompt. The most effective company announcements generally disclose the concerns of updating early, including the potential incompatibilities with business-related apps. This helps staff understand how an early update may negatively affect them and aligns them with the interests of the company.

Is delaying an update recommended?

In short: it’s a double edged sword. On one hand, delaying the release of an iOS update can prevent a situation where users are not able to use apps they depend on due to software incompatibilities. On the other hand, it can leave devices with outdated versions of iOS which may have publicly known security vulnerabilities, exposing your organization to much greater risks.

One thing to consider when making a decision to upgrade or not is what the specific upgrade is for. If it’s a minor update, for instance an update from 9.3.2 to 9.3.5, it likely contains security fixes. It also is unlikely to have any incompatibilities with existing apps. If the update is a major one, for instance 9.3.5 to 10.0.1, there will be a higher risk of finding incompatibilities with apps.

Planning for the future

Ideally, your organization is ready for iOS updates on the day of their release and can avoid having to delay updating altogether. Apple makes the GM (the version slated for public release) of major iOS updates available before the release date, often a week or more in advance, and these versions can be tested by IT beforehand.