How to block iOS updates

A common question we see from MacAdmins is this: How can we prevent our devices from updating to the latest version of iOS?

Blocking or delaying a software update occurs when an administrator intentionally prevents the latest software version from installing via automatic download because of risks it may pose to the organization's digital environment. Delaying updates gives you time to test that update for any functional or compatibility issues.

You can block an iOS update in a few ways:

Disable automatic updates in System Settings
Defer software deployments
Block the update servers
Ask users to delay updates

Why block software updates?

Organizations delay deploying the latest iOS to validate its compatibility with their business-related apps. This delay buys extra time to run functionality testing in their environment before approving the upgrade for the entire user population.

1. Disable automatic updates in System Settings

This method is done manually on each machine.

Click System Settings.
Click General.
Click the Software Update button.
Click the lowercase 'i' button (information) to show details.
Toggle the switch off next to Download new updates when available.
Toggle the switch off next to Install macOS updates. (This step will require password authentication.)
Click the Done button to exit.

2. Defer software deployments

This method is deployed to multiple machines at once through an MDM solution.

Deferred software deployment can delay the application of new operating system updates on Apple devices for a certain period, giving IT administrators time to vet updates for compatibility with the existing infrastructure.

Upon a new software release from Apple, IT administrators can use the MDM server to defer its deployment on managed devices for up to 90 days. This delay, available from iOS 11.3 and macOS 10.13.4, allows devices to bypass immediate updates and install them automatically after the deferral period.

It's important to note that deferred software updates apply to major software updates (e.g., iOS 13 to iOS 14) and minor software updates (e.g., iOS 14.4 to iOS 14.5).

Security updates (e.g., iOS 14.4 to iOS 14.4.1) cannot be deferred and will still be installed immediately once available.

With this restriction enabled, the devices ignore any newly available updates. After the deferral period ends, the devices automatically install the update.

How to block iOS updates in SimpleMDM with a restriction configuration profile

To enable this feature, iOS devices must be managed in supervised mode.

In SimpleMDM:

Click Configs.
Click Profiles.
Click Create Profile.
Click Restrictions.
Name your restrictions profile.
Scroll down to the iOS update delay header and click the No delay box to customize your deferral time frame with the drop-down menu.
Click on the number of days you'd like to defer the update.
Ensure the iOS box is checked under Scope on the bottom left of the page before saving.
Click Save.
Deploy the restriction to your desired Device Groups under Devices > Groups.

Note: You can apply all iOS restrictions to this configuration profile for deployment in one package or uncheck all boxes except iOS update delay to deploy only this specific restriction.

3. Block the update servers

Blocking traffic to Apple's update servers on the company network can prevent device updates, but this comes with risk.

Note: Blocking these update servers may potentially disrupt other services beyond updates.

Apple does not publish an official list of all its software update servers, and despite historical use, these URLs are subject to change as Apple grows its infrastructure.

We are aware of two update servers:

appldnld.apple.com
mesu.apple.com

Unconfirmed, but these may also be update servers:

softwareupdates.apple.com
updates-http.apple.com
mzstatic.com
swscan.apple.com
xp.apple.com
updates-http.cdn-apple.com

The pitfall of this method is that the device can still update itself if one of the following occurs:

It joins a different Wi-Fi network
It obtains a cellular connection

Blocking Apple's servers to prevent updates could trigger unintended consequences, as these domains convey much more than simple software updates. Doing so also risks restricting access to crucial app updates, system functionality, and vital security patches.

4. Ask users to delay updates

With this approach, you'll send an announcement to all staff to pause device updates. As iOS always asks users before commencing an update, denying the prompt can prevent early acceptance. In your announcement, point out the pitfalls of early updating, like possible app incompatibilities, to align staff understanding with company interests.

While this method is viable, all IT professionals know that relying on end users is risky business. We recommend avoiding methods that open yourself up to human error whenever possible.

Is delaying an update recommended?

No, we do not recommend delaying software updates — at least not permanently. However, choosing whether to delay updates depends on your organization's unique needs.

While there can be reasons to delay software updates, it's essential to consider software update benefits, such as:

Enhanced security
New features
Performance improvements

That's why organizations should always maintain a balanced approach: Organizations should admit new updates only after proper testing and compatibility checking within a prioritized time frame of fewer than 90 days.

Pros: Delaying the release of an iOS update can allow users to keep using apps they depend on for longer if the next update introduces software incompatibilities.

Cons: Delaying can leave devices with outdated versions of iOS, which may have publicly known security vulnerabilities, exposing your organization to more significant risks.

Ideally, organizations are ready for iOS updates upon release, negating update delays. Apple provides the GM (or public release version) of significant updates in advance to allow for IT testing.

One thing to consider when deciding to upgrade or not is what the specific upgrade is for:

If it's a minor update — for instance, an update from 9.3.2 to 9.3.5 — it likely contains security fixes. It is also unlikely to have any incompatibilities with existing apps.
If the update is a major one — for instance, 9.3.5 to 10.0.1 — there is a higher risk of finding incompatibilities with apps.

No one likes to accumulate tech debt. The safest approach is to stay updated and compliant, face software changes head-on, and proactively evolve with technology as far as your budget permits.

How to block iOS updates FAQs

What factors should I consider when deciding to block iOS updates?

Enterprise organizations may want to block the latest iOS updates due to:

Compatibility: New updates may contain changes incompatible with existing enterprise software or applications that can cause functionality issues. By blocking updates, organizations can test their compatibility before rolling them out.
Stability: New updates occasionally come with bugs that can lead to system instability. It's often safer for organizations to stick with a slightly older, well-tested version of the system software until any bugs have been identified and fixed.
Training and support: Sudden changes in the OS can confuse employees and require additional training and increased IT support. By delaying updates, organizations can adequately prepare their teams for any changes.
Bandwidth: If an organization has hundreds or even thousands of devices, simultaneous downloading of a significant iOS update can significantly impact network bandwidth (especially during business hours).
Control: By managing the deployment of iOS updates, organizations can maintain more control over their tech environment and ensure all changes align with their more extensive IT strategies.

What does GM stand for?

GM stands for golden master.

It's a term commonly used in software development to indicate the final version of a software release that is ready for public distribution after the testing phase.

For Apple's iOS updates, the golden master is the version intended for public release. It is usually made available a week before the official release date.

SimpleMDM is a mobile device management solution that helps IT teams securely update, monitor, and license Apple devices in minutes while automatically monitoring Apple updates. Try it free for 30 days!