How to Block iOS Updates

Last updated April 10, 2019

A common question we receive through our support channel is this: How can we prevent our devices from updating to the latest version of iOS?

Often, organizations wish to vet the latest iOS release, verifying that the business-related apps they use will continue to function properly on the devices used by their organization. By delaying the deployment of the latest version of iOS within their organization, they buy additional time to run these checks before green lighting the upgrade.

The Official Method

Starting with iOS 11.3 and macOS 10.13.4, MDM administrators are able to specify a number of days to delay a software update, with a maximum delay of 90 days. With this option enabled, the user of the device will not see a software update until the specified number of days has passed since the release.

To enable this feature, iOS devices must be in supervised mode.

Other Options

Before iOS 11.3 and macOS 10.13.4, Apple did not provide a means to block or delay OS software updates, either within iOS or macOS, or via MDM. We have seen these common methodologies used by our customers.

Install tvOS Beta Configuration Profile

We have yet to verify this, but numerous sources (including Daniel in the comments section, thanks Daniel!) that installing the tvOS Beta Configuration Profile provided by Apple will block the update messages from appearing on iOS.

The tvOS Beta Configuration Profile is restricted to distribution among registered Apple Developers only. You can access the program at the Apple Developer Portal. You should also be able to find the tvOS profile freely on the web with a little work.

Block the Update Servers

Blocking communication with the Apple update servers at the company network level may also help prevent updates. By disallowing traffic to the update servers on the company network, devices will be unable to update themselves. The pitfall of this methodology is that the device will be able to update itself if it joins a different WiFi network or has a cellular connection.

The two update servers that we are aware of are: appldnld.apple.com and mesu.apple.com.

Ask Users to Delay Updating

Send an announcement to all staff requesting that they hold off from updating their devices. iOS will always prompt users before it begins an update and a user can prevent the device from updating by denying the prompt. The most effective company announcements generally disclose the concerns of updating early, including the potential incompatibilities with business-related apps. This helps staff understand how an early update may negatively affect them and aligns them with the interests of the company.

Is Delaying an Update Recommended?

In short: it’s a double edged sword. On one hand, delaying the release of an iOS update can prevent a situation where users are not able to use apps they depend on due to software incompatibilities. On the other hand, it can leave devices with outdated versions of iOS which may have publicly known security vulnerabilities, exposing your organization to much greater risks.

One thing to consider when making a decision to upgrade or not is what the specific upgrade is for. If it’s a minor update, for instance an update from 9.3.2 to 9.3.5, it likely contains security fixes. It also is unlikely to have any incompatibilities with existing apps. If the update is a major one, for instance 9.3.5 to 10.0.1, there will be a higher risk of finding incompatibilities with apps.

Planning for the Future

Ideally, your organization is ready for iOS updates on the day of their release and can avoid having to delay updating altogether. Apple makes the GM (the version slated for public release) of major iOS updates available before the release date, often a week or more in advance, and these versions can be tested by IT beforehand.

Comments (12)

The best method to block iOS updates I’ve been using is to install a profile called ‘tvOS Beta Configuration Profile’. I don’t know how it works. But after installing it, I’ll no longer see the annoying notification. The configuration profile is cryptographically signed by Apple (in fact, configuration profile that redirects OTA update catalog through “Internal Settings” will fail to install if it is not), therefore, can be trusted.

Thanks for the tip, Daniel. We’ll add it to our article. We’re also looking over the tvOS Beta configuration profile to better understand how it achieves this.

Hello. Having the same concern here, it seems i was blocking mesu,apple.com and appldnld.apple.com but the new updates passed anyway ? I don’t get it.

Anyone knows if there’s a new url or care to share that configuration profile ? What’s the name of the profile, is it iOS_10_beta_Configuration_Profile.mobileconfig ? Thanks for any input ! Vincent

I did. It also ends up blocking a whole slew of other Apple services. Like basically everything… I loved it. Developers did not.

“The best method to block iOS updates I’ve been using is to install a profile called ‘tvOS Beta Configuration Profile’.”

– I’ve come across that advice a few times now, but no one has explained how to do that.

Does this apply to iPads? Which versions of the hardware, and which versions of iOS is this method appropriate for?

Hey I would like to block ios updates on my iphone and ipad which are connected through my wifi so I would like to block it completely

Leave a Reply

Your email address will not be published. Required fields are marked *

See Why Apple Admins Prefer SimpleMDM

Start My FREE 30-Day Trial Now
  • How to Enroll an Apple TV in MDM - 4 Methods

    By on January 24, 2019
    Read more
  • How To Sign macOS PKGs for Deployment with MDM

    By on October 4, 2018
    Read more
  • How To Use Custom Configuration Profiles With Custom Attributes

    By on September 17, 2018
    Read more

See Why Apple Admins Prefer SimpleMDM No strings. No Spam.

Start My 30-Day Free Trial Now