Keep Me Updated!

With iOS/iPadOS 16 scheduled to be released in the next few days, many organizations will put restrictions on deferring software updates to buy time to get ready for the new OS. At the same time, there will be many zero-day vulnerabilities for which you might want to keep your devices updated to a specific version.

I hope this helps you configure the software update policies and keep your iOS devices updated. The software update policies can only be applied to devices enrolled as supervised. This seems straightforward, but practically speaking, it’s NOT that simple!

Continue reading the post to configure the policy for your tenant.

The software update policies can only be applied to supervised devices running iOS/iPadOS 13 or later.


Concept:

With these software update policies, you can:

  1. Either deploy the latest available update or deploy an older update.
  2. Configure the update to install at a specific time.

If you are configuring software update policies for Shared iPads, the update will only install when no user is signed in to the Shared iPad and the device is charging. Otherwise, the update will fail.


Configure The Policy

  • Sign in to the MEM Portal.
  • Select Devices > Update policies for iOS/iPadOS > Create profile.
  • On the Basics tab, specify a name for this policy, specify a description (optional), and then select Next.
  • On the next page, configure the policy options:
    • Select a specific version to install
    • Configure the schedule for the policy

These options look interesting. But before we apply the policy, let us understand them in detail.

  • Latest update: Deploys the most recently released update for iOS/iPadOS.
  • If you select a previous version, you must also deploy a device restriction policy to hide the visibility of software updates from the device.
  • Update at next check-in: The update installs on the device the next time it checks in with Intune. This option requires no extra configurations.
  • Update during scheduled time: You configure one or more windows of time during which the update will install upon check-in.
  • Update outside of scheduled time: You configure one or more windows of time during which updates won’t install upon check-in.
  • Weekly schedule: If you choose a schedule type other than update at the next check-in, configure the following options.
  • Configure the policy as required and assign it to the respective security group.
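The three schedule types are easy to misread, so here is an added example (not code from the original post or from Intune) that models whether a check-in at a given moment should trigger the install. The window tuple shape, the schedule-type strings and the sample windows are assumptions made for illustration; times are taken to be in the policy's time zone.

```python
from datetime import datetime, time

# Constructed sample windows (assumed shape, not Intune's schema):
# (start_day, start_time, end_day, end_time), Monday = 0, policy-local time.
WINDOWS = [
    (0, time(22, 0), 1, time(5, 0)),  # Mon 22:00 to Tue 05:00, crosses midnight
    (5, time(1, 0), 5, time(6, 0)),   # Sat 01:00 to Sat 06:00
]

def _minute_of_week(day, t):
    return day * 1440 + t.hour * 60 + t.minute

def in_window(checkin, window):
    """True if the check-in falls in [start, end) of a weekly window."""
    start_day, start, end_day, end = window
    s = _minute_of_week(start_day, start)
    e = _minute_of_week(end_day, end)
    now = _minute_of_week(checkin.weekday(), checkin.time())
    if s <= e:
        return s <= now < e
    return now >= s or now < e  # window wraps from Sunday into Monday

def installs_at_checkin(schedule_type, checkin, windows=()):
    """Model of the three schedule types described above."""
    if schedule_type == "next_checkin":
        return True
    inside = any(in_window(checkin, w) for w in windows)
    if schedule_type == "during_scheduled_time":
        return inside
    if schedule_type == "outside_scheduled_time":
        return not inside
    raise ValueError(f"unknown schedule type: {schedule_type!r}")

if __name__ == "__main__":
    kinds = ("next_checkin", "during_scheduled_time", "outside_scheduled_time")
    for stamp in ("2022-09-12 23:30", "2022-09-13 05:00", "2022-09-17 02:00"):
        checkin = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        for kind in kinds:
            print(stamp, kind, installs_at_checkin(kind, checkin, WINDOWS))
```

Running the same windows through both "during" and "outside" shows they are exact complements, which is worth checking before assigning the policy to a group that only checks in during business hours.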

End User Experience

When you assign these policies, you might notice discrepancies between expected and experienced behavior.

  1. Expected behavior when an OS update is released to iPad:
  • Notification on the device that the new OS is available.
  • OS version and “Download and Install” are displayed in the Settings app.
  • Installation is prompted for acceptance, with the option to Postpone or Install during the time window (configured in the policy) if connected to power.
  • If accepted by entering the Passcode, the iPad will install the new iOS if connected to power.
  • If postponed, the iPad will not update, and a new prompt will appear from time to time.
  • If power is not connected, the iPad will not update.

  2. Experienced behavior when a new OS is released to iPad:
  • Notification on the device that a new OS is available.
  • OS version and “Download and Install” are displayed in Settings.
  • Installation is prompted for acceptance, with the option to Postpone or Install during a limited time (configured in the policy) if connected to power.
  • If accepted by entering the Passcode, the iPad will install the new iOS if connected to power.
  • If accepted by entering the Passcode, the iPad will install at random times outside the time frame.
  • If accepted by entering the Passcode, the iPad will install even if power is not connected (more than 50% battery).
  • If postponed, the iPad will install after 3 postponed warnings.
  • The iPad shows a notification that a new OS is available. When checked in Settings, the iPad shows the latest MDM-released OS. After some time, a warning prompt is displayed.
  • The iPad shows “New update available” – installation is accepted.

Bonus Content: Reasons for Discrepancies

(Reasons are in chronological order)

  1. When the user checks for the update in the Settings app, the update can be deleted if it falls within the delay period set on the device. This behavior ties in with most of the other scenarios.
  2. When the Passcode is stashed and the MDM uses the ‘Download’ and ‘InstallASAP’ options in the ScheduleOSUpdate command, the device will update.
  3. Update Cadence. This was introduced in iOS 14.6 and can be configured with the Settings command.

This value defines how the system presents software updates to the user. When there’s more than one available update for the user, the system behaves as follows:

0: Presents both options to the user.
1: Presents the lower numbered (oldest) software update version.
2: Presents only the highest numbered (most recent) release available for the device.
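To make the three cadence values concrete, the following added example (not code from the original post, Apple or Intune) models which versions a device would offer for each value and builds the matching MDM Settings command as a plist. The key names `SoftwareUpdateSettings` and `RecommendationCadence` come from Apple's MDM Settings command rather than from this post, and the version strings are constructed samples.

```python
import plistlib
import uuid

def version_key(version):
    """Compare versions numerically so that 15.10 sorts after 15.7."""
    return tuple(int(part) for part in version.split("."))

def presented_updates(cadence, available):
    """Versions shown to the user for a cadence value of 0, 1 or 2."""
    ordered = sorted(set(available), key=version_key)
    if cadence not in (0, 1, 2):
        raise ValueError("cadence must be 0, 1 or 2")
    if not ordered or cadence == 0:
        return ordered            # 0: every available option is presented
    if cadence == 1:
        return [ordered[0]]       # 1: lowest numbered (oldest) version only
    return [ordered[-1]]          # 2: highest numbered (most recent) only

def build_cadence_command(cadence):
    """Serialize an MDM Settings command that sets the update cadence."""
    if cadence not in (0, 1, 2):
        raise ValueError("cadence must be 0, 1 or 2")
    command = {
        "CommandUUID": str(uuid.uuid4()),
        "Command": {
            "RequestType": "Settings",
            "Settings": [
                # Key names assumed from Apple's MDM Settings command.
                {"Item": "SoftwareUpdateSettings",
                 "RecommendationCadence": cadence},
            ],
        },
    }
    return plistlib.dumps(command)

if __name__ == "__main__":
    available = ["16.0", "15.7"]  # constructed sample versions
    for cadence in (0, 1, 2):
        print(cadence, presented_updates(cadence, available))
    print(build_cadence_command(2).decode())
```

A cadence of 1 keeps users on the older release line while it still receives fixes; a cadence of 2 hides that line entirely, so pair it with a policy that actually targets the newest version.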
