Blocking iOS 8 Update

bwiessner
Contributor II

How have you blocked iOS updates in the past and what do we need to look out for?

15 REPLIES

tadholyfamily
New Contributor

It can be done by DNS http://enterpriseios.com/story/2013/09/17/How_to_use_DNS_to_block_iOS_7_and_other_updates_too
However that doesn't stop the user from doing it at home. There is no capability in MDM to block updating, so I've taken the attitude of Just Roll with It. The iOS 7 upgrade dramatically screwed up this school's deployment by making all the iPads unsupervised, and some of your users will be confused by features they now have (or that others have). We're essentially consigned here to the fate of running around helping panicked users on release day and for some weeks after.

freddie_cox
Contributor III

We have used the link @tadholyfamily posted last year to blackhole our DNS. This year we have added mesu.apple.com to our internet filter as it's quicker to add/remove than updating our DNS servers. I will probably leave this in place for the remainder of the week.

I'm OK with them updating at home, the biggest issue from last year was the network congestion that is created by hundreds (if not thousands) of iPad users trying to update simultaneously.

To help with congestion, I recommend setting up Apple's Caching Server 2 in high density locations. This will help the congestion and is, for the most part, configuration free. This is part of OS X Server which is $19.99 in the app store, but can be run on anything that supports Mavericks.

Also, if you have high-stakes users (e.g. Administrators doing evaluations) urge them to hold off on the update until you can verify their applications will work. Last year we ran into issues with our Eval software not updating for a week or so until after iOS 7 was released. At least if you get the info out there you can say "I told you so."

Oh, backup, backup, backup. (iCloud or iTunes)

bwiessner
Contributor II

@tadholyfamily & @freddie.cox - Can you tell me a little more about this process - http://enterpriseios.com/story/2013/09/17/How_to_use_DNS_to_block_iOS_7_and_other_updates_too

We added mesu.apple.com to our block list on our filter but it blocked everything - app store, icloud - even logging into these portals it blocked - appleID.apple.com - deploy.apple.com.

Any ideas or specifics you could tell me would be greatly appreciated. Thanks!

freddie_cox
Contributor III

Did you use a filtering application or DNS to block the URL?

If you used DNS, does Apple.com still work? It sounds like it's resolving subdomains to the root domain (apple.com) which could just be a misconfiguration in DNS.

I am able to use deploy.apple.com and appleid.apple.com without any issue.

bwiessner
Contributor II

We just blocked http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml
through our firewall block list policies. - we didn't try just mesu.apple.com - don't know if that would make a difference.

Thanks.

Not applicable

@freddie.cox running the Caching service on the latest (10.9) Server.app can make a huge difference in terms of bandwidth as it will cache and distribute iTMS content, including iOS and apps, rather than just OS X software updates via SUS.

freddie_cox
Contributor III

@pete_c Agreed. Worth the meager investment.

bwiessner
Contributor II

Can anyone confirm that if blocking just mesu.apple.com in your firewall only blocks the update and nothing else?

Thanks,

CGundersen
Contributor III

Our network was hit hard when iOS 7 dropped (~10,000 iPads and many more personal/BYO iOS). We have 8 caching servers in place and hope that it helps a bit this time around. Unsure how the APs will handle the load. The registration/peering on the caching servers is working and activity is pretty constant when tailing the debug log. We'll throw some blocks up if things get out of hand. My understanding is that blocking mesu.apple.com will prevent clients from getting the update catalog downloaded/prevent checking version against global update servers/clients would not see iOS 8 available.

Regarding the caching servers, Apple indicates up to 750 concurrent connections possible on a Mac Mini. I see max concurrent clients can be set (http://support.apple.com/kb/HT5590?viewlocale=en_US), but how can one go about getting a count of concurrent clients at any given point in time?

tadholyfamily
New Contributor

We used to block mesu.apple.com in firewall without causing further issue. That stopped after so many users updated from home, and we put a Caching Server in place. It also caches App Store downloads, so it's a very good thing for a limited network as long as you have a Mac available to install on.

CGundersen
Contributor III

So in relation to caching servers, I just received info from an Apple contact that caching server will not support iOS 8 update. Messy.

I'd prefer to think this info isn't accurate, but it seems now all we can do is block or degrade service to the mother(ship).

Malcolm
Contributor II

Yeah we want to prevent it too, in case it breaks wifi connectivity with our enterprise wifi, which they have been known to do in the past. Oh well.

steelopus
New Contributor III

@bwiessner I can confirm that blocking mesu.apple.com only prevents the software update. I blocked it yesterday afternoon and then successfully updated apps and backed up to iCloud, but was unable to even poll the software update service. I blocked the whole mesu.apple.com domain, not the specific URL that is provided above.
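
Added example (not part of any poster's reply): a check, run from a client on the filtered network, that a DNS-based block covers only mesu.apple.com and leaves the other Apple hosts named in this thread resolvable. It only tests DNS answers, not firewall or filter rules; the sinkhole address set and the "same address as apple.com" heuristic are assumptions to adjust for your resolver.

```python
import socket

# Hosts named in the thread: the one to block, and ones that must keep working.
BLOCKED = ["mesu.apple.com"]
MUST_WORK = ["apple.com", "appleid.apple.com", "deploy.apple.com"]
# Addresses a sinkhole commonly answers with (assumption; match your own setup).
SINKHOLE = {"0.0.0.0", "127.0.0.1", "::", "::1"}

def system_resolve(host):
    """Resolve via the OS resolver; return a set of addresses, empty on failure."""
    try:
        infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
        return {info[4][0] for info in infos}
    except socket.gaierror:
        return set()

def is_blocked(addrs):
    """Blocked means: no answer at all, or only sinkhole addresses."""
    return not addrs or addrs <= SINKHOLE

def audit_block(resolve=system_resolve, blocked=BLOCKED, must_work=MUST_WORK):
    """Return a list of findings; an empty list means the block is scoped correctly."""
    answers = {h: resolve(h) for h in blocked + must_work}
    findings = []
    for h in blocked:
        if not is_blocked(answers[h]):
            findings.append(f"{h} still resolves to {sorted(answers[h])}")
    for h in must_work:
        if is_blocked(answers[h]):
            findings.append(f"{h} is blocked (overblocking)")
    # Heuristic for the misconfiguration suggested in the thread:
    # subdomains answering with exactly the root domain's addresses.
    root = answers.get("apple.com", set())
    for h in must_work:
        if h != "apple.com" and root and answers[h] == root:
            findings.append(f"{h} resolves to the same address as apple.com "
                            "(possible wildcard or misconfigured zone)")
    return findings

if __name__ == "__main__":
    for line in audit_block() or ["OK: only the update catalog host is blocked"]:
        print(line)
```
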

freddie_cox
Contributor III

Just going to second @CGundersen.

Caching server will not work as expected with the iOS 8 update and potentially not work with apps once they are updated. If you're concerned about the impact on your network then blocking the update URL or throttling the traffic will be the only way to protect against the flood.

jmccartney
New Contributor II

http://support.apple.com/kb/HT6456
I just set this up yesterday in preparation for the release of iOS 8. I'm not a happy camper.