Blocking iOS 9 Update

cpdecker
Contributor III

Hey everyone,

We successfully blocked iOS 8 downloads on site last year by using a NetXplorer appliance to drop packets with mesu.apple.com in the HTTP Host field. I am hoping and expecting that this will work for iOS 9 this year.

However, what's different about this year is that we have a large number of iPads already going home with students. I think I know the answer to this question, but--has anyone discovered a way to block iOS updates for iPads off site--at home, at the library, at McDonald's?

Thanks for any input and believe me, you won't be letting me down too far when you probably tell me no!

3 REPLIES

NowAllTheTime
Contributor III

iOS 8 and earlier can only avoid the update via on-site DNS restrictions - similar to what you are doing already. There's nothing you can do once devices connect to off-site networks. If you have an AppleCare OS Support agreement you can check in with your TAM just in case they know about any other clever options.

With that said, there is a new payload for managing software updates in iOS 9 and later if they are supervised with DEP. So that should cover you for post-iOS 9.0 updates, but for now there is not much you can do except strongly recommend that your users avoid tapping install for the update if there are known issues in your environment. From a manual perspective, on iOS 8 devices that you have physical access to, you can go into Settings > General > Usage > Storage and delete any cached iOS 9 updates.

Malcolm
Contributor II

There might be a way....

We use global proxy in our environment... which allows us to also have a public global proxy at home...

If you had something like this set in global proxy that was publicly accessible... it might work:
e.g. http://wpad.publicwebsitehost/wpad.dat

function FindProxyForURL(url, host) {

    // If the requested website is hosted within the internal network, send direct.
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
        isInNet(dnsResolve(host), "172.16.0.0", "255.240.0.0") ||
        isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
        isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
        return "DIRECT";

    if (dnsDomainIs(host, "mesu.apple.com"))
        return "PROXY 1.2.3.4:8080";

    if (dnsDomainIs(host, ".mesu.apple.com"))
        return "PROXY 1.2.3.4:8080";

    // DEFAULT RULE: All other traffic, use below proxies, in fail-over order.
    return "DIRECT";

}
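An added example, not part of the original post: an offline harness that runs the PAC rules above against a list of hosts, so the routing can be checked before the file is published. The helper functions are simplified stand-ins for the ones a PAC runtime provides, and the `DNS` table, `EXPECTED` map, `checkRoutes` function and all hostnames other than mesu.apple.com are constructed for illustration.

```javascript
// Simplified stand-ins for the PAC helpers that a browser or OS provides.
const DNS = { // constructed lookup table; no real resolution is performed
  "intranet.school.example": "10.1.2.3",
  "mesu.apple.com": "203.0.113.10",
  "www.example.com": "198.51.100.7",
};
const dnsResolve = (host) => DNS[host] || null;
const isPlainHostName = (host) => !host.includes(".");
const dnsDomainIs = (host, domain) => host.endsWith(domain); // suffix match
const shExpMatch = (str, pat) =>
  new RegExp("^" + pat.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".") + "$").test(str);
const toInt = (ip) => ip.split(".").reduce((n, o) => ((n << 8) | Number(o)) >>> 0, 0);
function isInNet(ip, net, mask) {
  if (!ip) return false; // unresolvable host is never treated as internal
  return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
}

// The post's rules, with dnsResolve() called once per request.
function FindProxyForURL(url, host) {
  const ip = dnsResolve(host);
  if (isPlainHostName(host) || shExpMatch(host, "*.local") ||
      isInNet(ip, "10.0.0.0", "255.0.0.0") ||
      isInNet(ip, "172.16.0.0", "255.240.0.0") ||
      isInNet(ip, "192.168.0.0", "255.255.0.0") ||
      isInNet(ip, "127.0.0.0", "255.255.255.0")) return "DIRECT";
  // Suffix matching also covers subdomains, so one rule is enough here.
  if (dnsDomainIs(host, "mesu.apple.com")) return "PROXY 1.2.3.4:8080";
  return "DIRECT";
}

// Expected routing for constructed sample hosts.
const EXPECTED = {
  "mesu.apple.com": "PROXY 1.2.3.4:8080",
  "sub.mesu.apple.com": "PROXY 1.2.3.4:8080",
  "intranet.school.example": "DIRECT",
  "ipad-cart.local": "DIRECT",
  "printer": "DIRECT",
  "www.example.com": "DIRECT",
  "unresolvable.example": "DIRECT",
};

// Returns the hosts whose actual route differs from the expected one.
function checkRoutes(expected) {
  return Object.entries(expected)
    .filter(([host, want]) => FindProxyForURL("http://" + host + "/", host) !== want)
    .map(([host]) => host);
}
console.log("mismatched hosts:", checkRoutes(EXPECTED));
```

Because the internal-network rule is evaluated first, a network whose DNS answers mesu.apple.com with a private address would route it DIRECT rather than to the proxy.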

Malcolm
Contributor II

Assuming it is using https to initiate the request... wouldn't stop them from using iTunes to update it though.