Prevent iOS 11 Install

bvondeylen
Contributor II

Is there any way of preventing iOS 11 install on iPads beginning tomorrow? I don't want individual students installing iOS 11 without the classroom updating to iOS 11 with teacher's permission.

What are my options?

1 ACCEPTED SOLUTION

joelande
Contributor

I believe if you block mesu.apple.com, it will prevent a device from being able to determine that there is an update available.

16 REPLIES

blackholemac
Valued Contributor III

I would beware of that method. For one, it would only work on your network internally, and for two, sometimes I've seen updates make it through anyway. To @joelande's credit though, it's the only way I know of at the moment.

amoussy
New Contributor II

You can use this, which I wrote for iOS 9 and which is still working, I guess:
"If you want to not update iOS to iOS 9 the first day, to save internet bandwidth for example, and if you want to block app updates (and installation), you can block the Apple servers with a Global Proxy:
- first, open your favorite text editor and copy this code:

    function FindProxyForURL(url, host) {
        // App Store (.ipa) hosts, the iOS update catalog and the firmware (.ipsw) host
        if (dnsDomainIs(host, ".phobos.apple.com") ||
            localHostOrDomainIs(host, "phobos.apple.com") ||
            localHostOrDomainIs(host, "mesu.apple.com") ||
            localHostOrDomainIs(host, "appldnld.apple.com")) {
            // Hand these requests to a proxy that cannot answer
            return "PROXY noproxy.acme.com:7801";
        } else {
            return "DIRECT";
        }
    }

- name this file no_update.dat
- put it on the internet. You will access it with a URL like http://my.URL.com/no_update.dat
- create a profile and fill GLOBAL HTTP PROXY with your URL
- push the profile

phobos and *.phobos are the repositories of .ipa
mesu is the URL to access .xml with update links of iOS new firmware
appldnld is the repository of .ipsw

When the iPad requests one of these URLs, it is a fake proxy which tries to answer... and it cannot! :)
EDIT: if you have got a cache server in your LAN, app updates and installations are not blocked. iOS update is."
It will prevent the update, whatever network is used.
Hope it helps.

damienbarrett
Valued Contributor

Can you believe that I've been asking Apple for this feature since 2012?

Currently, we block the update URL at our firewall. Since our classroom and cart iPads never leave our school network, this works. For the iPads in our teachers' hands (each teacher has an iPad assigned to them), we ask them NOT to upgrade to iOS 11 until we've completed testing, documentation, and professional development for it (which often is at least 3-6 months after its release).

iOS 11 will be particularly problematic because the interface functionality changes significantly (split windows, multitasking, Dock, etc.).

To make matters worse, Apple has been invalidating the signing of older OSes about 2-3 weeks after a new version drops, and it is no simple chore to back grade an iPad to an older OS.

I continue to find it almost unbelievable that Apple hasn't implemented the ability to control an OS update on a set of managed/supervised iOS devices. It is completely unfriendly to schools and other organizations where device parity is paramount. I simply can't have sets of iPads in use by 6-year-olds where some are running iOS 10 and some are running iOS 11.

Android tablets are calling our name, Apple. I can't believe I have to write this (again). My pleas to Apple have fallen on deaf ears.

Please correct me if there's some other way to control this of which I'm unaware. I know Ground Control has implemented something, but we're a JAMF shop. And I won't route all our iPad traffic through a single point of failure like the fake proxy. While that's a clever and interesting solution, it's not something I'm ever going to use.

jeandelgadoc
New Contributor

@joelande Where do you add mesu.apple.com? Under Blacklisted URLs in Configuration Profiles?

H3144-IT
Contributor II

If you run your own Software Update Server, you can choose which Updates are being installed.

At least that works well for me via Policy !

I had no Challenge with that in the Past - Macs & iOS Devices will check with your SUS rather than those from Apple, and then you can disable the iOS Update.

stevensmith
New Contributor

Will blocking mesu.apple.com block all software (Mac, iOS, 3rd Party App Store Apps) updates from being seen? Or just iOS updates?

I'm sure this has been asked before. Apologies.

damienbarrett
Valued Contributor

It appears to block just the iOS updates. All my supervised (via DEP --> JSS) get their App updates without any issues. The iOS update prompt never appears because the automatic check built into iOS just can never communicate with the update server.

If you manually attempt to check for updates (General --> Software Update) you get an error that it can't communicate with the server, as described above.

CasperSally
Valued Contributor II

Fair warning, we whitelist the whole 17.x.x.x apple range, so we've had mixed success with blocking mesu.apple.com.

cbrewer
Valued Contributor II

A second fair warning: as soon as you block mesu.apple.com, every time you have an Apple issue you'll be wondering whether or not it's related to that.

rcorbin
Contributor II

We tried to do as much testing with iOS 11 before it was released. We picked a bunch of needed functions and tested them under the 9.101 release and all seemed to be fine. We were considering blocking, but it is a pain as it can block other Apple-related things even on the Mac side. So after figuring out everything that we needed was working, we just decided to let it go. iOS 11 and JSS 9.101.0 seem pretty solid thus far. Unless Apple or Jamf adds a feature to block an iOS release, all of the other methods are not reliable or cause other issues.

almonte32
New Contributor III

If you were to block the two URLs, mesu.apple.com and appldnld.apple.com, both via http and https, the profile will automatically turn on the AutoFilterEnabled string, which is Apple's implementation or try at being an adult content filter, which fails horrendously. But if you simply open the created mobileconfig file with a text editor, you can find the key AutoFilterEnabled and change <true/> to <false/> and that's it.
You have just made your own little URL blacklist "host file" sort of.

----Update----

As others have noted, a global proxy running a simple .pac file will do this because the Web Filter only filters Safari browsing and not at the DNS level, which the .pac file can do.

I just host the .pac file internally in one of our servers using IIS Manager and making the .pac MIME type and text/plain as Content-Type in HTTP response headers.

You don't need to block appldnld.apple.com because other files come from there, just mesu.apple.com.

In the example pac file below, 1.1.1.1 is an example; you should point it to a server IP address that will not respond with a proper response, so that it gives the error when the iPad tries to check the Apple server. (1.1.1.1 is a real DNS server currently owned by Cloudflare, so don't use that.)

Basically, the .pac file should contain:

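    function FindProxyForURL(url, host) {
        // Send update-catalog lookups to a proxy that will not answer
        if (dnsDomainIs(host, "mesu.apple.com")) {
            return "PROXY 1.1.1.1:80";
        }
        // Everything else goes straight out
        return "DIRECT";
    }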
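
Added example (not part of the original posts): a Node.js harness that runs the two PAC files from this thread, the iOS 9 one and the mesu-only one, against constructed host lists before the profile is pushed. The helper shims follow Mozilla's reference PAC semantics; `auditPac`, the function names and the host `notmesu.apple.com` are hypothetical names introduced here.

```javascript
// Shims for the PAC helpers used in the thread, following Mozilla's reference
// semantics (plain string comparison, no DNS lookups).
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function localHostOrDomainIs(host, hostdom) {
  return host === hostdom || hostdom.lastIndexOf(host + ".", 0) === 0;
}

// PAC from the iOS 9 post: sinkholes app, catalog and firmware hosts.
function pacAppsAndUpdates(url, host) {
  if (dnsDomainIs(host, ".phobos.apple.com") ||
      localHostOrDomainIs(host, "phobos.apple.com") ||
      localHostOrDomainIs(host, "mesu.apple.com") ||
      localHostOrDomainIs(host, "appldnld.apple.com")) {
    return "PROXY noproxy.acme.com:7801";
  }
  return "DIRECT";
}

// PAC from the later post: sinkholes only the update catalog host.
function pacCatalogOnly(url, host) {
  if (dnsDomainIs(host, "mesu.apple.com")) return "PROXY 1.1.1.1:80";
  return "DIRECT";
}

// Returns the hosts whose routing differs from what the admin intended.
function auditPac(pac, mustBlock, mustStayDirect) {
  const route = (h) => pac("https://" + h + "/", h);
  return [
    ...mustBlock.filter((h) => route(h) === "DIRECT").map((h) => "not blocked: " + h),
    ...mustStayDirect.filter((h) => route(h) !== "DIRECT").map((h) => "over-blocked: " + h),
  ];
}

// Constructed host lists; "notmesu.apple.com" is a made-up name that only
// exercises the suffix match in dnsDomainIs.
const direct = ["www.apple.com", "appldnld.apple.com", "notmesu.apple.com"];
console.log(auditPac(pacCatalogOnly, ["mesu.apple.com"], direct));
console.log(auditPac(pacAppsAndUpdates,
  ["mesu.apple.com", "appldnld.apple.com", "a1.phobos.apple.com"],
  ["www.apple.com", "notmesu.apple.com"]));
```

The `dnsDomainIs` test in the mesu-only file is a plain suffix match, so it also catches any host whose name merely ends in that string; comparing `host === "mesu.apple.com"` avoids that.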

Nick_Gooch
Contributor III

@almonte32 Does that work for you to block iOS updates from being seen and downloaded? I just tried it and the updates still show up and are able to be downloaded. The only way I've been able to block it on and off network is with global proxy.

blackholemac
Valued Contributor III

It’s been reported by some that if you install the tvOS beta software update profile on iOS devices that you effectively cut off access to iOS updates of any sort. The theory works functionally like a block on software updates via profile because only tvOS betas would be published to the beta server that the profile would point to.

If one magically would want to allow updates, you would simply lift the tvOS beta profile and the iOS device returns to the iOS production software update server. Reinstall it, it would look again to the tvOS beta server.

miregan
Contributor II

The problem with that is you need to restart the device after it's installed. It does work, however. I find the proxy to be the better solution of the two since it doesn't require a reboot or anything of that nature.