Posted on 01-24-2017 08:16 AM
Hey all,
Here's the scoop:
In our K-12 environment, we are required to participate in regulated state-wide testing. Unfortunately, the developer of the testing app is some 3rd party company which releases updates once, maybe twice a year, on a different schedule than Apple of course. They have finally stated that the testing app is compatible with 10.2, however, upon arriving on campus today- we found an update pending to 10.2.1
Testing is to begin very soon and I need to BLOCK THESE UPDATES!! We currently have appldnld.com and mesu.apple.com blocked in our filter, however, it isn't stopping access. What else can be done? Are there other servers that need to be blocked?
Please keep in mind this is NOT a discussion about Apple's practices or method of updating. In our specific environment we need to prevent updates until after testing season. (3-4 months/yr)
Is anyone else having success in stopping updates? I can only seem to find info about blocking the aforementioned servers...
Thanks in advance!!
Posted on 01-24-2017 08:30 AM
Have you checked this section in Mobile Apps?
Posted on 01-24-2017 08:41 AM
@CapU I think you misunderstood the original post. I need to prevent iOS updates, not keep an app updated.. This is not applicable, unless I am totally missing your point, in which case- please explain how to implement....
Posted on 01-24-2017 08:47 AM
We used to block via URL, but that stoppped working in the last few months (probably because we have apple's IPs whitelisted elsewhere). will be following along to see if you get any better suggestions. If you have an apple support contract, I highly suggest putting this in as a ticket to be able to disable iOS updates via MDM. There are cases (like this) where it makes sense.
Posted on 01-24-2017 08:50 AM
The Apple iOS Management framework does not support this functionality. It only supports updating to the latest and greatest version of iOS on supervised devices iOS 9 or later. Outside of that the iOS updating is left to the individual device.
The work around some schools have used is to block the wide range of Apple IP addresses associated with updates. It goes without saying this will have repercussions on other systems as well.
Posted on 01-24-2017 08:51 AM
Unfortunately, I've still got a lot of iPads that aren't up to 10.2 yet, so I can't block all updates. I think we're just going to need to rely on the testing companies to validate the iOS update quickly on their end.
This dance between Apple, the testing companies, and us is really tiresome.
Posted on 01-24-2017 08:58 AM
@Emmert Ya, I wish this wasn't the case. Sadly, the update frequency from Apple is much much higher than the AIRAST app we are forced to rely on. Last year- all 480 student iPads updated the day before testing and were sitting on the "Welcome" screen. Even after we got to the home screen, the then updated iPads weren't compatible with the testing app and all students had to move to the computer lab.
Posted on 01-24-2017 09:30 AM
Adding a firewall rule and block.
mesu.apple.com
appldnld.apple.com
Posted on 01-24-2017 09:41 AM
@kuypers Already done, as stated in the OP. It no longer functions to stop the updates...
Posted on 01-24-2017 09:43 AM
We added here this morning to one of are sites and it stopping.
Posted on 01-24-2017 09:47 AM
These two servers are blocked in our top level filter. I have also deployed a policy to all iPads via JAMF to block them. I have verified that the policy was pushed out and installed.
The update is still available.
We do have a Mac Mini running Server on it with cache service enabled. This device is located behind the filter, however, could it have some backdoor/other method of downloading/serving updates?
Update: I shut the caching service off & cleared the cache. The iPads can still update...
Posted on 01-24-2017 10:11 AM
Are you sure 10.2.1 is going to cause a problem? My understanding with most of these testing app vendors is that once they support iOS 10.X, they will also support 10.X.X. Regardless, there is no supported way to hold back updates. You can block mesu.apple.com, but you may find that it causes other issues.
Posted on 01-24-2017 10:15 AM
@cbrewer They should be fine with such a minor update. The problem is that if there is a major update during the testing window- we currently have no way to stop it...
Also, our vendor in particular has issues with random minor patch numbers, i.e. 10.0 & 10.1
So once they say they support 10.2 specifically- we need to freeze the iPads there until the testing window closes...
Posted on 01-24-2017 10:18 AM
We've come to accept that we just don't have control over it. It's a good reason to have some computers or iPad 2's as a backup for testing.
Last year iOS 9.3 wasn't supported when it first came out, but even though it wasn't supported it still worked for our testing.
Posted on 01-24-2017 10:36 AM
@cbrewer This seems to be the general consensus around this topic, but to me- it isn't good enough. Last year we looked ridiculous in front of the entire junior class because they got 10 minutes into the test, then the app crashed. We then had to relocate all Juniors to computer labs / libraries, plus had to restart the test session, blah blah blah. Needless to say, it was awful & embarrassing.
I can't imagine this is acceptable in larger districts. Our neighboring district has 56 schools alone...
There's gotta be a way to avoid this in the future...
Posted on 01-24-2017 10:40 AM
@cruess, have you had a conversation with the vendor? All parties need to understand that a minor OS update should not keep an application from working.
As of today (1/24/2017), Apple hasn't stopped signing 10.2 yet so you could downgrade those devices back to 10.2 if you needed to.
Another solution mentioned on several blogs is to install the "tvOS beta profile." It is claimed that this will stop the update notifications. I haven't tested this, so use at your own risk.
http://www.idownloadblog.com/2016/08/18/how-to-stop-iphone-asking-to-install-ios-updates/
Posted on 01-24-2017 10:47 AM
@bradtchapman Yes, we have an open ticket/discussion going with the vendor. About an hour ago they replied and said it would be fine. Then 5 minutes ago they replied again and said that it requires further testing and that it is not approved.
The method you referred to appears interesting, however, it also looks like a nightmare to replicate on every ipad across the district...
I feel like between JAMF and web filtering there should be an easier avenue to accomplish the goal..
Posted on 01-25-2017 05:13 AM
:
Posted on 01-25-2017 05:45 AM
@cruess Have you thought about uploading that profile after signing it and testing it out on pushing and functionality to a small group of iPads? We push a custom built VPN profile here through the JSS.
Posted on 10-27-2017 05:55 AM
Hey all,
Has anyone come up with a solution for this? We have a teacher using a Project Lead the Way app that is not compatible with iOS 11. She has asked me to make it so that the iPads do not update. Sorry if I missed the solution somewhere.
Posted on 10-27-2017 06:02 AM
Blocking mesu.apple.com at the network level does block iOS updates so not sure where the issue was as stated above. If you dont want to update to iOS 11 I would suggest blocking mesu.apple.com on the firewall. Blocking mesu.apple.com will present other issues in iOS 11 but since you are looking to stop the update to iOS 11 then that is the route I would suggest.
Posted on 10-27-2017 09:31 AM
Have you thought of blocking the whole Apple 17.0.0.0/8 network. Its very drastic but if you have to get through a testing period shortly then it might not be a huge inconvenience.
Posted on 10-30-2017 06:36 AM
We have scoped a config profile to all devices - it's a Global HTTP Proxy payload, set to automatic, and it points them to a URL where a Proxy PAC file is located. We allow direct connection if PAC is unreachable, and our JSS is externally facing so they can't access the update offsite. The file states:
function FindProxyForURL(url, host) {
if (dnsDomainIs(host, "appchina.com")
||dnsDomainIs(host, "iemulators.com")
||dnsDomainIs(host, "mesu.apple.com")
||dnsDomainIs(host, "vshare.com")) {
return "PROXY 8.8.8.8:53";
}
else {
return "DIRECT";
}
}s
This has been extremely helpful for us; we only exclude devices we're testing, otherwise users get an error message when searching for the update. An engineer at JAMF helped us set this up and it's saved us so many headaches - we haven't had a single student update to iOS 11, which (thanks to the recent notification that it's not compatible with TestNav) we're very grateful for.