Stop iOS update on its track with VMware AirWatch

Post created based on AirWatch console version 9.1.1.

Apple may hate me for this, VMware AirWatch doesn’t support this, and some of us in the mobile community may not agree with this practice either.  I think due to mounting pressure, Apple has finally given admins the ability to block iOS update for a minimum of 30 days or up to 90 days starting with iOS 11.3.

However, sometimes installing the latest iOS update can cause more headache than good such as the two issues below:

 

By default, iOS update will be downloaded in the background if the device is connected to WiFi. To block the iOS update from being downloaded altogether, we will modify the Global HTTP Proxy for the network connection on the device.

To take advantage of this feature, here are the prerequisites:

  • Your device must be supervised.
  • You need a web server that is accessible by iOS devices to host a PAC file or use the link provided via this post.

The idea of using a PAC file is to re-direct iOS update to a dummy/inaccessible site.

Here is the content of the current PAC file:

function FindProxyForURL(url, host) 

if (host ==”mesu.apple.com”) 

return “PROXY 127.0.0.2:8080”;

if (host ==”appldnld.apple.com”) 

return “PROXY 127.0.0.2:8080”;

else  return “DIRECT”; 

}

Here is further explanation of the existing PAC file used:

  • mesu.apple.com – Apple’s Mobile Asset Software Update service. Provides an XML file with information about available iOS updates. When blocked, devices cannot determine that a new update is available.
  • appldnld.apple.com – (Optional) Apple’s iOS and software repository. Where devices will actually download the iOS update from. However, other software and updates are also provided by this URL. Blocking may not be desirable in all environments.
  • Source: https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Blocking_or_rate_limiting_iOS_updates

Let’s take a look at the steps required.

  1. Log onto AirWatch consolewifi1
  2. Under DEVICES -> Profiles & Resources -> Profiles, click ADD -> Add Profilewifi1
  3. Select the applicable platform. For this example, we select iOS.wifi2
  4. Fill out both the General section accordingly.
  5. Scroll down to Global HTTP Proxy and click on the Configure button
  6. In here, configure as follow. Then click Save & Publish

globalhttpproxy1.jpg

With this setup, users assigned to this profile are blocked from being able to check for newest iOS release.

  • If the iOS update is already downloaded prior to this setup, the user can still install accordingly.
  • AirWatch admin will not be able to schedule iOS update either from the web console.

On the device itself, the section “HTTP PROXY” is not available as it is now configured by the profile above.

Before the profile is assigned to the device:

globalhttpproxy2

After the profile is assigned to the device:

globalhttpproxy3.jpg

When the user attempts to check for iOS update, it will fail and display the error prompt below.

globalhttpproxy4.jpg

I am often asked if this blocks app update as well. Here’s my answer:

  • No, as the entries to block app (.ipa) is not present in the PAC file
  • The entry is phobos.apple.com
  • An app can still be pushed/re-pushed from AirWatch console via VPP

Hope you find this post helpful!

3 comments

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.