Managing iOS update with Workspace ONE UEM

This post is released on Thursday which is also known as Throwback Thursday #TBT!

As I mentioned in my previous posts, it is possible to block and schedule iOS update from the VMware AirWatch / Workspace ONE console.

While no one can tell when the next iOS release will cause yet another headache for MDM administrator, it is possible to delay iOS update from a minimum of 1 day up to a maximum of 90 days easily without manipulating the Global HTTP Proxy starting with console version 9.3. From a security standpoint, 90 days should be more than sufficient for an administrator to test application compatibility and any other potential issues. This, of course, requires a supervised device and iOS 11.3 and above.

It’s also important to understand what this setting really means in a real-world scenario. I started a thread titled Delay Updates (Days) for OS in the VMware AirWatch community forum and sure enough, I’m not the only one who might get confused. I question whether delay up to 90 days starts:

A) after the latest release is available for download REGARDLESS when the device is initially enrolled, or,

B) after the device is initially enrolled in AirWatch.

Based on my discussion with VMware support, choice A is the correct answer.

Say iOS 12.3 is available for download as of 01/01/19 and we have the 90 days update delay in effect. If I open a brand new iPad pre-installed with say iOS 10.3 and enroll such device into AirWatch. The user will not be able to upgrade to iOS 12.3 or whatever the latest version available at the time until 90 days after iOS 12.3 is first released (i.e. 03/31/19.) They can, however, upgrade up to iOS 12.2 during that interval.

The same goes for devices already enrolled in AirWatch. They won’t be able to update to the latest iOS for up to 90 days after it is released regardless when they were initially enrolled.

In other words, the restriction simply doesn’t let the device upgrade to the newest version for up to 90 days since it is released to the public. 

If Apple releases iOS 12.4 on the 90th day, the device is still only allowed to upgrade to iOS 12.3.

delayiOSupdate1.jpg

In addition to the setting above, I highly recommend skipping Software Update during the initial device set up within the DEP profile as well.

delayiOSupdate2.jpg

Before enabling Delay Update (Days) within the restriction payload:

WithoutDelayiOSUpdate.png

After enabling Delay Update (Days) within the restriction payload:

DelayiOSUpdate.png

As of web console version 9.7, we still cannot push the iOS update to more than 3 devices at a time. Notice the option to REBOOT DEVICE and SHUT DOWN are also missing if more than 3 devices are selected. Why is that?

At first, VMware support suspected it was due to having custom values configured in the specific fields under GROUPS & SETTINGS -> All Settings -> Devices & Users -> Advanced -> Bulk Management. However, as you see from my screenshot below it doesn’t seem to be the case.

As of this writing, technical support explained this is by design due to console security reason. However, no KB has been published on this just yet. Do you agree?

delayiOSupdate5.jpg

With up to 3 devices selected:

delayiOSupdate3.jpg

With 4 or more devices selected:

delayiOSupdate4.jpg

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.