Hi, my name is Xavier PIERROT and I'm a Senior Mobility Consultant at Mobinergy. Today I will introduce you to the update policies for iOS in Microsoft Endpoint Manager, a.k.a. Intune.
In another life, I had the chance to work on other leading MDM solutions and among all of them, Intune is the only one I've seen with the following capabilities.
You probably know that Apple recommends always updating your iOS device to the latest version for compatibility and security reasons, but in the enterprise world this is often not recommended, depending on your activity.
I wanted to write this article because it's not always easy to find your way around the Intune console, especially for beginners, and also because this update option is really different from the device profiles. You can easily miss it.
To create the update profile for your iOS devices, navigate to Devices > iOS/iPadOS, then in the iOS/iPadOS Policies section select Update policies for iOS/iPadOS and create your profile.
Now let's see what we have inside the profile. You will arrive at the following stage.
With Intune, Microsoft offers an interesting integration: you can select the iOS version that you want to offer to your devices.
But be careful: this does not prevent the user from retrieving the latest version released by Apple. For that purpose, you must also add a restriction profile that delays the installation option by 90 days.
And of course your device must be managed with Automated Device Enrollment (ADE), formerly the Device Enrollment Program (DEP). To summarize, the iOS devices simply need to be supervised.
Microsoft then provides the capability to schedule the update with three options.
- Update at next check-in: The update installs on the device the next time it checks in with Intune. This is the simplest option and has no additional configuration.
- Update during scheduled time: With this option you can configure one or more time windows during which the update will be available for automatic installation upon check-in. By default, the check-in occurs approximately every 8 hours. To our knowledge, there is no way to change this.
Important: If your company is present in many countries, you must create several update policies with the correct time zones and assign them to the correct devices.
- Update outside of scheduled time: This option is the opposite of the previous one. You can configure one or more time windows during which the updates won't install at all upon check-in. Most traditional tools offer this possibility of defining a time range during which no action is taken on the devices.
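The three schedule options and the time-zone caveat above can be modelled as a small decision function. This is an added example, not Intune's code or API: the function names, the window format and the assumption that a window is evaluated in the policy's configured time zone are all illustrative.

```python
from datetime import datetime, time, timedelta, timezone

# Hypothetical model of the three schedule options described above.
# Names and structure are illustrative assumptions, not Intune's API.
NEXT_CHECKIN = "next_checkin"
DURING = "during_scheduled_time"
OUTSIDE = "outside_scheduled_time"


def in_window(local, window):
    """True if `local` falls in (weekday set, start, end); handles midnight crossing."""
    days, start, end = window
    t = local.time()
    if start <= end:
        return local.weekday() in days and start <= t < end
    # Window crosses midnight: the late part belongs to a start day,
    # the early part belongs to the day after a start day.
    if t >= start:
        return local.weekday() in days
    if t < end:
        return (local.weekday() - 1) % 7 in days
    return False


def installs_at_checkin(checkin_utc, schedule, windows=(), policy_utc_offset_min=0):
    """Decide whether an update installs at this check-in under the policy."""
    if schedule == NEXT_CHECKIN:
        return True
    # Assumption: windows are interpreted in the policy's time zone.
    policy_tz = timezone(timedelta(minutes=policy_utc_offset_min))
    hit = any(in_window(checkin_utc.astimezone(policy_tz), w) for w in windows)
    return hit if schedule == DURING else not hit


def device_local_hour(checkin_utc, device_utc_offset_min):
    """Wall-clock hour the user sees when the check-in happens."""
    device_tz = timezone(timedelta(minutes=device_utc_offset_min))
    return checkin_utc.astimezone(device_tz).hour


# Constructed sample: nightly window 22:00-04:00 starting Mon-Fri, policy at UTC+1.
NIGHTLY = [({0, 1, 2, 3, 4}, time(22, 0), time(4, 0))]
CHECKIN = datetime(2024, 1, 10, 22, 30, tzinfo=timezone.utc)  # Wednesday 22:30 UTC

if __name__ == "__main__":
    print(installs_at_checkin(CHECKIN, DURING, NIGHTLY, 60))
    print(device_local_hour(CHECKIN, 60), device_local_hour(CHECKIN, 480))
```

With the constructed sample, a device at UTC+8 assigned to the UTC+1 policy would install at 06:30 local time, while a policy set to UTC+8 would not install at that check-in.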
This is the best integration I've seen for managing updates on iOS devices. Most solutions only offer deferred installation.
In some sectors like airlines, the control of the iOS version is often a requirement.
I remember that we used to set up a proxy PAC system that blocked the iOS update URL directly at Apple; it did the job quite well, but it was clearly complicated to maintain.
Microsoft now offers more flexibility and ease with this.
Stay tuned for more tips!