Year after year, IT admins have asked for a way to stop users from installing iOS updates... and year after year, they’ve been disappointed that new versions of iOS don’t come with this feature.
On the other hand, we can agree that the last few months of ransomware attacks have reminded us—yet again, sigh—how important it is to patch, update, and upgrade our computers.
Just last week I saw an article called, “With Patch Tuesday imminent, make sure you have Automatic Update turned off.” Commentators were aghast at how irresponsible this is, and it got me thinking along the same lines: We can’t stop iOS updates, but really, isn’t this saving us from ourselves?
The details on iOS updates
In case you’re curious about what we can and can’t do with iOS updates:
- You can try to block Apple’s update servers on the network.
- You can ask users to please wait to update their phones.
- Institutional devices can be locked down into single app mode.
- Users can try to put off updates themselves and avoid the nagging, as outlined in this article.
But as it turns out, there’s no API that an MDM server or any other app can use to block iOS updates. In fact, the MDM controls that do exist go the other way: they let you push updates to supervised, institution-owned devices.
Yes, this breaks apps occasionally, and updates take time, space, and bandwidth. We can even have legacy app issues on mobile, as I wrote with regard to iOS 11 dropping support for old 32-bit apps.
Why this is good
From a security standpoint, though, aren’t all these forced updates mostly a good thing? After 10 years, with some extremely rare exceptions, iPhones (and Android phones) still haven’t been the attack vector in any big headline-producing data breaches.
Considering the technical skills of most consumers, you can easily argue that someone on their iPhone in 2017 is far safer than someone on their Gateway 2000 in 1997, and these easy-to-install forced updates are an important reason.
You can and should deal with this
We should also point out that in the case of iOS updates, you’re not hung out to dry. Enterprises have always had the option to join the developer program to access betas, and for a few years now Apple has also had a public beta program.
Most commercial app developers do a good job of keeping up with updates. In the enterprise, all EUC pros should consider having a spare device in the public beta program in order to make sure there are no surprises come the new iOS version every September. If you’re deploying in-house or custom apps, testing with the developer betas is probably already part of your workflow (and if not, get with the program).
Lastly, Apple has tried to ease the pain of upgrades: Starting in iOS 9, iOS updates are much smaller than they used to be, and the Caching Server in macOS Server can be used to cache iOS updates locally so that every device on your network doesn’t download the same update over your internet connection.
The big picture and conclusion
We could get into a much deeper argument about ownership, subscriptions versus packaged software, cloud versus on-premises, DRM, lending, privacy, and the like... Personally, I’m not absolute about this. I swear at my phone when an update makes a change I don’t like, but I install them all anyway and I like that they just work. (I still buy full albums instead of streaming from Spotify, but I get most of my TV from Netflix; I buy most of the books that I read, but I use Lyft and Zipcar instead of having my own car.) Anyway, I digress, and that’s a wider conversation than we need to have today.
The bottom line is that for a decade, iOS has managed to avoid many of the security, management, and legacy issues of older platforms, thanks to frequent, consistent, and un-blockable updates. If very occasionally breaking stuff or making us scramble is the result (which is mostly avoidable, anyway), then I’ll take that tradeoff.