JAMF Nation, hosted by JAMF Software, is a dynamic and knowledgeable community of Apple-focused IT admins and Casper Suite users. Join us in person, in October, for the annual JAMF Nation User Conference (JNUC) to discover new and better ways to manage Apple devices.

Blocking iOS 8 Update

Posted: 9/15/14 at 4:45 PM by bwiessner

How have you blocked iOS updates in the past and what do we need to look out for?

Posted: 9/15/14 at 6:32 PM by tadholyfamily

It can be done by DNS: http://enterpriseios.com/story/2013/09/17/How_to_use_DNS_to_block_iOS_7_and_other_updates_too
However, that doesn't stop the user from doing it at home. There is no capability in MDM to block updating, so I've taken the attitude of Just Roll with It. The iOS 7 upgrade dramatically screwed up this school's deployment by making all the iPads unsupervised, and some of your users will be confused by features they now have (or that others have). We're essentially consigned here to the fate of running around helping panicked users on release day and for some weeks after.

Posted: 9/15/14 at 8:36 PM by freddie.cox

We have used the link @tadholyfamily posted last year to blackhole our DNS. This year we have added mesu.apple.com to our internet filter as it's quicker to add/remove than updating our DNS servers. I will probably leave this in place for the remainder of the week.

I'm OK with them updating at home, the biggest issue from last year was the network congestion that is created by hundreds (if not thousands) of iPad users trying to update simultaneously.

To help with congestion, I recommend setting up Apple's Caching Server 2 in high density locations. This will help the congestion and is, for the most part, configuration free. This is part of OS X Server which is $19.99 in the app store, but can be run on anything that supports Mavericks.

Also, if you have high-stakes users (e.g. administrators doing evaluations), urge them to hold off on the update until you can verify their applications will work. Last year we ran into issues with our Eval software not updating for a week or so until after iOS 7 was released. At least if you get the info out there you can say "I told you so."

Oh, backup, backup, backup. (iCloud or iTunes)

Posted: 9/16/14 at 8:28 AM by bwiessner

@tadholyfamily & @freddie.cox - Can you tell me a little more about this process - http://enterpriseios.com/story/2013/09/17/How_to_use_DNS_to_block_iOS_7_and_other_updates_too

We added mesu.apple.com to our block list on our filter but it blocked everything - App Store, iCloud - even logging into these portals it blocked - appleID.apple.com - deploy.apple.com.

Any ideas or specifics you could tell me would be greatly appreciated. Thanks!

Posted: 9/16/14 at 9:01 AM by freddie.cox

Did you use a filtering application or DNS to block the URL?

If you used DNS, does Apple.com still work? It sounds like it's resolving subdomains to the root domain (apple.com) which could just be a misconfiguration in DNS.

I am able to use deploy.apple.com and appleid.apple.com without any issue.

Posted: 9/16/14 at 9:21 AM by bwiessner

We just blocked http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml
through our firewall block list policies - we didn't try just mesu.apple.com - don't know if that would make a difference.

Thanks.

Posted: 9/16/14 at 9:42 AM by Account deleted

@freddie.cox running the Caching service on the latest (10.9) Server.app can make a huge difference in terms of bandwidth as it will cache and distribute iTMS content, including iOS and apps, rather than just OS X software updates via SUS.

Posted: 9/16/14 at 10:11 AM by freddie.cox

@pete_c Agreed. Worth the meager investment.

Posted: 9/16/14 at 10:37 AM by bwiessner

Can anyone confirm that if blocking just mesu.apple.com in your firewall only blocks the update and nothing else?

Thanks,

Posted: 9/16/14 at 10:39 AM by CGundersen

Our network was hit hard when iOS 7 dropped (~10,000 iPads and many more personal/BYO iOS). We have 8 caching servers in place and hope that it helps a bit this time around. Unsure how the APs will handle the load. The registration/peering on the caching servers is working and activity is pretty constant when tailing the debug log. We'll throw some blocks up if things get out of hand. My understanding is that blocking mesu.apple.com will prevent clients from getting the update catalog downloaded/prevent checking version against global update servers/clients would not see iOS 8 available.

Regarding the caching servers, Apple indicates up to 750 concurrent connections possible on a Mac Mini. I see max concurrent clients can be set (http://support.apple.com/kb/HT5590?viewlocale=en_US), but how can one go about getting a count of concurrent clients at any given point in time?

Posted: 9/16/14 at 1:07 PM by tadholyfamily

We used to block mesu.apple.com in firewall without causing further issue. That stopped after so many users updated from home, and we put a Caching Server in place. It also caches App Store downloads, so it's a very good thing for a limited network as long as you have a Mac available to install on.

Posted: 9/16/14 at 5:48 PM by CGundersen

So in relation to caching servers, I just received info from an Apple contact that caching server will not support iOS 8 update. Messy.

I'd prefer to think this info isn't accurate, but it seems now all we can do is block or degrade service to the mother(ship).

Posted: 9/17/14 at 12:42 AM by Malcolm

Yeah, we want to prevent it too, in case it breaks wifi connectivity with our enterprise wifi, which they have been known to do in the past. Oh well.

Posted: 9/17/14 at 7:25 AM by steelopus

@bwiessne I can confirm that blocking mesu.apple.com only prevents the software update. I blocked it yesterday afternoon and then successfully updated apps and backed up to iCloud, but was unable to even poll the software update service. I blocked the whole mesu.apple.com domain, not the specific URL that is provided above.
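
Added example, not part of any post in this thread: a small check for a DNS-based block that confirms mesu.apple.com is the only name affected, which is the over-blocking problem raised above. The hostnames come from the thread; the sinkhole addresses and the injectable `resolve` function are assumptions for illustration.

```python
import socket

# Hostnames come from the thread; the sinkhole addresses are assumptions.
BLOCKED = "mesu.apple.com"
MUST_WORK = ["appleid.apple.com", "deploy.apple.com", "apple.com"]
SINKHOLES = frozenset({"0.0.0.0", "127.0.0.1"})


def system_resolver(host):
    """Return the set of IPv4 addresses the local resolver gives for host."""
    try:
        infos = socket.getaddrinfo(host, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()  # no answer (e.g. NXDOMAIN)
    return {info[4][0] for info in infos}


def is_blocked(addrs, sinkholes=SINKHOLES):
    """Blocked means no answer at all, or only sinkhole answers."""
    return not addrs or set(addrs) <= set(sinkholes)


def audit_block(resolve=system_resolver, sinkholes=SINKHOLES):
    """Return a list of findings; an empty list means the block is scoped
    to the update catalog host only."""
    findings = []
    blocked_addrs = set(resolve(BLOCKED))
    if not is_blocked(blocked_addrs, sinkholes):
        findings.append(f"{BLOCKED} still resolves to {sorted(blocked_addrs)}")
    for host in MUST_WORK:
        addrs = set(resolve(host))
        if is_blocked(addrs, sinkholes):
            findings.append(f"{host} is blocked too (rule is too broad)")
        elif addrs == blocked_addrs:
            findings.append(f"{host} returns the same answer as {BLOCKED}")
    return findings


if __name__ == "__main__":
    for line in audit_block() or ["OK: only the update catalog host is blocked"]:
        print(line)
```

A block applied in a web filter or firewall rather than in DNS leaves name resolution untouched, so this check only applies to the DNS approach.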

Posted: 9/17/14 at 7:30 AM by freddie.cox

Just going to second @CGundersen.

Caching server will not work as expected with the iOS 8 update and potentially not work with apps once they are updated. If you're concerned about the impact on your network then blocking the update URL or throttling the traffic will be the only way to protect against the flood.

Posted: 9/17/14 at 1:48 PM by jmccartney

http://support.apple.com/kb/HT6456
I just set this up yesterday in preparation for the release of iOS 8. I'm not a happy camper.
