Manage iOS Updates on Supervised Devices through Intune

Microsoft Intune has built-in policies that can manage software updates on iOS/iPadOS supervised devices. It’s recommended to use these policies to manage software updates through Intune and not leave the responsibility to install software updates to the end users.

Leaving iOS update responsibility to the end user may lead to different issues. Users can apply iOS updates that your organization has not approved. This may break applications if they are not compatible with the latest iOS version. Users may also opt to simply avoid applying the required updates leaving the device vulnerable to security threats.

In this blog post, we will understand how to manage iOS updates on iPad and iPhone devices. We will also go through the end-user experience for different update scenarios.

iOS/iPadOS Updates Default Behaviors

By default, user can see the latest updates available on their devices from Settings > General > Software Updates. Users may receive a notification when the latest iOS software updates are available for iPhones / iPads. Users can choose to download and install the updates as per their preference.

End User Experience When No Update Policy Deployed

Users can go to Settings > General > Software Update on iPhone / iPad and check for the latest available software updates. If an update is available then the user can perform the below actions.

  • Users can choose to download and install updates.
  • Users can avoid installing required updates.

Manage iOS Updates |  iOS Software update intune

Defer Updates on iOS / iPadOS

The Software updates can be deferred up to 90 days on iOS/iPadOS devices. There are two settings: Defer software updates & Delay default visibility of software updates which need to be configured. These settings are available in Device Configuration / Templates / Device Restriction and can be deployed using a device restriction policy.

How to a Create Device Restriction Policy to Defer Updates on iOS/iPadOS Devices

You can follow the below steps to create a device restriction policy to defer software updates.

  • Open Microsoft Intune admin center
  • Navigate to Devices > iOS/iPadOS > Configuration profiles
  • Click on Create and select New policy
  • In the Create a Profile flyer window select the following and click on the Create button.
    • Profile type: Template
    • Template Name : Device restriction
  • In the Device Restrictions Basics page, provide policy name and description and click on Next.
  • In the Configuration settings page, expand the General

Intune device restriction policy iOS

  • Scroll down to find the below settings.

Defer software updates: Turn on the settings. It represents days before software updates are visible to end users after release. This does not impact any scheduled updates.

Delay default visibility of software updates: Specify the number of days (1-90) to delay the default visibility of all software updates. Available for devices running iOS 11.3 and later.

Defer software updates iOS

  • Go through the remaining steps of policy creation to assign the policy to Entra ID group, review the details, and create the policy.

End User Experience when Deferral Period Settings are Configured

Users will see the following message when software updates are deferred on the device using Microsoft Intune update policies for iOS.

Your iPhone is running the latest software update allowed by your administrator.

You iPhone is running the latest software update allowed by your administrator.

Deploy Updates on IOS/iPadOS Devices

The iOS updates can be deployed on iPhones / iPads by scheduling the updates deployment. When update policies are deployed, it overrides the deferral period configured through the device configuration profile. An update can be scheduled during the next check-in, during a scheduled time, or outside a scheduled time.

Schedule Updates on iOS / iPadOS

The Intune update policies for iOS can be configured from the Intune admin center. Follow the below steps to create update policies for iOS/iPadOS.

  • Open Microsoft Intune admin center
  • Navigate to Devices > iOS/iPadOS > Update policies for iOS/iPadOS
  • Click on Create profile
  • In the Create profile > Basic page, enter the Name and Description for the profile and click on Next.
  • In the Update policy settings page, provide the following details.
    • Select versions to install: Latest update
    • Schedule Type: Update during the scheduled time
    • Time Windows: A period during which updates will be made available for automatic installation. You need to provide the start day, start time, end day, and end time for each time window.

  • Click on Next to go to Assignments page. You can assign the policy to All Uses, All Devices, or an Entra ID group.
  • On the Review+create page, review the settings and click on Create button to create the policy.

End User Experience for Scheduled Updates

When checked for new updates from Settings > General > Software Updates on the devices where updates configured through update policies for iOS, the updates download started automatically.

Intune iOS Updates End User Experience

The following message appears on the lock screen.

Intune iOS Updates notification

When the device was unlocked, the software update installation prompt appeared on the screen. You can postpone the update installation by clicking on the Later button.

Software Updates : iOS 17.2.1 is ready to install.

Intune iOS Updates popup

You may receive another prompt soon to install the software update and you won’t be able to defer the installation this time.

Software Update: iOS 17.2.1 is required by your organization.

Intune force iOS update

End User Experience for Scheduled Updates on Shared iPads

The end-user experience is different on shared iPads due to the limitations or restrictions applied. Users won’t be able to see the software updates on the settings app. The software updates on Shared iPad can only be initiated by MDM solution, or when the device is connected to Mac using an Apple configurator for Mac, or when the device is physically connected to Mac using the Finder.

For iOS/iPadOS shared devices, to apply updates, all users must be signed out and the device is charging. The users can be signed out or the device can be rebooted, which automatically signs out users.

If the “Maximum seconds of inactivity until user session logs out” setting is configured in the enrollment profile then the user session logs out automatically after the defined inactivity period. Otherwise, you need to consider other options such as rebooting the device to apply software updates on shared iPads.

Related Posts

Subscribe to Techuisitive Newsletter

Be the first to know about our new blog posts. Get our newsletters directly in your inbox and stay up to date about Modern Desktop Management technologies & news.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top