iOS Update Delay: FAQ

Created: Modified: Knowledge Base

The iOS Update Delay page allows you to keep your iOS devices up to date, while removing the “surprise” factor of new iOS updates. Once set, no action is required by the administrator. There are limitations to this feature, so it is important to understand how it works, and why you may — or may not — want to use it.

How does iOS Update Delay work?

Mobile Access Management’s iOS Update Delay takes advantage of the signing overlap during iOS transitions. For a period of a few days, Apple allows both the old and the new iOS versions to be installed. Mobile Access Management’s feature simply exposes that choice, allowing you to set a preference to use the old or new version.

What is iOS signing?

No matter how you update your devices — iTunes, Configurator, Mobile Access Management, or over-the-air — Apple must validate that update is approved. This validation — known as “signing” —  allows Apple to have tight control over which versions of iOS are valid for particular devices. This control is one of the best security defenses Apple has against known vulnerabilities, and contributes to making iOS an incredibly secure mobile platform.

When Apple releases a new version of iOS, they begin signing that version. Eventually, they will stop signing the old version. When they stop signing an older version, you will no longer be able to install it.

However, Apple doesn’t immediately stop signing the older version. There’s an overlap when both versions are being signed. And if you know how, you have a choice over which version can be installed.

How long does the signing overlap last?

Typically 7 – 14 days. Minor updates often have a shorter window. Rarely, Apple immediately stops signing an iOS release once a bug fix comes out.

Does Mobile Access Management allow Recovery Mode to use the older iOS version?

Yes. If the setting is enable in Admin, it will apply to your recovery mode workflow.

Can I set some workflows to use the latest iOS update for testing, but have others prefer the older update?

Yes. You can set this preference in individual workflows as well.

Will iOS Update Delay downgrade devices?

Only if the device is in recovery mode.

What happens to the Workflow when Apple stops signing the older release?

The Mobile Access Management Workflow will begin installing the most recent version. Most days of the year, Apple is signing only a single iOS version. And during those days, the two “iOS Update” options behave exactly the same.

There is also an option to “Skip the update if the device is at…” Which has priority?

The Skip checkbox has priority. That is, if the device is already at or above the minimum version you specify, Mobile Access Management will not update the device.

But I don’t want to update my devices! How do I turn off updates?

Simply do not include the Update iOS action in your Workflow. But note that your devices may be vulnerable to attackers.

Can you prevent my users from updating their devices using Settings?

No. Single App Mode is the only way Apple allows you to prevent iOS updates on the device. We’ve heard of techniques for blocking update checking using DNS or proxy PAC files, but we have not tested these techniques.

Can Mobile Access Management install any version of the OS I specify?

No. Apple signs iOS versions cryptographically, and Mobile Access Management cannot install unsigned firmware. (Also, it would be a bad idea to install old software with known vulnerabilities.)