
ChrisJ_NZ
Copper Contributor
Jul 28, 2023

iOS updating via Intune management

Our scenario is that we have a number of iPads installed aboard aircraft for use with search and rescue operations. We want to deploy an iOS update policy that ensures they are all kept up to date, but what we absolutely don't want is an iPad rebooting to install an update mid-flight! They are all managed through Intune.

The issue is how to prevent that, as they are connected to power and they are connected to an on-board Wi-Fi, so they effectively fulfill the requirements for just installing the update as soon as they check in. Grouping them to allow it at certain times is not an option as there is no scheduled "downtime"; they are on call 24-7.

Keen to hear your suggestions, and thank you in advance.

  • Ebuke_Okwese
    Brass Contributor
    Because of how varied your use case is, my suggestion is to deploy an update policy broken into 3 groups. Each group has a different time window for updates.

    Step 1: Create 3 security groups in Intune. If you have 3 aircraft per site with iPads, put each of those iPads into different groups. Make sure the iPads are clearly labeled for you and the aircraft operator.
    Step 2: Create an update policy with different 2-hour windows for "update during scheduled time".
    Step 3: Inform your staff of the update window times for each device/aircraft.
    Step 4: Keep tabs on Apple's iOS/iPadOS update releases via AppleSeed or another notification platform.

    Otherwise, I see no way other than manually going to each device to start the update, when you know it's out.

    *iOS/iPadOS 17 will introduce more granular control for updates via MDM commands. You can set time windows, have updates download but not install until the user checks in... a bunch of stuff.
    However, I don't know when Microsoft will incorporate that into Intune. It might take a few months, or it could take over a year, like the situation with the much-anticipated Platform SSO for Mac.
    • AndrewDawson
      Brass Contributor
      Nice answer.

      I would add that if a functional device is critical to flight operations, you should consider having a backup device on all flights. By doubling your per-aircraft device budget, this would provide you with backup hardware and the ability to have offset update schedules.

      If having two devices is a factor of weight, then you could always keep 1 device at base and colour code the cases depending on the schedule, i.e. red for days 7-17 and blue for 22-2 (giving you a gap between the updates).
    • ChrisJ_NZ
      Copper Contributor
      Thanks, yes, this or similar is probably how I will proceed.
  • jrngsg
    Iron Contributor

    Since you cannot make use of the force update on check-in and restart, I suggest using compliance policies and notifications and setting a grace period so users update their devices manually instead. When the grace period is up and the device becomes non-compliant, they will definitely update the device manually.

    • ChrisJ_NZ
      Copper Contributor
      Thanks, I guessed that may be the option, but it wasn't the desired outcome. End users can't be relied on to run the updates.
  • Hello ChrisJ_NZ
    This is a very special case!
    How many devices are we talking about?

    Have you looked into creating a profile via Apple Configurator 2 (only for supervised iOS)?
    There are several payloads where you could customize payloads/settings from the device level, and after you customize the profile, you can upload it to Intune.

    Best regards
    Shady Khorshed


    • ChrisJ_NZ
      Copper Contributor
      Hi Shady,
      Yes, it is a bit unique. Currently around 55-60 devices, but I do have the advantage of an on-site IT manager to micromanage the devices as well, but as they are geographically dispersed that is also a challenge. I think the best option I have come up with is to create an update profile for each iOS update and then assign the devices to that. From my testing with 5 devices, the update will not start to install unless the device is idle, but as the on-site manager can add devices to that profile, he will at least have some control over it.
