
Cisco Meraki Documentation

Blocking or Rate Limiting iOS Updates

Apple OS updates can cause extreme network strain for organizations without existing means of managing the updates. This article will cover ways to block, rate limit, or otherwise manage Apple OS updates from a network perspective.


Apple caching service

Apple's caching service can be used to locally cache a variety of Apple software, including OS updates, iOS apps, Mac apps, etc. This allows a single copy of each piece of content to be downloaded to the server, and then locally distributed to any client devices. This is an Apple product and requires OS X. For more information, please refer to the Apple website.

Delay OS Updates

Using Meraki Systems Manager, or other MDM solutions, supervised iOS, supervised iPadOS, macOS, or tvOS devices may be configured to delay OS updates for a period of up to 90 days. This restriction may be configured for Systems Manager customers via a Restrictions payload on the Systems Manager > Manage > Settings page.

[Screenshot: how to delay OS updates in Systems Manager]

For 3rd party MDM solutions, please refer to their documentation for how to configure this restriction.

Rate limiting updates

In environments where iOS updates should be allowed, but need to occur at a controlled speed, traffic shaping rules can be used to rate limit update downloads. To do this, the URL "appldnld.apple.com" must have a rule created. When determining the bandwidth limit, keep in mind how many devices may be downloading simultaneously and that a slower download will also take longer to complete.

Note: Only new flows will be impacted. This rule will not impact existing downloads.

[Screenshot: traffic shaping rule for bandwidth limit]

MR Series access points

  1. Navigate to Configure > Firewall & traffic shaping.
  2. Select the desired SSID.
  3. Under Traffic shaping rules, click Add a new shaping rule (or Create a new rule if none exist).
  4. Click Add+.
  5. Select Custom expressions.
  6. Enter "appldnld.apple.com" and click Add Expression.
  7. For Per-client bandwidth limit, select "Choose a limit", then use the slider to select the desired limit. This is the maximum speed at which an individual device will be able to download the iOS update.
  8. Click Save changes.

MX/Z1 Series appliances

  1. Navigate to Configure > Traffic shaping.
  2. Under Traffic shaping rules, click Add a new shaping rule (or Create a new rule if none exist).
  3. Click Add+.
  4. Select Custom expressions.
  5. Enter "appldnld.apple.com" and click Add Expression.
  6. For Per-client bandwidth limit, select "Choose a limit", then use the slider to select the desired limit. This is the maximum speed at which an individual device will be able to download the iOS update.
  7. Click Save changes.

Blocking updates

In environments where completely blocking the ability to perform OS updates is desired, the following URL(s) will need to be blocked using the layer 7 firewall.

  • mesu.apple.com - Apple's Mobile Asset Software Update service. Provides an XML file with information about available iOS updates. When blocked, devices cannot determine that a new update is available.
  • appldnld.apple.com - (Optional) Apple's OS and software repository. Where devices will actually download the OS update from. However, other software and updates are also provided by this URL. Blocking may not be desirable in all environments.
  • updates-http.cdn-apple.com

Note: Only new flows will be impacted. These rules will not stop existing downloads.

Indefinitely blocking OS updates for devices of any type may potentially expose your endpoints to security vulnerabilities which would be resolved by said updates. More information on Apple security updates can be found here.

[Screenshot: blocking iOS updates by using Layer 7 firewall rules]

MR Series access points

  1. Navigate to Configure > Firewall & traffic shaping.
  2. Select the desired SSID.
  3. Under Firewall > Layer 7 firewall rules, click Add a layer 7 firewall rule.
  4. Select HTTP hostname and then enter "mesu.apple.com".
  5. (Optional) Repeat Step 4 for "appldnld.apple.com".
  6. Click Save changes.

MX/Z1 Series appliances

  1. Navigate to Configure > Firewall.
  2. Under Layer 7, click Add a layer 7 firewall rule.
  3. Select HTTP hostname and then enter "mesu.apple.com".
  4. (Optional) Repeat Step 3 for "appldnld.apple.com"/"updates-http.cdn-apple.com".
  5. Click Save changes.
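For organizations with many networks, the rate-limiting and blocking rules above are more practical to apply through the Meraki Dashboard API than by hand. The following is an added example, not code from this article or from Cisco Meraki; the endpoint paths and JSON field names are assumptions based on the public Dashboard API v1 and should be checked against the API reference before use. It builds the rule payloads, merges the deny rules idempotently into whatever rules a network already has, and sends them only when a `put` callable is supplied, so it can be dry-run offline.

```python
"""Build Dashboard API v1 payloads for the Apple-update rules described in the article.

ASSUMPTION: endpoint paths and field names below follow the public Dashboard API v1
(not taken from the article); verify them against the API reference for your org.
"""
import json

# Hosts named in the article. mesu.apple.com is the update catalogue; the other two
# serve downloads and are optional to block because they also carry other software.
CATALOGUE_HOST = "mesu.apple.com"
DOWNLOAD_HOSTS = ["appldnld.apple.com", "updates-http.cdn-apple.com"]


def merge_l7_deny_rules(existing_rules, hosts):
    """Return existing L7 rules plus a 'deny host' rule for each host not already denied.
    Idempotent: re-running against an already-configured network adds nothing."""
    denied = {(r.get("type"), r.get("value")) for r in existing_rules if r.get("policy") == "deny"}
    merged = list(existing_rules)
    for host in hosts:
        if ("host", host) not in denied:
            merged.append({"policy": "deny", "type": "host", "value": host})
    return merged


def l7_payload(existing_rules, block_download_hosts=False):
    """Payload for PUT .../firewall/l7FirewallRules (MX: /networks/{id}/appliance/...,
    MR: /networks/{id}/wireless/ssids/{n}/...). Download hosts only when asked for,
    mirroring the article's '(Optional)' steps."""
    hosts = [CATALOGUE_HOST] + (DOWNLOAD_HOSTS if block_download_hosts else [])
    return {"rules": merge_l7_deny_rules(existing_rules, hosts)}


def shaping_rule(kbps, host="appldnld.apple.com"):
    """One traffic-shaping rule for PUT .../trafficShaping/rules: a per-client limit on
    new flows to `host`. limitUp/limitDown are assumed to be in kbit/s."""
    if kbps <= 0:
        raise ValueError("per-client limit must be a positive number of kbit/s")
    return {
        "definitions": [{"type": "host", "value": host}],
        "perClientBandwidthLimits": {"settings": "custom",
                                     "bandwidthLimits": {"limitUp": kbps, "limitDown": kbps}},
        "priority": "normal",
    }


def apply_block(network_id, existing_rules, put=None, block_download_hosts=False):
    """Compute the MX L7 payload; send it via put(path, body) if a sender is given."""
    path = f"/networks/{network_id}/appliance/firewall/l7FirewallRules"
    body = l7_payload(existing_rules, block_download_hosts)
    if put is not None:          # e.g. a wrapper around requests.put with X-Cisco-Meraki-API-Key
        put(path, body)
    return path, json.dumps(body)
```

Running it with `put=None` prints nothing and changes nothing; pass a sender only after confirming the payload shape against the API reference.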