
Blocking or Rate Limiting iOS Updates

Apple OS updates can cause extreme network strain for organizations that have no existing means of managing them. This article covers ways to block, rate limit, or otherwise manage Apple OS updates from a network perspective.

Apple caching service

Apple's caching service can be used to locally cache a variety of Apple software, including OS updates, iOS apps, Mac apps, etc. This allows a single copy of each piece of content to be downloaded to the server, and then locally distributed to any client devices. This is an Apple product and requires OS X. For more information, please refer to the Apple website.

Delay OS Updates

Using Meraki Systems Manager or another MDM solution, supervised iOS, supervised iPadOS, macOS, or tvOS devices may be configured to delay OS updates for a period of up to 90 days. Systems Manager customers can configure this restriction via a Restrictions payload on the Systems Manager > Manage > Settings page.

For third-party MDM solutions, please refer to their documentation for how to configure this restriction.

Rate limiting updates

In environments where iOS updates should be allowed but need to occur at a controlled speed, traffic shaping rules can be used to rate limit update downloads. To do this, create a rule for the URL "appldnld.apple.com". When determining the bandwidth limit, keep in mind how many devices may be downloading simultaneously, and that a slower download will also take longer to complete.

Note: Only new flows will be impacted. This rule will not impact existing downloads.

MR Series access points

  1. Navigate to Configure > Firewall & traffic shaping.
  2. Select the desired SSID.
  3. Under Traffic shaping rules, click Add a new shaping rule (or Create a new rule if none exist).
  4. Click Add+.
  5. Select Custom expressions.
  6. Enter "appldnld.apple.com" and click Add Expression.
  7. For Per-client bandwidth limit, select "Choose a limit", then use the slider to select the desired limit. This is the maximum speed at which an individual device will be able to download the iOS update.
  8. Click Save changes.

MX/Z1 Series appliances

  1. Navigate to Configure > Traffic shaping.
  2. Under Traffic shaping rules, click Add a new shaping rule (or Create a new rule if none exist).
  3. Click Add+.
  4. Select Custom expressions.
  5. Enter "appldnld.apple.com" and click Add Expression.
  6. For Per-client bandwidth limit, select "Choose a limit", then use the slider to select the desired limit. This is the maximum speed at which an individual device will be able to download the iOS update.
  7. Click Save changes.
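
To make the trade-off between the per-client limit, the number of simultaneous downloads and the download time concrete, the following planning helper is an added example and is not part of the original article or of any Meraki tooling. The function names, the update size, the device counts and the uplink budget are all assumptions chosen for illustration, and the rollout is modelled as devices downloading in equal batches.

```python
import math

def plan_update_shaping(update_size_gb, total_devices, concurrent_devices,
                        update_budget_mbps):
    """Split an uplink budget reserved for updates into a per-client limit
    and report how long the rollout takes at that limit (planning model)."""
    inputs = (update_size_gb, total_devices, concurrent_devices, update_budget_mbps)
    if any(v <= 0 for v in inputs):
        raise ValueError("all inputs must be positive")
    concurrent = min(concurrent_devices, total_devices)
    # The shaping rule limits each client separately, so the aggregate load
    # is the per-client limit multiplied by the simultaneous downloads.
    per_client_mbps = update_budget_mbps / concurrent
    size_megabits = update_size_gb * 8 * 1000      # decimal GB -> megabits
    minutes_per_device = size_megabits / per_client_mbps / 60
    waves = math.ceil(total_devices / concurrent)  # assumed equal batches
    return {
        "per_client_mbps": per_client_mbps,
        "minutes_per_device": round(minutes_per_device, 1),
        "waves": waves,
        "rollout_hours": round(waves * minutes_per_device / 60, 1),
    }

def peak_load_mbps(per_client_mbps, concurrent_devices):
    """Aggregate load a chosen per-client limit can still put on the uplink."""
    return per_client_mbps * concurrent_devices

if __name__ == "__main__":
    # Constructed scenario: 5 GB update, 300 devices, 50 downloading at once,
    # 100 Mbps of the uplink set aside for updates.
    print(plan_update_shaping(5, 300, 50, 100))
    # A 5 Mbps per-client limit with the same 50 devices exceeds that budget.
    print(peak_load_mbps(5, 50))
```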

Blocking updates

In environments where completely blocking the ability to perform OS updates is desired, the following URL(s) will need to be blocked using the layer 7 firewall.

  • mesu.apple.com - Apple's Mobile Asset Software Update service. Provides an XML file with information about available iOS updates. When blocked, devices cannot determine that a new update is available.
  • appldnld.apple.com - (Optional) Apple's OS and software repository, from which devices actually download the OS update. However, other software and updates are also provided by this URL, so blocking it may not be desirable in all environments.

Note: Only new flows will be impacted. These rules will not stop existing downloads.

Indefinitely blocking OS updates for devices of any type may expose your endpoints to security vulnerabilities that would be resolved by those updates. More information on Apple security updates can be found here.

MR Series access points

  1. Navigate to Configure > Firewall & traffic shaping.
  2. Select the desired SSID.
  3. Under Firewall > Layer 7 firewall rules, click Add a layer 7 firewall rule.
  4. Select HTTP hostname and then enter "mesu.apple.com".
  5. (Optional) Repeat Step 4 for "appldnld.apple.com".
  6. Click Save changes.

MX/Z1 Series appliances

  1. Navigate to Configure > Firewall.
  2. Under Layer 7, click Add a layer 7 firewall rule.
  3. Select HTTP hostname and then enter "mesu.apple.com".
  4. (Optional) Repeat Step 3 for "appldnld.apple.com".
  5. Click Save changes.
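
Because the rules only affect new flows, a useful check after saving them is to separate downloads that were already in progress from new flows that still moved data. The following is an added example, not part of the original article: the CSV layout, its field names, the sample records and the function name are constructed for illustration and do not represent a Meraki export format, and it assumes the bytes column counts data delivered to the client.

```python
import csv
import io
from datetime import datetime

# Hostnames named in this article for blocking OS updates.
BLOCKED_HOSTS = {"mesu.apple.com", "appldnld.apple.com"}

# Constructed flow records (hypothetical layout, not a real export).
SAMPLE_FLOWS = """start,client,host,bytes
2024-01-10T08:55:00,10.0.0.21,appldnld.apple.com,734003200
2024-01-10T09:05:00,10.0.0.22,mesu.apple.com,0
2024-01-10T09:06:30,10.0.0.23,MESU.apple.com.,18432
2024-01-10T09:07:00,10.0.0.24,www.apple.com,52000
"""

def audit_block(flows_csv, rule_saved_at, blocked_hosts=BLOCKED_HOSTS):
    """Classify flows to the blocked hostnames relative to the rule save time.

    pre_existing: started before the rule was saved (not stopped by it)
    blocked:      new flow that carried no data
    leaks:        new flow that still carried data, so the rule did not match
    """
    saved = datetime.fromisoformat(rule_saved_at)
    report = {"pre_existing": [], "blocked": [], "leaks": []}
    for row in csv.DictReader(io.StringIO(flows_csv)):
        # Normalise case and a trailing dot before comparing hostnames.
        host = row["host"].strip().lower().rstrip(".")
        if host not in blocked_hosts:
            continue
        started = datetime.fromisoformat(row["start"])
        if started < saved:
            bucket = "pre_existing"
        elif int(row["bytes"]) > 0:
            bucket = "leaks"
        else:
            bucket = "blocked"
        report[bucket].append((row["client"], host))
    return report

if __name__ == "__main__":
    for bucket, flows in audit_block(SAMPLE_FLOWS, "2024-01-10T09:00:00").items():
        print(bucket, flows)
```

Entries under pre_existing are expected and will finish their download; entries under leaks mean the rule should be rechecked on the SSID or appliance where that client is connected.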