
Cisco Meraki Documentation

How to Manage Apple OS Updates

Overview

Apple OS updates can cause significant network strain. You can manage these updates by leveraging Apple's caching service, delaying updates via endpoint management, or using traffic shaping and Layer 7 firewall rules to control bandwidth and access. 

Apple Caching Service

Use Apple's caching service to locally cache a variety of Apple software, including OS updates, iOS apps, and Mac apps. A single copy of each piece of content is downloaded to the server and then distributed locally to any client devices. This is an Apple product and requires OS X. For more information, refer to the Apple website.

Prerequisites

  • Meraki Systems Manager or a third-party endpoint management solution for delaying updates. 

  • Meraki MR access points, MX WAN appliances, or Z-Series teleworker gateways for traffic shaping and firewall configurations. 

  • Administrative access to the Meraki dashboard.

Step-by-step instructions

Delaying OS updates

Use Systems Manager to delay updates for supervised iOS, iPadOS, macOS, or tvOS devices for up to 90 days. 

  1. In the Meraki dashboard, navigate to Systems Manager > Manage > Settings.


  2. Configure the delay using a Restrictions payload.

For third-party endpoint management solutions, refer to their documentation to configure restrictions.

Rate limiting update downloads

Traffic shaping rules allow you to control the speed of iOS update downloads.

  1. Navigate to the appropriate configuration page in the Meraki dashboard: 
        a. For MR access points: Wireless > Configure > Firewall & Traffic Shaping. Select the desired SSID.
        b. For MX/Z-Series appliances: Security & SD-WAN > Configure > SD-WAN & Traffic Shaping.

  2. Under Traffic shaping rules, click Add a new shaping rule (or Create a new rule). 

  3. Click Add+.


  4. Select Custom expressions.

  5. Enter "appldnld.apple.com" and click Add Expression.

  6. For Per-client bandwidth limit, select Choose a limit and use the slider to set the desired speed.

  7. Click Save changes.

Blocking OS updates

Blocking specific URLs with the Layer 7 firewall prevents devices from identifying or downloading OS updates.

  1. Navigate to the appropriate configuration page in the Meraki dashboard:  
        a. For MR access points: Wireless > Configure > Firewall & Traffic Shaping. Select the desired SSID.
        b. For MX/Z-Series appliances: Security & SD-WAN > Configure > Firewall

  2. Under Layer 7 firewall rules, select Add a layer 7 firewall rule.

  3. Select HTTP hostname and enter "mesu.apple.com". 

  4. (Optional) Repeat the process to add "appldnld.apple.com" or "updates-http.cdn-apple.com".

  5. Click Save changes.


Verification

  • Verify that the traffic shaping rule appears in the Traffic shaping rules list. 

  • Confirm that the Layer 7 firewall rule is active under the Layer 7 section. 

  • Monitor client behavior to ensure updates are delayed or throttled as expected.
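
The first two checks can also be run against exported rule data instead of by eye. The following is an added example, not Cisco Meraki code: it assumes the rules were fetched as JSON in the shape of the Dashboard API v1 Layer 7 firewall and traffic shaping responses, uses constructed sample data, and matches hostnames exactly. The function names are hypothetical.

```python
# Hostnames this page names for Apple OS update discovery and download.
UPDATE_HOSTS = ("mesu.apple.com", "appldnld.apple.com", "updates-http.cdn-apple.com")

# Constructed sample data, shaped like Dashboard API v1 responses (assumption).
SAMPLE_L7 = {"rules": [
    {"policy": "deny", "type": "host", "value": "mesu.apple.com"},
    {"policy": "deny", "type": "port", "value": "23"},
]}
SAMPLE_SHAPING = {"defaultRulesEnabled": True, "rules": [{
    "definitions": [{"type": "host", "value": "appldnld.apple.com"}],
    "perClientBandwidthLimits": {"settings": "custom",
                                 "bandwidthLimits": {"limitUp": 1000, "limitDown": 5000}},
    "dscpTagValue": None, "priority": "normal",
}]}


def blocked_hosts(l7):
    """Hostnames denied by Layer 7 rules of type 'host'."""
    return {r["value"].lower() for r in l7.get("rules", [])
            if r.get("policy") == "deny" and r.get("type") == "host"
            and isinstance(r.get("value"), str)}


def throttled_hosts(shaping):
    """Map hostname -> per-client download limit, for rules with a custom limit."""
    out = {}
    for rule in shaping.get("rules", []):
        limits = rule.get("perClientBandwidthLimits", {})
        if limits.get("settings") != "custom":
            continue  # rule exists but does not set its own per-client limit
        down = limits.get("bandwidthLimits", {}).get("limitDown")
        for d in rule.get("definitions", []):
            if d.get("type") == "host":
                out[d["value"].lower()] = down
    return out


def audit(l7, shaping):
    """State of each update hostname: blocked, throttled:<limit>, or open."""
    blocked, throttled = blocked_hosts(l7), throttled_hosts(shaping)
    return {h: "blocked" if h in blocked
            else f"throttled:{throttled[h]}" if h in throttled else "open"
            for h in UPDATE_HOSTS}


if __name__ == "__main__":
    for host, state in audit(SAMPLE_L7, SAMPLE_SHAPING).items():
        print(f"{host:30} {state}")
```

A hostname reported as "blocked" is also the condition the security-risk note under Troubleshooting describes, so the same report can be used to track how long update hosts have been blocked.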

Troubleshooting

  • Existing downloads: Once traffic shaping and firewall rules are applied, they only affect new connections. Existing downloads will continue until completion. 

  • Security risks: Indefinitely blocking OS updates may expose endpoints to security vulnerabilities. 
