Microsoft Intune “Defer software updates” and iOS Patch releases

Right now I’m trying to allow my fleet of devices to access iOS 15.0.2 but I do not want them to have access to iOS 15.1 yet (being released later today). Typically I like to allow a couple of weeks before upgrading devices to new minor releases to allow other folks to uncover any issues that might be introduced before my fleet tries to use them.

Intune has implemented, as part of their Device Configuration policies for iOS, the ability to take advantage of Apple iOS’ ability to defer a software update by up to 90 days.

This is potentially a great feature and has worked so far on Major and Minor releases. However, this is the first time I’ve attempted to use it to limit folks to a specific patch release (Major.Minor.Patch i.e. 15.0.2).

In my testing I find that just having the “Defer Software Updates” option set to Yes regardless of how many days delay specified causes iOS’ Software Update to completely ignore the patches.

If I watch closely, I sometimes see a ghost “iOS 15.0” zero byte offering that will disappear on a subsequent refresh. I find it appears immediately after I Check Status of my device in Intune Company portal. Then goes away after I refresh the Software Update page until the next time I refresh.

I cannot say for sure if the flaw is with Microsoft’s Intune implementation or in iOS’ Implementation, I can only say that I cannot take advantage of this feature for Patch versions while trying to safeguard the integrity of my iOS fleet.

One other thing – a defect in the Device Configuration policy. It seems if you EVER set and save the Defer Software Update setting, even if you subsequently set it to Not Configured, this will permanently enable the number of days parameter. This parameter defaults back to 30 when you set the Defer parameter to Not Configured and still be sent to the devices…

Leave a Reply

Your email address will not be published.