Microsoft Intune “Defer software updates” and iOS Patch releases

Right now I’m trying to allow my fleet of devices to access iOS 15.0.2 but I do not want them to have access to iOS 15.1 yet (being released later today). Typically I like to allow a couple of weeks before upgrading devices to new minor releases to allow other folks to uncover any issues that might be introduced before my fleet tries to use them.

Intune has implemented, as part of their Device Configuration policies for iOS, the ability to take advantage of Apple iOS’ ability to defer a software update by up to 90 days.

This is potentially a great feature and has worked so far on Major and Minor releases. However, this is the first time I’ve attempted to use it to limit folks to a specific patch release (Major.Minor.Patch i.e. 15.0.2).

In my testing I find that just having the “Defer Software Updates” option set to Yes, regardless of how many days’ delay is specified, causes iOS’ Software Update to completely ignore the patches.

If I watch closely, I sometimes see a ghost “iOS 15.0” zero-byte offering that will disappear on a subsequent refresh. I find it appears immediately after I Check Status of my device in the Intune Company Portal. It then goes away after I refresh the Software Update page, until the next time I refresh.

I cannot say for sure if the flaw is with Microsoft’s Intune implementation or in iOS’ implementation; I can only say that I cannot take advantage of this feature for patch versions while trying to safeguard the integrity of my iOS fleet.

One other thing – a defect in the Device Configuration policy. It seems if you EVER set and save the Defer Software Update setting, even if you subsequently set it to Not Configured, this will permanently enable the number-of-days parameter. This parameter defaults back to 30 when you set the Defer parameter to Not Configured and is still sent to the devices…

Intune – Send Custom Notifications – but not to too many people

I’ve been wrestling back and forth with Microsoft on this for the past few weeks. I’m able to use Intune’s “Send Custom Notifications” feature to send messages to a very small number of people.

But, recently, I wanted to notify just under a couple of hundred of my users that the version of iOS they are running will no longer be supported by my system. I thought this notification feature would be a neat way to reach out directly to them so they knew that I meant *them* specifically and not *them* generically as tends to happen with email communication of this sort.

So I sent my notification to a tiny number of people (me especially) to ensure that the message being sent looks good for the target folks on the mobile platform. Works fine.

Sent the identical message to a single group of 171 people (again, including me) and… nothing.
The next day I sent it again after confirming that, not only did none of my half dozen test mobile devices receive it, but NOBODY received it. And… again… nothing. This time I verified that the resulting Intune notification (bell at the top in Intune) confirmed “Success”.
Sent another notification to just myself and a coworker and… works just fine.

Well… crap. So I sent off an email instead to the users to give them their warning and opened a ticket with Microsoft regarding this.

Basically Microsoft is telling me that I must have missed the dozen or so notifications across my devices, as did all of my users. They took pains to explain to me how end users sometimes don’t notice notifications when they come up and that must be the situation… on both days.

Long and short it turns out that there is no real auditing or logging of this feature so Microsoft cannot tell the notification disposition beyond the original “Success” which apparently only means Intune has acknowledged that I’ve submitted the request.

I wanted to put this warning out to you. Not only should you not be using this feature for time-sensitive information, but also there appears to be a threshold number of people – certainly in my case – to whom it can be sent before it will give up the ghost and just not do anything.

Be absolutely certain to include yourself and some sympathetic coworkers on ANY Intune Custom notification that you send out if you want to have any assurance that it actually made it to your audience.

In my opinion Microsoft needs to update this feature so it:

  1. Logs all sent messages,
  2. Provides a disposition for the message as to whether or not a device has acknowledged receiving it.

I don’t imagine there is a lot more I could ask for. The end user is welcome to ignore the message after delivery. At that point my goal has been achieved.

I would be interested to know if there are any other folks who have run up against this issue.