Blocking iOS Software Updates

Question, updated 4 months ago
Hello,

I'm looking for a way to block software updates for all iOS devices connected through the Wi-Fi network.
Can this be done using an application denial policy?
Hisham Matni

Posted 5 months ago
Max O'Driscoll, AlphaDog
Not in a simple tickbox way.

The iOS update packages must come from a range of web servers, and if you could find those specific addresses, mask them into a deny policy and test... it might just work.
But there are almost certainly going to be unexpected gotchas, such as other app updates being blocked.

Haven't tried it, so I cannot give a definitive answer.

Ruckus will give you basic traffic throttling but not much more, unless you can find some really creative way to achieve what you are asking. That's filter/firewall/traffic management stuff.

=============
Just googled iOS update servers...

Software Update must communicate with Apple's update servers in order to download and install updates. Ask your network administrator to allow the following server addresses on your DNS and proxy servers.

  • swcdn.apple.com
  • swdownload.apple.com
  • swquery.apple.com
  • swscan.apple.com
=============

Hmm?
Maybe blocking swscan.apple.com might be enough.

Test, test and test, then expect the unexpected!
Hisham Matni
Thanks for the reply.
I tried adding those servers into an ACL and applied it on the WLAN, but iOS devices were still able to check the update server.

I also tried
- mesu.apple.com
- appldnld.apple.com

That didn't work either.
Max O'Driscoll, AlphaDog
It might be worth blocking something specific first to check that the denial rules get applied, e.g.
www.bmw.com

then see if you can access that site from an iPad.
Sometimes things don't always do what you expect.
Hisham Matni
It is worth noting that some rules require some time to be applied. My access list looks like this, and iOS devices are not able to communicate with the update server:

- mesu.apple.com
- appldnld.apple.com
- swscan.apple.com
- swquery.apple.com
- swdownload.apple.com
- swcdn.apple.com

Max O'Driscoll, AlphaDog
Great, I think that counts as a result.
Max O'Driscoll, AlphaDog
This is an Apple list of ports used (quite long):

https://support.apple.com/en-gb/HT202944

You might be able to find one that interrupts update communication but doesn't mess up anything else - it's a long shot.

Also, just in case you haven't seen this info...

From the Zone Director online help guide:
=================
Configure Application Denial Policies

This option allows the administrator to deny application access by blocking any HTTP host name or L4 port. Using application denial policies, administrators can block specific applications if they are seen to be consuming excessive network resources, or enforce network usage policies such as blocking social media sites.

The following usage guidelines need to be taken into consideration when defining Application Denial Policies:

  • “www.corporate.com” – This will block access to the host web server at the organization “corporate.com”, i.e. the FQDN. It will not block access to any other hosts such as ftp, ntp, smtp, etc. at the organization “corporate.com”.

  • “corporate.com” – This will block access to all hosts at the domain “corporate.com”, i.e. it will block access to www.corporate.com, ftp.corporate.com, smtp.corporate.com, etc.

  • “corporate” – This will block access to any FQDN containing the text “corporate” in any part of the FQDN. Care should be taken to use as long a matching string as possible, to prevent inadvertently blocking sites that contain a shorter string match; i.e. if the rule is “net”, this will block access to any sites that have the text “net” in any part of the FQDN or “.net” as the FQDN suffix.

  • “*.corporate.com” – This is an invalid rule. Wildcard “*” and other regular expressions cannot be used in any part of the FQDN.

  • “www.corporate.com/games” – This is an invalid rule. The filter cannot parse and block access on text after the FQDN, i.e., in this example it cannot filter the micro-site “/games”.

Notes:
  • Many global organizations have both a “.com” suffix and a country-specific suffix such as “.co.uk”, “.fr”, “.au”, etc. To block access to, for example, the host web server in all region-specific web sites for an organization, a rule like “www.corporate” could be used.

  • Many global organizations use distributed content delivery networks such as Akamai. In such cases creating a rule such as “www.corporate.com” may not prevent access to the entire site. Further investigation of the content network behavior may need to be undertaken to fully prevent access.

When using Port based rules:

There is no distinction between the TCP and UDP protocols, so care should be taken when blocking a specific application port: the rule will apply to both IP protocols and may inadvertently block another application using the other protocol.

To create an Application Denial Policy:

  1. Go to Configure > Access Control.

  2. Expand the Application Recognition and Filtering section.

  3. In Application Denial Policy, click Create New to create a new policy.

  4. Enter a Name and optionally a Description for the policy.

  5. In Rules, click Create New to create a new rule for this policy.

  6. In Application, Select HTTP Domain Name or Port.

  7. In Description, enter the domain name or port number for the application you want to block.

  8. Click Save to save the rule, and click OK to save the policy.

Applying an Application Denial Policy to a WLAN

Once an Application Denial Policy is created, use the following procedure to apply it to one or more WLANs:

  1. Go to Configure > WLANs, and click Edit next to the WLAN you want to configure.

  2. Expand the Advanced Options section, and locate the Application Visibility section.

  3. Ensure that the Enable check box is enabled.

  4. Select the policy you created from the Apply Policy Group list.

  5. Click OK to save your changes.

=================
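The help text above documents the matching semantics (plain substring match on the HTTP host name, no wildcards, nothing after the FQDN, port rules hitting TCP and UDP alike) but gives no way to preview them. The following is an added example, not Ruckus code: it models those documented rules so an administrator can see which host names a rule such as "apple.com" or "net" would actually deny before applying the policy to a WLAN. The sample host list is constructed from the thread.

```python
"""Preview what a Zone Director Application Denial Policy rule would block.

Added example modelling the behaviour the quoted help text documents;
it is not Ruckus code and does not talk to a controller.
"""
from typing import Dict, Iterable, List

# Characters the help text says the filter cannot parse (wildcards / regex).
_REGEX_CHARS = set("*?[]()|^$+\\")


def is_valid_rule(rule: str) -> bool:
    """A rule is a bare FQDN fragment: no wildcards/regex and no path or port."""
    r = rule.strip().lower()
    if not r or _REGEX_CHARS & set(r):
        return False  # empty, or "*.corporate.com": documented as invalid
    return "/" not in r and ":" not in r  # "www.corporate.com/games": invalid


def host_rule_blocks(rule: str, hostname: str) -> bool:
    """Documented semantics: the host is denied when the rule text occurs
    anywhere in the FQDN. "corporate.com" thus also catches ftp.corporate.com,
    and a short rule like "net" catches every host containing 'net'."""
    if not is_valid_rule(rule):
        raise ValueError(f"rule cannot be parsed by the filter: {rule!r}")
    return rule.strip().lower() in hostname.strip().lower()


def port_rule_blocks(rule_port: int, port: int, proto: str) -> bool:
    """Port rules make no TCP/UDP distinction: the port is denied for both."""
    if proto.lower() not in ("tcp", "udp"):
        raise ValueError("proto must be tcp or udp")
    return rule_port == port


def preview(rules: Iterable[str], hostnames: Iterable[str]) -> Dict[str, List[str]]:
    """Map each rule to the hostnames it would deny, to spot collateral blocking."""
    hosts = list(hostnames)
    return {r: [h for h in hosts if host_rule_blocks(r, h)] for r in rules}


# Constructed sample: the Apple hosts named in the thread plus unrelated names.
SAMPLE_HOSTS = ["swscan.apple.com", "mesu.apple.com", "appldnld.apple.com",
                "www.bmw.com", "www.example.net", "internet.example.org"]

if __name__ == "__main__":
    for rule, hit in preview(["swscan.apple.com", "apple.com", "net"], SAMPLE_HOSTS).items():
        print(f"{rule!r:20} -> {hit}")
```

Running it shows that "apple.com" denies every Apple host in the list, while "net" also catches internet.example.org, which is exactly the over-matching the help text warns about.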