IBM Security MaaS360


IBM MaaS360: configuring patches and updates to device operating systems

By Eamonn O'Mahony posted Tue November 15, 2022 05:40 AM


Hi all

*** Blog updated 25th October 2023 ***

Hope you're keeping well. 

A number of our customers ask what we can provide in terms of managing 'patches', or updates, to operating systems such as Windows, iOS, Mac OS and Android. The situation varies per platform, so here is some more detail. Just as a heads-up, there is a significant difference in what we can do per platform, depending on what each platform allows us to do. I've put in as many links to documentation and training as I could find. If you find anything else (IBM documentation only) or any corrections/modifications needed, please let me know. 
** Please note this document refers to operating systems only and not patching / updating apps, which I will cover in another blog **

General observations about updates
Many platforms have prerequisites for system updates to occur: the device is powered on, has sufficient battery power and/or is connected to mains power, has an Internet connection, and has sufficient disk space (a nearly full disk may not be a specified requirement, but in practice the update won't install if the device has very little remaining space). As you may have seen, some devices will report "update was not installed" if any of these criteria were not met; you can then retry the installation on the following day, making sure the criteria are all met. 
Regarding policy settings: where you switch on OS update controls in a device policy, remember to save and publish your changes so they are pushed out to devices! As always, devices need to be powered up and connected in order to receive policy changes. 

Android

Policy settings: Android policy / Android Enterprise settings / System Update Settings
The approach for Android is quite fragmented: Google allows the hardware manufacturers and the network (cell) operators to decide which devices get which updates, so each manufacturer and operator has its own approach. We have seen in practice two devices of the same make and model where one could receive an Android update and the other couldn't; this came down to the mobile operator each device was contracted to.  

The configuration below is for Android Enterprise only: if you still have devices in Device Admin mode, please plan your Android Enterprise migration soon, this is urgent! Documentation on this is below as well. In Android Enterprise, the ability to control OS updates requires full-device control, so it works only on Device Owner mode or WPCO-enrolled devices, and not on Profile Owner. You will also find that some policy settings are only available from a certain Android version onwards, meaning they will only work for devices with that version or later; this is shown in a text box below the configuration field. 

Update options in the Android policy: there are several settings here which Google allows you to configure and which we support. 

You will find these settings in the Android device policy, under Android Enterprise settings / System Update Settings

  • Install immediately: if an OS update is available, the install begins as soon as the device is notified.
  • Install during maintenance window: if you set this, the start time and end time define the time of day during which updates may happen; they will not happen outside of this window. For example, if devices are returned to 'base' or not used at night-time, you could set night-time hours so that updates happen only then.
  • Postpone updates: with this setting you can prevent updates from happening for 30 days maximum (previously 90); after this period the updates will start immediately. 
  • Configure Freeze Period: is there a date range during which you don't want any software updates? If so, set the start and end dates for it. After this period, the updates will begin immediately. 
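To make the four modes concrete, the following Python model is an added example (not part of the original post, and not MaaS360 or Google code) that decides whether an available update may install at a given moment under each setting; the policy dictionary keys, the overnight window and the year-end freeze period are constructed for illustration.

```python
from datetime import date, datetime, time, timedelta

# Illustrative model of the four Android Enterprise "System Update Settings"
# modes described above (install immediately, maintenance window, postpone,
# freeze period). Constructed for this post; not MaaS360 or Google code.
POSTPONE_MAX_DAYS = 30  # current ceiling noted above (previously 90)

def in_window(clock, start, end):
    """True if clock time lies in [start, end); a window such as 22:00-06:00
    wraps past midnight (the 'devices idle at night' case)."""
    if start <= end:
        return start <= clock < end
    return clock >= start or clock < end

def in_freeze(day, freeze_periods):
    """True if the calendar date falls inside any (start_date, end_date) range."""
    return any(s <= day <= e for s, e in freeze_periods)

def update_allowed(policy, now, available_since):
    """Decide whether an OS update offered at 'available_since' may install at 'now'.

    policy keys (constructed): mode ('immediate' | 'window' | 'postpone'),
      window=(start_time, end_time), postpone_days=int,
      freeze_periods=[(start_date, end_date), ...]
    """
    if in_freeze(now.date(), policy.get("freeze_periods", [])):
        return False                      # no updates inside a freeze period
    mode = policy["mode"]
    if mode == "immediate":
        return True
    if mode == "window":
        start, end = policy["window"]
        return in_window(now.time(), start, end)
    if mode == "postpone":
        days = policy.get("postpone_days", POSTPONE_MAX_DAYS)
        if not 0 < days <= POSTPONE_MAX_DAYS:
            raise ValueError(f"postpone_days must be 1..{POSTPONE_MAX_DAYS}")
        return now >= available_since + timedelta(days=days)
    raise ValueError(f"unknown mode {mode!r}")

# Constructed sample: overnight maintenance window plus a year-end freeze.
NIGHT_POLICY = {"mode": "window", "window": (time(22, 0), time(6, 0)),
                "freeze_periods": [(date(2023, 12, 20), date(2024, 1, 5))]}
```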

Android / Samsung

While most manufacturers of Android devices don't have this (some have tried and discontinued it), Samsung do have a capability to manage updates to the Android OS that is a lot more specific. Please note that Samsung KNOX E-FOTA is a paid feature (a trial is possible, see the Samsung link below) and requires the installation of an app. Samsung have changed the way this feature works, and you now configure it on their website. It's called KNOX E-FOTA.

Because you now configure this on Samsung's website, the information required on the MaaS360 side is minimal. Samsung's new approach is to configure the integration on their side, so see the documentation below. What you do need to know is that this uses a Web Services API call which 'calls in' to the MaaS360 platform to send and receive data. To set up KNOX E-FOTA with MaaS360, you need a Web Services key, which you can get from Support: once you have created a dedicated admin account, ask Support to switch on Web Services and create the key. Support will also provide you with the most recent documentation on Web Services (REST API). 

Android / all other manufacturers

Unfortunately, no other Android device manufacturer has this capability. If you would like a (non-Samsung) device manufacturer to provide this, please reach out through the company from which you purchase your devices to raise it as a feature request directly with the manufacturer. 

iOS

Policy settings: iOS policy / Supervised Settings / Restrictions & Network / Software Updates Force Delay Settings
Because Apple make both the hardware and the software, the configuration is relatively simple. Your policy settings allow you to postpone OS updates for a specified period (between 1 and 90 days). As a result, the user does not get the update on the day it is released, but on that day plus the period you specify.

This is restricted to Supervised devices only (where you have enrolled the device via Apple Configurator or via DEP in ASM or ABM). Remember that Apple have started restricting OS possibilities for older device models, so there is less possibility of obtaining recent updates on them; see the Apple document link below. 

Mac OS

MacOS policy: Restrictions / System Preferences / Configure Device Restrictions / Software Update

If you want to configure OS update settings for MacOS, you must open the MacOS device policy and enable "Configure App Store Settings" in order for the "Install OS X updates" box to become visible. Please note there is also a user-level control in the MacOS policy, in Restrictions > System Preferences: if you don't check "Configure Device Restrictions" and then "Software Update", the user will not see update settings in System Preferences (you may wish this to be the case, in which case just leave it switched off). 

Windows

Policy settings: Windows policy / Device Settings / Update Management
Here the situation is well managed by Microsoft using Windows Update. We have worked with Microsoft to make sure you can configure your Windows PCs using a MaaS360 Windows policy. There are a number of settings here which you should spend some time reviewing; they allow for a lot of precision. 

That's all for now folks! If you have any feedback please let me know. 

Documentation
Android

  • (Document) System Update settings for Android: https://www.ibm.com/docs/en/maas360?topic=device-system-update-settings
  • (Training - includes other items) System update settings for Android Enterprise: https://www.securitylearningacademy.com/enrol/index.php?id=5187
  • Training (48 mins) - Android Enterprise: https://www.securitylearningacademy.com/course/view.php?id=5478
  • Training (10 mins) - Android Enterprise policies: https://www.securitylearningacademy.com/course/view.php?id=4621
  • Webinar series / blog on Community with links: https://community.ibm.com/community/user/security/blogs/ciaran-darcy/2022/05/12/android-enterprise-webinars

iOS

  • OS update settings for iOS: https://www.ibm.com/docs/en/maas360?topic=device-restrictions-network (please note there is only one setting and this is found at the very bottom of the page)
  • Apple information about iOS updates: https://support.apple.com/en-us/HT204204
  • Training (iOS policies, 1 hour 5 mins): https://www.securitylearningacademy.com/enrol/index.php?id=4646

MacOS

  • MacOS update settings: https://www.ibm.com/docs/en/maas360?topic=settings-software-update
  • (Training, 10 mins) MacOS policies: https://www.securitylearningacademy.com/course/view.php?id=4673

Windows

  • Document on Patch Management for MaaS360: https://www.ibm.com/docs/en/maas360?topic=devices-patch-management
  • Patch Management for MaaS360 with Windows (quick video): https://www.youtube.com/watch?v=a0Wjxppeglc
  • Patch Management for Windows devices (training course): https://www.securitylearningacademy.com/course/view.php?id=4777
  • (Training, 5 mins) Configuring Windows policies: https://www.securitylearningacademy.com/course/view.php?id=6627
  • (Training, 10 mins) Applying a Windows 10 policy: https://www.securitylearningacademy.com/course/view.php?id=6732

OEM

Google

  • Our training series on Android Enterprise: https://community.ibm.com/community/user/security/blogs/ciaran-darcy/2022/05/12/android-enterprise-webinars

Samsung

  • Announcement of deprecation (sunset) of Samsung KNOX E-FOTA: https://www.ibm.com/support/pages/node/6603003

Please note this relates to the previous version of KNOX E-FOTA and not the current version, which is therefore still supported in the new setup (described above). 

Other IBM features (related to items discussed above)

  • Web Services API: https://www.ibm.com/docs/en/maas360?topic=services-maas360-api-reference-web
  • Training course (45 mins): https://www.securitylearningacademy.com/course/view.php?id=5483