Hope you're keeping well.
A number of our customers ask what we can provide in terms of managing 'patches' or updates to operating systems such as Windows, iOS, Mac OS and Android. The situation varies per platform, so here is some more detail. Just as a heads-up, there are significant differences in what we can do on each platform, depending on what that platform allows us to do. I've put in as many links to documentation and training as I could find; if you find anything else (IBM documentation only) or any corrections/modifications are needed, please let me know.
** Please note this document refers to operating systems only and not patching / updating apps, which I will cover in another blog **

General observations about updates
Many platforms have prerequisites for a system update to occur: the device is powered on, has sufficient battery and/or is connected to mains power, has an Internet connection, and has sufficient disk space (the disk must not be almost full; this may not be a specified requirement, but in practice the update won't install if the device has very little remaining space). As you may have seen, some devices will say "update was not installed" if any of these criteria were not met; you can then retry the installation on the following day by ensuring that all the criteria are met.
Regarding policy settings: where you want to switch on OS update controls in a device policy, remember to save and publish your changes so they are pushed out to devices! As always, devices need to be powered up and connected in order to receive policy changes.

Android
What you need to remember here is that while Google makes the Android platform, there are many hardware manufacturers, each with their own approach. At a general Android level you can postpone updates for up to 90 days, and set a time window during which updates can be installed (for example at night, or at a time when your production devices are not in use). The documentation below refers to Android Enterprise only; if you're still on Device Admin mode, please plan your Android Enterprise migration soon, this is urgent! Documentation on this is below too. Please note that controlling OS updates requires full-device control, so it works only on devices enrolled in Device Owner mode, not in Profile Owner mode. In addition, different settings were released with different OS versions (a setting only works from that version onward), so please check the version shown beside each individual setting in the policy.

Android / Samsung
While most manufacturers of Android devices don't offer this (some have tried and discontinued it), Samsung do have a capability to manage Android OS updates that is a lot more specific and resembles Windows patch management in some respects. Please note that Samsung KNOX e-FOTA ONE is a paid feature (a trial is possible, see the Samsung link below) and requires the installation of an app.
This has recently been rebranded: KNOX e-FOTA has been deprecated by us, as it has by Samsung, in favour of the new KNOX e-FOTA ONE. While you used to be able to configure this directly in MaaS360, Samsung's new approach is to configure the integration on their side, so see the documentation below. What you do need to know is that this uses a Web Services API call which 'calls in' to the MaaS360 platform to send and receive data. A Web Services key needs to be set up; you can request this through Support, who will also provide you with the most recent document explaining how to configure the web 'calls' you need to make. See the documentation links below. If you think this needs its own blog to help with setup, let me know below.
iOS

Although Apple make both the hardware and the software, there is not a huge amount of configuration available. Our iOS security policy allows you to postpone OS updates for a specified period (up to 90 days), which means the user would not get the update on the day it is released, but on that day plus the period you specify. This is restricted to Supervised devices only (devices enrolled via Apple Configurator, or via DEP in ASM or ABM).
MacOS

In the MacOS policy settings you must check the box "Configure App Store Settings" in order for the "Install OS X updates" box to become visible. Please note there is also a user-level control in the MacOS policy under Restrictions > System Preferences: if you don't check "Configure Device Restrictions" and then "Software update", the user will not see update settings in System Preferences (you may wish this to be the case, in which case just leave it switched off).
Windows

The situation here is well managed by Microsoft using Windows Update. We have used this to advantage: you can manage updates to Windows computers and tablets in quite a granular and specific way. So if you want to be specific about which patches to push out, or not, depending on app compatibility or other known issues, this helps you manage it for some or all devices.
That's all for now folks! If you have any feedback please let me know.

Documentation
- (Document) System Update settings for Android: https://www.ibm.com/docs/en/maas360?topic=device-system-update-settings
- (Training - includes other items) System update settings for Android Enterprise: https://www.securitylearningacademy.com/enrol/index.php?id=5187
- Training (48 mins) - Android Enterprise: https://www.securitylearningacademy.com/course/view.php?id=5478
- Training (10 mins) - Android Enterprise policies: https://www.securitylearningacademy.com/course/view.php?id=4621
- Webinar series / blog on Community with links: https://community.ibm.com/community/user/security/blogs/ciaran-darcy/2022/05/12/android-enterprise-webinars
- OS update settings for iOS: https://www.ibm.com/docs/en/maas360?topic=device-restrictions-network (please note there is only one setting and this is found at the very bottom of the page)
- Training (iOS policies, 1 hour 5 mins): https://www.securitylearningacademy.com/enrol/index.php?id=4646
- MacOS update settings: https://www.ibm.com/docs/en/maas360?topic=settings-software-update
- (Training, 10 mins) MacOS policies: https://www.securitylearningacademy.com/course/view.php?id=4673
- Document on Patch Management for MaaS360: https://www.ibm.com/docs/en/maas360?topic=devices-patch-management
- Patch Management for MaaS360 with Windows (quick video): https://www.youtube.com/watch?v=a0Wjxppeglc
- Patch Management for Windows devices (training course): https://www.securitylearningacademy.com/course/view.php?id=4777
- (Training, 5 mins) Configuring Windows policies: https://www.securitylearningacademy.com/course/view.php?id=6627
- (Training, 10 mins) Applying a Windows 10 policy: https://www.securitylearningacademy.com/course/view.php?id=6732
- Announcement of deprecation (sunset) of Samsung KNOX e-FOTA: https://www.ibm.com/support/pages/node/6603003
- Link to all Android Enterprise webinars: https://community.ibm.com/community/user/security/blogs/ciaran-darcy/2022/05/12/android-enterprise-webinars
- Samsung documentation on the new KNOX e-FOTA ONE: https://docs.samsungknox.com/admin/efota-one/welcome.htm
- Connecting e-FOTA ONE to MaaS360: https://docs.samsungknox.com/admin/efota-one/emm-connect-ibm.htm#

Other IBM features (related to items discussed above)
- Web Services API: https://www.ibm.com/docs/en/maas360?topic=services-maas360-api-reference-web
- Training course (45 mins): https://www.securitylearningacademy.com/course/view.php?id=5483