Feature Request - Scheduled & Forced iOS Updates

beks88
A model citizen

I would like to be able to schedule iOS Updates so it will be installed over night. This should also enable a force update feature.

PeterJames
Head in the Cloud

beks88
A model citizen

That's a good point, thank you. But the problem of a locked iOS device still persists, because update commands require the device to be unlocked. The question is if there is a way to bypass this and install the iOS update silently.

sshort
Building a reputation

It's an Apple-enforced restriction that iOS devices need to be unlocked (with the display on) to receive these update commands.

PeterJames
Head in the Cloud

Hi @beks88 ,

 

To expand on the answer by @sshort: page 77 of the Apple MDM Protocol documentation states that the install later command is only available for macOS.

 

MDM Protocol Documentation

 

If you really need to do this, I would:

 - Day 1 morning: remove any lock requirements and push 'Clear Lock' on all devices (individually)
 - Day 1 midnight: push iOS update
 - Day 2: re-apply the lock profile to force a new PIN to be set

 

However, if you are upgrading from iOS 10/11 to 12, the end-user will be required to manually press Next to get past the update screens.


Thank you,
Peter James

beks88
A model citizen

Thanks to all. I also had the idea of clearing the lock, but wouldn't this be a security issue? 🙂

 

I would like to achieve no user interaction.

 

Refer to these docs on AirWatch; as far as I know, JAMF supports it also.

https://docs.vmware.com/en/VMware-AirWatch/9.1/vmware-airwatch-guides-91/GUID-AW91-ManagingOSUpdates...

PeterJames
Head in the Cloud

Hi @beks88 ,

 

If you are going to iOS 12 from a prior major build, it will require user interaction.

 

VMAirwatch also assumes there is no device lock. And how they achieve this is by scheduling the update command to be sent to the device at a later time. This is not Apple doing this but VM AirWatch.

 

The Meraki feature that may achieve this would be the DoNotDisturb that I previously linked, although I have not tried iOS updates myself.

 

Thank you,

Peter James

beks88
A model citizen

@PeterJames yes, you are right, AirWatch also needs an unlocked device.

 

I'll give your approaches a try ASAP. But honestly, clearing the passcode, sending/forcing updates and then forcing the user to set a password again isn't really the best way :).

PeterJames
Head in the Cloud

@beks88 

 

I completely agree - it is a horrible approach.

 

Here is the kicker that explains it all... Apple pride themselves on privacy and without this inbuilt protection the authorities could gain access to locked devices. This is why you see articles come up time and time again between certain US authorities and Apple over gaining access to devices. The amusing thing here however is that the authorities are just giving Apple more coverage / gaining more consumer trust...

 

I only mention the above as this is unlikely to change going forward, unless Apple consider DEP enrolled devices company owned (who nearly always have 'right to search' data/physical clauses) enough to give companies this control. But then this goes against their current motto of 'One [great] size fits all'...

 

Thank you,
Peter James

beks88
A model citizen

I fully agree with Apple's privacy concerns. But I still think there has to be a more admin- and user-friendly way to force the update on supervised devices.

A supervised device is still owned by the company and the user has the option to use it also for his private purposes.

It's different with BYOD and here I think the line should be drawn.

 

But never mind, I just hope Apple will rethink this, because leaving users on old iOS versions and not being able to force them to update is in a way also a security leak.

beks88
A model citizen

I tried the DND with Apple TVs.

 

When pushing OS updates through Devices dashboard, you can see a scheduled OS update message when viewing the device logs.

When entering the client and clicking on Install OS update, the device installs the update, doesn't matter if there is a DND policy.

 

Will take some time to test it in detail on iOS devices.
