Some of my customers have reported problems while testing the imminent release of iOS 11, and they need to buy more time to fix the issues.
Since iOS doesn't give admins the means to block the update on managed devices, one customer-suggested workaround is to block the Apple update URL via a proxy PAC file, and Intune can deploy that!
This solution contains the details on how to configure and publish a proxy PAC file and use Intune to deploy the device settings via MDM. (Note: the PROXYPACURL configuration only works on supervised iOS devices, so if your devices are not supervised, stop reading here.)
Short Version
- Create a proxy PAC file that blocks connections to the Apple update service
- Deploy it to an Azure storage location so that it can be reached from anywhere on the internet
- Create a custom configuration profile in Apple Configurator containing PROXYPACURL (or use the one I prepared earlier)
- Deploy with Intune
Long Version
Step 1 – Create PAC File
- Create a simple proxy PAC file in Notepad and save it with a .pac extension
function FindProxyForURL(url, host) {
    if (host == "mesu.apple.com") return "PROXY 127.0.0.2:8080";
    else return "DIRECT";
}
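Before publishing the PAC file to a whole fleet it is worth replaying it against a few URLs offline, because a PAC that does not parse combined with ProxyPACFallbackAllowed=false leaves the device with no working connection. The harness below is an added example, not part of the original post: it compiles the Step 1 PAC text the way a client would and checks the decisions; the sample URLs (including the sub-host name) are constructed for the test.

```javascript
// Added example, not from the original post: offline check of the Step 1
// PAC logic before it is deployed via MDM.

// The PAC body exactly as written in Step 1.
const pacSource = `
function FindProxyForURL(url, host) {
  if (host == "mesu.apple.com") return "PROXY 127.0.0.2:8080";
  else return "DIRECT";
}`;

// Compile the PAC text in its own function scope, as a PAC client does,
// and hand back FindProxyForURL. Returns null if the PAC does not parse;
// on a device with ProxyPACFallbackAllowed=false that means no traffic.
function loadPac(source) {
  try {
    return new Function(source + "\nreturn FindProxyForURL;")();
  } catch (e) {
    return null;
  }
}

// A client passes the full URL plus the bare host name (no port, already
// lower-cased by URL parsing) into FindProxyForURL; mirror that here.
function decide(findProxy, urlString) {
  const host = new URL(urlString).hostname;
  return findProxy(urlString, host);
}

// Replay every sample URL; returns { url: decision }, or null for a bad PAC.
function evaluate(urls, source = pacSource) {
  const findProxy = loadPac(source);
  if (findProxy === null) return null;
  const decisions = {};
  for (const u of urls) decisions[u] = decide(findProxy, u);
  return decisions;
}

// Constructed sample traffic: the update host in a few spellings, a
// hypothetical sub-host (not a real name) to show the rule is an exact
// match, and ordinary traffic that must stay DIRECT.
const sample = [
  "https://mesu.apple.com/assets/update.xml",
  "https://MESU.APPLE.COM:443/",
  "https://sub.mesu.apple.com/",
  "https://www.apple.com/",
  "https://login.microsoftonline.com/",
];

console.log(evaluate(sample));
```

The sub-host line shows the limit of the `==` comparison: only the single host named in the PAC is sent to the black-hole proxy, everything else goes DIRECT.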
Step 2 – Deploy to an externally reachable location (Azure Blob)
1. Create a new storage account
2. Choose the location and redundancy options
3. Create a container
4. Choose Public Access Level: Container (anonymous read access for containers and blobs)
5. Select the container you created
6. Upload the .pac file you created earlier
7. Select the uploaded file and copy its URL
8. Be sure to test that you can download the .pac file by pasting that URL into a browser
Step 3 – Create the iOS configuration profile
- On a Mac, use Apple Configurator to add the URL. (Create a new profile, go to Global HTTP Proxy, choose Auto and populate the Proxy PAC URL field with the URL from above.) The exported .mobileconfig looks like this; replace the placeholder with your PAC URL:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Global HTTP Proxy</string>
<key>PayloadDisplayName</key>
<string>Global HTTP Proxy</string>
<key>PayloadIdentifier</key>
<string>com.apple.proxy.http.global.831C4B26-60D4-4439-9782-8592CF4D72E0</string>
<key>PayloadType</key>
<string>com.apple.proxy.http.global</string>
<key>PayloadUUID</key>
<string>831C4B26-60D4-4439-9782-8592CF4D72E0</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>ProxyCaptiveLoginAllowed</key>
<false/>
<key>ProxyPACFallbackAllowed</key>
<false/>
<key>ProxyPACURL</key>
<string>***add your URL here***</string>
<key>ProxyType</key>
<string>Auto</string>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Untitled</string>
<key>PayloadIdentifier</key>
<string>MACBOOK-AIR.C09CB472-D91F-465A-958A-36DD4D0C5748</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>8556FACD-146D-4DD7-97CE-F4F23F465992</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Step 4 – Deploy with Intune
1. Go to the Intune portal (portal.azure.com), select Configuration Profiles, create a new configuration profile, select iOS, Custom, give the profile any name and select the .mobileconfig file that you exported from Configurator (or created using the snippet above).
2. After the profile is created, assign it to a deployment group of your choice.
Test it out on the device:
On the next MDM sync, your supervised iOS devices should have the configuration profile that blocks access to the Apple update endpoint (mesu.apple.com).
Test it out by putting mesu.apple.com into a browser. (It should time out.)
Props to the guys who helped put this solution together (Nick L, Mat D and Tim L).