How to block iOS upgrade over your network?
When Apple introduces new iOS versions, customers are worried about client devices going for upgrade and choking network.
This article will look at options available with AppRF and without AppRF.
AppRF2.0 (Deep packet Inspection) was introduced in AOS in 6.4 and 4.1 in Instant OS.
Controller based solution where Network Administrator would like to block any iOS update through the corporate network.
Network Topology :
Internet ======== Controller ----------- AP ))))) End user
Configuration Steps :
Option 1: 6.4 and above
With AppRF 2.0 we have an easier known option of blocking apple update.
With DPI it would be possible to block ios ota updates. Adding the below ACL to the user role would ensure that iOS update is not allowed.
(Master) (config) #ip access-list session ios-upgrade-block
(Master) (config-sess-ios-upgrade-block)#any any app apple-update deny
(Master) (config-sess-ios-upgrade-block)#any any app ios-ota-update deny
AppRF based bandwidth contract can also be used if desired.
Option 2: Pre 6.4
Challenge is when customers don’t have DPI.
Since Apple could changes the host servers for ios updates, most likely it would be working with DPI because of the URI check.
Without DPI it’s not possible to block based on the content of URI.
So the only solution to block ios ota updates is to detect the target servers.
To achieve the same create a netdestination with relevant host names and deny traffic destined to these servers:
On doing a packet capture during checking for updates, it was found that the iOS devices use mesu.apple.com. appldnld.apple.com was also recommended to be blocked. So below action is recommended to positively block ios clients from upgrading. This is on best effort and may change in the future.
(Aruba7210) (config) #netdestination ios_ota
(Aruba7210) (config-dest) #name appldnld.apple.com
(Aruba7210) (config-dest) #name Mesu.apple.com
(Aruba7210) (config-dest) #exit
Create ACL to block above netdestination and apply it to required roles.
(Aruba7210) (config) #ip access-list session ios_ota_update
(Aruba7210) (config-sess-ios_ota_update)#any alias ios_ota any deny
To verify, check if the user is falling in to the right role with the above denied access and try updating iOS image.
Please check the same if the client traffic to the above mentioned servers are seen and "show datapath session" shows that the traffic is denied.
While troubleshooting you can use the below commands.
a) Show acl hits <- to see if the corresponding ACLs are getting hit during attempt for iOS upgrade
b ) To enable logging
(Master) #show log security all