How to block iOS upgrade over your network?

Aruba Employee
Aruba Employee

Introduction :


When Apple introduces new iOS versions, customers are worried about client devices going for upgrade and choking network.

This article will look at options available with AppRF and without AppRF.


Feature Notes:


AppRF2.0 (Deep packet Inspection) was introduced in AOS in 6.4 and 4.1 in Instant OS.


Environment :


Controller based solution where  Network Administrator would like to block any iOS update through the corporate network.


Network Topology :


Internet ========  Controller ----------- AP ))))) End user


Configuration Steps :


Option 1: 6.4 and above
With AppRF 2.0 we have an easier known option of blocking apple update.

With DPI it would be possible to block ios ota updates. Adding the below ACL to the user role would ensure that iOS update is not allowed.

(Master) (config) #ip access-list session ios-upgrade-block
(Master) (config-sess-ios-upgrade-block)#any any app apple-update deny
(Master) (config-sess-ios-upgrade-block)#any any app ios-ota-update deny
AppRF based bandwidth contract can also be used if desired.

Option 2: Pre 6.4
Challenge is when customers don’t have DPI.
Since Apple could changes the host servers for ios updates, most likely it would be working with DPI because of the URI check.
Without DPI it’s not possible to block based on the content of URI.
So the only solution to block ios ota updates is to detect the target servers.
To achieve the same create a netdestination with relevant host names and deny traffic destined to these servers:
On doing a packet capture during checking for updates, it was found that the iOS devices use was also recommended to be blocked. So below action is recommended to positively block ios clients from upgrading. This is on best effort and may change in the future.
(Aruba7210) (config) #netdestination ios_ota
(Aruba7210) (config-dest) #name
(Aruba7210) (config-dest) #name
(Aruba7210) (config-dest) #exit
Create ACL to block above netdestination and apply it to required roles.
(Aruba7210) (config) #ip access-list session ios_ota_update
(Aruba7210) (config-sess-ios_ota_update)#any alias ios_ota any deny


Verification :


To verify, check if the user is falling in to the right role with the above denied access and try updating iOS image.

Please check the same if the client traffic to the above mentioned servers are seen and "show datapath session" shows that the traffic is denied.


Troubleshooting :


While troubleshooting you can use the below commands.

a) Show acl hits  <- to see if the corresponding ACLs are getting hit during attempt for iOS upgrade
b ) To enable logging               

(Master) (config) #logging level debugging security process fw_visibility
(Master) #show log security all
Version history
Revision #:
1 of 1
Last update:
‎11-10-2014 03:38 AM
Updated by: