Today (9/17/14) brings iOS 8 which many of us saw cripple our networks during the rollout of iOS 7.
Since that time, there are new features that can help you handle this traffic.
With AOS 6.4+ and any 7 series controller with DPI enabled (under global firewall settings), you can block or throttle iOS update traffic at the global level or by user-role.
Here are some examples:
BLOCK - USER-ROLE
Create a new ACL (like below) and apply it to a user-role(s). Also, make sure DPI is enabled for the user-role.
BLOCK - GLOBALLY
Under Security > Firewall Policies, find the "global-sacl" ACL.
THROTTLE - USER-ROLE
(Make sure you have a bandwidth contract defined - Advanced Services > Stateful Firewall > Bandwidth Contracts. You can also create one from the drop down.)
THROTTLE - GLOBALLY
This must be done at the CLI level
(config) # dpi global-bandwidth-contract app ios-ota-update downstream mbits 1
(config) # dpi global-bandwidth-contract app ios-ota-update upstream mbits 1
(config) # dpi global-bandwidth-contract app apple-update downstream mbits 1
(config) # dpi global-bandwidth-contract app apple-update upstream mbits 1