Keep your Apple-devices up to date with MEM

Posted in : Intune, Microsoft By Sebastian Stegrin Translate with Google ⟶

2 years ago

Some days ago, information was released that Apple-devices that didn’t use the latest version of their respective OS was vulnerable. In this article I will describe one way to keep your Apple-devices up to date.

I will start of by list some links to the exploits that is the real reason why I write this article.

• https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/
• https://us-cert.cisa.gov/ncas/current-activity/2021/09/13/apple-releases-security-updates-address-cve-2021-30858-and-cve
• https://support.apple.com/en-us/HT212807

I will combine the use of both Compliance Policies and iOS – Update Policy, unfortunately there is no built-in policy to update macOS yet without scripts.

If we start by looking at the iOS – Update Policy, here’s what I did. Note that this only work for Apple Business Managed-devices, for further actions against non Apple Managed-devices, see next step.

Update policies for iOS/iPadOS

1. Go to Microsoft Endpoint Manager, Devices and Update policies for iOS/iPadOS.
2. Create a new profile. In this example we will name it: iOS – Lastest update
3. At the option Select version to install we will choose Latest update to always keep our devices up to date with the latest.
4. Schedule type will be Update outside of schedule time, so we can schedule when we normally work and let the device update outside work hours.
5. Assign the policy to a group that include all your devices.

Compliance Policy

The Compliance Policy will basically tell you as an administrator and user that the device is not compatible with the organizations policies if it isn’t up to date. By marking a device as Not Compliant you could configure limitations to the device, like turn off all access to company resources. This will help you to keep devices that aren’t managed by the Apple Business Manager-program updated with the help from the users themselves.

1. To configure a Compliance Policy go to Microsoft Endpoint Manager, Devices, iOS/iPadOS devices and Compliance policies.
2. Create a new policy, in my example I will name it to: iOS – Baseline
3. In the Compliance Settings, go to Device Properties, Operating System Version and choose what Minimum OS version you would like to use, in this example we will type in 8 because that is the solution to the exploit listed above.
4. We will then choose what actions to proceed with when the device is noncompliant. In my example we will mark the device as noncompliant after 2 days, this will give the user a 2-day opportunity to update the device before it’s marked as noncompliant. We will also send an email with instructions immediately to the user with some instructions on how to update the device. After 1 day we will send a push notification to the end user to remind them to upgrade.

You can now configure basically a copy of the compliance policy for your macOS devices.

I hope that this will help you in keeping your organization safe and up to date.

If there is any questions, feel free to leave a comment or contact me on LinkedIn. 🙂

Tags : Apple, Exploit, Intune, iOS, iPad, iPhone, Mac, macos, MEM