This practical entry briefly outlines how to force or defer OS Update for Apple iOS devices (iPhones, iPads). There are two completely opposite use cases for this:
- Critical 0-day vulnerability – must force push OS Update to patch the devices
- Business critical apps not tested with the latest iOS update – must delay/disallow update before testing. This is a better known challenge to Apple device managers, since typically user is allowed to update manually.
Checking updates (single device)
This is useful when troubleshooting / managing a single device. In the Device Details choose More Actions -> OS Updates. This will poll the device for updates and report them in the Available OS Updates section. (click to enlarge)

Forcing Updates (single / multiple devices)
To force an update choose a single device (Details View) or Multiple Devices (List View) and choose More Actions -> iOS Update. This will bring up a dialog that will allow you to choose how you want to update (Download and Install, Download only, Install only).
Note that the device(s) must be iOS 10.3+ and Supervised, or iOS 9+ Supervised + DEP-enrolled for this to work!

For multi-device selection, you may choose any iOS devices, but the update will only start for the devices listed above (Supervised etc). If you choose any non-iOS devices – the option will disappear.

The resulting dialog is the same for single/multiple devices

Deferring OS Updates
Finally, to defer iOS Updates, simply configure the Defer Updates setting in your Restrictions profile payload. You may defer for up to 90 days (per Apple’s decision), device must be iOS 11.3+ and Supervised.

Summary
This is it! You now know how to both force and defer iOS OS updates for single and multiple devices. The key thing to remember is that device must be Supervised in all cases. DEP (Device Enrollment Program) rules!