Maximizing your Protection from iOS Vulnerabilities


Techniques to rapidly patch fleets of iPhones and iPads

Is iOS 10 secure? Without doubt. Vulnerabilities are discovered, and Apple diligently releases patches. In the year since they released iOS 10, Apple documented a whopping 307 security vulnerabilities patched by its software updates. This isn’t to say that iOS is insecure. On the contrary, Apple’s attentiveness and quick responses make iOS arguably the most secure widely used operating system in history.


Increasingly, CIOs and CISOs are acknowledging the importance of this issue. Leading companies have created business requirements for all mobile devices to receive security patches within 30 days of release. This makes a lot of sense, especially when money or personal information could be affected, since staying current mitigates operational risk. It may even be a regulatory requirement for your industry.

This aggressive patching strategy is a far cry from the legacy strategy of trying to prevent software updates, to avoid potential compatibility problems. The failure to patch is at the heart of many of the most notorious data breaches in retail and healthcare in the last few years. Don’t be like them.

So, Apple is doing its part by researching and releasing patches. But are those patches getting onto your devices?

Patching by Employees

Most businesses try to rely on device users — employees, staff, teachers. But voluntary compliance is unreliable compliance. Take a quick poll around your home or office, and ask to see the Settings icon on the home screen. Does it have a “1” in a red badge? If so, someone hasn’t been keeping their device up to date.

Patching by MDM

Recent updates by Apple now allow your MDM system to push updates to devices, but ONLY under very specific conditions: Devices must have been activated using Apple’s Device Enrollment Program (DEP) and supervised. If your devices meet these criteria, then great! You are able to leverage your MDM to schedule updates. But the vast majority of iPhones and iPads in business today don’t meet these criteria. And there are other considerations.

Network Bandwidth Constraints

Unorganized patching can cause a tremendous strain on your network. Major iOS updates weigh in at 1.5GB to 2GB. (Minor updates can be smaller.) Multiply that by hundreds of devices per building, and you could be pushing tens or hundreds of gigabytes down your WAN and over your WiFi radios. For most of us, this sort of traffic is at best annoying, and at worst extremely disruptive to critical operations.

Timing Constraints in Healthcare

Hospitals face a unique issue with MDM-initiated patching: timing. Hospitals are open 24 hours, of course. And MDM systems don’t report whether devices are idle or in use. As iPhones become more critical for clinical care, it becomes more and more risky for an IT admin to push an update command to devices, a command that could disable devices for 5 to 10 minutes.

So is there no good time to update? It turns out that one time is perfect: while devices are charging.

Patching with GroundControl

GroundControl performs device operations, such as iOS Update, while devices are charging.


GroundControl downloads the correct patches you need for your corporate-liable devices once, and only once. It caches all files locally and delivers to devices via USB, sparing both your WAN and your WiFi. All your users need to do is to plug in via USB — to a hub or to a cart — and in a matter of five minutes or so the updates are safely applied, preserving all apps and user data. No screen touch is needed and no passcode unlock. One single policy is enough to manage every building in your organization.

You can monitor iOS update compliance using our web-based administration, seeing who has and hasn’t updated at a glance. And for insurance, add a compliance rule to your MDM to begin reminding users and admins to perform their updates.

iOS Update Delay

In addition, GroundControl supports iOS Update Delay, a unique feature to delay iOS updates for a few days or even weeks. This gives you time to test compatibility with critical apps. GroundControl can even downgrade devices running non-compliant versions, such as beta software. In this way, iOS Update Delay increases security by encouraging good patching practices, allowing you peace of mind that every update will be a safe one.

GroundControl has the most robust tools in the industry for managing operating system updates, which as you’ve seen is a critical aspect of mobile device security. If you’d like to speak with a GroundControl engineer to improve your patching strategy, we encourage you to reach out to us today.