Solution

  • Workspace ONE

Type

  • Document

Level

  • Intermediate

Category

  • Operational Tutorial

Product

  • Workspace ONE UEM

OS/Platform

  • iOS

Phase

  • Manage

Managing iOS Updates: VMware Workspace ONE Operational Tutorial

VMware Workspace ONE UEM 1912

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment.

Workspace ONE UEM version 1912 introduced new functionality to manage Operating System updates on managed, supervised iOS devices. This functionality provides admins a view of all available updates and allows admins to granularly assign those updates across their device fleet. With this new functionality, admins gain the ability to maintain security updates through regular patching while minimizing the impact on customer-facing devices. 

This tutorial explains how to effectively use the iOS update framework in Workspace ONE UEM to keep iOS devices up-to-date.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Both current and new administrators can benefit from using this tutorial. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Workspace ONE® Access (formerly VMware Identity Manager) and VMware Workspace ONE® UEM is also helpful.

Prerequisites

Before you begin, ensure you have the following components installed and configured:

  • Workspace ONE UEM 1912
  • At least one iOS device enrolled in Workspace ONE

When managing iOS updates with Workspace ONE, administrators can use the following chart as an approximation for expected behavior during an upgrade:

  iOS 9 - 10.2.1 iOS 10.3 - 11.2.6 iOS 11.3 - iOS 12.x iOS 13+
Requires Supervision Yes Yes Yes Yes
Requires Automated Enrollment (DEP) Yes No No No
Device Passcode Devices cannot have a passcode User is prompted for device passcode upon receiving update command User is not prompted for device passcode if locked.   iOS downloads update in background if locked.    User is not prompted for device passcode and iOS performs upgrade automatically
Applicable Updates Can only update device to the latest supported update Can only update device to the latest supported update Can update to any supported update that has not expired Can update to any supported update that has not expired

Important:

  • The device behavior is dependent upon iOS major/minor version; for details, see Apple documentation. The above chart provides an approximation, and there may be deviations in behavior based upon specific major/minor versions.
  • It is critical to understand the impact of the device passcode on the update process. Devices prior to iOS 13 that have a passcode cannot install the update unless there is some type of user intervention on the device.
  • Do not clear the iOS device passcode to facilitate automated iOS upgrades. Doing so removes the device's encryption and renders the device unprotected from potential data loss.

Navigating through New UI Screens

Introduction

In Workspace ONE UEM, VMware has introduced new UI screens to assist with iOS update management. This section of this tutorial aims to provide a reference for each new UI screen.

Tip: The iOS update list is queried directly from Apple by a scheduler job running every six hours (by default). For on-premises Workspace ONE installations, you must ensure connectivity to https://gdmf.apple.com/v2/pmv to obtain the updated information.

Available iOS Updates List View

The Available Device Updates view can be found by navigating to Devices > Device Updates > iOS in the Workspace ONE UEM console (version 1912 and later).    

1. Each iOS Update

Each row in the Device Updates view indicates an iOS Update as discovered by our sync process with Apple's product version lookup service.

2. iOS Update Assignments

For each iOS update version, Workspace ONE displays how many assignments have been defined for that update. Assignments consist of one or more Smart Groups configured to begin receiving an update-related command after a specific date and time.

Note: The Assignments number does not necessarily equate to the number of smart groups assigned to the update.

3. Assignment Status

For each iOS update version, Workspace ONE displays whether that update has been Assigned to devices or Not Assigned. Additionally, if an administrator has paused an update, the update displays as Paused.

Note: If an assignment is Paused, Workspace ONE discontinues bulk command operations against any current or pending assignments. Workspace ONE cannot cancel any commands which have already been delivered to assigned devices prior to pausing the update process.

4. Release and Expiration Date

For each iOS update version, Workspace ONE displays the dates Apple made the update available to the public (for example, the Release Date). Workspace ONE also display's Apple's defined Expiration Date

Note: The Expiration Date displays the date that the update's signature expires and devices will no longer trust the update to apply it. Apple can expire the update earlier than this date for security or other reasons. 

5. Update Status

The Update Status field denotes which iOS updates are Available or Not Available to deploy to devices. 

Note: If an update is marked as Not Available, it will not deploy to devices and Workspace ONE disables the ability to manage assignments for the update.   

Update Details View

The Update Details View provides Workspace ONE administrators with additional details about the specific iOS update and its deployment status across the device fleet. To access the Update Details view, select an individual iOS update in the Available Device Updates view.

1. Manage Assignments Button

This button launches the Manage Assignments view which allows administrators to create and prioritize assignments.

2. Refresh Button

The refresh button forces the console to refresh data from the database backend.

Note: The Refresh Button does not initiate commands to query devices. It simply refreshes the console from the data available in the database.

3. Supported Devices List

The update metadata returned from Apple contains a list of supported devices for each update. Workspace ONE converts the model identifiers (such as "iPad8,8") into human-readable model information.

4. Device Readiness Graph

The device readiness graph shows the at-a-glance device eligibility (in that organization group and all child organization groups) to take that specific iOS update. Note the four available statuses:

  • Eligible: On a lower iOS version and can install the update.
  • Not Eligible: On a lower iOS version but cannot install the update (due to hardware incompatibility, non-supervised, and so on).
  • On This Version: iOS devices currently running this particular version of iOS.
  • On Higher Version: iOS devices that have upgraded to a newer version of iOS.

5. Device Status Graph

The device status graph displays the status of assigned, eligible devices that are installing updates. Admins use this chart for at-a-glance tracking progress of the iOS update across the assignments.

6. Devices List

The devices list displays update statuses for all eligible devices based on assignment. Administrators can also select individual devices to initiate a query or download/install command directly to that device, overriding any settings from an assignment.

Note: Sending an Override command does not affect any current assignments. If you override a device to send the Download command, but the Download/Install command is assigned for later that day, Workspace ONE still sends the Download/Install command at the assigned time.

Manage Assignments View

The manage assignments view provides administrators the ability to create and prioritize update assignments within their environment.

1. New Assignment Button

Administrators use this button to assign download and install commands for this specific iOS update to one or more smart groups.

2. Save Priority Button

Administrators use this button to save modifications to the priority they have set for assignments. Workspace ONE uses assignment priority to resolve schedule conflicts for devices in multiple assignments due to their Smart Group membership.

3. Priority Drag Zone

This User Interface element provides a click-and-hold space for dragging and rearranging priority.

4. Deployment Start Date

Each Assignment's start date is displayed for quick reference.

Note: The deployment start date is the day and time when Workspace ONE begins queueing commands to devices. It does not necessarily mean all devices in the assignment will get the command at that exact point in time. Factors that affect command delivery include batching (for large device counts), devices offline or powered off, network connectivity, and so on.

5. Deployment Mode

This column shows at-a-glance which command is being delivered to the devices in that assignment.  Possible values include:

  • Download: Instruct the device to download the update locally but not install it.
  • Install: Instruct the device to install a downloaded update. If the update is not downloaded, the device starts downloading the update.
  • Download and Install: Instruct the device to both download the update and then install it upon download completion. If the device already has the update downloaded, it begins installing the update.

Device Details Updates View

Workspace ONE UEM 1912 introduced a new tab to the device details view (Devices > Details View > Updates). This tab displays any updates that the device is eligible to install. Administrators can use this tab to publish the download and install commands directly to the device (similar to the override capability on the Update Details view).

  1. Updates: Administrators access the Device Details Updates view from this tab in Device Details.
  2. Publish: This button publishes the iOS update to the device (after selecting which particular update to Download or Install).
  3. Version: This column shows all available update versions for the device.
  4. Progress Reporting: Workspace ONE displays update progress as it is given from the device, including download percentage and install status.

Understanding Assignment Conflict Resolution

Introduction

In Workspace ONE UEM, devices can have membership in many different assignment (or smart) groups. Arranging devices in multiple groups is key to flexibility when managing a fleet of devices with potentially overlapping use cases and needs. Additionally, Workspace ONE UEM's organization group structure allows configurations to be defined broadly across devices or more granularly (and potentially by delegated administrators). Because devices can exist in more than one smart group (and those smart groups existing at different levels in an organization group hierarchy), there is a possibility to assign a single device to more than one assignment for iOS Updates. This section explains how Workspace ONE resolves conflicts with respect to iOS Update assignments.

Resolving Assignment Conflicts

iOS Update Conflicts are resolved in the following order:

  1. Most Recent Version Wins: The most recent iOS Update assigned to a device takes precedence.
  2. Closest Organization Group Wins: If the same iOS Update is assigned at different levels in the Organization Group (OG) hierarchy, the assignment closest to the OG to which the device enrolled takes precedence.
  3. Highest Priority Wins: If the same iOS device exists in multiple assignments for a single iOS Update in a single OG, the assignment with the highest priority takes precedence.

1. Most Recent Version Wins

Scenario 1:

  • Device Enrolled at Grandchild OG
  • Option A: Assigned iOS 13.2 at Grandchild OG
  • Option B: Assigned iOS 13.3 at Parent OG
  • Option C: Assigned iOS 13.2 at Parent OG

In this scenario, Workspace ONE chooses Option B's assignment settings because Option B contains the most recent iOS Version to which the device can update.

2. Closest Organization Group Wins

Scenario 2:

  • Device Enrolled at Grandchild OG
  • Option A:   Assigned iOS 13.2 at Child OG
  • Option B:   Assigned iOS 13.1 at Grandchild OG
  • Option C:   Assigned iOS 13.2 at Parent OG

In this Scenario, Workspace ONE chooses Option A's Assignment Settings because Option A contains the most recent iOS Version to which the device can update, and the assignment is made at the Organization Group closest in hierarchy  (Child vs Parent) to where the device enrolled (Grandchild).

3. Highest Priority Wins

Scenario 3:

  • Device Enrolled at Grandchild OG
  • Option A: Assigned iOS 13.2 at Child OG (Priority 1 - Download Only)
  • Option B: Assigned iOS 13.1 at Grandchild OG
  • Option C: Assigned iOS 13.2 at Child OG (Priority 2 - Download and Install)

In this Scenario, there are two options (Options A and C) with the same most recent iOS Update version and both in the same Organization Group. Workspace ONE chooses Option A because Option A has the highest priority and therefore only sends the command to Download the update.    

Assigning iOS Updates to Devices

Introduction

This section outlines how administrators can assign iOS updates to one or more groups of supervised iOS devices.

Assigning Updates from iOS Updates List View

In this exercise, you create and configure a new assignment from the iOS Updates list view.

1. Access Device Updates List View

In the Workspace ONE UEM Console:

  1. Click Devices.
  2. Click Device Updates.
  3. Select iOS.

2. Manage iOS Update Assignments

  1. Select the radio button (or select the row) for the iOS update you want to deploy.
  2. Click Manage Assignments.

3. Create New Assignment

Click New Assignment.

4. Define Assignment & Smart Groups

  1. Enter a name for the Assignment. For example, Alpha Testing.
  2. Click the Down Arrow to display a list of your smart groups.
  3. Choose one or more smart groups.
  4. Click Next.

5. Define Deployment Date/Time and Method

  1. Enter a date (or use the calendar picker) for the deployment to begin.
  2. Enter a time and choose AM/PM.
  3. Select the command you want to deploy to the device:
    1. Download and Install (for example, do both actions to automate the process)
    2. Download Only (for example, stage the update locally on the device)
    3. Install Only (attempts to trigger the install)
  4. Click Next.

Note: If you send an Install command but the update has not been downloaded locally on the device, the command will initiate the download. You must send a second command to initiate the install via MDM after the update has finished downloading.  

6. Select Notifications

  1. Enable the Notification for Download Success.
  2. Enter a message for Push Notification.
  3. Enable the Notification for Install Success.
  4. Enter a message for Push Notification.
  5. Click Next.

7. Add Additional Assignments and Prioritize

  1. Add additional assignments by clicking New Assignment and repeating steps four (4) through six (6).
  2. Click and hold the grab area - drag the assignments to rearrange their order.
  3. Click Save Priority to set the updated priority when you finish rearranging the assignments.
  4. Click Close when the assignments are set.

Assigning Updates From Update Details View

In this exercise, you learn how to assign iOS updates from the Update Details view.

1. Access Device Updates List View

In the Workspace ONE UEM Console:

  1. Click Devices.
  2. Click Device Updates.
  3. Click iOS.

2. Select iOS Update to Manage

Select the iOS link next to the update version you want to manage.

3. Manage iOS Update Assignments

Click Manage Assignments.

4. Create New Assignment

Click New Assignment.

5. Define Assignment & Smart Groups

  1. Enter a name for the Assignment. For example, Alpha Testing.
  2. Click the Down Arrow to display a list of your smart groups.
  3. Select one or more smart groups.
  4. Click Next.

6. Define Deployment Date/Time and Method

  1. Enter a date (or use the calendar picker) for the deployment to begin.
  2. Enter a time and choose AM/PM.
  3. Select the command you want to deploy to the device:
    1. Download and Install (for example, do both actions to automate the process)
    2. Download Only (for example, stage the update locally on the device)
    3. Install Only (attempts to trigger the install)
  4. Click Next.

Note: If you send an Install command but the update has not been downloaded locally on the device, the command will initiate the download. You must send a second command to initiate the install via MDM after the update has finished downloading.  

7. Select Notifications

  1. Enable the Notification for Download Success.
  2. Enter a message for Push Notification.
  3. Enable the Notification for Install Success.
  4. Enter a message for Push Notification.
  5. Click Next.

8. Add Additional Assignments and Prioritize

  1. Add additional assignments by clicking New Assignment and repeating steps five (5) through seven (7).
  2. Click and hold the grab area - drag the assignments to rearrange their order.
  3. Click Save Priority to set the updated priority when you finish rearranging the assignments.
  4. Click Close when the assignments are set.

Pausing and Resuming Assignments

Within the iOS update framework in Workspace ONE UEM, administrators can pause and resume updates without having to modify the assignments. This allows administrators to maintain visibility as to the deployments to-date while having the ability to halt further deployments for troubleshooting purposes.

In this exercise, you learn how to pause and resume an update assignment.

1. Access Device Updates

In the Workspace ONE UEM Console:

  1. Click Devices.
  2. Click Device Updates.
  3. Click iOS.

2. Pause iOS Update Assignments

  1. Click the radio button (or select the row) for the iOS update you want to pause.
  2. Click Pause.

3. Confirm Pause

Click Pause.

4. Validate Pause

Refresh the browser and confirm the update shows the Assignment Status of Paused.

Note:
After an assignment is paused, Workspace ONE UEM no longer queues download or install commands for devices that are members of an assignment but which have not yet received update-related commands.

If a device is assigned to more than one update and the most recent version of the update is paused, the device will not upgrade until the update is resumed. Workspace ONE will not deliver a lower, older iOS update command in lieu of the most recent command paused.

5. Access Device Updates

  1. Click Devices.
  2. Click Device Updates.
  3. Click iOS.

6. Resume iOS Update Assignments

  1. Click the radio button (or select the row) for the iOS update you want to resume.
  2. Click Resume.

7. Confirm Resume

Click Resume.

8. Validate Resume

Refresh the page and validate the Assignment Status has changed to Assigned.

Managing Updates

Introduction

This section covers how to manage updates individually.

Managing Updates from Device List View

In this exercise, you learn how to publish an update from the device list view and how to check the status of that update.

1. Browse to Device List View

  1. Click Devices.
  2. Click List View.
  3. Select the device that you want to manage updates for.

2. Publish Update

  1. Click the Updates tab.
  2. Select an iOS Update.
  3. Click Publish.

3. Select Installation Method

  1. Select a Device Installation Method.
  2. Click Send.

4. Review Install Progress

Review the Progress Status to see if the command has been sent.

5. Optional: Query Update Progress

Optionally, you can query the update progress:

  1. Click Query Update Process.
  2. Click OK.
  3. Review the Download % and Progress Status in the Updates tab.

Manage Updates from Device Updates View

In this exercise, you learn how to manage updates from the device update view and override assignments.

1. Browse to Device Updates

  1. Click Devices.
  2. Click Device Updates.
  3. Click iOS.

2. Access iOS Update Details

Click the iOS link on the row containing the update where you want to manage devices.

3. Override Assignments

  1. Select a device from the list of devices.
  2. Select Override.
  3. Select the command you want to send to the device.

4. Confirm Override

  1. Review the Override choice to ensure it is correct.
  2. Click Yes to perform the override.

Summary and Additional Resources

Conclusion

 With Workspace ONE UEM version 1912, administrators can manage operating system updates to iOS devices. Administrators can automate the download and install actions, or granularly control those two steps independently. With these features, Workspace ONE UEM enables automated update cycles convenient to an organization's needs.

This operational tutorial provided steps to help you understand the new UI screens, assign iOS updates to devices and how to manage those updates. It also discussed how to resolve assignment conflicts.

Terminology Used in This Tutorial

The following terms are used in this tutorial:

application store A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
auto-enrollment Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.
catalog A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
cloud Asset of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
device enrollment The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as Workspace ONE Access (formerly VMware Identity Manager).
identity provider (IdP) A mechanism used in a single-sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.
mobile device management
(MDM) agent
Software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
one-touch login A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
service provider (SP) A host that offers resources, tools, and applications to users and devices.
virtual desktop The user interface of a virtual machine that is made available to an end user.
virtual machine A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.

For more information, see the VMware Glossary.

Additional Resources

For more information, explore the following Activity Paths on Digital Workspace Tech Zone. Activity paths provide step-by-step guidance to help you level-up in your product knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

See the following for additional resources related to iOS update management with Workspace ONE UEM:

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon.

About the Author

This tutorial was written by:

  • Robert Terakedis, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware

Feedback

Your feedback is valuable. 

To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.

Filter Tags

  • Workspace ONE
  • Intermediate
  • Operational Tutorial
  • Document
  • Workspace ONE UEM
  • iOS
  • Manage