
Control OS Updates device policy

The Control OS Updates device policy lets you deploy:

  • The latest OS updates to supervised iOS devices.

    For devices running iOS 10.3 and later, the Control OS Updates policy works on supervised devices. For devices running a version earlier than iOS 10.3, the Control OS Updates policy works on devices that are both supervised and DEP-enrolled.

  • The latest OS and app updates to DEP-enrolled macOS devices running macOS 10.11.5 and later.

  • The latest OS updates to supervised Samsung SAFE devices.

    For Samsung SAFE devices, XenMobile sends the Control OS Updates policy to Secure Hub, which then applies the policy to the device. The Manage > Devices page shows when XenMobile Server sends the policy and when the device receives the policy.

  • The latest OS updates to supervised Windows 10 Desktop and Tablet devices.

    You can also use the Control OS Updates policy to manage delivery optimization settings for desktops and tablets running Windows 10 version 1607. Delivery optimization is a peer-to-peer client update service provided by Microsoft for Windows 10 updates. The goal of delivery optimization is to reduce bandwidth issues during the update process. Bandwidth reduction is achieved by sharing the downloading task among multiple devices. For more information, see the Microsoft article, Configure Delivery Optimization for Windows 10 updates.

  • The latest OS updates to managed Android for Work devices (Android 7.0 and higher).
  • The latest OS updates to Chrome OS devices.
  • The specified OS update file to Citrix Ready workspace hub devices.

To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

iOS settings

Image of Device Policies configuration screen

The following settings are for supervised devices running iOS 10.3 and later.

  • OS update options: Both of the options download the latest OS updates to supervised devices according to the OS update frequency. The device prompts users to install updates. The prompt is visible after the user unlocks the device.
  • OS update frequency: Determines how frequently XenMobile checks and updates the device OS. The default is 7 days.
  • OS updates version: Specifies the version to use to update supervised iOS devices. The default is Latest version.
    • Latest version: Select to update to the latest OS version.
    • Specific version only: Select to update to a specific OS version and then type the version number.

macOS settings

Image of Device Policies configuration screen

  • OS update options: Both of the options download the latest macOS updates according to the OS update frequency. You can choose to install the updates or notify the user through the App Store that updates are available.
  • OS update frequency: Determines how frequently XenMobile checks and updates the device OS. The default is 7 days.

Get status for iOS and macOS update actions

For iOS and macOS, XenMobile doesn’t deploy the Control OS Updates policy to devices. Instead, XenMobile uses the policy to send these MDM commands to devices:

  • Schedule OS Update Scan: Requests that the device performs a background scan for OS updates. (optional for iOS)
  • Available OS Updates: Queries the device for a list of available OS updates.
  • Schedule OS Update: Requests that the device performs macOS updates, app updates, or both. The device OS then determines when to download and install the OS and app updates.

The Manage > Devices > Device details (General) page shows the status of scheduled and available OS update scans, and scheduled macOS and app updates.

Image of Device details screen

For more details about the status of update actions, go to the Manage > Devices > Device details (Delivery Groups) page.

Image of Device details screen

For details such as available OS updates and the last installation attempt, go to the Manage > Devices > Device details (Properties) page.

Image of Device details screen

Samsung SAFE settings

Samsung Enterprise FOTA, also referred to as E-FOTA, lets you determine when devices get updated and the firmware version to use. To use E-FOTA:

  1. Create a Samsung MDM License Key device policy with the keys and license information you received from Samsung. For more information, see Samsung MDM license key device policy.
  2. Create a Control OS Updates device policy to enable Enterprise FOTA.

    Image of Device Policies configuration screen

    • Enable Enterprise FOTA: Set to On.
    • Enterprise FOTA License Key: Select the Samsung MDM License Key device policy name.

Windows Desktop and Tablet settings

Image of Device Policies configuration screen

  • Select active hours mode: Select a mode to configure the active hours for performing OS updates. You can specify a range of hours or a start and end time. After you select a mode, more settings appear: Specify max range for active hours or Active hours start and Active hours end. Not configured allows Windows to perform OS updates at any time. Defaults to Not configured.
  • Auto update behavior: Configures the download, install, and restart behavior of the Windows update service on user devices. Defaults to Auto install and restart.
    • Notify user before downloading the update: Windows notifies users when updates are available. Windows doesn’t automatically download and install updates. Users must initiate the download and install actions.
    • Auto install and notify to schedule device restart: Windows downloads updates automatically on non-metered networks. Windows installs updates during Automatic Maintenance when the device isn’t in use and isn’t running on battery power. If Automatic Maintenance can’t install updates for two days, Windows Update installs the updates immediately. If the installation requires a restart, Windows prompts the user to schedule the restart time. The user has up to seven days to schedule the restart. After seven days, Windows forces the device to restart. Enabling the user to control the start time reduces the risk of accidental data loss caused by apps that don’t shut down properly on restart.
    • Auto install and restart: Default setting. Windows downloads updates automatically on non-metered networks. Windows installs updates during Automatic Maintenance when the device isn’t in use and isn’t running on battery power. If Automatic Maintenance can’t install updates for two days, Windows Update installs the updates immediately. If the installation requires a restart, Windows automatically restarts the device when the device is inactive.
    • Auto install and restart at a specified time: When you choose this option, more settings appear so you can specify the day and time. The default is 3 a.m. daily. Automatic installation happens at the specified time and device restart occurs after a 15-minute countdown. When Windows is ready to restart, a logged in user can interrupt the 15-minute countdown to delay the restart.
    • Auto install and restart without end-user control: Windows downloads updates automatically on non-metered networks. Windows installs updates during Automatic Maintenance when the device isn’t in use and isn’t running on battery power. If Automatic Maintenance can’t install updates for two days, Windows Update installs updates immediately. If the installation requires a restart, Windows automatically restarts the device when the device is inactive. This option also sets the user control panel to read-only.
    • Turn off automatic updates: Disables Windows automatic updates on the device.
  • Scan for app updates from Microsoft update: Specifies whether Windows accepts updates for other Microsoft apps from the Microsoft update service. Defaults to Not configured.
    • Not configured: Use this setting if you don’t want to configure the behavior. Windows doesn’t change the related UI on user devices. Users can accept or reject updates for other Microsoft apps.
    • Yes: Windows allows app updates to be installed from the Windows update service. The related setting on the user device is inactive, so the user can’t modify the setting.
    • No: Windows doesn’t allow app updates to be installed from the Windows update service. The related setting on the user device is inactive, so the user can’t modify the setting.
  • Specify updates branch: Specifies which Windows update service branch to use for updates. Defaults to Not configured.
    • Not configured: Use this setting if you don’t want to configure the behavior. Windows doesn’t change the related UI on user devices. Users can choose a Windows update service branch.
    • Current Branch: Windows receives updates from Current Branch. The related setting on the user device is inactive, so the user can’t modify the setting.
    • Current Branch for Business: Windows receives updates from Current Branch for Business. The related setting on the user device is inactive, so the user can’t modify the setting.
  • Configure number of days to defer feature updates: If On, Windows defers feature updates by the specified number of days and the user can’t change the setting. If Off, the user can change the number of days to defer feature updates. Defaults to Off.
  • Configure number of days to defer quality updates: If On, Windows defers quality updates by the specified number of days and the user can’t change the setting. If Off, the user can change the number of days to defer quality updates. Defaults to Off.
  • Pause quality updates: Specifies whether to pause quality updates for 35 days. Defaults to Not configured.
    • Not configured: Use this setting if you don’t want to configure the behavior. Windows doesn’t change the related UI on user devices. Users can choose to pause quality updates for 35 days.
    • Yes: Windows pauses the installation of quality updates from the Windows Update Service for 35 days. The related setting on the user device is inactive, so the user can’t modify the setting.
    • No: Windows doesn’t pause the installation of quality updates from the Windows Update Service. The related setting on the user device is inactive, so the user can’t modify the setting.
  • Allow updates only in approval list: Specifies whether to install only the updates that an MDM server approves. XenMobile Server currently doesn’t support configuring an approved list of updates. Defaults to Not configured.
    • Not configured: Use this setting if you don’t want to configure the behavior. Windows doesn’t change the related UI on user devices. Users can choose which updates to allow.
    • Yes, install only approved updates: Allows installation of approved updates only.
    • No, install all applicable updates: Allows installation of any applicable updates on the device.
  • Use internal update server: Specifies whether to obtain updates from the Windows update service or an internal update server through Windows Server Update Services (WSUS). If Off, devices use the Windows update service. If On, devices connect to the specified WSUS server for updates. Defaults to Off.
    • Accept updates signed by entities other than Microsoft: Specifies whether to accept updates signed by third-party entities other than Microsoft. This feature requires that the device trusts the third-party vendor certificate. Defaults to Off.
    • Allow connection to Microsoft update service: Allows Windows update on device to connect periodically to the Microsoft update service, even if the device is configured to get updates from a WSUS server. Defaults to On.
    • WSUS server: Specify the server URL for the WSUS server.
    • Alternate intranet server to host updates: Specify an alternate intranet server URL to host updates and receive reporting information.
  • Configure delivery optimization: Whether to use delivery optimization for Windows 10 Updates. Default is Off.
  • Cache size: The maximum size of the delivery optimization cache. A value of 0 means an unlimited cache. Default is 10 GB.
  • Allow VPN peer caching: Whether to allow devices to participate in peer caching when connected to the domain network through VPN. When On, the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. Default is Off.
  • Download method: The download method that delivery optimization can use for downloads of Windows Updates, app, and app updates. Default is HTTP blended with peering behind the same NAT. Options are:
    • HTTP only, no peering: Disables peer-to-peer caching but allows delivery optimization to download content from Windows Update servers or Windows Server Update Services (WSUS) servers.
    • HTTP blended with peering behind the same NAT: Enables peer sharing on the same network. The Delivery Optimization cloud service finds other clients that connect to the Internet using the same public IP as the target client. These clients then attempt to connect to other peers on the same network by using their private subnet IP.
    • HTTP blended with peering across a private group: Automatically selects a group based on the device Active Directory Domain Services (AD DS) site or the domain the device authenticates to. Selection based on AD DS is for Windows 10, version 1607. Selection based on domain is for Windows 10, version 1511. Peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices.
    • HTTP blended with Internet peering: Enable Internet peer sources for Delivery Optimization.
    • Simple download mode with no peering: Disable the use of Delivery Optimization cloud services. Delivery Optimization switches to this mode automatically during these conditions: When the Delivery Optimization cloud services are unavailable, unreachable, or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching.
    • Do not use Delivery Optimization and use BITS instead: Enables clients to use BranchCache. For more information, see the Microsoft article, BranchCache.
  • Max download bandwidth: The maximum download bandwidth in KB/second. Default is 0, which means dynamic bandwidth adjustment.
  • Percentage of maximum download bandwidth: The maximum download bandwidth that delivery optimization can use across all concurrent download activities. The value is a percentage of the available download bandwidth. Default is 0, which means dynamic adjustment.
  • Max upload bandwidth: The maximum upload bandwidth in KB/second. Default is 0. A value of 0 means unlimited bandwidth.
  • Monthly upload data cap: The maximum size in GB that delivery optimization can upload to Internet peers in each calendar month. Default is 20 GB. A value of 0 means unlimited monthly uploads.

How XenMobile handles approved updates to Windows Desktop and Tablet devices

You can specify whether to install only approved updates. XenMobile handles the updates as follows:

  • For a security update, such as for Windows Defender definitions, XenMobile automatically approves the update and sends an install command to the device during next sync.
  • For all other update types, XenMobile waits for your approval before sending the install command to the device.

Prerequisites

To install only approved updates

  1. Go to Configure > Device Policies and open the Control OS Updates device policy.
  2. Change the Allow updates only in approval list setting to Yes, install only approved updates.

To approve an update

  1. In the Control OS Updates device policy, scroll down to the Pending updates table. XenMobile obtains the updates listed in the table from devices.

  2. Search for updates with an Approval status of Pending.

  3. Click the row for the update you want to approve and then click the edit icon for that row (in the Add column).

    Image of Device Policies configuration screen

  4. To approve the update, click Approved and then click Save.

    Image of Device Policies configuration screen

Note: Although the Pending updates table includes add and delete commands, those commands don’t result in any changes to the XenMobile database. Editing approval status is the only action available for pending updates.

To view the Windows update status for a device, go to Manage > Devices > Properties.

Image of Devices configuration screen

When an update publishes, the Update ID appears in the first column with a status (Success or Failure). You can create a report or an automated action for devices with failed updates. The date and time of the publication also appears.

How updates work for first-time and subsequent deployments

The effect of the Control OS Updates device policy on devices differs for a first-time deployment versus a deployment after devices get updates.

  • For XenMobile to query a device for updates, you must configure and assign to a delivery group at least one Control OS Updates device policy.

    XenMobile queries a device for installable updates during a device MDM sync.

  • After the first Control OS Updates device policy deploys, the list of Windows updates is empty because no device has reported yet.
  • When the devices in the assigned delivery group report updates, XenMobile saves those updates in its database. To approve any reported updates, edit the policy again.

    Update approval applies only to the policy you are editing. Updates approved in one policy don’t show as approved in another policy. The next time that a device syncs, XenMobile sends a command to the device to indicate that the update is approved.

  • For a second Control OS Updates device policy, the update list contains the updates stored in the XenMobile database. You must approve updates for each policy.

    During each device sync, XenMobile queries the device for the approved update state until the device reports the update as installed. For updates that require a device restart after installation, XenMobile keeps querying the state of the update until the device reports it as installed.

  • XenMobile doesn’t restrict the updates shown in the policy configuration page by delivery group or device. All updates reported by devices appear in the list.

Android for Work settings

Image of Device Policies configuration screen

  • System update policy: Determines when system updates occur. Automatic installs an update when it is available. Windowed installs an update automatically within the daily maintenance window specified in the Start time and End time. Postpone allows a user to postpone an update for up to 30 days.
    • Start time: The start of the maintenance window, measured as the number of minutes (0 - 1440) from midnight in the device local time. Default is 0.
    • End time: The end of the maintenance window, measured as the number of minutes (0 - 1440) from midnight in the device local time. Default is 120.

Chrome OS settings

Image of Device Policies configuration screen

  • Update enabled: Specifies whether to update Chrome OS devices automatically to a newly released version of Chrome OS. Default is Off.
  • Reboot after update: Specifies whether to reboot a Chrome OS device the next time that the user signs out after a successful automatic update. Default is Off.
  • Target platform version prefix: If a device is on an older version, this setting specifies the prefix of the target version to update to. For Chrome platform versions, see https://chromereleases.googleblog.com/. If a device is already on a version with the given prefix, no update occurs. If the device is on a higher version, it remains on the higher version. Rollback isn’t supported. Default is empty.

    Use one of the following version formats:

    • "" or unset: Update to the latest version available.
    • 10323.: Update to any minor version of 10323 (for example, 10323.58.0).
    • 10323.58.: Update to any minor version of 10323.58 (for example, 10323.58.0).
    • 10323.58.0: Update to this specific version only.
  • Delay update period: Specifies how long a device can wait before downloading an update. The delay is counted from the time the update first deploys to the server. The device might wait a portion of this time in terms of clock time and the remaining portion in terms of the number of update checks. The maximum duration value is 14 days. Default is 0.
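
The version-prefix rules above, worked through as an added example (not Citrix or Google code): a helper that decides, for a device version and a target platform version prefix, whether the device updates or stays. The decision logic and the plan_fleet helper are assumptions derived from the rules listed, and all device versions are constructed samples.

```python
"""Decide whether a Chrome OS device updates under a target platform version
prefix, following the matching rules listed above.

Added example, not Citrix or Google code. Device versions and prefixes are
constructed samples, and the decision logic is an assumption derived from
the documented rules: an unset prefix means update to the latest version;
a device already on a version with the prefix stays; a device on a higher
version stays, because rollback isn't supported; only a lower version updates.
"""
from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """'10323.58.0' -> (10323, 58, 0). A trailing dot, as in the prefix
    '10323.', is ignored, so that prefix parses to (10323,)."""
    parts = [p for p in version.strip().split(".") if p != ""]
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed Chrome OS platform version: {version!r}")
    return tuple(int(p) for p in parts)


def decide_update(device_version: str, target_prefix: str) -> Tuple[str, str]:
    """Return ('update' or 'stay', reason) for one device."""
    prefix = target_prefix.strip().strip('"')  # '""' is the same as unset
    if prefix == "":
        return "update", "no prefix set: update to the latest available version"
    want = parse_version(prefix)
    have = parse_version(device_version)
    # '10323.58.0' names an exact version; '10323.' or '10323.58.' covers any
    # version under that prefix, so compare only as many fields as the prefix has.
    head = have if not prefix.endswith(".") else have[: len(want)]
    if head == want:
        return "stay", f"already on a version with prefix {prefix!r}"
    if head > want:
        return "stay", "device is on a higher version and rollback isn't supported"
    return "update", f"device {device_version} is below {prefix}"


def plan_fleet(devices: Dict[str, str], target_prefix: str) -> Dict[str, List[str]]:
    """Run decide_update over {device_id: version} and group device IDs by action."""
    plan: Dict[str, List[str]] = {"update": [], "stay": []}
    for device_id, version in devices.items():
        action, _ = decide_update(version, target_prefix)
        plan[action].append(device_id)
    return plan


if __name__ == "__main__":
    # Constructed fleet: one device below the prefix, one on it, one above it.
    fleet = {"dev-a": "10200.3.0", "dev-b": "10323.40.0", "dev-c": "10400.0.0"}
    print(plan_fleet(fleet, "10323."))  # {'update': ['dev-a'], 'stay': ['dev-b', 'dev-c']}
```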

Workspace Hub settings

You can use the Control OS Updates device policy to specify an update file for Citrix Ready workspace hub devices. When a workspace hub device checks in with XenMobile Server, the device downloads the update file and installs it automatically.

Image of Device Policies configuration screen

  • URL: The URL where you uploaded the OS update file. First, download the OS update file from the OS vendor and upload it to a share accessible by http or https. Do not protect the share with any credentials. The update file for a CLASS only applies to devices of the same CLASS.

    The URL also must end with the naming used in the OS update file in the format VERSION-CLASS-KERNEL-ARCHITECTURE-BUILDNUM.lfi.

    When a Citrix Ready workspace hub device checks in with XenMobile Server, the device downloads the update file and installs it automatically. The installation happens whether the device has a lower or a higher OS version than the one being installed.

    The policy applies only on devices of the same CLASS as the update file configured in the policy. For example, if the policy has an update file for an NComputing device (NC class), then only the NComputing devices checking in receive the update. If a ViewSonic device (VS class) checks in, XenMobile doesn’t apply the update.

  • OS Version: The OS version in the format VERSION-CLASS-KERNEL-ARCHITECTURE-BUILDNUM or VERSION-CLASS-KERNEL-BUILDNUM.
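
The URL and CLASS rules above, as an added example that is not Citrix code: a validator that checks a constructed update-share URL (http or https only, no credentials in the URL, a file name in the VERSION-CLASS-KERNEL-ARCHITECTURE-BUILDNUM.lfi format) and decides whether the file applies to a device of a given CLASS. The sample URLs, version tokens and device classes are constructed, and it assumes the dash-separated fields never contain a dash themselves.

```python
"""Validate a Citrix Ready workspace hub update URL against the rules above:
reachable over http or https, no credentials in the URL, a file name in
VERSION-CLASS-KERNEL-ARCHITECTURE-BUILDNUM.lfi form, and a CLASS that
matches the CLASS of the device checking in.

Added example, not Citrix code. URLs, version tokens and device classes are
constructed; field names come from the policy. Assumes fields contain no '-'.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

@dataclass(frozen=True)
class UpdateInfo:
    version: str
    device_class: str
    kernel: str
    architecture: Optional[str]  # absent in the 4-field OS Version form
    buildnum: str

def parse_os_version(name: str) -> UpdateInfo:
    """Parse the two forms the OS Version field accepts:
    VERSION-CLASS-KERNEL-ARCHITECTURE-BUILDNUM or VERSION-CLASS-KERNEL-BUILDNUM."""
    parts = name.split("-")
    if len(parts) not in (4, 5) or any(p == "" for p in parts):
        raise ValueError(f"{name!r} must have 4 or 5 non-empty '-' separated fields")
    if len(parts) == 5:
        version, cls, kernel, arch, build = parts
    else:
        version, cls, kernel, build = parts
        arch = None
    return UpdateInfo(version, cls, kernel, arch, build)

def parse_update_url(url: str) -> UpdateInfo:
    """Check the share URL and extract the fields from the file name, which
    must use the full 5-field form and the .lfi extension."""
    u = urlparse(url)
    if u.scheme not in ("http", "https"):
        raise ValueError(f"share must be reachable over http or https, not {u.scheme!r}")
    if u.username is not None or u.password is not None:
        raise ValueError("share must not need credentials; drop the user info from the URL")
    filename = u.path.rsplit("/", 1)[-1]
    if not filename.endswith(".lfi"):
        raise ValueError(f"update file {filename!r} must end with .lfi")
    info = parse_os_version(filename[: -len(".lfi")])
    if info.architecture is None:
        raise ValueError("file name needs VERSION-CLASS-KERNEL-ARCHITECTURE-BUILDNUM")
    return info

def url_problem(url: str) -> Optional[str]:
    """Return None when the URL passes every check, else the first problem found."""
    try:
        parse_update_url(url)
    except ValueError as err:
        return str(err)
    return None

def applies_to_device(url: str, device_class: str) -> bool:
    """True only when the file's CLASS equals the device's CLASS: an NC-class
    file reaches NComputing hubs, while a ViewSonic (VS) hub is skipped."""
    return parse_update_url(url).device_class == device_class
```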