Microsoft Intune -- now rebranded with System Center Configuration Manager as Microsoft Endpoint Manager -- provides multiple options to control mobile OS updates, which involves rolling out platform updates on mobile devices.
When mobile administrators manage mobile OS updates via Intune on iOS, iPadOS and Android devices, they can use one of two main options that Intune provides to manage and control the platform updates.
Option 1: Control the installation of platform updates on mobile devices
The mobile OS update features within Intune provide different options to force the installation of platform updates on iOS, iPadOS and Android devices. For iOS and iPadOS devices, there are controls to deploy and install the different software updates, but it's more challenging for Android devices.
The complexity with Android is due to two factors: Android devices rely on the OEM to provide a new platform or system update, and the update process differs from vendor to vendor -- apart from generic settings. Due to the added complexity that Android presents, it might be worthwhile to look at management platforms beyond Intune. For Samsung devices, that platform could be the vendor's own Knox E-FOTA, which can also integrate with Intune. However, that approach requires additional licensing via Samsung.
The main Intune mobile OS update options for administrators to control the mobile device platforms are described below.
Device restrictions for Android devices
For Android devices, Intune provides a mobile OS management option for corporate-owned devices: fully managed, dedicated and corporate-owned work profile devices. This option is a device restriction policy, which controls the installation of over-the-air updates that are available for the mobile device fleet. This is a single setting named System update in Intune, within the General section of a device restrictions policy, and it enables mobile administrators to configure when the Intune should push out the system updates.
Administrators must choose among the Device Default, Automatic, Postponed and Maintenance window depending on their mobile updating needs. The availability of the system updates still depends on the mobile device OEM.
Update policies and device restrictions for iOS/iPadOS devices
For iOS and iPadOS devices, Intune provides a management option for supervised devices that IT has enrolled through an Apple enrollment program. Intune can create an update policy that controls the automatic installation of platform updates. This enables an Intune admin to configure the software update the device will install and the time that the device should install it. The user, however, can still manually install a software update earlier than this preset window.
Administrators can stop users from installing updates on their own with a device restriction policy that controls the deferral of software updates. They may want to do this to maintain a single version of the OS or software across the entire mobile fleet.
This Intune mobile update policy requires a combination of two settings named Defer software updates and Delay visibility of software updates within the General section of a device restrictions policy. The two settings in tandem enable the administrator to configure when a new software update will be available for the user by providing a deferral period of up to 90 days.
Option 2: Subtly force a user to install the latest platform update
Microsoft Intune provides multiple options to subtly force a user to install the latest platform update on iOS, iPadOS and Android devices. These more subtle Intune OS update options focus on closing the doors to an organization's data when a device is not running a specific minimum version of a platform or software product.
As platforms grow and evolve, mobile administrators must keep the minimal platform version recent to ensure there aren't untested platforms on their mobile devices. Untested platforms and software could cause compatibility issues or a security vulnerability.
Mobile administrators can use enrollment restrictions to ensure the mobile devices that a user enrolls with Intune meet certain conditions. This is essentially a verification at the front door.
One of the restrictions that IT can use is a minimum platform version of mobile devices. When a mobile device is running an older version of a platform, the user will not be allowed to enroll it.
Device compliance policies
IT administrators can use device compliance policies to report about the compliance status of a mobile device. IT can even use the device compliance setting in combination with conditional access to block access to an organization's apps and data.
One of the compliance settings that IT can use is to enforce the minimum version of the platform on the mobile device. This enables the administrator to control the platform version of the devices that are enrolled in Intune. When a mobile device is running an older version of a platform, the user will not be allowed to access any of the organization's apps and data.
Mobile app protection
IT can also use mobile app protection to control access to the organizations' data. IT can protect a mobile business application with several different Intune patching controls, including the conditional launch settings the app verifies when it launches. Once again, IT can enforce a minimum platform version, but this time it determines whether the devices can access the business application. That enables IT to control which devices, enrolled or unenrolled, can access the specific application.