Help Center
14 DAY FREE TRIAL
Search Close Search
Search result for "aa"
View all results

No Search Results

14 DAY FREE TRIAL

Category filter

How do I handle devices stuck on old OS versions?

Jump To

Technical Summary:

Managing OS updates across a large, fragmented device fleet is one of the most common challenges IT administrators face. When devices are left on outdated operating systems, organizations are exposed to unpatched security vulnerabilities, compliance failures, and app compatibility issues.

This FAQ document is designed to help IT administrators efficiently identify outdated devices, force critical updates, and automate the entire OS lifecycle using Hexnode UEM.

Part 1: Identification & Auditing

Q1: I have 1000s of devices. How can I easily identify all devices in my fleet that are running an outdated OS version without manually exporting spreadsheets?

The most efficient way to track OS fragmentation is by using Hexnode’s Dynamic Device Groups. Unlike static groups where you manually add or remove devices, dynamic groups automatically update their membership in real-time based on specific criteria.

To group all outdated iOS devices automatically:

  1. Navigate to Manage > Device Groups in the Hexnode console.
  2. Click on New Dynamic Group.
  3. Provide a name for the group (e.g., “Outdated iOS Devices – Below iOS 17”).
  4. Under the conditions filter section, set the rules:
    1. Device Info > Platform > Is > iOS
    2. AND * Operating System > Version > Does not start with > [Target Version] (e.g., 17).
      Note:


      Because versions are evaluated as strings, using operators like “Does not start with” or “Does not contain” is the best way to filter out devices that haven’t reached your baseline.

  5. (Optional) Add any Geofence filters if necessary.
  6. Click Save.

Hexnode will instantly populate this group with every device that fails to meet your OS baseline. As devices are updated over time, they will automatically fall out of this group.

Part 2: Remediation & Enforcement

Q1: Once I have identified the outdated devices, how do I force them to update without disrupting my users’ daily workflows?

You can push an over-the-air update command directly to the dynamic group you created. Hexnode gives you granular control over how this update is executed to minimize user disruption.

To enforce the update:

  1. Navigate to Manage > Device Groups and select your newly created Dynamic Device Group.
  2. Click on the Actions > Device Control dropdown menu.
  3. Select Update OS.
  4. You will be prompted to choose an installation behavior:
    1. Download Only: The update downloads in the background, but the user chooses when to execute the installation. This is best for zero-disruption workflows.
    2. Download and Install: The device downloads the payload and attempts to install it immediately.
      Note:


      On iOS, if the device is passcode-locked or lacks sufficient battery, it may prompt the user to proceed.

  5. Confirm the action. Hexnode will dispatch the update command to every device currently sitting in that dynamic group.

Part 3: Automation (Putting it on Autopilot)

Q1: Can I automate this update process, so I don’t have to manually hunt down outdated devices and push updates every month?

Yes. By combining Dynamic Device Groups with Hexnode’s Automate feature, you can create a “set it and forget it” lifecycle management workflow.

To put OS updates on autopilot:

  1. Navigate to the Automate tab in your Hexnode portal and click New Automation > iOS.
  2. Give your automation a descriptive name (e.g., “Auto-Patch iOS Devices”).
  3. Under Action > Device Control, select Update OS and configure your preferred installation behavior (Download Only or Download and Install).
  4. Under Schedule, set the Execution time (e.g., run immediately upon a device entering the group, or schedule it for a specific maintenance window).
  5. Under Target, include the Dynamic Device Group you created earlier (e.g., “Outdated iOS Devices”). You can also configure exclusion groups here if necessary.
  6. Review the automation summary and click Save.

Now, anytime a device falls out of compliance (or a new unpatched device is enrolled), it enters the Dynamic Group. The Automation detects the new group member and automatically fires the OS update command without any manual IT intervention.

Part 4: Advanced Apple Management Strategies

Q1: How does Apple’s Declarative Device Management (DDM) change how we handle software updates?

Traditionally, MDM uses a reactive, server-driven model—the MDM server has to constantly check the device’s status and manually push commands to trigger an update. Apple’s Declarative Device Management (DDM) shifts this to a proactive, autonomous model where the device manages its own update cycle.

When you configure DDM software updates in Hexnode, you simply pass a specific target OS version and a strict enforcement deadline to the device. The device itself takes over from there, locally alerting the user about the impending deadline and autonomously forcing the installation the moment that deadline hits. This guarantees compliance, reduces network chatter, and removes the burden from the MDM server.

To configure this workflow in Hexnode:

  1. Go to Policies and click New Policy > Create a fully custom policy (or select an existing one). Provide a policy name.
  2. Navigate to iOS > Patches and Updates > Patch Preferences and click Configure.
  3. Define your target OS version (or build version) and set the exact enforcement date and time.
  4. Associate the policy with your target devices and click Save.

Q2: Are there situations where I should intentionally prevent devices from updating? How do I do that?

Absolutely. While staying updated is a security best practice, zero-day OS releases can sometimes break critical internal apps or introduce severe battery drain bugs. IT administrators often delay updates to allow time for application testing.

To intentionally delay iOS updates:

  1. Navigate to Policies > New Policy > Create a fully custom policy (or open an existing policy).
  2. Go to iOS > Security > OS Updates and click Configure.
  3. Check the option Force delayed software updates.
  4. Enter the number of days for the delay (you can delay up to 90 days; the default is 30 days).
  5. Associate the policy with your target devices and save.

During this delay period, end-users will not see the new OS update in their Settings app, preventing premature upgrades and ensuring your fleet remains stable until your IT team has fully validated the new software.

Need more help?
Image of Raise a Ticket Raise a Ticket
Image of Ask Community Ask Community
Image of Chat With us Chat With us
FAQ