The “Update policies for iOS” blade in Intune allows admins to force iOS devices in supervised mode to automatically install the latest OS update, as outlined in our documentation here: Configure iOS update policies in Intune.
One of the settings, “Delay visibility of software updates”, allows admins to defer the visibility of software updates to end users on supervised iOS devices. We’re seeing some admins interpret this setting as a way to block users from receiving updates on their iOS devices. However, the original intent of the “Update policies for iOS” blade, which is to force updates, overrides this: the update is pushed to the device from the Intune service while not being visible to the end user.
For example, an admin goes to Software Updates > Update policies for iOS and creates a policy for iOS 12. “Delay visibility of software update (days)” is set to the default 30 days and they configure other settings as shown in the screenshot below, thinking that iOS 12 will not be pushed to devices for 30 days. However, due to the way these settings are configured, as soon as this policy is targeted to devices, the iOS 12 update will immediately be pushed out to those devices. Note that Intune does not currently support completely blocking devices from receiving an update.
Here are two scenarios you may come across and what you’d need to do in each case:

1. If you do not wish your end users to update to the latest version of iOS for a certain number of days, you should configure the “Days” setting to include all days of the week in addition to having your desired value in the “Delay visibility of software updates” field (see screenshot below). Also set both your “Start time” and “End time” as 12 AM to ensure that there is no time allowed for update installation.
If you wish to delay visibility of updates to end users, do not create an update policy. Instead, upload a Custom Device Configuration with the following key-value pairs set:
Let us know if you have any questions!
9/19/18: Post revised for clarity. Additional step added in scenario #1.
9/25/18: Post revised to state only one scenario to clarify that Intune currently does not support blocking updates completely.