[Survey] OS & App Version Pinning - Part 1

Hey, did it now and in general you can always say:

• every update (no matter if app or OS related) can break the system
• this means: every update can break business critical operations
• this results in: business needs full version control on OS and app side
• For OS i see the need to be able to define:
  • minimum major version (security reason) → forcing to search for an update available until reaching this state
  • minimum Security Patch Level (security reason) → forcing to search for an update available until reaching this state
  • target major version (stability reason) → stopping at the latest version matching it or as close as possible without going above it
  • target Security Patch Level (stability reason) → stopping at the latest version matching it or as close as possible without going above it
  • or ideally but i guess impossible: define the exact oem version (per model)
• For Apps i see the need to be able to define:
  • The exact version to be used, including if devices are freshly installed, not installing latest but the defined version
  • Also be able to define the version of the MDM agent in ZTP to be used instead of the latest one.

Nearly no developer is providing the apk files but even free apps can be getting critical. We just had an issue with Microsoft for example. They provided the Microsoft 365 app which had all functionalities included you need (Excel, Word, Powerpoint, Lens, OneDrive,...), then they renamed it to Copilot and added the AI and now they phgased out all of the apps except the AI (so you can only ask the AI to do relevanbt changes to the files, so stupid). This caused us to deploy 3 additional apps instantly to all devices to provide the functionalities the users need and one is still in discussion also causing a huge network load in one go.
What i want to highlight here: Even if the app doesn’t break with an update, functionalities can change without being notified by the developers. That’s why we need full control about it.

I guess, i don’t need to provide similar exampüle for the OS updates as Google is still focussing on end user side thigthening the access instead of splitting the scope between enduser device (incl. BYOD) and company devices (COPE/fully managed).

We are especially cautious with major OS releases due to past major bugs (e.g., Android 13, Android 14) which took a while to resolve and want to block and test major releases intensively without blocking older security patches. We have to juggle between compliance and update policies, which is by no means a good solution and comes with significant limitations. This is especially problematic when critical CVEs need to be addressed at the same time for outdated devices.

For apps, ideally you can pin versions that were once published in the Store Track. It doesn’t have to be just any version from the Track, but at least versions from a specific time period or the last x versions. Depending on the developer and the app, the update cycle (and time to fix a bug) can vary greatly.

Thanks so much ​@Moombas and ​@Alex_Muc - it’s always fantastic to have your input and use cases to bring this alive. 

Your comments around version pinning are really interesting and as mentioned it’s tricky to know how long to have these for especially when balancing out ensuring that versions are too old that they are missing out on vital updates, along with the need to potentially wait for fixes (and as you mention Alex this can differ depending on the issue). 

If others have thoughts on this, please do join the conversation and any other points you might have on the survey. 

Massive thanks again. 

Just @ mentioning in a few folks, thought this might be of interest (and happy Friday). 😀 

​@mattdermody, ​@Michel, ​@Kris, ​@Benjamin, ​@Rakib, ​@Frebel, ​@Flo, ​@jarmo_akkanen, ​@Yann_ROLAND, ​@turquet, ​@goviemail, ​@jeremy, ​@FabienMagras, ​@MDauffenbach, ​@MelkonTorosyan, ​@Magcho, ​@MobileDude, ​@FXE, ​@GreggH, ​@DobromirPetrov 

+1 for app version pinning, as issue we have faced here : AD / Exchange GAL access broken.

I honestly never thought the day would come! This is incredibly exciting to see Google taking this problem seriously. The lack of proper version control is the #1 detractor from our potential adoption of AMAPI today and leaves us currently fully committed to Custom DPC base EMMs. I currently enjoy signficantly more control over app installation (Version, scheduling, rollback, test groups, etc) with direct APK installs through Custom DPC than I have when leveraging Google Play. Being able to “Pin” a given version of an app would be a major leap forward in capability.
 

I am specifically interested in being able to pin/ lock system components like the System WebView that are currently frequently upgraded in the background and can cause major instability in dedicated device environments. So many mobile applications rely on the System WebView or Chrome now. Even if they are not hybrid webapps, which rely on it completely, they may spin up an in app WebView or Chrome Custom Tab (CCT) for a 3rd party idp auth flow. We’ve very much found that these can break as a result of an unexpected (and currently uncontrolled) update to one of these components is pushed through Google Play. I have grown tired of having to tell CIOs sorry Google pushed out an update that took out your production environment and there was nothing we could have done about it other than block Google Play completely. No IT leadership wants to hear that there are automatic updates happening on their endpoints that they don’t have control over.  

I’ve always found it ironic that in Google’s never ending quest to dispel rumors of Android not being secure or the F word (Fragmentation) that they ended up creating more instability in a lot of environments than what the potential security threats themselves were likely to cause. That is to say updates pushed automatically from Google Play have caused more environment instability and outages than actual security related events that I’ve experience on Android. Perhaps that is survivorship bias (the security protocols are working?), but many of the customers that I support consider Google to be their biggest threat to environment instability based on the known issues they’ve experienced from automatic updates in the past.  

 

Hey everyone,

​@Moombas, ​@Alex_Muc, ​@mattdermody, ​@FXE, ​@SF4,

A massive thank you to those of you who have contributed to this survey, we are getting some great input - thank you. I’m looking forward to sharing a recap of this. 

In the meantime, part 2 of the survey on OS & App rollback 🏀, is now live. Here is the post. 

Thanks again. 

Lizzie

Thank you.its me