Problem
CVE-2025-24252 dropped - an AirPlay vulnerability that lets attackers on the local network corrupt process memory. Apple patched it in iOS 18.4 and iPadOS 17.7.6.
Some environments still use old MDM-based software update policies. These are deprecated and do not provide the same control as DDM (Declarative Device Management).
Time to fix that.
Constraints
- Microsoft Intune
- iPads (mixed generations)
- Entra ID groups
Decision
1. Organized iPads into Groups
First, I needed visibility, so I created three dynamic groups based on iPad generation:
Group 1: Older iPads (6th-7th gen)
(device.deviceModel -contains "iPad7") or (device.deviceModel -contains "iPad6")
Group 2: Mid-range iPads (8th-9th gen)
(device.deviceModel -contains "iPad12") or (device.deviceModel -contains "iPad13")
Group 3: Newer iPads (10th gen+)
(device.deviceModel -contains "iPad14")
Go to Entra ID → Groups → New group → Dynamic device → Add your rule.
2. Found Devices That Couldn’t Update
The iPad 5th generation can't get iPadOS 17.7.6 or 18.4. These devices are stuck on iPadOS 16, with no patch available.
To find them:
- Go to Intune → Devices → All devices
- Filter by OS version and model
- Export the list
Any iPad 5th gen (model A1822, A1823) needs replacement. No way around it.
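To tie steps 1 and 2 together, here is an added triage script (not part of the original write-up) that reads an exported device list, applies the same substring matches as the dynamic-group rules above, and flags each device as patched, needing the update, or needing replacement. The CSV column names are assumed; `iPad6,11` and `iPad6,12` are Apple's identifiers for the A1822/A1823 5th-gen iPad, and because they also contain the substring `iPad6`, the replacement list should be pulled before Group 1 is trusted as an update target.

```python
import csv
import io

# Fixed builds named on the page: iPadOS 18.4 (18.x line) and 17.7.6 (17.x line).
FIXED_18 = (18, 4)
FIXED_17 = (17, 7, 6)
# Apple identifiers for the iPad 5th generation (A1822 Wi-Fi / A1823 Cellular),
# which the page says cannot reach either fixed build.
FIFTH_GEN = {"iPad6,11", "iPad6,12"}
# Rollout groups using the same substring matches as the page's dynamic-group rules.
GROUP_RULES = [
    ("Older (6th-7th gen)", ("iPad6", "iPad7")),
    ("Mid-range (8th-9th gen)", ("iPad12", "iPad13")),
    ("Newer (10th gen+)", ("iPad14",)),
]
# Constructed sample export; the column names are assumed, not Intune's exact headers.
SAMPLE_EXPORT = """deviceName,deviceModel,osVersion
ipad-001,"iPad7,12",17.7.5
ipad-002,"iPad6,12",16.7.10
ipad-003,"iPad12,2",18.3.2
ipad-004,"iPad14,3",18.4.1
ipad-005,"iPad7,5",17.7.6
"""

def parse_version(text):
    """Turn '17.7.6' into (17, 7, 6) so tuple comparison orders releases correctly."""
    return tuple(int(p) for p in text.strip().split("."))

def rollout_group(model):
    """Name of the rollout group whose rule matches this model identifier, or None."""
    for name, prefixes in GROUP_RULES:
        if any(p in model for p in prefixes):  # substring match, like Entra's -contains
            return name
    return None

def patch_status(model, os_version):
    """'patched', 'update' (a fixed build exists), or 'replace' (no fixed build exists)."""
    if model in FIFTH_GEN:
        return "replace"
    v = parse_version(os_version)
    if v >= FIXED_18 or (v[0] == 17 and v >= FIXED_17):
        return "patched"
    return "update"  # 18.x below 18.4, 17.x below 17.7.6, or a 16.x that can still upgrade

def triage(export_text):
    """Map each device name in a CSV export to (rollout group, patch status)."""
    rows = csv.DictReader(io.StringIO(export_text))
    return {r["deviceName"]: (rollout_group(r["deviceModel"]),
                              patch_status(r["deviceModel"], r["osVersion"])) for r in rows}
```

Run `triage(SAMPLE_EXPORT)` to see the sample devices bucketed; a real export is loaded the same way with `open(...).read()`.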
3. Created DDM Update Policy
DDM gives you more control than the old MDM policies. Here’s what I configured:
- Go to Intune → Devices → Manage updates → Apple updates → Create profile
- Select iOS/iPadOS and Settings catalog
- Add Declarative Device Management → Software Update
Settings I used:
| Setting | Pilot Group | Production |
|---|---|---|
| Target OS Version | Latest | Latest |
| Install deadline | Immediate | 7 days |
| Notifications | Show all | Show all |
4. Rolled Out in Phases
Week 1: Pilot group - immediate deadline, watch for issues.
Week 2: Production - 7-day deadline so users have time to save work and charge devices.
Implementation
- iPad 5th gen and older - Can’t update. Replace them.
- Battery level - iPads need at least 50% battery, or to be plugged in, before they will install updates.
- Storage - Some updates need 2-3 GB of free space, so the update will fail on devices that are full.
Outcome
After rollout, updates became more predictable, patch posture improved, and we spent less time on manual follow-up.
Trade-offs
This adds policy maintenance, especially across mixed iPad generations, but for me the stability and control were worth it.