Apparently, Apple thought that we will be delighted to get fullscreen update prompts on Apple TV like this one from time time but mostly when you expect them the least:

They just show up randomly on system start or simply on top of an application, if you leave it unattended for some time. And there is no setting in system preferences which would allow you to disable those.

You can, however, blacklist Apple update servers with firewall or DNS, and that will stop these prompts from showing up.

Why would you want to block Apple TV updates

Because with any next update you can get a bumped requirement for Xcode version, which in turn might require the next Mac OS version, which you might not want or be ready to update to.

That happened to me twice(!) before. At some point I got a new tvOS version installed, and all of the sudden it started to require the next Xcode version, which was available only on Catalina, while I was on Mojave with no intention to update my Mac OS. What a nice surprise that was.

After that I disabled automatic updates on my Apple TV, but what would you know, some time later my Apple TV somehow installed a new version again! Motherfucking piece of shit. And this time it started to require Xcode version that was only available in Big Sur, which I had even less desire to update to.

So I very much would like to avoid any “unexpected” Apple TV updates in future. When I’d want to install one, I will do that explicitly myself.

Can’t you just disable automatic updates

Yeah, like I said, I did disable automatic updates:

But still I get these wretched update prompts. And it is rather easy to accidentally click on the pre-selected option, which will also enable automatic updates.

What the hell, Apple, can you fucking not?

Apple update domains

I’ve discovered these ones:

• mesu.apple.com
• appldnld.apple.com
• swscan.apple.com
• xp.apple.com
• gdmf.apple.com

Initially there were only 2 domains in this list, but then some time ago Apple added 3 more. And it is quite possible that more domains will be added in future, so I’ll try to keep updating the list. Hopefully, Apple won’t reuse some of actually useful ones like icloud.com for this purpose.

Now the question is how to block those for Apple TV.

If you have a proper router, it likely has some firewall in it, so you’ll be able to blacklist these domains for your Apple TV. I have quite a non-advanced specific router from my ISP, and it doesn’t have this functionality, unfortunately. But fortunately enough recently I’ve installed a Pi-hole in my home network, and so I just blacklisted these domains there.

Blocking domains with Pi-hole

Installation

I run Pi-hole on a Raspberry Pi Zero W with Raspberry Pi OS Lite. Don’t forget to change the default password, enable SSH, generate and add your key and disable password authentication.

You can of course install it on a regular desktop/server too, but due to the changes it does do the network settings I decided that it would be better to run it on a dedicated host such as Raspberry device.

Installation procedure is just one script that does a bunch of things, and that is another reason for not installing it into a “normal” system - god knows what is happening in that script (although its ~3000 lines are available for your inspection). The script is trustworthy enough to not contain malicious things, but I certainly don’t trust it not to mess with my system settings, so dedicated Raspberry it is.

Static IP and DNS

You need to reserve static IP address for your Pi-hole host. Most of the routers support that functionality (based on the MAC address of the network interface), even my silly ISP box has it. I chose 192.168.1.77, but that of course doesn’t matter, any other available address is fine.

Now, go to Apple TV settings and set the DNS value to 192.168.1.77 (or whichever you reserved for Pi-hole):

Adding domains to blacklist

Simply adding Apple update domains to the global blacklist would be enough, but that way all your iDevices that are using Pi-hole will stop getting updates. To block updates only for Apple TV, you need to create a new group and add those domains to that group only.

Open your Pi-hole web admin interface and go to Group management (/admin/groups.php). Add a new group there, for example apple-updates:

Now go to Client group management (/admin/groups-clients.php), add your Apple TV client and assign this new apple-updates group to it (in addition to Default group):

This way Apple update domains will be blacklisted only for the Apple TV client.

Finally, add the domains to blacklist on Domain management page (/admin/groups-domains.php) and don’t forget to choose the apple-updates group for each:

This is it. If you now try to manually check for updates on your Apple TV, it should fail, so you’ll only get this endless spinning indicator:

And here’s how it looks in Pi-hole log:

Fuck yeah! And I never had those nagging fullscreen update prompts since then.

It might be worth mentioning that some of those blacklisted domains could be used by Apple for something else other than just updates (as having more than one domain for such purpose is a bit of an overkill, don’t you think), so there is a non-zero probability that something else on your Apple TV will stop working too. But you didn’t buy Apple TV for using Apple services, did you?

Updates

05.07.2022 | Using NextDNS

Instead of running (and maintaining) your own Pi-hole instance, you can use NextDNS service (here’s instruction for tvOS). If anything, these links are referral.

The service is meant for blocking trackers and advertisement, but you can also manually add certain domains to the denylist:

They have a free tier of 300 000 requests per month, which should be enough for one Apple TV box (but soon enough I’ve purchased a subscription, because I’m now using this service on all my devices).

For example, here’s statistics of requests sent from my Apple TV for the past month:

As you can see, all the requests to update domains are nicely blocked (and somehow I’ve managed to exceed the 300 000 requests quota on the Apple TV alone).