If the devices have a specific site they need for updates, I will usually allow the traffic to that site (or set of URLs/IPs) restricted to the ports/protocol needed (in the case of an ACL on a router/switch) or the application/port (in the case of a next gen firewall). But if there are a lot of potential destinations, I don’t allow the traffic and instead download the needed files from a workstation and transfer them over.