Patches

Enterprise Mobile Security Patches: The Complete Monthly Tracker

Q: How should enterprise IT teams prioritize MDM platform patches versus OS patches?

MDM platform patches (for BlackBerry UEM, Intune, Workspace ONE servers) and OS patches address different attack surfaces and should not be ranked against each other — both must be maintained on current patch levels. MDM server vulnerabilities can expose the management control plane itself, enabling an attacker to push malicious configurations to all managed devices. OS patches address the device-side attack surface. A mature enterprise patch program runs separate tracking and SLA cycles for MDM infrastructure versus managed device OS levels.

Q: What is Samsung Knox's patch cadence for enterprise deployments?

Samsung releases monthly security maintenance releases (SMRs) for Galaxy enterprise devices, synchronizing with Google's monthly Android Security Bulletins and adding Samsung-specific patches for Knox components. Enterprise IT teams managing Samsung Knox devices should verify that their device models are still receiving monthly SMRs — Samsung's security update policy lists the active patch period per model family. Devices that have exited the monthly SMR cycle should be flagged for replacement in hardware refresh planning.

Consolidated coverage of iOS, Android, BlackBerry UEM, Microsoft Intune, and VMware Workspace ONE security releases — with CVE severity ratings and patch urgency guidance for enterprise IT teams.

Enterprise mobile security patch tracking dashboard overview

Latest Patch Roundup

View June 2026 →

June 2026 enterprise mobile security patches

Critical — June 2026

June 2026 Enterprise Security Patches: iOS 17.5.2, Android & UEM 12.21.1

Apple patches two actively exploited WebKit vulnerabilities. Google's June Android Security Bulletin closes 42 CVEs including a critical Bluetooth stack flaw. BlackBerry UEM 12.21.1 addresses a privilege escalation in the Connectivity Node component.

June 2, 2026 · 10 min read

CVE Tracker

Top MDM Platform CVEs — 2026 Running Tracker

A continuously updated reference of the most significant CVEs affecting enterprise MDM platforms in 2026 — severity scores, affected versions, and vendor patch status.

View CVE tracker →

Incident Analysis

Enterprise Mobile Security Breaches: What Patch Failures Look Like

Real-world incident patterns where delayed patching of mobile OS or MDM components contributed to enterprise security breaches — with lessons for patch SLA design.

Read analysis →

Platform Patch Schedules

iOS and iPadOS Security Releases

Apple releases iOS security patches outside any fixed calendar cadence. Major releases typically arrive every four to six weeks, but Rapid Security Responses (RSRs) for actively exploited vulnerabilities can appear days after an issue is discovered. RSRs patch a targeted component — most commonly WebKit, the browser engine underlying Safari and every in-app web view — without bumping the iOS version number.

Enterprise IT teams can deploy RSRs via MDM software update commands through BlackBerry UEM, Microsoft Intune, or Jamf.

Apple's iOS patch quality for enterprise deployments has improved markedly since the introduction of the declarative device management (DDM) framework in iOS 15. DDM allows MDM servers to declare a desired OS version state; the device is responsible for reaching that state autonomously, including scheduling the update installation during overnight maintenance windows without requiring persistent MDM connectivity. This reduces the dependency on MDM server uptime during patch deployment campaigns.

Patch Timing

Apple Rapid Security Responses are delivered as delta updates and typically install in under 3 minutes without a reboot. Standard iOS updates require a reboot and should be deployed during maintenance windows declared via MDM policy.

Android Enterprise and Security Patch Levels

Google publishes the Android Security Bulletin on the first Monday of each month, disclosing CVEs fixed in that month's security patch level (SPL). The bulletin is split into two partial patch levels: YYYY-MM-01 covers the Google-owned AOSP components, while YYYY-MM-05 adds Qualcomm, MediaTek, and kernel fixes. A device carrying the YYYY-MM-05 patch level has received both sets.

Device manufacturers then integrate the bulletin into their own firmware builds, which introduces a device-specific delay of typically two to four weeks for flagship models and up to three months or longer for mid-range devices.

Samsung Galaxy enterprise devices track Google's bulletin most closely, releasing monthly Security Maintenance Releases (SMRs) that add Knox-specific patches on top of the AOSP bulletin. Enterprise IT teams managing mixed Android fleets should configure compliance policies in the MDM platform to enforce a minimum SPL, automatically flagging or quarantining devices that fall behind by more than 30 days.

For BlackBerry UEM, the Android Security Patch Level compliance condition is available under Compliance Profile > Android > Minimum Security Patch Level.

BlackBerry UEM Platform Updates

BlackBerry releases UEM major versions quarterly and maintenance releases (point releases) as needed for critical fixes. The release numbering follows a major.minor.patch scheme — for example, UEM 12.21.0 is the initial Q1 2026 major release, while UEM 12.21.1 is a maintenance release addressing specific CVEs or compatibility issues discovered after general availability. BlackBerry publishes release notes for each UEM version through the BlackBerry documentation portal (docs.blackberry.com).

Upgrading the UEM server is a planned maintenance activity that typically requires 30 to 90 minutes of downtime for the management console, depending on the size of the deployment and whether the database schema requires migration. Devices remain connected to the BlackBerry Infrastructure during UEM upgrades and continue to receive email and app pushes.

The UEM Management Console is unavailable during the upgrade window, which means new device enrollments, policy changes, and remote lock/wipe commands cannot be executed. Enterprises should schedule UEM upgrades during periods when device management demand is lowest and pre-stage critical remote wipe commands in advance if operational requirements demand them.

Microsoft Intune and Windows Mobile Security

Microsoft Intune receives continuous updates as a cloud-hosted service, with feature changes rolling out weekly through Microsoft's standard cloud deployment process. Security-relevant Intune changes are disclosed in the monthly Patch Tuesday bundle (second Tuesday of each month) for the Intune service and through the Microsoft 365 Message Center for advance notice of breaking changes to MDM policies or compliance configurations.

For Windows devices managed by Intune, Windows Update for Business (WUfB) provides the primary patch deployment mechanism, with Intune compliance policies enforcing minimum build version requirements. Organizations managing mobile devices alongside Windows endpoints in Intune should track both the Intune service updates and the Windows cumulative update cadence as separate patch domains with different deployment workflows and SLAs.

VMware Workspace ONE and Third-Party MDM Platforms

VMware Workspace ONE (now part of Broadcom's acquisition portfolio, marketed as VMware by Broadcom Workspace ONE) releases security patches through its standard product update cycle. Security bulletins for Workspace ONE are published through the VMware Security Advisories portal and assigned VMSA identifiers. On-premises Workspace ONE UEM deployments require manual upgrade installation by the customer; cloud-hosted (SaaS) deployments receive patches automatically.

Third-party MDM vendors — including JAMF Pro (macOS and iOS focus), Cisco Meraki Systems Manager, and Sophos Mobile — publish their own security advisories through their respective support portals. Enterprise IT teams running non-BlackBerry MDM platforms should subscribe to their vendor's security notification channels and maintain a current patch level for all MDM infrastructure components, treating the MDM control plane with the same security priority as the managed devices themselves.

Frequently Asked Questions

How often does Apple release enterprise mobile security patches?

Apple releases iOS security patches on an irregular schedule, typically every four to six weeks for major releases and more frequently for Rapid Security Responses (RSRs) targeting actively exploited zero-days. Enterprise IT teams should monitor Apple's security releases page and subscribe to the Apple Product Security mailing list. RSRs can be deployed via MDM software update commands without requiring a full iOS version update, and they install significantly faster than full version upgrades.

What is the difference between a security patch and a feature update on Android Enterprise?

Android separates security patch level (SPL) from OS feature updates. The SPL — displayed as a date string in Settings > About Phone — reflects which Google security bulletin items have been applied. Feature updates (new Android versions) include both security fixes and new APIs. MDM platforms like BlackBerry UEM and Microsoft Intune can enforce a minimum SPL via compliance policies, blocking devices below the required patch level from accessing corporate resources, independently of whether the device has upgraded to a new Android version.

How does BlackBerry UEM handle OS update enforcement?

BlackBerry UEM enforces OS updates via Software Updates policies (iOS) and Android Enterprise system update policies. For iOS, administrators can schedule update windows, defer updates for up to 90 days, or restrict users from installing OS updates manually — useful for testing compatibility before broad deployment. For Android Enterprise fully managed devices, UEM can push system updates automatically, defer them, or block them entirely pending IT validation of new firmware.

What CVSS score threshold should trigger an emergency enterprise patch cycle?

Industry practice generally treats CVSS scores of 9.0 and above (Critical) as requiring an emergency patch cycle — particularly when the vulnerability has a known exploit in the wild or appears on CISA's Known Exploited Vulnerabilities (KEV) catalog. CVSS scores of 7.0 to 8.9 (High) should be addressed within the next scheduled maintenance window, typically within 14 days. Scores below 7.0 can follow the standard monthly patch cycle unless the vulnerability affects a component with direct access to corporate data or authentication infrastructure.

What is a Rapid Security Response on iOS?

Apple introduced Rapid Security Responses in iOS 16.4.1 as a mechanism for deploying targeted security fixes outside the standard iOS release cycle. An RSR patches a specific component — typically WebKit or the kernel — without updating the full iOS version number. The update is small and installs quickly, often without a reboot. Enterprise MDM servers can push RSR deployment via the InstallOSUpdate MDM command. Devices display the RSR as a minor version suffix, such as iOS 17.4.1 (a).

How should enterprise IT teams prioritize MDM platform patches versus OS patches?

MDM platform patches and OS patches address different attack surfaces and should not be ranked against each other — both must be maintained on current patch levels. MDM server vulnerabilities can expose the management control plane, enabling an attacker to push malicious configurations to all managed devices. OS patches address the device-side attack surface. A mature enterprise patch program runs separate tracking and SLA cycles for MDM infrastructure versus managed device OS levels.

What is Samsung Knox's patch cadence for enterprise deployments?

Samsung releases monthly Security Maintenance Releases (SMRs) for Galaxy enterprise devices, synchronizing with Google's monthly Android Security Bulletins and adding Samsung-specific patches for Knox components. Enterprise IT teams managing Samsung Knox devices should verify that their device models are still receiving monthly SMRs — Samsung's security update policy lists the active patch period per model family. Devices that have exited the monthly SMR cycle should be flagged for replacement in hardware refresh planning.

Can MDM platforms enforce third-party app patching on managed devices?

MDM platforms can enforce updates for apps distributed through the managed app catalog. On iOS, apps distributed via Apple Business Manager Volume Purchase Program (VPP) can be force-updated via the InstallApplication MDM command without user interaction on supervised devices. On Android Enterprise fully managed devices, Play Store auto-update policies can be set to High Priority. Third-party apps installed outside the managed catalog cannot be force-updated via MDM.

What are the key enterprise patch sources to monitor each month?

Essential monthly sources: Apple Security Releases (support.apple.com), Android Security Bulletin (source.android.com/security/bulletin), Microsoft Patch Tuesday (second Tuesday of each month), BlackBerry UEM release notes (docs.blackberry.com), VMware Workspace ONE security advisories, and CISA's Known Exploited Vulnerabilities catalog. Setting up RSS feeds or email subscriptions for each source creates a reliable early-warning system without requiring manual monitoring of each portal.

Latest Patch Roundup

June 2026 Enterprise Security Patches: iOS 17.5.2, Android & UEM 12.21.1

Top MDM Platform CVEs — 2026 Running Tracker

Enterprise Mobile Security Breaches: What Patch Failures Look Like

Platform Patch Schedules

iOS and iPadOS Security Releases

Android Enterprise and Security Patch Levels

BlackBerry UEM Platform Updates

Microsoft Intune and Windows Mobile Security

VMware Workspace ONE and Third-Party MDM Platforms

Frequently Asked Questions

Enterprise Patch Alerts