Enterprise Android patch management has a structural lag problem. Google publishes the Android Security Bulletin on the first Monday of each month. From that date, the clock to full fleet coverage runs not just on enterprise deployment schedules, but on a chain of dependencies that Google does not control: OEM firmware compilation, carrier approval, and device model support status.
The June 2026 bulletin is a useful case study. It patches CVE-2025-48595, a zero-day with confirmed active exploitation. The vulnerability has existed in production with a working exploit. The patch is now available. How long will it take for that patch to reach every Android device in your enterprise fleet?
The OEM Lag
Google Pixel devices receive Android security updates on the same day as the bulletin publication. No OEM modification, no carrier review — Pixel devices are the reference implementation and update directly from Google’s distribution infrastructure.
Every other Android device operates differently. OEMs receive the Android security patch set in advance of publication (under embargo), but must compile those patches into their specific firmware builds, test them against their customised Android variant (Samsung One UI, Xiaomi MIUI, and others have significant customisation on top of AOSP), and release through their own distribution infrastructure.
Typical OEM lag times as of mid-2026:
- Samsung Galaxy (including enterprise S-series and XCover rugged): 2–4 weeks after the Google bulletin, varying by device model and region
- Motorola (enterprise-class Edge and Moto G series): 4–8 weeks, with some models receiving updates quarterly rather than monthly
- TCL/Alcatel (budget enterprise deployments): monthly updates available only for flagship models; mid-range devices may receive only quarterly or biannual security updates
Inventory-Driven Patch Management
The practical first step for enterprise Android patch management is an accurate inventory. Most organisations cannot accurately answer the question “which Android devices in our fleet are running which Android version and security patch level?” without querying their EMM platform.
Required inventory data per device:
| Field | Why It Matters |
|---|---|
| Android version | Determines whether bulletin patches apply at all (June 2026 bulletin affects Android 14+) |
| Security patch level | Current patch level — what bulletin date the device has applied |
| Device model | Determines OEM update timeline and support status |
| OEM | Determines update source (Google Play, Samsung Knox, OEM OTA) |
| Management mode | Device Owner, Work Profile, or COPE — affects update deployment methods |
Query commands by EMM platform:
Microsoft Intune: Reports → Device compliance → Filter by OS = Android, sort by “OS version.” Export to CSV for policy planning. The “Security patch level” field reflects the installed Android security update date.
VMware Workspace ONE: Navigate to Devices → List View → Android. Add columns for Android OS version and Security Patch Level. Export and sort by patch level to identify oldest-patched devices.
Google Workspace (zero-touch): Admin Console → Devices → Mobile & endpoints → Android. Filter by security patch level to identify devices behind the current bulletin.
Update Deployment Policy
For EMM-managed Android Enterprise devices in Device Owner mode (fully managed devices), IT administrators have direct control over when devices apply OS updates.
Microsoft Intune — Android Enterprise OS update policy:
Navigate to: Devices → Manage devices → Configuration → Create → Android Enterprise → Fully managed, dedicated, and corporate-owned work profile → Device restrictions → System update.
Set system update type to Automatic with a maintenance window. This installs OEM updates automatically within the defined maintenance window (typically overnight, aligned with business hours in the device’s timezone).
For the June 2026 bulletin specifically, given the zero-day, consider temporarily setting a mandatory immediate update policy and overriding the normal maintenance window.
Samsung Knox — update management:
Samsung Knox E-FOTA (Enterprise Firmware Over the Air) allows direct control over Samsung security update deployment, independent of the carrier approval cycle. For enterprise Samsung Knox fleets, E-FOTA is the fastest path to fleet-wide June 2026 patch coverage.
Handling Devices That Cannot Be Updated
Some devices in enterprise fleets will not receive the June 2026 Android security update, either because:
- The device model has exceeded OEM support lifetime
- The device is running Android 13 or earlier (not affected by June 2026 critical patches, but may be affected by other bulletin content)
- The carrier has not approved the OEM firmware update
For devices that cannot be patched within a defined SLA (recommendation: 14 days for bulletins containing actively exploited vulnerabilities):
Option 1 — Remove from enterprise access: Revoke access to corporate email, VPN, and enterprise applications until the device is updated. Intune, Workspace ONE, and Google Workspace all support conditional access policies that can block enterprise access for devices below a minimum patch level.
Option 2 — Risk-accept with compensating controls: For devices where enterprise access cannot be immediately revoked (field operations, healthcare, logistics), document the exception with a defined remediation timeline and apply Mobile Threat Defence (MTD) monitoring to detect exploitation attempts.
Option 3 — Hardware refresh: Devices that have reached OEM support end-of-life and will not receive further security updates should be scheduled for hardware refresh. Running unsupported Android hardware in enterprise environments is an ongoing risk that accumulates with each monthly bulletin.
Tracking Coverage Over Time
The goal metric for enterprise Android patch management is the percentage of the fleet at the "current minus one" bulletin security patch level or newer. "Current minus one" accounts for the OEM lag: expecting 100% of the fleet at the exact current bulletin date is unrealistic given the OEM compilation and testing cycle.
Monthly tracking: export fleet patch level data from the EMM and calculate the percentage distribution. If more than 10% of the fleet is more than two bulletin cycles behind (two months), the update deployment policy needs review.
For the June 2026 bulletin specifically, flag devices that are still on February 2026 or earlier security patch levels as priority remediation targets — these devices are four months behind and have been exposed to multiple months of published vulnerabilities without patching.
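The inventory, SLA and tracking steps above all reduce to the same computation over an EMM export: parse each device's security patch level, count how many monthly bulletin cycles it is behind, and derive the coverage percentage, the stale share that triggers a policy review, the February 2026 priority targets, and the set a minimum-patch-level conditional access rule would block. The script below is an added example, not code from the article or from any EMM vendor; the column names and the sample rows are constructed for illustration, and it assumes the patch level is exported as the `YYYY-MM-DD` string Android itself reports.

```python
"""Fleet patch-level analysis over an EMM CSV export.

Added example, not part of the original article or any EMM vendor's tooling.
The column names below and the sample rows are constructed assumptions.
"""
import csv
import io
from collections import Counter
from datetime import date

# Constructed sample export (not real fleet data). security_patch_level is the
# YYYY-MM-DD value Android reports as ro.build.version.security_patch.
SAMPLE_EXPORT = """device_id,model,oem,android_version,security_patch_level
d001,Pixel 9,Google,15,2026-06-01
d002,Galaxy S25,Samsung,15,2026-05-01
d003,Galaxy XCover7,Samsung,14,2026-04-01
d004,Edge 50,Motorola,14,2026-02-01
d005,Moto G Power,Motorola,13,2025-11-01
d006,Galaxy S24,Samsung,14,2026-06-01
"""

CURRENT_BULLETIN = date(2026, 6, 1)   # June 2026 bulletin


def parse_patch_level(value):
    """Parse a YYYY-MM-DD patch level into a date; None if missing or malformed."""
    try:
        year, month, day = (int(p) for p in value.strip().split("-"))
        return date(year, month, day)
    except (ValueError, AttributeError):
        return None


def bulletins_behind(patch_level, current=CURRENT_BULLETIN):
    """Whole monthly bulletin cycles between a device's patch level and current."""
    return (current.year - patch_level.year) * 12 + (current.month - patch_level.month)


def load_fleet(csv_text):
    """Read the export and attach a parsed patch date to every row."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["patch_date"] = parse_patch_level(row.get("security_patch_level"))
    return rows


def coverage_report(rows, current=CURRENT_BULLETIN, max_lag=2, review_threshold=10.0):
    """Share of fleet at current-minus-one or newer, plus the stale share.

    A device whose patch level cannot be parsed is counted as stale: an unknown
    level must not be assumed current.
    """
    if not rows:
        raise ValueError("empty export")
    lag = Counter()
    for row in rows:
        d = row["patch_date"]
        lag["unknown" if d is None else bulletins_behind(d, current)] += 1
    total = len(rows)
    at_target = lag[0] + lag[1]                      # current or current minus one
    stale = sum(n for k, n in lag.items() if k == "unknown" or k > max_lag)
    stale_pct = round(100.0 * stale / total, 1)
    return {
        "total": total,
        "at_current_minus_one_pct": round(100.0 * at_target / total, 1),
        "stale_pct": stale_pct,
        "policy_review_needed": stale_pct > review_threshold,   # the 10% rule
    }


def priority_targets(rows, cutoff=date(2026, 2, 1)):
    """Device ids still on the cutoff bulletin or earlier (Feb 2026 or older)."""
    return sorted(r["device_id"] for r in rows
                  if r["patch_date"] is not None and r["patch_date"] <= cutoff)


def below_minimum(rows, minimum):
    """Device ids a minimum-patch-level conditional access rule would block:
    patch level older than `minimum`, or no parseable level at all."""
    return sorted(r["device_id"] for r in rows
                  if r["patch_date"] is None or r["patch_date"] < minimum)


if __name__ == "__main__":
    fleet = load_fleet(SAMPLE_EXPORT)
    print(coverage_report(fleet))
    print("priority remediation:", priority_targets(fleet))
    print("blocked below 2026-05-01:", below_minimum(fleet, date(2026, 5, 1)))
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the file contents and mapping the EMM's column names onto the ones assumed here. Devices with a blank or malformed patch level are deliberately treated as stale and as blocked, since the one thing an unknown level cannot be is proof of compliance.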