Platform Security Briefing — January 28, 2020
Apple’s iOS and iPadOS 13.3.1 updates fix location privacy enforcement gaps and multiple CVEs in CoreFoundation, UIKit, and WebKit; enterprises must expedite deployment and verify MDM posture.
Executive briefing: Apple released iOS and iPadOS 13.3.1 on , closing location services enforcement issues tied to the U1 Ultra Wideband chip and patching vulnerabilities across FaceTime, Foundation, Kernel, and WebKit. The release also adds Mail privacy controls and bug fixes that impact managed devices.
Validated sources
- Apple security content for iOS 13.3.1 listing CVEs and affected device models.
- About privacy and Location Services confirming how U1-related location queries are handled after the update.
Control mappings
- CIS Controls v8 4.7 & 10.6: Manage mobile device configurations and apply vendor patches promptly to reduce exploitable surface area.
- NIST SP 800-53 Rev.5 CM-6 & SI-2: Enforce configuration baselines for mobile fleets and validate timely remediation of known CVEs.
- ISO/IEC 27001:2022 Annex A.8.9: Cover mobile device management and required security updates for organization-owned devices.
Implementation checklist
- Push 13.3.1 to supervised devices via MDM; require encryption and passcode policies to be revalidated after the update.
- Confirm location services prompts now respect user settings for U1 chip usage and test geofencing-dependent applications.
- Review WebKit CVE coverage and ensure managed browsers inherit the patched engine; block outdated browser builds in conditional access policies.
- Audit mail and FaceTime configurations for enterprise accounts to verify crashes or exposure paths cited in the release notes are resolved.
Fleet validation and telemetry
- Capture MDM compliance reports by business unit, highlighting devices that deferred updates or are stuck on beta profiles; open tickets to clear blockers.
- Monitor crash and battery telemetry for 48 hours after rollout to catch regressions, then widen deployment to high-sensitivity users.
- Check that certificates, VPN profiles, and Wi-Fi payloads remain trusted post-update; re-push configurations where trust stores were reset.
- Validate EDR/MDM agent health to ensure mobile detections and remote lock/wipe still function after the patch.
Assurance notes
- Capture MDM compliance reports that show device counts on 13.3.1 and track holdouts by business unit.
- Retest privacy impact assessments for apps that rely on precise location or microphone access to ensure consent flows still operate as designed.
- Document patch timelines and any exceptions for devices awaiting warranty service to demonstrate due diligence.
Business impact review
- Coordinate with app owners to retest push notification flows, CarPlay restrictions, and enterprise signing profiles that could be sensitive to OS updates.
- Validate data loss prevention controls (managed open-in, pasteboard restrictions, screenshot controls) on high-sensitivity apps after upgrading.
- Document any user experience regressions (Wi-Fi drops, Bluetooth accessories, battery drain) and provide mitigations or timelines so business stakeholders can plan.
Risk and exception handling
- Log any devices that cannot upgrade because of hardware constraints or app dependencies; apply stricter EDR monitoring and cellular data caps until replacements arrive.
- Coordinate with legal and privacy teams if location-setting changes affect consent language or previously approved privacy impact assessments.