HomeBuild items › Compliance enforcement
Build items · Secure

Compliance & enforcement

Device compliance is the trust signal Conditional Access actually reads. Decolla builds it as a full domain in your own Intune tenant — per-platform rules, hardened defaults, and a deliberate enforcement ladder — not a checkbox ticked once during setup.

Why this matters

Compliance status is the device-trust signal Conditional Access relies on. Every require compliant device rule in your tenant is only as good as the compliance policies behind it — and in most tenants those policies are thin: one Windows policy written during initial setup, nothing for macOS, Android rules that predate the current enrolment model. Meanwhile Intune ships with a default that surprises almost everyone the first time they meet it: a device with no compliance policy assigned is treated as compliant. That means Conditional Access can be granting access on a signal that was never actually evaluated. Compliance is not a checkbox inside "set up Intune"; it is its own domain, with per-platform rules, a device-risk signal, and an enforcement ladder that decides what happens — and how quickly — when a device fails.

What a good build does

Decolla's catalogue treats compliance as a full section of the plan, not a line item. Cross-platform device-trust rules cover Windows, iOS, macOS and corporate Android — each with the checks that matter on that platform, from jailbreak detection to disk encryption and firewall state — so Conditional Access is reading a signal that exists on every device type you manage. The tenant defaults are hardened so a device with no policy assigned is marked noncompliant rather than silently trusted, with a sensible validity period on the status itself. Where the Defender for Endpoint connector is in place, a machine risk-score gate folds device risk into the same compliance signal. And enforcement is deliberate rather than instant: the noncompliance action ladder defines a grace period, branded notifications to the user, and the escalation path beyond that.

Every item appears in the written, itemised plan — delivery method and reversibility class stated per item — and is approved before anything runs in your tenant. If a rule proves too aggressive for your estate, Decolla can roll back its own changes item by item.

Where it bites people

Two failure modes recur. First, the default-compliant trap: an enrolled device with no compliance policy assigned reports as compliant, so Conditional Access happily admits it. But hardening that default without first assigning policies to every platform in scope flips the failure the other way — healthy devices are marked noncompliant and users are locked out. Order matters: policies first, defaults second.

Second, zero-grace enforcement: mark devices noncompliant the instant a check fails — say, disk encryption that has not yet finished reporting on a newly built machine — and Conditional Access cuts access before the user has any chance to remediate. A grace period with clear, branded notifications is the difference between an enforcement ladder and a helpdesk queue.

What's in this section (9 items)

ItemTierDeliveryReversibility
Compliance policyRecommendedcomplianceauto
Corporate Android compliance policyRecommendedcomplianceauto
iOS compliance policy (jailbreak + min OS + passcode)Standardnativeauto
macOS compliance policy (FileVault + SIP + Gatekeeper + firewall)Recommendednativeauto
Defender for Endpoint machine risk-score compliance gateRecommended · Defender for Endpointlicensedauto
Custom compliance (PowerShell discovery script + JSON rules)Advancedscriptauto
Compliance defaults hardening (no policy = noncompliant + validity period)Standardnativereverse
Actions for noncompliance (grace period + branded notifications + retire list)Standardnativeauto
Require ConfigMgr compliance (co-managed devices)Advancednativeauto

Reversibility: auto reverses when unassigned · reverse reversible with a documented step · irreversible flagged before you approve the plan.

See it on a real device.

Decolla is in private build — early-access members see a build defined, deployed and rolled back first.

Get early access