HomeBuild items › Ios ipados build
Build items · Platform builds

iOS / iPadOS build

iPhone and iPad estates fail quietly: a device that enrols but never supervises, a personal Apple ID absorbing company data. This section stages the full iPhone/iPad journey — enrol, secure, apps, configure — as an itemised, plan-approved build in your own Intune tenant.

Why this matters

In most small estates, iPhones and iPads are the least-governed devices on the books. They arrive consumer-unboxed, get signed into a personal Apple ID, and quietly become part of the company's data estate: corporate mail in the native Mail app, contacts synced to a personal iCloud, photos of whiteboards and contracts backed up to an account the organisation will never control. Nobody can prove a passcode policy exists, and because unsupervised devices cannot be compelled to update, the fleet fragments across iOS versions until the oldest handset sets your real security posture.

When a cyber-insurance questionnaire asks whether mobile devices are encrypted, passcoded and patched, "we think so" is the honest answer more often than anyone admits. The gap is rarely knowledge — most admins know what ABM, ADE and supervision are. It is the long tail of small, ordered steps that nobody has written down.

What a good build does

Decolla stages the iPhone/iPad journey in your own Intune tenant as four ordered phases: enrol, secure, apps, configure. Enrolment starts at the foundations — ADE/ABM token sync and profile assignment, so devices arrive supervised rather than limping in as quasi-BYOD. The secure phase makes protection enforced rather than requested, anchored by a supervised software-update policy. Apps and configuration bind the working stack to the mailbox, then handle the unglamorous end: scoping what syncs where, and a written re-enrolment routine for the day the device changes hands.

Every item comes from the Library and lands as a line in the written plan with its delivery method and reversibility class, irreversible steps flagged, before anything runs. Core-catalogue items are pre-built and industry-tested; a small number in this section carry an explicit client-specific flag — single-client provenance, no broader market evidence yet — so they sit in a client-SOP tier rather than the core catalogue. We would rather label that honestly than pad the list. Per-item rollback covers Decolla's own changes; the compliance policy itself lives in Compliance & enforcement.

Where it bites people

The supervision gap. The Apple Business Manager server token that feeds ADE expires annually, and the renewal notice goes to whoever set it up — often someone who has since left. Miss it and new devices stop enrolling properly; worse, a device wiped for reassignment can come back unsupervised, at which point your update policy silently stops applying to it. That is why token sync and a written re-enrolment SOP are explicit plan items rather than assumed background.

The personal-iCloud leak. Deliver mail through Outlook but leave the native Exchange account full-scope and users get duplicate mailboxes. Leave iCloud backup unscoped and company photos, contacts and calendars are backed up into a personal Apple account — and walk out with the employee. The build scopes the native account to contacts and calendar only (caller ID still works) and excludes corporate data classes from iCloud backup, each as its own reversible line in the plan.

What's in this section (21 items)

ItemTierDeliveryReversibility
iOS ADE/ABM token sync + profile assignRecommendednativeirreversible
Add user to iOS Intune enrolment groupOptionalnativeauto
iOS Company Portal registerRecommendednativereverse
Managed iCloud identity (management-only)Optionalmanualreverse
iOS standard build passcodeOptionalmanualreverse
Mobile Defender protection (iOS)Recommendedcompliancereverse
Authenticator MFA pairing (iOS)Recommendednativereverse
iOS Edge buildOptionalnativereverse
iOS Outlook configOptionalnativereverse
Zoom on iOS bound to Exchange (SSO+EWS)Optionalnativereverse
OneDrive Camera Upload as photo backendOptionalmanualreverse
iOS native Exchange: Contacts+Calendar onlyOptionalnativereverse
iCloud backup scoping (exclude Photos/mail/contacts/cal)Optionalmanualreverse
iOS home/display cleanupOptionalmanualreverse
iOS asset register + rename to userOptionalmanualreverse
iOS re-enrolment SOPOptionalmanualreverse
App Store / Apple Pay address on managed accountOptionalmanualreverse
Travel eSIM app + expense policy noteOptionalnativereverse
iOS/iPadOS software update policy (supervised)Standardnativeauto
WhatsApp iCloud encrypted daily backup — iOS (include videos)Recommendedmanualreverse
Set Exchange as default contacts + calendar account — iOSRecommendedmanualreverse

Reversibility: auto reverses when unassigned · reverse reversible with a documented step · irreversible flagged before you approve the plan.

See it on a real device.

Decolla is in private build — early-access members see a build defined, deployed and rolled back first.

Get early access