iOS / iPadOS build
iPhone and iPad estates fail quietly: a device that enrols but never supervises, a personal Apple ID absorbing company data. This section stages the full iPhone/iPad journey — enrol, secure, apps, configure — as an itemised, plan-approved build in your own Intune tenant.
Why this matters
In most small estates, iPhones and iPads are the least-governed devices on the books. They arrive consumer-unboxed, get signed into a personal Apple ID, and quietly become part of the company's data estate: corporate mail in the native Mail app, contacts synced to a personal iCloud, photos of whiteboards and contracts backed up to an account the organisation will never control. Nobody can prove a passcode policy exists, and because unsupervised devices cannot be compelled to update, the fleet fragments across iOS versions until the oldest handset sets your real security posture.
When a cyber-insurance questionnaire asks whether mobile devices are encrypted, passcoded and patched, "we think so" is the honest answer more often than anyone admits. The gap is rarely knowledge — most admins know what ABM, ADE and supervision are. It is the long tail of small, ordered steps that nobody has written down.
What a good build does
Decolla stages the iPhone/iPad journey in your own Intune tenant as four ordered phases: enrol, secure, apps, configure. Enrolment starts at the foundations — ADE/ABM token sync and profile assignment, so devices arrive supervised rather than limping in as quasi-BYOD. The secure phase makes protection enforced rather than requested, anchored by a supervised software-update policy. Apps and configuration bind the working stack to the mailbox, then handle the unglamorous end: scoping what syncs where, and a written re-enrolment routine for the day the device changes hands.
Every item comes from the Library and lands as a line in the written plan with its delivery method and reversibility class, irreversible steps flagged, before anything runs. Core-catalogue items are pre-built and industry-tested; a small number in this section carry an explicit client-specific flag — single-client provenance, no broader market evidence yet — so they sit in a client-SOP tier rather than the core catalogue. We would rather label that honestly than pad the list. Per-item rollback covers Decolla's own changes; the compliance policy itself lives in Compliance & enforcement.
Where it bites people
The supervision gap. The Apple Business Manager server token that feeds ADE expires annually, and the renewal notice goes to whoever set it up — often someone who has since left. Miss it and new devices stop enrolling properly; worse, a device wiped for reassignment can come back unsupervised, at which point your update policy silently stops applying to it. That is why token sync and a written re-enrolment SOP are explicit plan items rather than assumed background.
The personal-iCloud leak. Deliver mail through Outlook but leave the native Exchange account full-scope and users get duplicate mailboxes. Leave iCloud backup unscoped and company photos, contacts and calendars are backed up into a personal Apple account — and walk out with the employee. The build scopes the native account to contacts and calendar only (caller ID still works) and excludes corporate data classes from iCloud backup, each as its own reversible line in the plan.
What's in this section (21 items)
| Item | Tier | Delivery | Reversibility |
|---|---|---|---|
| iOS ADE/ABM token sync + profile assign | Recommended | native | irreversible |
| Add user to iOS Intune enrolment group | Optional | native | auto |
| iOS Company Portal register | Recommended | native | reverse |
| Managed iCloud identity (management-only) | Optional | manual | reverse |
| iOS standard build passcode | Optional | manual | reverse |
| Mobile Defender protection (iOS) | Recommended | compliance | reverse |
| Authenticator MFA pairing (iOS) | Recommended | native | reverse |
| iOS Edge build | Optional | native | reverse |
| iOS Outlook config | Optional | native | reverse |
| Zoom on iOS bound to Exchange (SSO+EWS) | Optional | native | reverse |
| OneDrive Camera Upload as photo backend | Optional | manual | reverse |
| iOS native Exchange: Contacts+Calendar only | Optional | native | reverse |
| iCloud backup scoping (exclude Photos/mail/contacts/cal) | Optional | manual | reverse |
| iOS home/display cleanup | Optional | manual | reverse |
| iOS asset register + rename to user | Optional | manual | reverse |
| iOS re-enrolment SOP | Optional | manual | reverse |
| App Store / Apple Pay address on managed account | Optional | manual | reverse |
| Travel eSIM app + expense policy note | Optional | native | reverse |
| iOS/iPadOS software update policy (supervised) | Standard | native | auto |
| WhatsApp iCloud encrypted daily backup — iOS (include videos) | Recommended | manual | reverse |
| Set Exchange as default contacts + calendar account — iOS | Recommended | manual | reverse |
Reversibility: auto reverses when unassigned · reverse reversible with a documented step · irreversible flagged before you approve the plan.
See it on a real device.
Decolla is in private build — early-access members see a build defined, deployed and rolled back first.
Get early access