HomeBuild items › Macos build
Build items · Platform builds

macOS build

Macs are part of the estate whether your tooling admits it or not. Decolla stages the Mac journey the same way it stages Windows — enrol, secure, apps, configure — using Intune's native macOS mechanisms rather than Windows habits ported across.

Why this matters

Most Intune estates are Windows-first. Macs arrive as exceptions — a design team, a developer, a director who prefers one — and because they are a minority, they get managed by hand or not at all. The result is predictable: laptops with no disk encryption, encryption with no recoverable key, patching left to whenever the user feels like clicking Restart, and an endpoint-protection gap on precisely the machines holding source code and creative assets.

That gap is harder to defend than it used to be. Cyber Essentials, insurers and client due-diligence questionnaires ask about the whole fleet, not the Windows fraction of it. And macOS management genuinely is different: Intune drives Macs through configuration profiles, system extensions and Apple's declarative device management (DDM), not the Windows CSP model. Habits carried across from the Windows side translate badly — which is why so many managed Macs are only nominally so.

What a good build does

Decolla's macOS section mirrors the Windows decomposition and runs in journey order on your own Intune tenant: enrol, secure, apps, configure. Enrolment brings the Mac in through Company Portal. The security stage does the things auditors actually check — FileVault enabled with the recovery key escrowed to Intune, your chosen AV/EDR agent deployed, and DDM-based update enforcement so patching runs to a deadline the operating system itself honours. The apps stage lays down the agents and applications your estate standardises on, and configuration finishes the daily-driver details that make the machine feel set up rather than merely enrolled. Compliance policy is deliberately absent here: it lives in Compliance & enforcement, alongside its Windows counterpart.

Every item is drawn from the Library — pre-built, industry-tested policies and scripts — and lands in the written plan first, with a delivery method and reversibility class stated per item. Enabling disk encryption is exactly the kind of change that gets flagged before you approve anything. Afterwards, each of Decolla's own changes can be rolled back individually.

Where it bites people

The FileVault escrow trap. Pushing an encryption policy at a Mac that is already encrypted does not escrow the existing recovery key — the key only lands in Intune when it is generated or rotated. A fleet can show encrypted in the console for months while the service desk holds recovery keys for none of it, discovered the day someone forgets their password. A proper build handles escrow and rotation explicitly rather than assuming the policy tick means the key is safe.

Deferral is not enforcement. The older Intune approach to macOS updates could hold updates back; it could not reliably make them happen. Only DDM-based enforcement, with declared deadlines the OS itself honours, actually moves a reluctant Mac. If your Macs sit versions behind while the console insists the update policy applied successfully, this is usually why.

What's in this section (10 items)

ItemTierDeliveryReversibility
macOS Intune Company Portal enrolmentRecommendednativereverse
macOS FileVault enable + escrow recovery keyRecommendedcompliancereverse
macOS AV/EDR agentRecommendednativereverse
macOS RMM/monitoring agentsOptionalnativereverse
macOS Adobe: Creative Cloud vs ReaderOptionalnativereverse
macOS default browser + homepageOptionalnativereverse
macOS default mail client (Outlook)Optionalnativereverse
macOS Outlook config (focused off + delegation)Optionalnativereverse
macOS Dock + Teams/Zoom buildOptionalnativereverse
macOS software update enforcement (DDM)Standardnativeauto

Reversibility: auto reverses when unassigned · reverse reversible with a documented step · irreversible flagged before you approve the plan.

See it on a real device.

Decolla is in private build — early-access members see a build defined, deployed and rolled back first.

Get early access