HomeBuild items › Tenant foundation connectors
Build items · Prepare

Tenant foundation & connectors

One-time tenant prerequisites — platform connectors, enrolment tokens, certificate infrastructure — that everything else in the build depends on. Decolla sequences them first, plans them in writing, and tracks the renewals.

Why this matters

Everything downstream of device provisioning rests on a small set of one-time tenant prerequisites, and they fail in expensive ways. Let the Apple APNs MDM push certificate lapse and every enrolled iPhone, iPad and Mac stops responding to management; renew it under a different Apple ID and the entire Apple estate needs wiping and re-enrolling. Leave the MDM auto-enrolment user scope unset and Windows devices join Entra but never actually enrol into Intune — a gap that tends to surface only when the first policy fails to arrive. And with no certificate issuing backend in place, certificate-based Wi-Fi and VPN profiles are undeployable no matter how carefully they were authored. None of this is glamorous work. It is, however, exactly where experienced admins look first, because it is where builds that looked finished quietly break months later.

What a good build does

Decolla puts tenant foundation at the front of the journey: it is the prep phase of the catalogue, sequenced before anything that depends on it. The guided wizard works through the platform connectors and tokens across Apple, Google and Samsung, the auto-enrolment scope, and the config-as-code plumbing — each captured in the written, itemised plan you approve before anything runs, with delivery method and reversibility class stated per item and anything irreversible explicitly flagged. The permission scopes Decolla requests are published before you connect your tenant.

The plan is also honest about boundaries. Apple connectors involve Apple Business Manager and your own Apple ID, so those steps are guided rather than silently automated. The certificate backend is licence-aware: Intune Cloud PKI is an Intune Suite add-on, and the plan tags it as such so nobody discovers a licensing dependency mid-deployment. Token expiry dates feed a renewal-reminder engine at T-45/30/14/7/1 days, because an annual certificate is only safe if someone is reminded well before day zero.

Where it bites people

Two failures recur often enough to be predictable.

What's in this section (11 items)

ItemTierDeliveryReversibility
Apple APNs MDM push cert (annual, same Apple ID - BLOCKING for Apple)Recommendedmanualirreversible
Apple ADE/DEP enrolment token (do NOT re-download unless renewing)Optionalmanualirreversible
Apple VPP / content token (Apps & Books)Optionalmanualirreversible
Apple D-U-N-S + Apple Business accountOptionalmanualreverse
Managed Google Play bind (no D-U-N-S, no renewal)Recommendedmanualirreversible
Android zero-touch / Samsung KMEOptionalmanualirreversible
Token renewal-reminder engine (T-45/30/14/7/1)Recommendedautomationauto
Automatic enrolment (MDM user scope)Standardmanualauto
Certificate issuing backend — Cloud PKI / NDES connectorAdvanced · Cloud PKIlicensedreverse
Tenant config-as-code baseline (export/import)Advancedscriptreverse
Third-party ADMX template importRecommendednativereverse

Reversibility: auto reverses when unassigned · reverse reversible with a documented step · irreversible flagged before you approve the plan.

See it on a real device.

Decolla is in private build — early-access members see a build defined, deployed and rolled back first.

Get early access