
Onboarding into Intune

All new mobile phones at PBR are being onboarded to Intune.

To onboard an iOS device into Intune you must first install the Apple Configurator app on your personal phone. That phone must also be connected to Wi-Fi; the PBR Corporate Wi-Fi doesn't work with this process, so it needs to be connected to the Internet Wi-Fi. The iOS versions of your personal phone and the new PBR phone need to be similar, but not necessarily exactly the same (it worked for me with my personal iPhone on 18.01 and the PBR iPhone on 17.7).

The Apple Configurator app is available from the App Store.

  • Open your personal iPhone and log into Apple Configurator with the PBR Apple Business Manager username ([email protected]) and password (in 1Password). This MFAs to Mitch's phone. Click on Settings and ensure that 'Share Wi-Fi' is enabled.
  • If the phone has been used previously then it must first be erased. Once erased, or if new, proceed with the guided setup until you get to the screen prompting you to connect to a Wi-Fi network (DO NOT CONNECT).
  • On your personal phone, scan the screen of the new PBR phone and a QR code will appear, and then the new phone will go through the process of being added to Apple Business Manager.
  • Once complete, log into Apple Business Manager (https://business.apple.com) with the same creds as above. Navigate to Devices.
  • If the device has been enrolled by the phone supplier then you can start here.
Select the device you added (best done by serial number). You now need to assign the MDM server to the device: click on the 3 dots at the top right, select edit MDM server, select Intune as the PBR MDM Server and click [image: button]. The new device will now be updated. This is all that needs to be done in Apple Business Manager.

Log into Intune and navigate to Devices | Enrolment | Apple tab | Enrolment Program Tokens | Select Intune Token | Devices. It can take some time to sync; if it's not showing after a few minutes try a refresh, and if it's still not showing try a sync (this will take 15 mins).

Once the device is visible in Intune, you need to assign a profile. Select the device and click Assign Profile. Currently there are 2 profiles configured (see below for details of the configuration for each profile):

  • PBR Default iOS Profile - This is for staff that are being assigned a personal iPhone

  • PBR Shared iOS Profile - This is for role-based iPhones & iPads

Select the required profile, click sync and wait the 15 minutes for the sync to complete.

Return to the iPhone you are onboarding and click Erase iPhone; the phone will then erase and restart. Once restarted, go through the setup prompts:

  • Language
  • Country
  • Appearance
  • Quick Start (select setup without another device)
  • Connect to Wi-Fi (choose internet)
  • Remote Management (choose enroll the iPhone)
  • Create a passcode (123456)

Once you get to the home screen, the device should be visible in Intune under Devices | iOS/iPadOS Devices. It can take some time (like everything with Intune).

Once visible, you need to assign the device (not the user) to an AAD group (this is where the majority of configuration gets applied). There are currently 3 groups set up:

  • Intune_iOS_iPhones_Individual
  • Intune_iOS_iPhones_Role
  • Intune_iOS_iPads

If the device is assigned to Intune_iOS_iPhones_Individual then you need to assign the user to AAD groups as well to ensure they get the correct apps. Currently there is only a single group set up for this (more will be added in the future):

  • Intune_iOS_Default_Apps - See below for details of assigned apps

Then, on the device:

  • Restart the device
  • Ensure that the device is connected to Wi-Fi
  • Open the Company Portal app and sign in with PBR user creds (not needed on iPads or iPhones that are role based)
  • Follow the prompts


Intune Profiles - These are assigned to devices once enrolled in Intune

  • PBR Default iOS Profile - This is for staff that are being assigned a personal iPhone
      • Devices are enrolled with User Affinity
      • Company Portal is installed
      • Users can log into App store with own account and download apps
      • Setup Assistant is restricted to passcode
  • PBR Shared iOS Profile - This is for role-based iPhones & iPads
      • Devices are enrolled without User Affinity
      • Setup Assistant is restricted to passcode

AAD Groups and resultant configurations - These are assigned by adding the device (or user) to the AAD group

  • Intune_iOS_iPhones_Individual - Devices in this group are configured as follows:
      • Apps are deployed based on user (see below Intune_iOS_Default Apps)
      • iOS Update Policy Applied
      • Restricted Apps List Policy Applied (Uninstalls TikTok)
  • Intune_iOS_iPhones_Role - Devices in this group are configured as follows:
      • Get the following Apps automatically deployed
          • BOM
      • iOS Update Policy Applied
      • Restricted Apps List Policy Applied (Uninstalls TikTok)
      • iPhone_Role_Based_Policy
          • Block App Store
          • Disable changing passcode
          • Disable Face ID & Touch ID
          • Hide the following built in Apps -
              • iOS Native Mail App
              • Health App
              • Apple TV App
              • Podcasts App
              • Wallet App
              • Weather App
              • Home App
              • Books App
              • iTunes Store App
              • Fitness App
              • Watch App
              • Freeform App
              • Journal App
              • GarageBand App
              • Apple Music App
              • FaceTime App
              • Apple News App
              • Find My iPhone App
              • Shortcuts App
              • Tips App
  • Intune_iOS_iPads - WIP
  • Intune_iOS_Default Apps - Members of this group get assigned the following Apps -
      • Required Apps - installed automatically on the device once the user signs into Company Portal
          • Outlook
          • OneDrive
          • BOM
          • Duo
      • Optional Apps - are available for download and installation by user from within Company Portal
          • Word
          • Excel
          • Teams


                               

Assigned apps will be installed on the iPhone (apps are specified in Intune, Apps | iOS Apps).

Select the device and you can manage the device.

Configuration Profiles - Devices | iOS | Configuration
Policies can be configured here to restrict device use, e.g. block camera, or set up Wi-Fi.

iOS updates are specified in a policy under Devices | iOS/iPad | iOS Updates.
Set to Latest update and update at next check-in (should possibly look to change to schedule out of hours).

                                 

                                 

                                 
