Onboarding iOS Devices into Intune
All new mobile phones at PBR are being onboarded to Intune.
To onboard an iOS device into Intune you must first install the Apple Configurator app on your personal phone. That phone must also be connected to Wi-Fi; the PBR Corporate Wi-Fi does not work with this process, so it needs to be on the 'internet' Wi-Fi. The iOS versions of your personal phone and the new PBR phone need to be similar, but not necessarily exactly the same (it worked for me with my personal iPhone on 18.01 and the PBR iPhone on 17.7).
The Apple Configurator app is available from the App Store (the original shows the app icon as an image here).
If the device has been reimaged, or is new and has not been enrolled by the phone supplier, start here:
- On your personal iPhone, open Apple Configurator and log in with the PBR Apple Business Manager username ([email protected]) and password (in 1Password). The MFA prompt goes to Mitch's phone. Open Settings and ensure that 'Share Wi-Fi' is enabled.
- If the phone has been used previously it must first be erased. Once erased (or if the phone is new), proceed with the guided setup until you reach the screen prompting you to connect to a Wi-Fi network. DO NOT CONNECT.
- On your personal phone, scan the screen of the new PBR phone. A QR code will appear and the new phone will then go through the process of being added to Apple Business Manager.
- Once complete, log into Apple Business Manager at https://business.apple.com with the same credentials as above and navigate to Devices.
If the device has been enrolled by the phone supplier, start here:
- Select the device you added (easiest by serial number). You now need to assign the MDM server to the device: click the three dots at top right, select Edit MDM Server and choose Intune as the PBR MDM server.
- The device record is then updated to show Intune as its MDM server (the original shows a screenshot here). This is all that needs to be done in Apple Business Manager.
- Log into Intune and navigate to Devices | Enrolment | Apple tab | Enrolment Program Tokens | select the Intune token | Devices. It can take some time to sync; if the device is not showing after a few minutes try a refresh, and if it is still not showing try a sync (this takes 15 minutes).
- Once the device is visible in Intune, you need to assign a profile. Select the device and click Assign Profile. Currently there are 23 profiles configured (see below for details of the configuration of each profile):
  - PBR Default iOS Profile - for staff who are being assigned a personal iPhone
  - PBR Shared iOS Profile - for role-based iPhones and iPads
  - PBR iPad Profile - for iPads running Survey Legend, Better Impact or Employment Hero
- Select the required profile, click Sync and wait the 15 minutes for the sync to complete.
- Return to the iPhone you are onboarding and tap Erase iPhone; the phone will then erase and restart.
- Once restarted, go through the setup prompts: language, country, appearance, Quick Start (select set up without another device), connect to Wi-Fi (choose 'internet'), Remote Management (choose Enrol this iPhone), and create a passcode (111111).
- Once you reach the home screen, the device should be visible in Intune under Devices | iOS/iPadOS Devices. This can take some time (like everything with Intune).
- Once visible, you need to assign the device (not the user) to an AAD group; this is where the majority of configuration gets applied. There are currently 3 groups set up:
  - Intune_iOS_iPhones_Individual
  - Intune_iOS_iPhones_Role
- If the device is assigned to Intune_iOS_iPhones_Individual then you also need to assign the user to AAD groups to ensure they get the correct apps. Currently there is only a single group set up for this (more will be added in the future):
  - Intune_iOS_Default_Apps - see below for details of the assigned apps
- Restart the device.
- Ensure that the device is connected to Wi-Fi.
- Open the Company Portal app, sign in with PBR user credentials (not needed on iPads or role-based iPhones) and follow the prompts.
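The group-assignment steps above are done in the Intune and Entra portals. The following is an added example, not part of the PBR runbook, that does the same thing from PowerShell with the Microsoft.Graph SDK: it confirms the device has checked in to Intune, adds the device object (not the user) to the chosen configuration group, and, for individual devices, adds the user to Intune_iOS_Default_Apps. The group names are the ones listed above; the serial number and user principal name are placeholders, and the required Graph permissions are assumed to have been granted to whoever runs it.

```powershell
# Added example (not from the PBR runbook): verify an enrolled device in Intune and
# add it to the Entra ID (AAD) group that drives its configuration.
# Requires the Microsoft.Graph PowerShell SDK; group names are from the runbook above.

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All','Device.Read.All','GroupMember.ReadWrite.All','User.Read.All'

$Serial      = 'PLACEHOLDER-SERIAL'              # placeholder: serial from the box / ABM
$UserUpn     = 'placeholder.user@example.com'    # placeholder: only used for Individual devices
$DeviceGroup = 'Intune_iOS_iPhones_Individual'   # or 'Intune_iOS_iPhones_Role'

function Add-MemberIfMissing([string]$GroupName, [string]$ObjectId) {
    # Idempotent add: re-running the script must not error on an existing membership.
    $group = Get-MgGroup -Filter "displayName eq '$GroupName'"
    if (-not $group) { throw "Group '$GroupName' not found in Entra ID" }
    $existing = (Get-MgGroupMember -GroupId $group.Id -All).Id
    if ($existing -notcontains $ObjectId) {
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $ObjectId
        Write-Host "Added $ObjectId to $GroupName"
    } else {
        Write-Host "$ObjectId is already a member of $GroupName"
    }
}

# 1. Find the Intune managed-device record by serial number.
$managed = Get-MgDeviceManagementManagedDevice -Filter "serialNumber eq '$Serial'"
if (-not $managed) { throw "Device $Serial has not checked in to Intune yet; wait for the sync and retry." }

# 2. Map the Intune record to its Entra ID device object; group membership uses that object.
$entraDevice = Get-MgDevice -Filter "deviceId eq '$($managed.AzureAdDeviceId)'"
if (-not $entraDevice) { throw "No Entra ID device object for $Serial yet" }

# 3. Put the device (not the user) into the configuration group.
Add-MemberIfMissing -GroupName $DeviceGroup -ObjectId $entraDevice.Id

# 4. Individual devices get their apps via the user, so the user joins the apps group too.
if ($DeviceGroup -eq 'Intune_iOS_iPhones_Individual') {
    $user = Get-MgUser -UserId $UserUpn
    Add-MemberIfMissing -GroupName 'Intune_iOS_Default_Apps' -ObjectId $user.Id
}

# 5. Show the resulting record; DeviceEnrollmentType reveals whether user affinity was applied.
$managed | Select-Object DeviceName, SerialNumber, OSVersion, DeviceEnrollmentType, ComplianceState, LastSyncDateTime
```

The lookup by serial number is the same check as the "best done by serial number" step in Apple Business Manager, and the final Select-Object is a quick way to confirm that the profile you assigned (with or without user affinity) is the one the device actually enrolled with before it is handed over.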
Intune Profiles - These are assigned to devices once enrolled in Intune, as part of the enrollment process above.
- PBR Default iOS Profile - for staff who are being assigned a personal iPhone
  - Devices are enrolled with User Affinity
  - Company Portal is installed
  - Users can log into the App Store with their own account and download apps
  - Setup Assistant is restricted to passcode
- PBR Shared iOS Profile - for role-based iPhones and iPads
  - Devices are enrolled without User Affinity
  - Setup Assistant is restricted to passcode
- PBR iPad Profile
  - Devices are enrolled without User Affinity
  - Setup Assistant doesn't prompt for a passcode
AAD Groups and resultant configurations - These are assigned by adding the device (or user) to the AAD group.
- Intune_iOS_iPhones_Individual - Devices in this group are configured as follows:
  - Apps are deployed based on the user (see Intune_iOS_Default_Apps below)
  - iOS Update Policy applied - set to latest update, installed at next check-in
  - Restricted Apps List Policy applied (uninstalls TikTok)
  - PBR Wi-Fi Policy - connects the device to the 'internet' Wi-Fi automatically
- Intune_iOS_iPhones_Role - Devices in this group are configured as follows:
  - The following apps are deployed automatically:
    - BOM
    - Vic Emergency
  - iOS Update Policy applied - set to latest update, installed at next check-in
  - Restricted Apps List Policy applied (uninstalls TikTok)
  - PBR Wi-Fi Policy - connects the device to the 'internet' Wi-Fi automatically
  - iPhone_Role_Based_Policy
    - Block App Store
    - Disable Face ID & Touch ID
    - Hide the following built-in apps:
      - iOS native Mail app
      - Health app
      - Apple TV app
      - Podcasts app
      - Wallet app
      - Weather app
      - Home app
      - Books app
      - iTunes Store app
      - Fitness app
      - Watch app
      - Freeform app
      - Journal app
      - GarageBand app
      - Apple Music app
      - FaceTime app
      - Apple News app
      - Find My iPhone app
      - Shortcuts app
      - Tips app
- Intune_iPads_EH - WIP
  - PBR Wi-Fi Policy - connects the device to the 'internet' Wi-Fi automatically (disabled for testing)
  - Clock Me In Time & Attendance app is installed
  - Employment Hero Policy
    - Opens the Clock Me In Time & Attendance app in Kiosk mode
    - Block autolock
    - Block screen sleep
    - Disable Face ID & Touch ID
    - Block passcode modification
- Intune_iPads_BI - WIP
  - PBR Wi-Fi Policy - connects the device to the 'internet' Wi-Fi automatically
  - Better Impact Kiosk Policy
  - Better Impact URL Policy
- Intune_iPads_SL - WIP
  - PBR Wi-Fi Policy - connects the device to the 'internet' Wi-Fi automatically
  - Survey Legend Kiosk Policy
  - Survey Legend URL Policy
- Intune_iOS-Wifi
  - PBR Wi-Fi Policy - connects the device to the 'internet' Wi-Fi automatically
- Intune_iOS_Default_Apps - Members of this group get assigned the following apps:
  - Required apps - installed automatically on the device once the user signs into Company Portal:
    - Outlook
    - OneDrive
    - BOM
    - Duo
  - Optional apps - available for the user to download and install from within Company Portal:
    - Word
    - Excel
    - Teams
Make a group for the Wi-Fi policy and add individual devices to it.
- Assigned apps will be installed on the iPhone (apps are specified in Intune under Apps | iOS Apps).
- Select the device in Intune to manage it.
The Wi-Fi policy is attached to a separate AAD group to avoid issues with devices in Kiosk mode losing network connectivity when changing policies. This way a device can be removed from its Kiosk Mode group whilst staying connected. I have experienced an issue where you can get locked out of a device in kiosk mode that gets disconnected from Wi-Fi.
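Because the Wi-Fi policy lives in its own group, a kiosk device that was never added to that group will still lose connectivity when it leaves its kiosk group. The following is an added audit, not part of the PBR runbook, that lists every device object in the kiosk groups named above which is not also a member of Intune_iOS-Wifi, so the gap can be closed before any policy change. It uses the Microsoft.Graph SDK; the group names are from this page and the Graph permissions are assumed to be granted.

```powershell
# Added example (not from the PBR runbook): find kiosk-mode devices that are missing from
# the standalone Wi-Fi group, so that removing them from a kiosk group cannot drop Wi-Fi.
# Group names are the ones listed on this page; requires the Microsoft.Graph PowerShell SDK.

Connect-MgGraph -Scopes 'GroupMember.Read.All','Device.Read.All'

$WifiGroupName = 'Intune_iOS-Wifi'
$KioskGroups   = 'Intune_iPads_EH', 'Intune_iPads_BI', 'Intune_iPads_SL'

function Get-GroupDeviceIds([string]$Name) {
    # Returns the object ids of the *device* members only; user members are ignored,
    # because the Wi-Fi policy is targeted at devices.
    $group = Get-MgGroup -Filter "displayName eq '$Name'"
    if (-not $group) { throw "Group '$Name' not found in Entra ID" }
    Get-MgGroupMember -GroupId $group.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.device' } |
        ForEach-Object { $_.Id }
}

$wifiIds = @(Get-GroupDeviceIds $WifiGroupName)

$missing = foreach ($kiosk in $KioskGroups) {
    foreach ($id in Get-GroupDeviceIds $kiosk) {
        if ($wifiIds -notcontains $id) {
            $device = Get-MgDevice -DeviceId $id
            [pscustomobject]@{
                KioskGroup  = $kiosk
                DeviceName  = $device.DisplayName
                ObjectId    = $device.Id
                InWifiGroup = $false
            }
        }
    }
}

if ($missing) {
    $missing | Format-Table -AutoSize
} else {
    Write-Host "All kiosk devices are also members of $WifiGroupName"
}
```

Run this before moving a device out of a kiosk group; any row it prints is a device that would be left without the Wi-Fi policy, which is exactly the lock-out scenario described above.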
