Onboarding iOS Devices into Intune
All new iOS devices (iPhones and iPads) at PBR are being onboarded to Intune.
Onboarding Device to Apple Business Manager
If the device has already been enrolled by the phone supplier, skip to the step marked below for supplier-enrolled devices. Otherwise, continue here.
To onboard an iOS device into Apple Business Manager you must first install the Apple Configurator app on your personal phone. This phone must also be connected to Wi-Fi; the PBR Corporate Wi-Fi does not work with this process, so connect it to the Internet Wi-Fi instead. The iOS versions of your personal phone and the new PBR phone need to be similar, but not necessarily identical (it worked for me with my personal iPhone on 18.01 and the PBR iPhone on 17.7).
The Apple Configurator app is available from the App Store.
** If the device has been reimaged, or is new and not enrolled by the phone supplier, start here
- On your personal iPhone, open Apple Configurator and log in with the PBR Apple Business Manager username ([email protected]) and password (in 1Password). The MFA prompt goes to Mitch's phone. Open Settings and ensure that 'Share Wi-Fi' is enabled.
- If the phone has been used previously it must first be erased. Once erased (or if new), proceed with the guided setup until you reach the screen prompting you to connect to a Wi-Fi network. DO NOT CONNECT.
- On your personal phone, scan the screen of the new PBR phone; a QR code will appear, and the new phone will then go through the process of being added to Apple Business Manager.
- Once complete, log into Apple Business Manager (https://business.apple.com) with the same credentials as above and navigate to Devices.
** If the device has been enrolled by the phone supplier, start here
- Select the device you added (best done by serial number). You now need to assign the MDM server to the device: click the 3 dots (top right), select Edit MDM Server and select Intune as the PBR MDM server.
- The device's MDM server assignment will then update. This is all that needs to be done in Apple Business Manager.
- Once the device is visible in Intune, you need to assign the device (not the user) to an AAD group; this is where the majority of configuration gets applied. There are currently 3 groups set up:
  - Intune_iOS_iPhones_Individual
  - Intune_iOS_iPhones_Role
- If the device is assigned to Intune_iOS_iPhones_Individual then you also need to assign the user to AAD groups to ensure they get the correct apps. Currently there is only a single group set up for this (more will be added in the future):
  - Intune_iOS_Default_Apps - see below for details of the assigned apps
- Restart the device
- Ensure that the device is connected to Wi-Fi
- Open the Company Portal app and sign in with PBR user creds (not needed on iPads or role-based iPhones), then follow the prompts
Intune Profiles - These are assigned to devices as part of the enrollment process above
- PBR Default iOS Profile - This is for staff who are being assigned a personal iPhone
  - Devices are enrolled with User Affinity
  - Company Portal is installed
  - Users can log into the App Store with their own account and download apps
  - Setup Assistant is restricted to passcode

- PBR Shared iOS Profile - This is for role-based iPhones & iPads
  - Devices are enrolled without User Affinity
  - Setup Assistant is restricted to passcode

- PBR iPad Profile
  - Devices are enrolled without User Affinity
  - Setup Assistant doesn't prompt for passcode

AAD Groups and resultant configurations - These are assigned by adding the device (or user) to the AAD group
- Intune_iOS_iPhones_Individual - Devices in this group are configured to -
  - Apps are deployed based on the user (see Intune_iOS_Default Apps below)
  - iOS Update Policy applied - set to latest update and update at next check-in
  - Restricted Apps List Policy applied (uninstalls TikTok)
  - PBR Wi-Fi Policy - connects the device to the 'internet' Wi-Fi automatically

- Intune_iOS_iPhones_Role - Devices in this group are configured to -
  - Get the following apps automatically deployed
    - BOM
    - Vic Emergency
  - iOS Update Policy applied - set to latest update and update at next check-in
  - Restricted Apps List Policy applied (uninstalls TikTok)
  - PBR Wi-Fi Policy - connects the device to the 'internet' Wi-Fi automatically
  - iPhone_Role_Based_Policy
    - Block App Store
    - Disable Face ID & Touch ID
    - Hide the following built-in apps -
      - iOS Native Mail App
      - Health App
      - Apple TV App
      - Podcasts App
      - Wallet App
      - Weather App
      - Home App
      - Books App
      - iTunes Store App
      - Fitness App
      - Watch App
      - Freeform App
      - Journal App
      - GarageBand App
      - Apple Music App
      - Apple News App
      - Find My iPhone App
      - Shortcuts App
      - Tips App

- Intune_iPads_EH - WIP
  - Clock Me In Time & Attendance app is installed
  - Employment Hero Policy
    - Opens the Clock Me In Time & Attendance app in Kiosk mode
    - Block autolock
    - Block screen sleep
    - Disable Face ID & Touch ID
    - Block passcode modification

- Intune_iPads_BI - WIP
  - Better Impact Kiosk Policy
  - Better Impact URL Policy

- Intune_iPads_SL - WIP
  - Survey Legend Kiosk Policy

- Intune_iOS-Wifi
  - PBR Wi-Fi Policy - connects the device to the 'internet' Wi-Fi automatically

- Intune_iOS_Default Apps - Members of this group get assigned the following apps -
  - Required Apps - installed automatically on the device once the user signs into Company Portal
    - Outlook
    - OneDrive
    - BOM
    - Duo
  - Optional Apps - available for download and installation by the user from within Company Portal
    - Word
    - Excel
    - Teams
  - Assigned apps will be installed on the iPhone (apps are specified in Intune under Apps | iOS Apps)
  - In Intune, select the device to manage it

Wi-Fi policy group - The PBR Wi-Fi Policy is attached to a separate AAD group (Intune_iOS-Wifi); add individual devices to it. This avoids devices in Kiosk mode losing network connectivity when policies change: a device can be removed from its Kiosk Mode group while still staying connected. I have experienced an issue where you can get locked out of a device in kiosk mode that gets disconnected from Wi-Fi.
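The group assignments above (device to an AAD group, Wi-Fi group kept separate so a kiosk device never loses connectivity while its policy set changes) can be scripted so the order is always the same. The script below is an added example, not part of this runbook or of PBR's tooling; it uses the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph modules are installed, that the signed-in admin can consent to the listed scopes, and that the device has already synced from Apple Business Manager into Intune. The group names are the ones listed on this page; the serial number is a placeholder you supply.

```powershell
# Added example (not PBR's code): put a newly enrolled iOS device into its AAD groups,
# Wi-Fi group first, using the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph modules installed; admin can consent to the scopes below;
# the device has synced from Apple Business Manager into Intune already.
param(
    [Parameter(Mandatory)] [string] $SerialNumber,   # placeholder, e.g. 'PLACEHOLDER-SERIAL'
    [ValidateSet('Intune_iOS_iPhones_Individual', 'Intune_iOS_iPhones_Role')]
    [string] $RoleGroup = 'Intune_iOS_iPhones_Individual',
    [string] $WifiGroup = 'Intune_iOS-Wifi'
)

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All', 'Device.Read.All',
                        'Group.Read.All', 'GroupMember.ReadWrite.All'

# 1. Find the Intune managed device by serial number (the page recommends matching on serial).
$managed = Get-MgDeviceManagementManagedDevice -Filter "serialNumber eq '$SerialNumber'"
if (-not $managed) {
    throw "No Intune device with serial $SerialNumber; check it has synced from Apple Business Manager."
}

# 2. Resolve the matching Entra ID (AAD) device object. Group membership is applied to this
#    object, not to the Intune record and not to the user.
$aadDevice = Get-MgDevice -Filter "deviceId eq '$($managed.AzureAdDeviceId)'"
if (-not $aadDevice) {
    throw "Intune device $($managed.DeviceName) has no Entra ID device object yet."
}

function Add-DeviceToGroup {
    param([string] $GroupName, [string] $DeviceObjectId)
    $group = Get-MgGroup -Filter "displayName eq '$GroupName'"
    if (-not $group) { throw "Group '$GroupName' not found." }

    # Idempotent: skip if already a member so the script can be re-run safely.
    $members = Get-MgGroupMember -GroupId $group.Id -All
    if ($members.Id -contains $DeviceObjectId) {
        Write-Host "${GroupName}: already a member"
        return
    }
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $DeviceObjectId
    Write-Host "${GroupName}: added"
}

# 3. Wi-Fi group FIRST, so a device that later lands in a kiosk-mode group keeps its network
#    connection when its policy set changes (the lockout scenario described above).
Add-DeviceToGroup -GroupName $WifiGroup -DeviceObjectId $aadDevice.Id
Add-DeviceToGroup -GroupName $RoleGroup -DeviceObjectId $aadDevice.Id

# 4. Show the resulting group memberships for the change record.
Get-MgDeviceMemberOf -DeviceId $aadDevice.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] } |
    Sort-Object
```

Run it as `.\Add-IosDeviceGroups.ps1 -SerialNumber <serial> -RoleGroup Intune_iOS_iPhones_Role` (file name is your choice). The membership check before each add makes the script safe to re-run on a device that was half-configured by hand, and the final listing gives you something to paste into the change record.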