Preparing and Issuing iPhones

  1. Ensure the iPhone device is properly inventoried and checked into the MDM system. See the procedure for checking in a mobile device for more information.
    • In FreshService Inventory?
    • In Apple Device manager?
    • In MDM with appropriate configuration profile?

  2. Ensure cellular service is activated and correct Employee Name and Cost Code are configured in cellular portal.
    • Name fields should include the employee "<First Name>" in the First Name field and "<Last Name>" in the Last Name field.  Example: "John" and "Smith"

    • The Cost Code / Department field should contain the Telecom GL Account for the employee's home department. Example: "10-XX-XX-7320"

    • Verizon (US)
      • iPhones are typically configured with the Verizon Business Unlimited 2.0 Plus (50255) plan. ($??). An equipment protection plan should be declined.
    • Rogers (Canada)
      • iPhones are typically configured with the 20GB Pooled Voice & Data plan. ($??). An equipment protection plan should be declined.

  3. Ensure user's mobile phone number is configured in the Mobile Phone field for the user in Active Directory. This will replicate to Azure Active Directory. 

  4. Power on and activate device.

  5. Microsoft Endpoint Manager will download and automatically launch the Intune Company Portal app in kiosk mode.

  6. Enter the user's Landmark credentials to re-register the device in MDM and begin provisioning process.

    Note: If device is for a new employee, log on using the default credentials for a new employee. If configuring for an existing user, coordinate with the user to log in and authenticate with MFA codes. You may need to clear the MFA requirement on the user if the device being issued is an iPhone replacement.

  7. Add the device to the appropriate Devices Security Group in Azure Active Directory to ensure all App Configuration policies are applied.
    • LSLP Field Mobile Devices (Manual)

    • A dynamic group will auto-populate as a backup for this group as well.

  8. Endpoint Manager will download the configuration profiles and all apps. Let all assigned apps and settings complete downloading / installation before proceeding.

  9. Log into the apps using default credentials to establish base configuration.
    • Microsoft Apps (Outlook, Teams, Office, OneDrive, Edge)
    • Teams
      • Allow Camera, Microphone, and Bluetooth access.
      • Allow notifications.
    • Procore app
    • Sign into iCloud using the user's managed AppleID (@teamlandmark.com).
      • Disable iCloud synching of Mail, Contacts, Calendar, Notes and all items other than Photos.
    • ConnectWise Control / ScreenConnect app
      • Configure support URL:  control.teamlandmark.com

  10. Prior to starting Onboarding meeting, complete the user’s MFA provisioning following the steps outlined in the Assignment of Azure Active Directory Security Groups support article.
    https://teamlandmark.freshservice.com/support/solutions/articles/2000040150

    Configuring these groups will result in the user being prompted to configure MFA when logging into Outlook, Teams, or other Microsoft-based services. The user may manually access the MFA configuration screens by navigating to "https://aka.ms/mfasetup" in a modern web browser.

  11. ALL STEPS FROM THIS POINT FORWARD SHOULD BE PERFORMED BY THE USERS UNLESS SPECIAL CIRCUMSTANCES PREVENT THIS. HAVING THE USER PERFORM THESE STEPS IMPARTS KNOWLEDGE OF HOW THE SYSTEMS WORK.

  12. Update credential information
    • Configure MFA Methods.
    • Configure Authenticator app.
    • Change @teamlandmark.com password.
    • Change device PIN.

  13. Have user log into all apps and services and verify they are working.
    • Microsoft Apps (Outlook, Teams, Office, OneDrive, Edge)
    • Microsoft Authenticator
    • Procore
    • HH2
      The employee's Employee is typically used for their HH2 username. An HH2 user account will typically not be ready for use until the employee is entered into the payroll system, which may not happen until Wednesday of week of hire. Testing of HH2 access may be delayed due to this. 
      • HH2 Apps (Field Reports, Remote Payroll)
      • HH2 Website (HH2 Prod Reports)

  14. Sign back into iCloud using the user's managed AppleID (@teamlandmark.com).

  15. Configure the native Contacts app on the iPhone 
    • Connect to Exchange and synchronize contacts to the device.
      • Settings > Contacts > Accounts > Add Account > Sign in with @teamlandmark.com credentials.
      • Disable Exchange synching of Mail, Calendar, Notes and all items other than Contacts.
    • Set the Exchange Contacts as the Default contact store for the device.
      • Settings > Contacts > Default Account > Set to the previously configured Landmark Exchange account.

  16. Verify user is able to access mail in Outlook.

  17. Verify user is able to access synched items in OneDrive, Microsoft 365, Edge, and Teams.

  18. Verify the user knows how to access the Global Address List in the Contacts app for Employee phone numbers.

  19. Answer any questions.

  20. Issue device to user with all cables / chargers needed for phone and accessories.

  21. If this is a device swap:
    • Update Note in Description field with details which include date, reason for note, and the user entering the note. 
      Example: 2023.04.12 - JLANDMARK - Previously used by Fed Smith, returned damaged, repaired, ready for re-use.

    • Change device status to "In Stock", "Repairs Required", etc.



Preparing and Issuing iPads

  1. If user is swapping from Laptop to iPad, configure OneDrive backup on the laptop to synch Documents, Desktop, and Images to the cloud.

  2. Ensure the iPad device is properly inventoried and checked into the MDM system. See the procedure for checking in a mobile device for more information.
    • In FreshService Inventory?
    • In Apple Device manager?
    • In MDM with appropriate configuration profile?

  3. If device is cellular model, ensure service is activated and correct Employee Name and Cost code are configured in cellular portal.
    • Name fields should include the employee "<First Name>" in the First Name field and "<Last Name> - iPad" in the Last Name field.  Example: "John" and "Smith - iPad"

    • The Cost Code / Department field should contain the Telecom GL Account for the employee's home department. Example: "10-XX-XX-7320".

    • Verizon (US)
      • iPads are typically configured with the Verizon Business Unlimited Tablet Start (44024) tablet data plan. ($10). An equipment protection plan should be declined.

    • Rogers (Canada)
      • iPads are typically configured with the Pooled Data Plan tablet data plan. ($10). An equipment protection plan should be declined.
         
  4. Perform a hard reset / system wipe to revert the device to factory state if needed.

  5. Install screen protector and rugged case onto device.

  6. Prior to starting Onboarding meeting, complete the user’s MFA provisioning following the steps outlined in the Assignment of Azure Active Directory Security Groups support article.
    https://teamlandmark.freshservice.com/support/solutions/articles/2000040150

    Configuring these groups will result in the user being prompted to configure MFA when logging into Outlook, Teams, or other Microsoft-based services. The user may manually access the MFA configuration screens by navigating to "https://aka.ms/mfasetup" in a modern web browser.

  7. Power on and activate device.

  8. Microsoft Endpoint Manager will download and automatically launch the Intune Company Portal app in kiosk mode.

  9. Enter the user's Landmark credentials to re-register the device in MDM and begin provisioning process.

    Note: If device is for a new employee, log on using the default credentials for a new employee. If configuring for an existing user, coordinate with the user to log in and authenticate with MFA codes. You may need to clear the MFA requirement on the user if the device being issued is an iPhone replacement.

  10. Add the device to the appropriate Devices Security Group in Azure Active Directory to ensure all App Configuration policies are applied.
    • LSLP Field Mobile Devices (Manual)

    • A dynamic group will auto-populate as a backup for this group as well.

  11. Pair optional Bluetooth keyboard to the iPad and verify all keys work.

  12. Log into the apps using default credentials to establish base configuration.
    • Microsoft Apps (Outlook, Teams, Office, OneDrive, Edge)
    • Teams
      • Allow Camera, Microphone, and Bluetooth access.
      • Allow notifications.
    • Procore app
    • Sign into iCloud using the user's managed AppleID (@teamlandmark.com).
      • Disable iCloud synching of Mail, Contacts, Calendar, Notes and all items other than Photos.
    • ConnectWise Control / ScreenConnect app
      • Configure support URL:  control.teamlandmark.com

  13. ALL STEPS FROM THIS POINT FORWARD SHOULD BE PERFORMED BY THE USERS UNLESS SPECIAL CIRCUMSTANCES PREVENT THIS. HAVING THE USER PERFORM THESE STEPS IMPARTS KNOWLEDGE OF HOW THE SYSTEMS WORK.

  14. Prior to starting Onboarding meeting, complete the user’s MFA provisioning following the steps outlined in the Assignment of Azure Active Directory Security Groups support article.
    https://teamlandmark.freshservice.com/support/solutions/articles/2000040150

    Configuring these groups will result in the user being prompted to configure MFA when logging into Outlook, Teams, or other Microsoft-based services. The user may manually access the MFA configuration screens by navigating to "https://aka.ms/mfasetup" in a modern web browser.

  15. Update credential information
    • Configure MFA Methods (if needed).
    • Change @teamlandmark.com password (if needed).
    • Change device PIN.

  16. Have user log into all apps and services and verify they are working.
    • Microsoft Apps (Outlook, Teams, Office, OneDrive, Edge)
    • Procore
    • Cisco AnyConnect
    • Apple iCloud
    • HH2
      The employee's Employee is typically used for their HH2 username. An HH2 user account will typically not be ready for use until the employee is entered into the payroll system, which may not happen until Wednesday of week of hire. Testing of HH2 access may be delayed due to this.
      • HH2 Apps (Field Reports, Remote Payroll)
      • HH2 Website (HH2 Prod Reports)

  17. Verify user is able to access Livelink and Reports while connected to VPN.

  18. Answer any questions.

  19. Issue device to user with all cables / chargers needed for tablet and accessories.

  20. If this is a device swap:
    • Update Note in Description field with details which include date, reason for note, and the user entering the note. 
      Example: 2023.04.12 - JLANDMARK - Previously used by Fed Smith, returned damaged, repaired, ready for re-use.

    • Change device status to "In Stock", "Repairs Required", etc.