kidtrebor , It depends on how you are configured. We enforce conditional access for all company access, so if the phone is not enrolled and compliant it doesn't get any access or company apps. In our case, until they authenticate and enroll via Company Portal (which is now a user-driven process) they can't get anything. After Company Portal is installed, logged in, and device enrollment takes place, the company configuration profiles begin to apply and company-issued apps install. After this, they need to authenticate to Authenticator, and log into at least one other Office app (sharepoint, onedrive, etc) for the setup to be stable. Further in our case, becasue the contacts sync through ActiveSync because Outlook for iOS is so unstable, we use an ActiveSync configuration profile to push contacts and calendar items to the native apps that use them. That requires additional authentication for a grand total of 5 to configure a phone.
- initial remote management profile during ios setup
- company portal
- authenticator
- office apps
- active sync profile