I had this issue before and now I know how to configure it. Here's the solution:
On ePO 5.9.x or 5.10:
1. Go to Policy Catalog > Data Loss Prevention 11 > Default Windows Client Configuration > Plug and Play
You can see the iPhone Protection Mode. Select Block but allow charge.
2. Go to DLP Policy Manager
2.1 Actions > New Rule Set
2.2 Put a name and description
2.3 Open the rule and click Device Control
2.4 Actions > Plug and Play Device Rule
End-user: is any user (ALL)
and Plug and Play is one of (OR): All Apple devices (default)
Enable Excluded Users: End-User belongs to one of end-user groups (OR): put the group from AD allowed to access iPhone storage.
User Notification: Put anything that you want to show information
Report Incident: mark the checkbox
Computer disconnected from the corporate network: React the same way as connected system
Computer connected to corporate network using VPN: React the same way as connected system
2.6 Remember to Change State of the Rule to Enable
2.7 Go back to DLP Policy Manager > Policy Assignment
2.8 Actions > Apply Selected Policies
This will block iPhones for ALL users except people from the group you select, but anyone will be able to charge an iPhone on the USB.
I'm going to test this out in my environment on a select few and see what happens.