I had this issue before and now I know how to configure it. Here's the solution:
On ePO 5.9.x or 5.10:
1. Go to Policy Catalog > Data Loss Prevention 11 > Default Windows Client Configuration > Plug and Play
You can see the iPhone Protection Mode. Select Block but allow charge.
2. Go to DLP Policy Manager
2.1 Actions > New Rule Set
2.2 Put a name and description
2.3 Open the rule and click Device Control
2.4 Actions > Plug and Play Device Rule
Condition tab:
End-user: is any user (ALL)
and Plug and Play is one of (OR): All apple devices (default)
Exceptions tab:
Enable Excluded Users: End-User belongs to one of end-user groups (OR): put the AD group that is allowed to access iPhone storage.
Reaction tab:
Action: Block
User Notification: Put whatever information you want to show
Report Incident: mark the checkbox
Computer disconnected from the corporate network: React the same way as connected system
Computer connected to corporate network using VPN: React the same way as connected system
2.5 Save
2.6 Remember to Change State of the Rule to Enable
2.7 Go back to DLP Policy Manager > Policy Assignment
2.8 Actions > Apply Selected Policies
This will block iPhones for ALL users except people from the group you select, but anyone will be able to charge an iPhone over USB.