pholdridge79 Since you are using Apple DEP (ADE), then all of those devices should be forced into MDM enrollment. Therefore for your BYOD devices, you should consider using MAM (Mobile application management) policies to enforce the compliance on those devices for accessing Microsoft resources. By doing this, you can then use a conditional access policy with Grant access controls with the following options selected:
Require device to be marked as compliant
Require app protection policy (or Require approved client app).
Require one of the selected controls
This tells the Conditional Access system to check if the device is compliant (MDM enrolled and compliant) OR if the device has an app that is MAM protected with a policy.
Note: The require app protection policy should meet your requirement for the BYOD devices to be compliant, but unfortunately the list of supported client apps is limited (https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant#require-app-protection-policy). The "require approved client app" should also work, but you have to be very diligent about making sure all the applications that are MAM capable have policies applied.
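The grant controls described in the reply above, expressed as a Microsoft Graph conditional access policy body together with a check that an exported policy still has that layout. This is an added example, not part of the original post; the display name, report-only state, and the user, application, platform and client-app conditions are assumptions, and `build_policy` and `audit_grant` are hypothetical helper names.

```python
import json

# Graph builtInControls values for the options named in the reply.
DEVICE = "compliantDevice"                # Require device to be marked as compliant
APP_PROTECTION = "compliantApplication"   # Require app protection policy
APPROVED_APP = "approvedApplication"      # Require approved client app


def build_policy(app_control=APP_PROTECTION):
    """Body for POST /identity/conditionalAccess/policies (values below are assumptions)."""
    return {
        "displayName": "EXAMPLE - compliant device OR protected app",  # constructed
        "state": "enabledForReportingButNotEnforced",  # report-only while testing
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["Office365"]},
            "platforms": {"includePlatforms": ["iOS"]},
            "clientAppTypes": ["all"],
        },
        # "Require one of the selected controls" maps to operator OR.
        "grantControls": {"operator": "OR",
                          "builtInControls": [DEVICE, app_control]},
    }


def audit_grant(policy):
    """Return findings where a policy's grant controls differ from the reply's layout."""
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    findings = []
    if DEVICE not in controls:
        findings.append("compliantDevice missing: MDM compliance is not checked")
    if not controls & {APP_PROTECTION, APPROVED_APP}:
        findings.append("no app control: BYOD devices have no MAM path")
    if len(controls) > 1 and grant.get("operator") != "OR":
        findings.append("operator is not OR: every control is required, "
                        "so unenrolled BYOD devices fail")
    return findings


if __name__ == "__main__":
    good = build_policy()
    print(json.dumps(good["grantControls"], indent=2))
    # Constructed misconfiguration: "Require all the selected controls".
    bad = build_policy()
    bad["grantControls"]["operator"] = "AND"
    for name, pol in (("good", good), ("bad", bad)):
        print(name, audit_grant(pol) or "ok")
```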