Paul,
I have a similar challenge and haven't quite resolved this fully yet. Firstly let me start by stating that MS has made life really difficult here. They have talken an approach that is more identity based and less about the device being used. They suggest we layer controls like IRM/DRM on top of certain services for further device level control.
At this stage options as I see it are:
- Enforce certificate based AuthN when the device authenticates to ADFS. You'd need to be able to generate certs for each authorised device and provision those certs, probably using your MDM (for mobile) or SCCM/Group policy (for PCs). This will give all authorised devices course grained access to O365 (i.e. anything that user holds a license for). You can still layer conditional access policies on top of this approach (in AzureAD/InTune) to get more fine grained if you want (but that gets complicated).
- Domain joined only (Windows) policy (this has only been out to market for a month or two): This will allow devices that are joined to your corporate AD domain to have access (to whatever resource you're enabling the policy for), and those that are not will be blocked. You also need to think about preventing users from doing a "workplace join" for their personal Windows devices (such as their home PC). This approach is supported for Win OS's >=8.1. If you want to enforce this policy for <Win8.1 you'll need to deploy an InTune agent to them. (I believe there may also be a Mac agent but don't quote me on that!).
- Compliant devices only (Conditional access): This approach requires InTune enrollment so you can't be using another MDM unless they support conditional access compliance testing/reporting. This approach allows you to define config policies for lots of different devices and OS versions and blocks them if they aren't compliant with the policy. However, this approach doesn't allow you to allow/block devices based on who owns them (i.e. corporate owned vs BYOD).
Hope this helps. Let me know how you go.
Regards
Ben