Forum Discussion
Intune for BYOD mobile and Cross tenant compliance
You're correct that Intune MAM for multi-tenant access is currently limited, and full support for iOS is expected later this year, while Android timelines are unclear.
Regarding your questions:
Web-Based / JIT for BYOD on iOS with Cross-Tenant Access:
If you configure Cross-Tenant Access and enable "Trust compliant devices", it should allow access for compliant devices from other tenants only if they are fully enrolled in MDM and meet compliance requirements.
However, for BYOD scenarios without full MDM enrollment, this will not work as expected since compliance policies are enforced at the tenant level, and app protection policies (MAM) do not support cross-tenant access yet.
Do You Need Full Device-Based MDM Enrollment?
Yes, for the CA policy requiring compliance, the device must be enrolled in one of the tenants and marked as compliant.
Without MDM enrollment, compliance policies won’t apply across tenants, meaning employees would be blocked unless Microsoft releases multi-tenant MAM support.
Alternative Workarounds:
Conditional Access Exception: You could create an exception for specific apps (like Outlook) to allow access via App Protection Policies until MAM supports multi-tenancy.
Use Different Profiles: Some organizations opt for separate profiles or containers for each tenant, but this isn’t always user-friendly.
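
The "Trust compliant devices" setting and the compliance-requiring CA policy discussed in this reply, as an added example that is not part of the original post. It assumes the Microsoft Graph PowerShell SDK, is run in the resource tenant, and uses a placeholder partner tenant ID and a made-up policy name; the CA policy is created in report-only mode so its effect can be reviewed in the sign-in logs before enforcement.

```powershell
# Added example (not from the original post). Run in the RESOURCE tenant.
# Placeholder: replace with the home tenant ID of the BYOD users.
$PartnerTenantId = '00000000-0000-0000-0000-000000000000'
$Graph = 'https://graph.microsoft.com/v1.0'

Connect-MgGraph -Scopes 'Policy.Read.All','Policy.ReadWrite.CrossTenantAccess','Policy.ReadWrite.ConditionalAccess'

# 1. Read the existing partner entry so other inbound trust flags (MFA,
#    hybrid join) are preserved. Fails with 404 if no partner entry exists.
$partnerUri = "$Graph/policies/crossTenantAccessPolicy/partners/$PartnerTenantId"
$partner = Invoke-MgGraphRequest -Method GET -Uri $partnerUri
$trust = $partner.inboundTrust
if (-not $trust) { $trust = @{} }

# 2. Accept the home tenant's device-compliance claim ("Trust compliant devices").
$trust.isCompliantDeviceAccepted = $true
$body = @{ inboundTrust = $trust } | ConvertTo-Json -Depth 5
Invoke-MgGraphRequest -Method PATCH -Uri $partnerUri -Body $body -ContentType 'application/json'

# 3. Confirm the setting took effect before relying on it.
$check = Invoke-MgGraphRequest -Method GET -Uri $partnerUri
if (-not $check.inboundTrust.isCompliantDeviceAccepted) {
    throw "Compliant-device trust is not enabled for $PartnerTenantId"
}

# 4. Report-only CA policy: external users from that tenant need a compliant
#    device. Only devices MDM-enrolled and compliant in their home tenant pass.
$policy = @{
    displayName   = 'EXAMPLE - Require compliant device for partner tenant'  # constructed name
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = 'b2bCollaborationGuest,b2bCollaborationMember'
                externalTenants          = @{
                    '@odata.type'  = '#microsoft.graph.conditionalAccessEnumeratedExternalTenants'
                    membershipKind = 'enumerated'
                    members        = @($PartnerTenantId)
                }
            }
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
} | ConvertTo-Json -Depth 10
Invoke-MgGraphRequest -Method POST -Uri "$Graph/identity/conditionalAccess/policies" -Body $policy -ContentType 'application/json'
```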