Currently, our organization has Windows and Mac devices enrolled in Intune, and all enrolled devices are corporate devices using their Azure ID. We use Azure AD as our IdP for various services via SSO Azure apps (Google, GitHub, etc.). We enforce access to services ONLY via Azure AD joined devices. This was simple, as a CA policy was created to block access to apps if a login attempt is from a non-Azure AD joined device (`device.trustType -ne "AzureAD"`). Today I was told users need to skip this rule altogether if they are on a mobile device and be granted access. The issue is the company has no control over user mobile devices, and I'm not sure how to skip our current CA rule based on device type. My initial thought was to use a device platform identifier and get this done! But no idea if this would even be possible!
Any suggestion would be appreciated!
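As an added illustration (not part of the original post), this is how the existing device-filter block could be scoped to desktop platforms only through the Microsoft Graph conditional access API, so the rule simply does not apply to iOS/Android sign-ins. The policy name and the report-only state are assumptions; the filter rule is the one quoted in the post.

```powershell
# Added example: scope the "block non-Azure AD joined devices" CA policy to
# Windows and macOS only, so mobile platforms fall outside the policy.
# Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "Block non-AzureAD-joined devices (desktop only)"   # assumed name
    # Start in report-only so the effect on real sign-ins can be reviewed
    # in the sign-in logs before enforcing.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users        = @{ includeUsers = @("All") }
        applications = @{ includeApplications = @("All") }
        # Platform condition: only these platforms are evaluated by the policy.
        # iOS and Android are not listed, so the block never applies to them.
        platforms = @{
            includePlatforms = @("windows", "macOS")
            excludePlatforms = @()
        }
        # Device filter from the original post: match devices that are NOT
        # Azure AD joined, and apply the grant control (block) to them.
        devices = @{
            deviceFilter = @{
                mode = "include"
                rule = 'device.trustType -ne "AzureAD"'
            }
        }
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("block")
    }
}

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($policy | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"
```

Note that the platform condition is derived from the client's user-agent string and is not a strong device signal, so sign-ins that land outside this policy should still be covered by a separate policy (for example requiring an approved client app or app protection policy for mobile) rather than left with no control at all.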