Our BYOD policy requires us to lock down access to 365 via browser only and prevent data egress. We can do this using app protection but it only works 100% as required once the device is Azure AD registered. As far as I can see this is a user-driven task - this will never work as probably 50%+ of users wouldn't bother - is there a way to force a user down this route?
Or is there another option we haven't thought of?
Second issue is we have requirements around both MAM and MDM which is causing a headache but that's secondary. If I could fix issue 1 above then I can probably win the argument on the rest.
You can force them to use the Managed Apps using Conditional Access; then they will not be able to access the services using a non-managed app. Maybe some users will not bother, but then they won't have access to their mail/calendar on their mobile device either.
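
A sketch of the Conditional Access policy the reply describes, created through Microsoft Graph PowerShell. This is an added example and not part of the original thread; the display name, the excluded account placeholder and the choice to start in report-only mode are assumptions.

```powershell
# Added example, not from the thread. Assumes the Microsoft.Graph.Identity.SignIns
# module is installed and the signed-in admin can consent to these scopes.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Application.Read.All'

$policy = @{
    # Hypothetical display name.
    displayName = 'BYOD - require managed app for Office 365 (mobile)'

    # Report-only first: sign-ins are evaluated and logged, nothing is blocked yet.
    state = 'enabledForReportingButNotEnforced'

    conditions = @{
        users = @{
            includeUsers = @('All')
            # Placeholder: object ID of an emergency-access account, so a
            # mistake in the policy cannot lock every admin out.
            excludeUsers = @('<break-glass-account-object-id>')
        }
        # 'Office365' is the built-in app group covering Exchange, SharePoint, Teams, etc.
        applications = @{ includeApplications = @('Office365') }

        # The managed-app grant controls are only supported on iOS and Android.
        platforms = @{ includePlatforms = @('android', 'iOS') }

        # Target native app clients; browser sessions are not covered by this policy.
        clientAppTypes = @('mobileAppsAndDesktopClients')
    }

    grantControls = @{
        # Access is granted if the client is an approved app OR is covered by
        # an Intune app protection policy; anything else is denied.
        operator        = 'OR'
        builtInControls = @('approvedApplication', 'compliantApplication')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Review the report-only results in the sign-in logs before changing `state` to `enabled`.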