In trying to plan for a OD4B deployment, I have done a lot of testing with MAM and WIP, both enrolled and not enrolled, and now Conditional Access ... ...despite searching high and low, I still cannot find a solution to what appears to be a gap in Microsoft's protection coverage - with all these technologies in place, I can still simply go to a fresh WIn 10 device, log in to it, and because it's not enrolled, I can simply connect with OD4B and download all the data which is otherwise protected on an enrolled/unenrolled device! If I have a contractor resource that will resist enrollment, how do I prevent that contractor from doing what I've just described? There doesn't appear to be an ability to simply block OD4B Sync on an unenrolled device by user or group. Or have I missed something in my search?
