
Well, you have come to the right place. The answer is to use App Protection Policies (also written Application Protection Policies) for iPhones and Android devices in your Microsoft 365 tenant.
This is a way to keep company data in a controlled space by governing how that data is accessed, without enrolling the device, which would give the business management rights over the entire device. These policies only apply to data consumed from your business's Microsoft 365 tenant.
In a nutshell, it creates a separate container for work data that is not commingled with the user's personal data. If a device is lost or an employee is terminated, the business can issue a selective wipe that removes only the data tied to the business account and leaves the personal data alone. The container is tied to the work identity that signed in, not to the device itself. You can make the policies as stringent as you want through the many options available during configuration. For instance, if you do not want people copying and pasting from a business email into their personal email app on the same phone, you can block that. To learn more about App Protection Policies, see Microsoft's explanation here.
To aid in this undertaking, Microsoft publishes three levels (baselines) based on how restrictive you want to be as a business. We recommend you start with Level 1, which can be found here.
- Level 1 is designed with basic data protections in mind
- Level 2 is designed with an enhanced data protection approach
- Level 3 is designed for high data protection
Once you have an App Protection Policy, don't forget to create a Conditional Access policy that requires it; without that, a user can simply sign in from an app that is not covered by the policy. We also recommend you restrict access to approved client apps such as Outlook and Teams, which is a grant control in the same Conditional Access policy. Whether work data can be sent from those apps to other apps is controlled inside the App Protection Policy itself, where it should be limited to policy-managed apps.
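The settings described above (a work container with copy/paste and data transfer locked to managed apps, an app PIN, selective wipe timers, and a Conditional Access policy that requires the protection policy) map onto concrete properties in the Microsoft Graph `iosManagedAppProtection` and `conditionalAccessPolicy` resources. The following is an added example, not code from this page or from Microsoft; it builds the request bodies an admin would POST to Graph and audits them for settings that would let data leave the container. The policy names, the Outlook and Teams iOS bundle IDs, the break-glass group ID, and the particular values chosen are assumptions and do not correspond to one of Microsoft's numbered levels.

```python
"""Build and audit Microsoft Graph bodies for an iOS App Protection Policy and
the Conditional Access policy that enforces it. Added example; the names, IDs and
chosen values are assumptions, not a Microsoft baseline level."""
import copy
import json

GRAPH = "https://graph.microsoft.com/v1.0"
APP_PROTECTION_PATH = "/deviceAppManagement/iosManagedAppProtections"
CONDITIONAL_ACCESS_PATH = "/identity/conditionalAccess/policies"

# Assumed iOS bundle IDs for the apps the policy targets.
TARGET_APPS = ["com.microsoft.Office.Outlook", "com.microsoft.skype.teams"]
# Assumed object ID of a break-glass admin group excluded from Conditional Access.
BREAK_GLASS_GROUP = "00000000-0000-0000-0000-000000000000"


def ios_app_protection_policy(name="Mobile - work data container (iOS)"):
    """Policy that keeps org data inside policy-managed apps on an unenrolled device."""
    return {
        "@odata.type": "#microsoft.graph.iosManagedAppProtection",
        "displayName": name,
        # Work account must sign in before the app shows org data.
        "organizationalCredentialsRequired": True,
        # Org data may only move between policy-managed apps ("allApps" would allow any app).
        "allowedOutboundDataTransferDestinations": "managedApps",
        "allowedInboundDataTransferSources": "managedApps",
        # Clipboard can only be pasted into other managed apps, not a personal mail client.
        "allowedOutboundClipboardSharingLevel": "managedApps",
        "saveAsBlocked": True,
        "dataBackupBlocked": True,
        "printBlocked": True,
        # App-level PIN, independent of whether the device itself is enrolled.
        "pinRequired": True,
        "pinCharacterSet": "numeric",
        "minimumPinLength": 6,
        "simplePinBlocked": True,
        "maximumPinRetries": 5,
        # ISO 8601 durations: re-check access online every 12 hours, wipe after 90 days offline.
        "periodOnlineBeforeAccessCheck": "PT12H",
        "periodOfflineBeforeAccessCheck": "P1D",
        "periodOfflineBeforeWipeIsEnforced": "P90D",
        "apps": [
            {
                "mobileAppIdentifier": {
                    "@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
                    "bundleId": bundle_id,
                }
            }
            for bundle_id in TARGET_APPS
        ],
    }


def weak_policy():
    """Same policy with the data-transfer settings opened up, to contrast with the above."""
    weak = copy.deepcopy(ios_app_protection_policy("Mobile - weak (do not deploy)"))
    weak["allowedOutboundDataTransferDestinations"] = "allApps"
    weak["allowedOutboundClipboardSharingLevel"] = "allApps"
    weak["pinRequired"] = False
    return weak


def audit_policy(policy):
    """Return the settings that would let org data leave the work container."""
    findings = []
    if policy.get("allowedOutboundDataTransferDestinations") != "managedApps":
        findings.append("outbound data transfer is not limited to managed apps")
    if policy.get("allowedOutboundClipboardSharingLevel") == "allApps":
        findings.append("clipboard can be pasted into personal apps")
    if not policy.get("pinRequired"):
        findings.append("no app PIN required")
    if not policy.get("dataBackupBlocked"):
        findings.append("org data can be backed up outside the container")
    return findings


def conditional_access_require_app_protection(name="Mobile - require app protection policy"):
    """Conditional Access policy: Office 365 from iOS/Android mobile apps only with an APP applied.

    Starts in report-only mode; switch state to "enabled" once the sign-in logs look right."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
            "applications": {"includeApplications": ["Office365"]},
            "platforms": {"includePlatforms": ["iOS", "android"]},
            "clientAppTypes": ["mobileAppsAndDesktopClients"],
        },
        # "compliantApplication" = Require app protection policy. Add "approvedApplication"
        # (Require approved client app) if you also want the approved-app list enforced.
        "grantControls": {"operator": "OR", "builtInControls": ["compliantApplication"]},
    }


def graph_request(path, body):
    """Describe the POST an admin would send with an access token holding the right scopes."""
    return {"method": "POST", "url": GRAPH + path, "body": json.dumps(body)}


if __name__ == "__main__":
    for label, pol in (("hardened", ios_app_protection_policy()), ("weak", weak_policy())):
        print(label, "findings:", audit_policy(pol) or "none")
    print(json.dumps(graph_request(CONDITIONAL_ACCESS_PATH,
                                   conditional_access_require_app_protection()), indent=2))
```

The `audit_policy` check is worth running against policies exported from an existing tenant as well, since a policy that was created from the portal defaults rather than a baseline often still has the outbound transfer setting at "allApps".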