Most users in companies have multiple devices, a mix of corporate and personal.
Most users don't mind enrolling Corporate devices but do not want to enrol personal devices but want access to email on those devices as well.
It should be possible to ensure the corporate devices must enroll, but the personal devices are only affected by MAM-WE policies so the personal devices for the same user do not need to enrol but only need to register.

Maybe add an option to say if device in Corporate Identifiers it must enrol or make the conditional access policy able to read an Azure AD Device Group, so if the device is in a group it must enrol.

Many of our users work from home and do not want their personal Windows computer to be either enrolled into our MDM suite or onto Azure AD. With our strict compliance regulations users are struggling to make their own Windows computer devices compliant.

Would it be possible to have a policy that is in the middle, where users can access emails, OneDrive for Business and SharePoint sites without the need to be on a domain joined computer or enrolled into our MDM suite. I would like to see this policy give the user access to all content but only from the browser such as IE and not from any applications as all the office packages are now mostly available to use in a web browser. This would mean that the user is just working in the cloud without the need to download any applications. I would also like this policy to stop users from downloading any content to their personal device so it just stays in the office applications that are cloud based while working in this way. This policy could be enforced by a user’s having to provide a two factor authentication to be able to access their OneDrive for Business and SharePoint Sites etc. from their own personal device.

Could we please look at implementing a policy such as this to help users work on their own personal device easier without the need to enrol on either Azure AD or MDM suite.

We have many MAC OS X Computer on our network and would like our Users to be able to access Sharepoint online and Exchange online from their MAC OS X Machines.

We have a conditional access policy setup for all our User to protect our data around Sharepoint and Exchange online however MAC OS X users cant access these features online or even offline due to the policy being in place. This could be a supported device if a user for MAC OS X could complete the authentication process with the use of the digital certificate which is prompted to be install on first time access and then can be seen in the Keychain on the MAC. The certificate is recognised on login to SharePoint online but then says that the browser is not a supported browser. This could work exactly the same as IOS Devices accessing SharePoint Online with the certificate being installed on the Mobile Device and then allowing access to the site by authenticating the users with the digital certificate.

I've been looking at deploying Windows Information Protection (WIP) to BYO Win10 devices. Got the policy working and thought we were good to go. The issue now is Windows 10 Home doesn't support WIP. So these users have access to the corporate data by default.

I think it would be nice to be able to base a condition on the version (edition) of Windows. This would allow us to block windows 10 Home from using OneDrive sync/office apps natively and only allow access via the session based policy. We can then allow a better experience on Window 10 Pro users with the help of WIP.

At present we can only require a device to be marked as compliant. This may be too high of a bar for some organizations, specifically with Windows 10 devices. There should be an option to Require device enrollment, this would make implementing Conditional access easier for Windows 10 especially. That way, we can still force devices into our inventory and bring them under management control, without evaluating compliance as a bar to access. Compliance could be measured separately, and once the org has reached an acceptable compliance status across the entire inventory, only then move the lever up to Require device to be marked as compliant. I want inventory first, compliance second, rather than having to clear both hurdles in one step.

It also fixes another issue: compliance policies are not supported with shared computers--but shared computers are very common, so this is a big road block for implementing conditional access with Windows 10. I believe this access control would address this scenario as well.