@Djaswant How do you enroll the iOS devices? ABM of Apple Configurator? From what I read, I can't make out how you enroll, but it looks like a user enrollment where you enroll using the company portal app. This app is also used to check compliance and that is why the company portal app opens. You will have to sign in with your username and password. You did say devices are compliant in MEM. Can you see who the primary user is and who enrolled the device? I'm also interested in ownership.

 

If you do enroll using ABM or Apple configurator, the ownership should be corporate by default. And in that case you can simply block all personal devices when accessing Office 365 using a conditional access policy combined with filter for devices. Assuming this is want you want to achieve.

 

Your CA would look like this:

  • Cloud Apps - Office 365
  • Conditions:
    • Device platform =iOS
    • Client Apps = Mobile Apps (or others if needed
  • Filter for devices - EXCLUDE
    • device.deviceOwnership -eq "Company"
  • Grant = Block Access

 

This CA will block all devices where the device ownership does not equal Company. 

 

Note: Make sure you test block policies with a select group of users or at least exclude a break-glass account if you do test in your production tenant.

 

Hope this helps.

 

www.000webhost.com