We are a company that routinely deals with Personal Health Information (PHI), which is protected by HIPAA regulations, and as a result we need to control what types of data end up on which devices.
We are looking for a way to restrict the devices on which a user can install Microsoft 365 apps, which have the potential to cache sensitive data locally on devices not managed by our IT department.
My initial thought was to restrict how users can register devices with AAD. But as far as I can tell, since we use Autopilot and Intune, that is not possible.
The next best option is going to be to restrict the installation of apps that typically store at least some protected data locally. The big ones that I can think of are Outlook, OneDrive, and to a lesser extent OneNote.
We basically need to restrict our users to the web client versions of these applications, as that is the only way to ensure that PHI data is not being stored in an insecure manner on a personal device.