@Michael Novak, thanks for posting in Q&A. Based on my research, app protection policy does not currently support macOS yet.
And for Windows devices, the Windows Information Protection without enrollment scenario in Microsoft Intune has been removed.
Microsoft now develops Microsoft Purview Information Protection and Data Loss Prevention to help organizations protect enterprise apps and data against accidental data leaks. You can consider using them instead. Here is a link with more details:
For your second question, I would say yes: if no Conditional Access policy blocks the access, the user is able to access Office.
Hope the above information can help.