Conditional Access is the easiest way (in my opinion) to force users to have their device managed and enrolled before they can get access to resources like email, Teams, etc.
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/overview
If you are using Apple Business Manager and ADE (Automated Device Enrollment), I think there's a setting you can configure to block unenrollment as well.
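As an added illustration (not part of the post above), here is what such a Conditional Access policy looks like when created through the Microsoft Graph PowerShell SDK: it targets all users and the Office 365 app group, and grants access only when the device is marked compliant by Intune or is hybrid Azure AD joined. The policy is created in report-only state so sign-in logs can be reviewed before enforcement; the display name and the exclusion group ID are placeholders you would replace.

```powershell
# Requires the Microsoft.Graph PowerShell SDK and an account allowed to manage Conditional Access.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "Require managed device for Office 365 (example)"   # placeholder name
    # Start in report-only so impact is visible in sign-in logs before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            # Exclude a break-glass / emergency access group so admins are not locked out.
            excludeGroups = @("<BREAK-GLASS-GROUP-OBJECT-ID>")          # placeholder
        }
        applications = @{
            # "Office365" is the built-in app group covering Exchange, SharePoint, Teams, etc.
            includeApplications = @("Office365")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # Either control satisfies the policy: Intune-compliant or hybrid Azure AD joined.
        operator         = "OR"
        builtInControls  = @("compliantDevice", "domainJoinedDevice")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Once the report-only sign-in results look right, change `state` to `enabled`. Keeping an excluded break-glass group is the usual safeguard against locking every admin out if device compliance evaluation misbehaves.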