Problem statement: We allow employees to use their own Windows and macOS PCs, and I am worried that data could get saved locally and then leak from the organization. Ideally I would like a way that when someone logs in from a non-managed device, they are restricted to the web version of Office only and can't save or edit files locally.
More details:
We issue all of our employees a company-owned laptop which is in Intune and fully managed.
However, we also allow users to access Office on their personal computers and currently have no restrictions around devices.
I've applied the Conditional Access policies CA001 through CA014.
Ideally, when someone wants to access company info on a personally owned computer, I would like them to be restricted to the web browser only, no downloading of files. I don't want them using OneDrive on their computer or opening files with a local version of Office.
Is there any way to do this? Am I thinking about things wrong? My concern is that in our current setup, someone can save a document to their personal computer and now I can't wipe that document when they leave the organization.
I found this guide but it seems outdated and using it vs. the templatized CA policies caused more problems.