This is a really good, and clear article. There is one thing missing, and that's the question of what happens when a WIP policy is assigned to a group, and group members are too lazy to register the device when asked - there is nothing that forces them to register or prevents the user from continuing to access resources. If the answer is conditional access, and I see that being mentioned elsewhere, why is their never an explanation of how to do that in a way that triggers a user prompt to register the device? But otherwise blocks their access?
Anthony