Intune-driven device compliance is one of the most under-used features in the M365 Business Premium stack. The premise is straightforward: define what a "compliant" device looks like (disk encryption on, OS patch level current, no jailbreak, minimum AV present), enrol devices into Intune so the posture can be evaluated, and tie Conditional Access policies to compliance state.

The resulting model is powerful and predictable. A compliant Surface in Perth signs in normally. A non-compliant laptop — because it's missed three months of updates — is blocked from sensitive resources until the user remediates. A device the user installed personally last week and never enrolled? It can't get to SharePoint at all.

The setup is hours of work per environment, not days. The licensing is already paid for in Business Premium. The blocker is usually that no one has been assigned to do it.
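
The Conditional Access half of that setup, as an added example that is not from the original page or from Microsoft's documentation: a Microsoft Graph PowerShell sketch that creates a report-only policy requiring a compliant device for Office 365, which includes SharePoint. The policy name and the break-glass account ID are assumptions and placeholders, and the script assumes a device compliance policy is already assigned in Intune.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns

# Assumption: object ID of an emergency-access ("break-glass") account that
# must stay outside the policy. Placeholder value; replace before running.
$BreakGlassUserId = '00000000-0000-0000-0000-000000000000'
if ($BreakGlassUserId -eq '00000000-0000-0000-0000-000000000000') {
    throw 'Set $BreakGlassUserId to a real emergency-access account first.'
}

# Delegated scopes needed to create Conditional Access policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess',
                        'Policy.Read.All',
                        'Application.Read.All'

$policy = @{
    # Hypothetical display name, chosen for this example.
    displayName = 'Require compliant device - Office 365'
    # Report-only: sign-ins are evaluated and logged, nothing is blocked yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers = @('All')
            excludeUsers = @($BreakGlassUserId)
        }
        applications = @{
            # Built-in app group covering SharePoint, Exchange, Teams and others.
            includeApplications = @('Office365')
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        # Access is granted only if Intune reports the device as compliant.
        # Unenrolled devices have no compliance state and fail this control.
        builtInControls = @('compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After reviewing the report-only results in the sign-in logs, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = 'enabled' }
```

Running in report-only mode first shows which users and devices would have been blocked, so unenrolled or out-of-date machines can be remediated before enforcement.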

What it means for your business

If you're on Business Premium and haven't tied Conditional Access to Intune device compliance, that's the biggest-payoff security project on your list. Schedule it.

Source & reference

Microsoft Learn — Microsoft Intune device compliance