Re: Do this if you want to destroy IT
"...If that's the way Microsoft operate..."
Have you THOUGHT about it beyond gleefully bashing Microsoft?
Imagine you're an IT guy told to allow BYOD but to make it secure. You realise you can't, unless you're allowed to enforce *some* policy on the devices. So you allow BYOD, as long as your employees agree to resetting their iPads and Nexuseses (Nexi?) to factory spec + your policy.
Of course your employees can agree to this state of affairs ...or not. If not, you cannot reap the benefits (reduced cost) of BYOD.
How do YOU think this should operate?
My suggestion? Don't allow unstructured corporate data (documents, spreadsheets, presentations) onto any cloud or BYOD service or device. Structured data (database data) is allowed, but only through a corp-sanctioned (or developed) app. Email is allowed, but PIN + remote wipe policy is enforced. BYOD allows unrestricted Internet access, but taboo on corp-net.
Corp-net services are accessed through DirectAccess (VPN) or LAN using a corp-provisioned device. If you're important enough, you get a laptop. If not, you get a desktop.
If you want to do a better job of security than the NHS, MOD, Sony or Walmart, make judicious use of X.509, F5 BIG-IP, TMG and so on and so forth. Oh, and don't rely on TLS. Supplement TLS with stuff like VPN. If you MUST allow remote access into SharePoint or something, don't expose corp-net credentials. Set up another AD in the DMZ and federate into corp-net. Don't use Google, and don't use Heroku, Azure, AWS or Office 365.
Unless you're a hipster startup with 20-something pimply-faced kids, in which case simply swap out all the "don't"s with "do"s.
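The "email is allowed, but PIN + remote wipe policy is enforced" control from the post above, expressed as an Exchange ActiveSync mailbox policy. This is an added example, not part of the original comment and not written by its author. It assumes on-premises Exchange 2013 or later (or Exchange Online), a distribution group named BYOD-Users, a policy name of BYOD-Mail and helpdesk@example.com as the notification address; all of those names are assumptions.

```powershell
# Added example (not from the original post). Run from the Exchange Management Shell
# or a remote PowerShell session with the Organization Management role.
# Assumed names: policy 'BYOD-Mail', group 'BYOD-Users', helpdesk@example.com.

# 1. Define the device policy. AllowNonProvisionableDevices = $false refuses any
#    client that cannot confirm it enforces the policy, which is the whole point:
#    a device that will not accept the policy does not get the mail.
$policy = @{
    Name                         = 'BYOD-Mail'
    PasswordEnabled              = $true
    AllowSimplePassword          = $false        # no 1234 / 1111
    AlphanumericPasswordRequired = $false        # a numeric PIN is acceptable on a phone
    MinPasswordLength            = 6
    MaxPasswordFailedAttempts    = 10            # device wipes itself after 10 bad PINs
    MaxInactivityTimeLock        = '00:05:00'    # auto-lock after 5 minutes idle
    PasswordExpiration           = '90.00:00:00'
    PasswordHistory              = 5
    RequireDeviceEncryption      = $true
    AllowNonProvisionableDevices = $false        # reject clients that cannot enforce this
    AllowStorageCard             = $false        # no mail cache on removable media
}
New-MobileDeviceMailboxPolicy @policy

# 2. Unknown devices are quarantined rather than allowed by default; the helpdesk
#    gets a mail for each one and the user is told why they are waiting.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'helpdesk@example.com' `
    -UserMailInsert 'Your device is held until it accepts the BYOD mail policy.'

# 3. Apply the policy to everyone in the BYOD group (mailboxes only; contacts in
#    the group have no CAS settings to change).
Get-DistributionGroupMember -Identity 'BYOD-Users' |
    Where-Object { $_.RecipientType -like '*Mailbox' } |
    ForEach-Object {
        Set-CASMailbox -Identity $_.PrimarySmtpAddress.ToString() `
            -ActiveSyncEnabled $true -ActiveSyncMailboxPolicy 'BYOD-Mail'
    }

# 4. Audit: any device that has synced but never reported the policy as applied in
#    full is a device the policy is not actually protecting. Review, then block.
function Get-ByodPolicyGaps {
    Get-Mailbox -ResultSize Unlimited |
        ForEach-Object { Get-MobileDeviceStatistics -Mailbox $_.Identity } |
        Where-Object { $_.DevicePolicyApplicationStatus -ne 'AppliedInFull' } |
        Select-Object Identity, DeviceType, DeviceModel, LastSuccessSync,
                      DevicePolicyApplicationStatus
}

# 5. Remote wipe. This is the full wipe, i.e. the device goes back to factory state,
#    which is exactly the trade-off the post says BYOD users have to sign up for.
function Invoke-ByodWipe {
    param(
        [Parameter(Mandatory)][string] $Mailbox,
        [Parameter(Mandatory)][string] $DeviceId
    )
    $device = Get-MobileDevice -Mailbox $Mailbox | Where-Object { $_.DeviceId -eq $DeviceId }
    if (-not $device) { throw "No device '$DeviceId' is registered for '$Mailbox'" }
    Clear-MobileDevice -Identity $device.Identity `
        -NotificationEmailAddresses 'helpdesk@example.com' -Confirm:$false
    # The wipe is queued until the device next syncs; watch DeviceWipeRequestTime /
    # DeviceWipeAckTime in Get-MobileDeviceStatistics to confirm it landed.
}

# Usage:
#   Get-ByodPolicyGaps | Format-Table -AutoSize
#   Invoke-ByodWipe -Mailbox 'alice@example.com' -DeviceId 'ApplDNPxxxxxxxx'
```

On Exchange 2010, which is what the TMG reference in the post dates it to, the same cmdlets carry the older names New-ActiveSyncMailboxPolicy, Get-ActiveSyncDeviceStatistics and Clear-ActiveSyncDevice with the same parameters. Note what this does and does not give you: the PIN, encryption and wipe are enforced by the device's own ActiveSync client, so a client that lies about compliance is only caught if it trips the DevicePolicyApplicationStatus check, and nothing here stops the user forwarding a message to a personal account, which is why the post keeps unstructured documents off BYOD entirely.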