So we mandate that the users must have some form of encryption on their devices. For Macs this is pretty easy (just turn it on); it's harder on Windows but still doable.
Harder on Windows? Only if you are a biased, clueless Mac user. Enable BitLocker. Done. The decryption keys are stored in AD. End of problem.
As for keeping data on the phone secure, that's easy too. Require encryption on your mail app. Require RBA on documents. Use Office 365. Done.