Is anyone dealing with an O365 rollout in an organization that has the above mentioned restrictions? If so, are you requiring MDM enrollment on any device that wishes to use the native O365 apps like Outlook? If so, has your organization chosen an MDM other than the one that you are using to manage your devices? This is the current situation that I'm in with my organization. I'm using JAMF to manage devices but the organization is using a very stripped down version of InTune to make sure all devices that use Outlook are enrolled in that MDM and have several security policies in place(such as device pin, device wipe, and app data removal). Since there's no way for them to guarantee that devices managed with another MDM are fully compliant, they're requiring that the other MDM be removed in favor of the InTune MDM or that device must use the OWA or use IMAP instead. This will potentially make it impossible for me to manage the devices that fall under my support since I won't be able to use an MDM that i can control. I'm just trying to figure out how other organizations are handling this situation.
My company dosent have those restrictions, but im kinda surprised O365 is available to use for a company that needs HIPPA compliance. My best suggestion is contact your Jamf "Buddy" i think is the term there using this week. And chat with them about it im sure they have someone who is in the same situation as you.