BYOD is fine (although I'm fairly sure the civil services DOES supply work phones to most line of business staff who require one). However you should be enforcing Android Work Profile or the iOS equivalent when accessing corporate resources as part of a Conditional Access Policy. E.g. as soon as you sign into work email etc it enforces MDM before you get access. This will do stuff like insist on a secure PIN/password screen lock, control over application install under an allow/deny list, enforce device encryption as well as provision it with any certs needed to access company resources. Every company I can think of has been doing this for years and it's trivial and essential under a Zero Trust model for security.