Absolutely agree that policy needs to come before technology. Otherwise you pick the tech that you think will work based on assumptions of what you think users want, and what the business will allow.
Set up a policy on the basis that users WILL use their own devices, but make it appropriate to your organisation. CYOD will only work if you provide devices people want to use. You will lose staff to organisations that are less restrictive if you're not careful. If the policy means no data is ever stored on the device, then that's fine. If it means users have to use 2FA to access sensitive data, then make that the policy. But allow the policy to match expectations, then implement a technology that supports the policy.
Sticking your head in the sand and saying no users can access the data remotely ignores the fact that they will find a way, and unless you provide them a way to do it safely, the way they choose will certainly not be one you have any control over.