Anyone who requires this level of security for regulatory purposes should not have a BYOD policy at all. "Only fully-managed, organization-owned devices get to touch this data" is the only fair way to both maintain data security in highly regulated environments and not effectively take ownership over employees' (and, in a university context, students') computers.