When I worked at Google over 5 years ago, mobile device options for accessing company accounts were a company-provided and company-owned device with a company-paid phone bill, a personal device with company-provided mobile device management (and sometimes cell phone bill expensing if you for example had on-call duties), a personal device with only limited browser-based work account access, and no account access via mobile.
The first of these could sometimes have implications for ownership of personal projects created using the device, which was one of many reasons I picked the second option, but it was absolutely permitted at least for any case where the company cared about you having mobile account access.
The third option - accessing only browser sites - is under appreciated. I never needed to install Google's MDM on my mobile devices, I just used mobile web gmail and so forth. It's great, honestly, and the mobile web Calendar has the advantage that it doesn't destroy your battery life like the Calendar app will.
I even saw a guy using the code review site on his mobile, on BART. That was dumb from the standpoint of infosec, usability, and mental health, but shows how much is possible in the browser.
Part of me thinks that MDM on employee phones has become a something of a checkbox item because customers ask for it but it's not clear to what extent it really protects sensitive customer data (which is what they're concerned about).
Like most normal people I have no idea what PCI DSS requires. All I know is what the PCI compliance inquisitor says it says, or really what my risk management guy says the compliance guy says it says. And what’s the difference? If he says he says it says we have to have MDM on BYOD, it’s not like I’m going to write a first-principles rebuttal.
Having the code review app available outside of the corp network / VPN is pretty unusual, at least for shops who aren't just using SaaS services that are available publicly anyway (github, gitlab.com, etc).
Nowadays, at least on Android (though I think iOS has something similar now?), one can have a work profile, and the employer can only control activity in / monitor / wipe that profile. Most employers have switched to that for personal devices.
The first of these could sometimes have implications for ownership of personal projects created using the device, which was one of many reasons I picked the second option, but it was absolutely permitted at least for any case where the company cared about you having mobile account access.