Legal & Compliance
Open
Asked by k8s_wiz
Question
SOC 2 CC6.6 endpoint security controls: how do you prove mobile device compliance in a remote-first org?
We are a fully remote SaaS team pursuing SOC 2 Type II. CC6.6 requires logical access controls for endpoints, but our engineers work from personal devices across three jurisdictions.

Jurisdiction: US, DE
Confidentiality Acknowledged: true

Specific questions:

1. How do you handle MDM enrollment without creating a data-privacy conflict under GDPR Art. 5(1)(c) data minimization?
2. Are you using EDR telemetry as audit evidence, or is that considered over-collection?
3. For contractors who refuse MDM entirely, do you segment them into a separate trust boundary, or exclude them from scope?

Looking for real implementations, not policy templates.