I'd propose the following line of reasoning:
- people tend to use company devices for private stuff, even when it's explicitly prohibited,
- draconian policing leads to employee dissatisfaction; you won't be able to fire that great engineer you spent 3 months hiring because he logged in to Spotify running within Chrome, and if you can - and do - soon you will be unable to hire top talent,
Thus, even with those policies in place, end user devices still need to be considered untrusted. Specifically, that they can be key-logged and remote accessed by the attackers.
Hence,
(a) anything sensitive should involve transaction-level validation, not just end user authentication,
(b) for logging in and out, as well as for confirming sensitive operations, proper MFA needs to be in place (physical key + token on a mobile device, for instance),
(c) apply lightweight, reasonable restrictions to reduce the chances of device compromise dramatically (e.g., no downloading of 3rd party apps or binaries - but do whitelist things like Skype or Spotify, force strong passwords for devices, etc).
This means reasonable personal use is perfectly fine, employees are happy, and you are safer vs. assuming local devices are clean.
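An added example (not from the answer above) of what "transaction-level validation with MFA" looks like server-side under the assumption that the endpoint is keylogged or remote-controlled: the server binds a short-lived, single-use challenge to the exact transaction, a separate MFA device shows the transaction summary and signs it, and execution is allowed only if that approval matches this user, this challenge and these exact transaction details. The shared per-user device key, user name and transaction fields are constructed for illustration; a real deployment would use FIDO-style asymmetric keys in the same role.

```python
import hashlib
import hmac
import json
import secrets

# Constructed per-user key shared with the user's enrolled MFA device (an assumption
# for this example; a FIDO-style asymmetric key would serve the same role).
DEVICE_KEYS = {"alice": b"constructed-device-key-for-alice"}
_pending = {}  # challenge_id -> {user, digest, exp}; single-use records


def tx_digest(tx: dict) -> str:
    """Canonical JSON so the same transaction always yields the same digest."""
    canon = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def issue_challenge(user: str, tx: dict, now: float) -> dict:
    """Step 1: bind a short-lived, single-use challenge to the exact transaction."""
    cid = secrets.token_hex(16)
    digest = tx_digest(tx)
    _pending[cid] = {"user": user, "digest": digest, "exp": now + 120}
    # The server pushes (cid, digest, human-readable summary) to the MFA device,
    # not to the possibly compromised endpoint that submitted the request.
    summary = f"{tx['action']} {tx['amount']} to {tx['to']}"
    return {"challenge_id": cid, "digest": digest, "summary": summary}


def device_approve(user: str, cid: str, digest: str) -> str:
    """What the separate MFA device computes after showing the summary to the user."""
    msg = f"{cid}:{digest}".encode()
    return hmac.new(DEVICE_KEYS[user], msg, hashlib.sha256).hexdigest()


def authorize(user: str, cid: str, tx: dict, approval: str, now: float) -> bool:
    """Step 2: execute only if the approval matches this user, this challenge
    and this exact transaction. A stolen session alone is not enough."""
    rec = _pending.pop(cid, None)  # consumed even on failure: no replay
    if rec is None or rec["user"] != user or now > rec["exp"]:
        return False
    digest = tx_digest(tx)
    if digest != rec["digest"]:
        return False  # transaction altered between challenge and execution
    msg = f"{cid}:{digest}".encode()
    expected = hmac.new(DEVICE_KEYS[user], msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, approval)
```

The three failure paths (replay of a used challenge, transaction edited after approval, expired challenge) are the ones a compromised endpoint would hit; a plain session cookie check catches none of them.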