Here is an article on blocking BIS. I don’t have a similar article for iPhone unfortunately. One thing you can do is turn off active sync for all users and then enable it for only those who are approved, but that does not stop them from using OWA on the iPhone instead. It just stops active sync.
If u lock the BIS at the firewall then they will never connect. Just block BIS IP’s incoming ports 80 and 443 for SSL.