I do both. I protect both company-owned and personal machines via the same console. I usually keep password-protection on when the device is company-owned and off when it's their own device.
The way I see it, if it's company-owned, I'm there to create and enforce policies and putting a password on the settings is a quick and easy way of making sure that endpoint is compliant. However, when they own the device, I want them to have a little more control while still having the benefit of being centrally managed. The settings that you use for their machines in the cloud console will usually (in time) supersede any changes that they make locally (as long as you've defined it) anyway, so their changes are usually temporary - this gives me (in my opinion) the right balance of security/convenience.
Good luck and stay safe!