Hi Craig_ITD,
For point 1)
Is the policy to which users must be compliant defined in the Meraki Security Policies, or are you using another solution? If it is defined within Meraki you can set up your Exchange ActiveSync payload to only sync to client devices which are compliant with a particular security policy using tags. This is described here.
The downside to this is that a user will have to re-enter their password / re-authenticate using OAuth every time their device becomes compliant again, as it will remove the ActiveSync account completely from the device. This is probably okay if you don't expect devices to become non-compliant very often, but if it's a weekly thing it will definitely annoy users (maybe they'll start keeping their devices compliant!).
Unfortunately a more streamlined solution would be to use Microsoft Conditional Access policies to block ActiveSync connections when devices are not compliant with Intune MDM policies, as described here. Of course this assumes your organisation has Office 365 with Intune. This would also mean abandoning Meraki EMM, which is not ideal.
A further solution (and perhaps the best if you can get it to work) would be to use Mobile Device Mailbox policies in the Exchange Admin Center (Office 365 or on-premises). This would let you apply policies only to ActiveSync connections, which would auto-deny them on the server side if certain conditions are not met. This seems more efficient than manual quarantine each time. The only policy available in the GUI is a password policy, but there are more if you connect through PowerShell. This is described here. It seems to be what you're already doing in the question.
However, for this last solution the documentation is sparse and for me it's been hit-and-miss on iOS. I think Android still supports it but I'm not sure. I am pretty sure Microsoft is planning to abandon this in favour of its Intune App Protection Policies / Conditional Access policies, which they can use to extract even more money out of people.
Have you considered using a third-party application for email which can be managed separately? Or using the Outlook for iOS / Android app with Intune?
For point 2)
Meraki MDM is active as long as the device is connected and the profile is installed. If the profile is removed, the accounts get removed too. If your security policy needs constant location feedback, you can make sure that in the security policy the Systems Manager app is set as mandatory and location services must be enabled. That means if users remove the Systems Manager app but not the profile, they also lose access to their Exchange account because their device violates the security policy.
I hope this helps you out.
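Added example, not part of the reply above: the "apply a Mobile Device Mailbox policy over PowerShell and quarantine by default" approach from the third option, written out as the Exchange PowerShell commands an admin would run. The policy name, the mailbox address and the admin address are placeholders; the cmdlets themselves (New-MobileDeviceMailboxPolicy, Set-CASMailbox, Set-ActiveSyncOrganizationSettings, New-ActiveSyncDeviceAccessRule, Get-MobileDeviceStatistics) are the standard Exchange ones, but which settings a given client actually honours varies by device, which is the hit-and-miss behaviour the reply mentions.

```powershell
# Added example (not from the original post). Policy name, mailbox and admin
# addresses are placeholders. Assumes the ExchangeOnlineManagement module for
# Exchange Online; on-premises Exchange exposes the same cmdlets in the
# Exchange Management Shell (skip the Connect-ExchangeOnline line there).
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# 1. A mobile device mailbox policy with settings that are not exposed in the
#    Exchange Admin Center GUI (encryption, storage card, non-provisionable
#    devices). AllowNonProvisionableDevices $false is the "auto-deny" part:
#    a device that cannot enforce every setting in the policy is refused.
New-MobileDeviceMailboxPolicy -Name "Managed-ActiveSync" `
    -PasswordEnabled $true `
    -AlphanumericPasswordRequired $true `
    -AllowSimplePassword $false `
    -MinPasswordLength 8 `
    -MaxPasswordFailedAttempts 10 `
    -MaxInactivityTimeLock 00:05:00 `
    -RequireDeviceEncryption $true `
    -AllowStorageCard $false `
    -AllowNonProvisionableDevices $false

# Assign the policy to one mailbox (pipe Get-Mailbox into this for a group).
Set-CASMailbox -Identity user@contoso.com -ActiveSyncMailboxPolicy "Managed-ActiveSync"

# 2. Organisation-wide device access: anything not matched by an explicit rule
#    is quarantined server-side, so unknown devices are held automatically
#    instead of having to be found and quarantined by hand each time.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients admin@contoso.com

# Allow a known device family explicitly; everything else stays quarantined.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "iPhone" -AccessLevel Allow

# 3. Verify what happened on a user's devices. DeviceAccessState shows
#    Allowed/Blocked/Quarantined and DevicePolicyApplicationStatus shows whether
#    the device accepted the policy in full or only partially, which is how you
#    spot clients that silently ignore part of the policy.
Get-MobileDeviceStatistics -Mailbox user@contoso.com |
    Select-Object DeviceModel, DeviceOS, DeviceAccessState, DeviceAccessStateReason,
        DevicePolicyApplied, DevicePolicyApplicationStatus, LastSuccessSync
```

Run step 3 after a device has synced at least once; a device that shows PartiallyApplied is the case the reply describes, where the server accepted the connection but the client did not enforce everything, and is the point at which you decide whether to rely on the policy alone or fall back to the Meraki tag or Conditional Access approaches.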