Why not buy them some cheap Android tablets? I mean, you can pick up some really cheap ones, less than 50 bucks. As long as they are on the Wi-Fi, they use those. You have total control over the 2FA devices that way.
Now they are carrying around two devices with them: their phone and this tablet.
It's worse than that. The device battery, 6 months in, lasts 10 minutes; the screen takes 2 minutes to use because it's some ancient touch screen; the Android release is 4 versions behind. The MDM APIs are so crippled you can't get AirWatch or any real MDM solution to work. When you have labor resources that cost $100-500 an hour, WTF would you try to save a few $ per person in a way that will cripple their workflow? I've seen so many people try this and fail.
For what it's worth, hospital devices tend to be shared on-call devices. My wife's on-call phone is locked down so tight that if she takes 2 steps outside, AirWatch bricks the device till it comes back into the hospital. They use special Android devices that are properly patchable, have the full KNOX APIs for AirWatch to hook, and have extra battery kits and hot docks everywhere.