Limit Client/App Additions

We’re trying to limit the first device sign in so it’s only possible on our internal network.
User A is in a corporate office and installs the Mac Client. They sign in and documents sync. They are still able to sync documents from external Networks once they leave.
User B is at home and installs the Mac Client. They cannot complete sign in, because they are registering a new device.

One of my co-workers saw the Nextcloud team at Scale and they mentioned it should be possible via .htaccess files and file permissions. I was able to block client access completely from external networks, but I’m not clear on how to configure the site so that only sign ups are blocked externally.

How would we accomplish this?

Answering my own question after doing some inspection of the web calls.

I disabled the ability to create a device password by adding a file in conf.d with the following content. This way users can only generate device passwords when they are internal.

<Location /index.php/settings/personal/authtokens>
        Order deny,allow
        deny from all
        Allow from