Conditional Access - How to prevent a user logging on with apps from their private profile, not work

We have intune setup to push out outlook, teams, onedrive etc when a new android device is registered. These would be in the company profile, so when they leave the company we can delete all the apps and data without affecting their personal profile.

If they installed apps to their personal profile then we would not be able to delete the data from them in the same way. 

So how can you create conditional access rules so that work installed apps can access 365 resources, but personal ones cannot even though they are installed on an approved device?