Hi Chris, not something I have tried but you are looking at Device-based conditional access with Intune to achieve something like this, along with the extra licences that would be needed for this. There may be other ways of doing this but this is what I came across:
"As an Intune admin, you can identify devices as corporate-owned to refine management and identification. Intune can perform additional management tasks and collect additional information such as the full phone number and an inventory of apps from corporate-owned devices. You can also set device restrictions to block enrollment by devices that aren't corporate-owned."
A few more links that explain what this is all about
Is Intune really the only way to achieve this? It looks like each device must be enrolled in Intune to be identified as corporate or personal. Is that right? If so, it's a non-starter. To identify a device as personal and, block installations, you have to enroll first. OK so I just won't enroll my personal device and then I can connect to all the services I want! :)
Am I wrong for thinking is this is a big oversight/blunder from MS?