You should be able to do this. In our MDM it's called application run control and takes affect on entire device, so if i would add for example chrome per bundle id there, it will diappear from the device (private and work profile) and not able to be installed again.
So i guess there can be something in Intune but as i don't use Intune (luckily) i don't know if they have build in that possibility there as well.
But i would need to test and check this as I currently don'T use BYOD.
I did some testing and it only affects apps in work profile (so my remembering was totally wrong, sorry for that).
So, the only thing i know of you can block is installation from unknown sources (in both profiles).
I guess i mixed it up with COPE but this needs to be testedfrom your side as well and not sure if this is a possibility to think about as this makes completely difference in the purpose the device is handled and controlled.
What's the reason you want block apps in private part of a BYOD (which should be ideally untouched by a company)? For me your request looks more like you need to look for COPE or fully managed device enrollment.
That sounds weird to me somehow.
So, they should be used at the same time? If not you should investigate into shared device.
If yes, you can add multiple accounts to the app and switch between them just inside the app. But ofc then the data is not entirely separated.
Not sure if you look into something like "secured folder" Motorola provides on their (latest) devices but they don't have tablets as their tablets are provide via Lenovo which use different oem.
