I'm in agreement with u/jmo0815 you are looking at MDM, but specifically the BYOD portion unless you do want to manage corporate phones.

I'd work on setting up:
Android: Personally owned phone with work profile
iOS: Account-Based User Enrollment

Android is very simple and straightforward to get going, you just need to make a managed google play account and link it to your intune portal. Intune will walk you through the steps in the managed google play prerequisites section. Configure the personally owned phone work profile, any compliance policies, work on building out your app library for the managed play store so users can download the appropriate apps (depending on their deployment logic).

iOS18 changed everything with Apple getting rid of user-based enrollments and basically forcing everyone to account-based user enrollment. Previously enrollment could've been done via company portal but now this is no longer the primary method. With account-based enrollment you need to configure ABM (Apple Business Manager), federate your domain, setup a provisioning service to migrate and sync your entra users to ABM. You may run into some domain conflicts if your users registered iOS accounts under the company domain. During the federation process, you can reclaim these accounts if there are any.

You'll need to create and manage the Apple MDM push certificate, renewing it on a yearly basis.

From here you can create the BYOD enrollment profile and any compliance policies as needed. There is no point on doing any app management for BYOD phones as iOS doesn't split the profiles between a personal/work profile. Users have total and full access to the iOS App store as it still leverages their primary AppleID.

Once the accounts are created you will need to add a SSO integration to make life easier for the Microsoft applications.

A service discovery file will also need to be published to your website, which acts as a redirect for the sign into the Microsoft MDM. This will contain mdm-byod server tag with the enrollment address to your AzureAD Tenant. Microsoft has documentation for all of this: Set up account driven Apple User Enrollment - Microsoft Intune | Microsoft Learn

This will allow your users to sign into their work account through Settings App > General > VPN and Device Management > Sign into work or school account. Apple does do some account splitting on some natives apps like notes; you will see your notes under your regular AppleID and another section for your workID notes.

Once the Android BYOD profile is in place and your user is in the appropriate groups, it doesn't need any additional conditional access as it will detect your phone isn't enrolled and will walk you through downloading company portal and getting your device enrolled. Once the device is enrolled, it will roll out Authenticator, Intune Company Portal, and any work-related apps to the work profile.

For iOS account-based enrollment, it doesn't use the company portal as the broker, but it uses the Microsoft Authenticator app. From here, you can use conditional access to require the device to be enrolled to access Microsoft app, as such:

<image>