Thank you for posting your query on Microsoft Q&A. From above description I could understand that user have 2 devices registered in Entra ID and you want to block content download on 1 of them and allow one.
Please do correct me if this is not the ask by responding in the comments section.
By default a device is considered as Corporate when its Azure AD or Hybrid AD joined. Any device which is registered as a workplace join device is considered to be personal. However here are the few ways you could try for this particular user:
- From Intune/MEM portal create two device categories namely corporate and personal.
- The assign personal category to the device you want to block, by navigating to the device properties on Intune console
- Create a dynamic group with category as personal.
- Now create a conditional access policy blocking access to corp applications and assign it to above created dynamic group.
Please "Accept the answer" (Yes), and share your feedback if the suggestion answers you’re your query. This will help us and others in the community as well.