>Any ideas on how to force users to use the works profile?
Never tried it myself - but if you are using Duo for MFA (including for email), you could enable a "Trusted Endpoint" policy so it can only be accessed from the work profile. Note you need to be on the "Duo Beyond" plan to get this feature.
https://duo.com/docs/policy#devices-policy-settings
Another painful option, and assuming you are using Exchange, would be to enable certificate-based authentication to Exchange (so usernames/passwords are disabled). Then only deploy the certificate into the work profile. Then only Outlook in that profile would be able to log into Exchange.