Real-World Experiences with App Control for Business

Make sure to enable the managed installer during your setup. Recently, Microsoft allowed you to target specific groups instead of the whole environment, which is a game changer. Start with a minimal base policy that includes only Microsoft publishers, PowerShell, and the managed installer. Then, create separate supplemental policies for each application you need. Yes, it might end up being around 39 policies, but I promise it simplifies testing and makes it easier to manage. Plus, if something goes sideways, pinpointing the issue is way simpler! And always document everything; trust me, you’ll thank yourself later when managing these policies is less of a headache.

Honestly, if the budget allows, consider looking into a third-party solution like Threatlocker or Airlock Digital. WDAC seems great at first, but my experience is that it can turn into a real pain to manage. Even if you get the hang of it, the learning curve is steep for others who might have to support it after you're gone, so that's something to think about. Just keep an eye on what gets enforced in audit mode—some things might surprise you.

If you're using Intune, just know that changes won't happen instantly. Be prepared for managers to want immediate access to apps and remind them there might be wait times. Also, you'll likely be tuning policies a lot while dealing with helpdesk calls regarding access issues. It's a learning curve for sure, so keep communication open within your team.

A lot of the issues you're likely to face will come from developers. They tend to try downloading and compiling their own stuff, so you've got to really understand their workflows. Don't skip on training your service desk team, either! This product can be pretty tough for newcomers to wrap their heads around.