Whoa, that's a lot of questions, and some of them have "it depends..." answers, but let me give it a shot.
If you enable application blocking without any additional configuration, only executables from the Windows and Program Files folders are allowed. Everything else will be blocked. Whether you should put a condition on this global configuration setting depends on what exactly you'd like to achieve. If there are power users who should just have access to everything, you might want to use a condition here.
For your Root of C:\ applications, I would add specific path-based allow rules:
You can use conditions on such a setting to make sure it's only applied to users who should have access.
For Visio, it's the other way around, in a sense. As it's installed in Program Files, the application blocking's global configuration grants access by default, so you would need to block it (with the correct path, unlike my example below):
Condition-wise, you'd need to use something like:
If you don't use conditions, the setting will apply to everyone, blocking Visio for everyone.
Whether applications are installed in the base image or coming from an AppStack should not affect UEM's application blocking. The Work with Multiple Types of Application Blocking topic describes how the different application blocking settings interact.
Thank you, DEMdev. I think I understand it now. It looks like it works pretty slick, and I had to add c:* to allow those odd programs to function. The only problem we are seeing now is that since we are redirecting the Desktop, Documents, etc. libraries, it doesn't let me execute from the desktop, for example, because to UEM it looks like it is being executed from \\fileshare, and I cannot add it to UEM as it only allows absolute paths.
You're right, it appears that I can do something like \\server\share\*. Not sure why I was thinking that I cannot. For some reason, when I tried it before, it told me that only an absolute path is accepted.
I'll give that a shot and let you know.