How Application Control policies and Application Isolation policies work together

If you run both Application Isolation and Application Control in the same device group, make sure that you know how their respective policies interact.
You might have to adjust the number of Application Control rules that you use when you run Application Isolation in the same device group.
For more information, see:
How policy settings interact to determine if an application can run
  • Application Control block rules take precedence over any setting in your policies.
  • By default, Application Control does not allow any application that is not on its allow list.
  • Operating system applications and Symantec applications are always allowed and get isolated by the settings in the Platform Isolation policy.
  • Application Control allow lists are combined with Platform Isolation policy settings for low, medium, and high isolation.
  • You might use an isolation castle policy for an application such as Microsoft Office. If you do not include the application in the Application Control allow or block list, Application Control treats the application as part of the allow list. The application then runs under the relevant security settings in the Platform Isolation policy. This behavior is true when the Application Control runs in either
    Strict Enforcement
    Enforce with Overrides
For more information, see:
Global monitor mode
The Platform Isolation policy contains a global monitor setting. If this setting is on, all of your Application Control policies run in monitor mode regardless of the individual policy setting. See: