Drew, there are 2 different policies to worry about.
1. IT Policy is the one you should use to restrict certain tasks, but if you restrict 3-rd party apps download you will not be able to install anything via Application Policy (see below).
2. Application Policy is the one yuou should use to push applications to the users that require it. Basically, you would set-up rules for Deny, Optional and Required (see elsewhere on this forum) and add applications to the policy. So, the overall policy would be to Deny all applications, except those specifically listed in the policy.
Create 2 (or more) groups of users and assign a blank Deny policy to those that do not need anything. Then create another App policy that has GMM and what ever else you want and set the applications as Required and Wireless. Assign that policy to the rest of the users that need it.