After a user logs on to an endpoint, Endpoint Application Control evaluates the policies in the policy list, in order, to see whether one matches the user or endpoint.
See About Rule Priority.
After matching a user or endpoint to a policy, user and endpoint matching stops and Endpoint Application Control deploys the policy by taking the following actions:
1. The agent may perform an endpoint inventory.
2. The agent identifies the current user.
3. The server matches applications between the endpoint inventory and the rules in the policy.
   By default, Endpoint Application Control deploys policies that contain customized versions of rules. Customized versions of rules contain only the applications matched in each endpoint's inventory.
4. The server deploys the policy.
5. The agent applies the policy.
During lockdown, if a user adds an application that was not on their endpoint during inventory, the application may be blocked even if it should be allowed. To always send the full list of applications, specify that the "full policy" be deployed.
To learn about other methods of allowing applications installed after lockdown, see About Lockdown Allow Conditions.
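The following added example, which is not Trend Micro code, models the flow above to show why a customized policy can block an application that an allow rule lists but that was installed after the inventory. All function names, policy fields and sample data are constructed, and lockdown is assumed to allow only applications present in the deployed policy.

```python
# Simplified model of the deployment flow described above. All names and
# sample data are constructed for illustration; this is not product code.

def select_policy(policies, user, endpoint):
    """Return the first policy (in list order) that targets the user or endpoint."""
    for policy in policies:
        if user in policy["users"] or endpoint in policy["endpoints"]:
            return policy          # matching stops at the first hit
    return None

def build_deployment(policy, inventory, full_policy=False):
    """Return the set of allowed applications sent to the agent.

    Customized (default): only rule applications found in the inventory.
    Full policy: every application in the policy's allow rules.
    """
    allowed = set()
    for rule in policy["allow_rules"]:
        apps = set(rule["applications"])
        allowed |= apps if full_policy else apps & inventory
    return allowed

def lockdown_allows(deployed, application):
    """Assumption: during lockdown only applications in the deployed set run."""
    return application in deployed

# Constructed sample data.
POLICIES = [
    {"name": "finance", "users": {"alice"}, "endpoints": set(),
     "allow_rules": [{"applications": ["excel.exe", "sap.exe", "putty.exe"]}]},
    {"name": "default", "users": set(), "endpoints": {"PC-042"},
     "allow_rules": [{"applications": ["notepad.exe"]}]},
]
INVENTORY = {"excel.exe", "sap.exe", "chrome.exe"}   # taken before lockdown

def demo():
    policy = select_policy(POLICIES, "alice", "PC-042")
    customized = build_deployment(policy, INVENTORY)
    full = build_deployment(policy, INVENTORY, full_policy=True)
    # putty.exe is in an allow rule but was installed after the inventory.
    return (policy["name"],
            lockdown_allows(customized, "putty.exe"),
            lockdown_allows(full, "putty.exe"))

if __name__ == "__main__":
    print(demo())
```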