The ability to deny a specific group(s) from being able to run an application, either by user or device. Being able to set this at either the provision and/or application level.