This seems like an open-ended question. Why not tell us what kind of additional restrictions you'd like to implement based on your internal security policy?
Otherwise you can benefit from reading the 16.10 release notes. They explain some of the improvements on App Policy.
R.P