yes you can accomplish this in two ways, one create a sub group and have a policy which allows this particular apps and move the user's machine/s to this group. the other way is to setup the computers in user mode and the integrate your AD in to SEPM and assign policies based on users. if its just a few users/machines I would suggest you to go with sub group with no blocking as its easier and convenient to setup and manage.