We are successful with blocking any apps outside of the specific folders that we allow using a configuration profile, using the Restrictions - Apps feature. We allow the following folders:
/Applications Folder
/var
/usr
/private
We allow these folders for any system apps that may need to run outside of the Applications folder.
I have disallowed the opening of apps from the following folders:
/Library/Application Support/App Store
/Library/Caches
Students were opening apps from these folders because every other folder is writable, and thus they were able to open apps from these folders.
This works very well, except we found out that Microsoft AutoUpdate won't run. Even if I add the parent directory (/Library/Application Support/Microsoft/MAU2.0), it still says it doesn't have permission. I have added the .app and even the file embedded in the package. I am still unable to get Microsoft AutoUpdate to run. If I add the /Library folder to the allowed folders list, it will run, but then it opens up the Caches or App Store folder to have apps run from them, even though they are still in the disallow folder. This is very confusing, and any insight into this would be greatly appreciated. Thanks for your time. First time posting here, so I hope I am making sense.