Allowing apps to run from certain folders only

catfeetstop
Contributor II

If I'm blacklisting/whitelisting what folders applications are allowed to run from by using the com.apple.applicationaccess.new MCX, and I want to allow a folder within a user's home folder, how would I make it work for every user? What wildcard would I use for the user's home folder? Would I do /Users/*/Library/Application Support/, ~/Library/Application Support/ or something else?

1 REPLY

tkimpton
Valued Contributor II

I had the same problem and it was trial and error. Going from memory....

Mine was Juniper

Using Workgroup Manager, I didn't block the users directory, but I allowed:

/Applications/
/Applications/Utilities/
/Library/
/System/
/opt/
/Developer/
/Library/Application Support/Juniper/
~/Library/Application Support/Juniper/HostChecker/JuniperSetUpClient.app/Contents/MacOS/JuniperSetupClient

Also, from my test machine, I just touched JuniperSetupClient and HostChecker in Terminal to create blank files and dragged those into the Always allow this App and the unsigned (Juniper always updates their software, so no way am I signing that all the time).

I pulled my hair out and it seemed a simple ~/Application Support/ didn't work. The only way I could get things working was to allow the exact binary of the app within the app bundle and also allow the app without signing it!

I had to do this with the Google Chrome path, whitelist ksadmin, and similar with FontExplorerAutoload.

Then on my test 10.6.8 I was able to get the plist.

I then used mcxToProfile for my 10.8 machines. One note on 10.8 is that you do not get a pop-up telling the user that the app didn't launch and to contact the administrator. Instead it just doesn't launch.

Bit of a bummer, because for troubleshooting I always have to have a 10.6.8 dev box.
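
The allow list from the reply above, written out as a preference file for the com.apple.applicationaccess.new domain, with a check that picks out the entries living inside a user's home folder (user-writable, so they should stay as narrow as the exact binary). This is an added example, not code from either poster; the key names `familyControlsEnabled` and `pathWhiteList` and all function names are assumptions that do not appear in the thread.

```python
import plistlib

# Paths copied from the reply above.
ALLOWED_PATHS = [
    "/Applications/",
    "/Applications/Utilities/",
    "/Library/",
    "/System/",
    "/opt/",
    "/Developer/",
    "/Library/Application Support/Juniper/",
    "~/Library/Application Support/Juniper/HostChecker/"
    "JuniperSetUpClient.app/Contents/MacOS/JuniperSetupClient",
]

def build_prefs(paths):
    """Preference dict for the managed domain.
    Key names are assumptions (not shown in the thread)."""
    return {"familyControlsEnabled": True, "pathWhiteList": list(paths)}

def home_relative(paths):
    """Entries inside a user's home folder, i.e. places the user can write to."""
    return [p for p in paths if p.startswith("~/") or p.startswith("/Users/")]

def is_exact_binary(path):
    """True when the entry names one executable inside an app bundle,
    not a whole folder."""
    return not path.endswith("/") and ".app/Contents/MacOS/" in path

def to_plist_bytes(prefs):
    """Serialize as an XML property list."""
    return plistlib.dumps(prefs, fmt=plistlib.FMT_XML)

if __name__ == "__main__":
    prefs = build_prefs(ALLOWED_PATHS)
    with open("com.apple.applicationaccess.new.plist", "wb") as fh:
        fh.write(to_plist_bytes(prefs))
    for p in home_relative(prefs["pathWhiteList"]):
        kind = "exact binary" if is_exact_binary(p) else "whole folder"
        print(f"home-relative entry ({kind}): {p}")
```

Run directly, it writes the plist to the current directory and prints the one home-relative entry, which in this list is an exact binary rather than a folder.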