From version SEP 12.1.x & later, there is now an option to Check / Uncheck for settings:

 

With this extra option, users are now allowed to disable Application & Device Control manually by unchecking this available option, that is, if this is allowed, as set from the SEPM console.

1. In the Symantec Endpoint Protection Manager (SEPM) Console, select: 

Clients > {Highlight the specific group applicable - My Company / Default Group} > Policies tab

2. Expand the Location-specific Settings:

By clicking on the (+) Plus sign, you will expand to see: 

Client User Interface Control Settings

3.  From 'Client User Interface Control Settings' 

Click Tasks>> Edit Setting

If having chosen:

Server Control mode

  a.  Click Customize ... button

  b.  From section => Proactive Threat Protection

      Uncheck 'Allow user to enable and disable the application device control'

  c.  Click [ OK ] button

Mixed Control mode

  a.  Click Customize ... button

  b.  Click 'Client User Interface Control Settings' tab 

      {Similar options are displayed as was seen in the Server Control mode window}

  c.  Uncheck 'Allow user to enable and disable the application device control'

  d.  Click [ OK ] button