From version SEP 12.1.x & later, there is now an option to Check / Uncheck for settings:
With this extra option, users are now allowed to disable Application & Device Control manually by unchecking this available option, that is, if this is allowed, as set from the SEPM console.
1. In the Symantec Endpoint Protection Manager (SEPM) Console, select:
Clients > {Highlight the specific group applicable - My Company / Default Group} > Policies tab
2. Expand the Location-specific Settings:
By clicking on the (+) Plus sign, you will expand to see:
Client User Interface Control Settings
3. From 'Client User Interface Control Settings'
Click Tasks>> Edit Setting
If having chosen:
Server Control mode
a. Click Customize ... button
b. From section => Proactive Threat Protection
Uncheck 'Allow user to enable and disable the application device control'
c. Click [ OK ] button
Mixed Control mode
a. Click Customize ... button
b. Click 'Client User Interface Control Settings' tab
{Similar options are displayed as was seen in the Server Control mode window}
c. Uncheck 'Allow user to enable and disable the application device control'
d. Click [ OK ] button