One of the primary reasons for using Endpoint Manager (or any MDM) is being able to manage the user's Apple ID and control what apps they can or cannot install. We DO NOT want them to be able to download anything they want from the App Store. We want them to be able to download specific applications that we approve and make available in EM. Currently, the only way to add new applications to a users device is by physically possessing the device and adding new applications via Apple Configurator.