Yes. This is possible using constraints on activities. As you noted, this is available on Upload, Download, as well as Logins and other activities. You will need to figure out the sanctioned apps to allow this login and then block remaining apps via categories or app tags (I.e allow logins with corp credentials to apps with the "sanctioned" tag and block all others). You can create a User Constraint profile with your corporate domains:
You can then create a policy that blocks any Login activities with these domains to specific apps. In my policy below I block logins to any Webmail tagged as Unsanctioned. You could expand this to additional categories such as Cloud Storage and others.
The exact policy structure will depend heavily on how you've written policies already.
Yes this is possible... didn't see Sam's reply before and I can't erase mine haha... Sam's smart, listen to him 🙂
Excellent, thank you for the detailed response. Exactly what I was looking for!