Policy for unsanctioned apps

Under the new SaaS security report you can now identify apps as either sanctioned or unsanctioned - is this for reporting only or can you create any policy based on this?

The SaaS security report is the Shadow IT Report. You can tag the apps as sanctioned or unsanctioned. To create a policy based on the Sanctioned or Unsanctioned, you will have to create it in the Cloud App Control.

But can the Cloud App policy be for “unsanctioned apps” or does it have to be for specific apps. Or even “unsanctioned webmail apps”? Can you use that classification in a policy? i do not see where that is an option.