Your comments

Best practice has become to block executable content from user location such as %temp% in order to prevent drive-by downloads that lead to ransomware.  Being able to create certificate-based exceptions for core applications helps to ease user pain around this policy.

The inability to do so for ConnectWise Control means that we can't use the product that we are paying for.

Alternatively, please provide a supported base installation via GPO that supports updates.  An example that comes to mind is Pulse Secure Connect, which allows us to push a Windows installer service that can then install and update the remaining components.