As a policy, we want to prevent users from playing movies on work devices. We've selected "Movies" in our Content Category policy however, our IT deployment team is unable to load/use iTunes (to download/install apps, not the url) when building new MacBooks.
You can leverage Application settings to perform a specific Allow to certain app, this will have higher precedence than content categories. Depending if you are using DNS or SWG rules might be vary but logic will be same:
Allow all request associated with Itunes, then block based categories, ie: Movies and Streaming Services