You need both methods.
2 out of 3 companies I worked for had a whitelisted set of tools you were allowed to install. It never contained either the full set of tools you needed to do your work or the newest versions. So you were completely left in the dark as to whether you were allowed to accept this auto-update or not.
This is the setup for employees who do not handle files from the outside world and only need internal networks.
The third company went along the lines of: We've hired expert developers, they all grew up with PCs, have their own machines at home - who, if not them, should be trusted to know what tools they need and to discern useful tools from BonzoBuddies?
This is the setup for employees who regularly work with outside files.