For preventing unauthorized 3rd party applications, etc., there are 2 ways you can do this. The first is using an IT policy called disallow 3rd party applications (I think that's it, might be similar in name). That will prevent ALL 3rd party applications from being installed. The other way is you can whitelist applications you want to allow to install. This is done by creating allow lists using software deployment setup. Here is a link for it. The 3rd party application block will override the whitelist.
The MDS-CS service will give the devices access to the local LAN the server is on. If this is already the same subnet as your workstations (likely it is, since you are using the professional version), this doesn't matter. But larger organizations will have the BES server in a different network segment than the workstations so this service can be secured. You can set up a proxy connection on the MDS-CS to send the BB requests to a different gateway as well.
For device policies, you can use the included ones with the server as a starting point for the various levels. Then look through the other policies to see what else you might want to lock down on the phones.