Recently I successfully implemented the Endpoint application-wise scan check. There are documents that mention how to configure it, but it is all theory. Here I have listed the steps with screenshots.
First, select the option "No threshold : configure endpoint compliance requirements individually per application" in Gateway properties --> Mobile Access --> Endpoint Compliance.
After that, identify which applications you want to restrict (they will be accessible only if the user passes the scan check) and which applications you want to allow.
Create a new Protection Level (Protection Level --> Manage tab) that allows access to the application only if the user passes the security scan check.
For an application that you want to allow even if the user does not pass the security scan check, set the protection level to permissive.
When a user does not pass the security scan check and tries to access an application for which we have set a Protection Level, the user gets the message below and is not able to access the application.