But then best practices say you should be doing cert pinning. That will block your CA.
Although for most apps modifying that check to look for another cert is probably not too hard. (But of course if the app is obfuscated and does integrity checks on itself, it can get arbitrarily complicated.)
I visit sites with cert pinning at $EMPLOYER. $EMPLOYER runs a very expensive solution from Blue Coat which includes a MITM CA - no issues intercepting anything here. Amusingly, this meant the proxy itself was vulnerable to Heartblead while the client machines were not.
The only foolproof way to get around this is to hardcode the certificate into the application itself, or at least the intermediate chain. Otherwise, you could have always intercepted the first request and made that the certificate of record.
Although for most apps modifying that check to look for another cert is probably not too hard. (But of course if the app is obfuscated and does integrity checks on itself, it can get arbitrarily complicated.)