I'm waiting for "Trusted Access" to become "full release" - and it sounds like it would suit your use case. You have to have a Systems Manager licence to use it - but the device does not need to be managed by Systems Manager.
Trusted Access is basically a Meraki-based certificate server. Meraki handle all the complexities of managing the certificates and deploying them.
So it allows you to use super tight certificate based authentication without the usual pain of certificates.
I'm thinking this feature might be released in the new year. This is my guess.