I'd like to secure our network so that a person could not simply plug into a network port and be assigned an IP allowing them to run all kinds of network tools against it. I thought I could limit DHCP to known MAC addresses but I don't see it in my MX security appliance. Is there another way to accomplish my goal that I'm not thinking of? I could assign IPs manually but that's not a great option.
You have a couple of options. On your MS220 switches you could move to 802.1x port authentication. This means only authenticated machines will be able to attach to your machine. This is the most secure but also the most complex to set up.
This is typically done with a RADIUS server and a Windows AD domain, but you can also use Meraki Authentication if you have a small number of machines.
The next options are around group policy. You could make the default VLAN be a VLAN that is not connected to anything. And then apply a group policy that overrides the VLAN and puts the user into a working VLAN.
You could also use a similar approach where you change the default L3 firewall rules to "deny any" and then use group policy to override those firewall rules to allow access.
On re-consideration, forget the VLAN option. MS doesn't respond to group policies. So one of the other two options.
Just to add: not giving out IP addresses (or even limiting those to known hosts) is nothing that would add a layer of security to your network.
If you really want to go for added security, see Philip's advice on using 802.1x.
Looking into it further, I cannot list MAC addresses in my RADIUS server. I am using Jumpcloud as my DaaS; I have opened a ticket on using MACs in the RADIUS server, but they do not support it. Now looking at just whitelisting MACs on the MS port. I need to test to see if it will block other MACs from passing traffic on that port.