Gotcha. That system doesn't work that well ...
For main network access, you would probably want to use 802.1X (whether for WiFi or wired). If you use Cisco ISE as the backend then you could have it test compliance (such as has AMP for Endpoints installed, is in a "happy" state, etc.) and then have it decide which should be done.
In my perfect world, Systems Manager would be extended to be able to check the Windows Security Centre. This would then support pretty much every endpoint security product out there, and then create policies off that. You can kinda do something similar at the moment but it doesn't work very well.
At the moment Systems Manager can check for security software running (but you can specify what software - perhaps you could tie that down with group policy):
https://documentation.meraki.com/SM/Tags_and_Policies/Security_Policies_in_Systems_Manager
https://documentation.meraki.com/SM/Tags_and_Policies/Security_Policies_in_Systems_Manager/Troublesh...

And then you can dynamically assign policy based on that dynamic tag.

The biggest problem I had is the Systems Manager agent does not check the machine posture very frequently (I think it might only do it on boot - not sure). So it takes a while to get this to trip, but then once you have finished remediating the machine it can take a LONG time (like a day) for it to report that it is now fixed and remove the restriction.
I last tested this a couple of years ago, so perhaps it has improved.
If Meraki sorted this out and made it work on switches as well I could sell a tonne of Systems Manager licences.