If you have fewer than 10 devices using iPSK, you can simply do this via the Meraki Dashboard. You can just load in the existing MAC addresses, and assign them the current PSK, and they will still be able to connect, while everything else will be blocked. Going forward you can use a unique PSK per device.
"Assign group policies by device type" would not work for your use case. You would find it unreliable.
If using RADIUS, I would dump every single connected MAC address for the whole org. Apple devices should be easy to spot because of their MAC address. Delete all of those.
Now load in that MAC address list to your RADIUS server, and assign every one of them the current PSK.
Now on day one, every device will still be able to connect, except Apple devices. At this point, you have mostly achieved what you want. Only authorised MAC addresses can now connect.
As you go forward, you can then start assigning unique iPSKs.
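The RADIUS steps above, sketched as an added example that is not part of the original post: it turns a client dump into allowlist entries that all return the current PSK, dropping Apple rows, duplicates and malformed MACs. Assumptions: the dump is a CSV with `mac` and `manufacturer` columns (constructed sample below), the server is FreeRADIUS using its `users` file, the access point sends the MAC as 12 lowercase hex digits for both username and password, and the PSK is returned in `Tunnel-Password`.

```python
import csv
import io
import re

# Constructed sample of a client dump; the column names "mac" and
# "manufacturer" are assumptions, not a documented export format.
SAMPLE_DUMP = """mac,manufacturer
AA:BB:CC:00:00:01,Intel
aa-bb-cc-00-00-02,Apple
aabb.cc00.0003,Samsung
AA:BB:CC:00:00:01,Intel
not-a-mac,Unknown
"""


def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if raw is not a MAC."""
    digits = re.sub(r"[:.\-\s]", "", raw.strip().lower())
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def build_allowlist(dump_text, skip_vendor="apple"):
    """Split a dump into (kept MACs, rejected raw values), deduplicated."""
    kept, rejected = [], []
    for row in csv.DictReader(io.StringIO(dump_text)):
        mac = normalize_mac(row.get("mac") or "")
        if mac is None:
            rejected.append(row.get("mac"))  # surface bad rows for review
        elif skip_vendor in (row.get("manufacturer") or "").lower():
            continue  # deleted from the list, as the post describes
        elif mac not in kept:
            kept.append(mac)
    return kept, rejected


def users_entries(macs, psk):
    """Render FreeRADIUS 'users' entries (assumed server and MAC format)."""
    # Escape backslashes and quotes so the PSK survives the users-file parser.
    quoted = psk.replace("\\", "\\\\").replace('"', '\\"')
    return "".join(
        f'{mac} Cleartext-Password := "{mac}"\n'
        f'\tTunnel-Password = "{quoted}"\n\n'
        for mac in macs
    )


if __name__ == "__main__":
    macs, bad = build_allowlist(SAMPLE_DUMP)
    print(users_entries(macs, "CONSTRUCTED-current-psk"), end="")
```

Moving a device to its own iPSK later means replacing the `Tunnel-Password` value in that device's entry only.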