Restrict access by mac address in SSID (all clients blocked by default until explicitly allowed)

jperez_netics
New here

As far as I know, if an endpoint connects to the wireless network, I can then restrict the access using device policy and choosing normal, block or allow.

What the customer wants is exactly that function but backwards. I mean, if we can set device policy to block by default for any new users and manually put them in allow or normal, is this possible?

I tried to do that but I think that I'm missing something, or it can't be done the way they want.

5 Replies
alemabrahao
Kind of a big deal

Not directly on the SSID; you would need a RADIUS server to restrict it this way.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Enabling_MAC-based_access_control_...

https://documentation.meraki.com/MR/Encryption_and_Authentication/MAC-Based_Access_Control_Using_Mic...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Brash
Kind of a big deal

An option that might work...
 - Create a VLAN and assign a group policy to it that denies all traffic. Set this VLAN on the SSID.
 - Once the device has connected, manually change the group policy of that device to one which allows network traffic.

IvanJukic
Meraki Employee

Hi @jperez_netics

What about Layer 2/3 LAN isolation? Clients that connect to a "blocked SSID" can be denied access to local networks (except DNS and DHCP, which you can control anyway).

'Deny Local LAN' settings in Cisco Meraki MR firewall

https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/'Deny_Local_LAN'_settings_in_Cisco_...

Cheers,

Ivan Jukić,
Meraki APJC

If you found this post helpful, please give it kudos. If it solved your problem, click "accept as solution" so that others can benefit from it.
christy2951hern
New here

You're right, most traditional Wi-Fi access points (APs) don't offer the functionality of blocking by default and allowing by exception for MAC addresses within an SSID (Service Set Identifier). However, there are alternative approaches to achieve a similar outcome.

MAC Filtering with Open Network (Least Secure): This method involves creating an open Wi-Fi network (no password) and restricting access only to authorized MAC addresses through the router/access point's settings.
This approach is not recommended for secure environments as anyone can connect and potentially see network traffic if they have the authorized device's MAC address.

fixhour
New here

Yes, it's possible to implement a device policy where new devices are blocked by default and then manually allowed or set to normal access. This is a common approach to ensure that only authorized devices have access to the network while maintaining control over policy exceptions.

Here's how you can achieve this:

  1. Create a Default Policy: Set up a default policy that blocks all new devices. This policy should apply to all devices that connect to the network initially.

  2. Add Allow/Normal Policies: Create specific policies that allow or grant normal access to devices that are manually approved. These policies should be applied to the devices you want to grant access to.

  3. Apply and Monitor: Apply these policies and monitor the network to ensure that new devices are initially blocked and only the approved devices have the desired access.

General Steps:

  1. Set Default Block Policy: Configure the default policy to block any device that connects to the wireless network.

  2. Manually Adjust Policies: Once a device is identified and verified, manually change its policy to allow or normal access.

  3. Verify: Ensure the policies are working as intended by testing with new devices and checking access permissions.

This approach ensures that any new device will not have network access until it is explicitly allowed. The exact configuration steps will depend on the wireless controller or network management system you are using, so consult your device's documentation for specific instructions.
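A worked example of the "block by default, allow by exception" policy logic that the original question and the procedure above describe, added here and not part of the thread or of any Meraki tooling. It is plain Python that keeps an allow-list of MAC addresses, decides per client whether the policy should be Normal or Blocked, and hands each change to an `apply_policy` callback you would wire to your controller (for Meraki that would be the Dashboard API's per-client policy update; the exact endpoint and the `devicePolicy` field name on the client records are assumptions, check the API reference). The allow-list, the client records and the `demo()` result are constructed sample data. It also flags locally administered (randomized) MAC addresses, because phones that rotate their MAC per SSID keep reappearing as new, blocked devices, which is the practical weakness of any MAC-based allow-list.

```python
"""Default-deny wireless client policy reconciled against a MAC allow-list.

Added example, not from the original thread. The policy names mirror the
Meraki client policies mentioned in the thread ("Blocked", "Normal"); the
'devicePolicy' field on the client records and the apply_policy hook are
assumptions about how the controller integration would look.
"""
import re
from typing import Callable, Dict, Iterable, List, Set

BLOCKED = "Blocked"  # default for any client not on the allow-list
NORMAL = "Normal"    # granted only to explicitly allow-listed MACs


def normalize_mac(mac: str) -> str:
    """Return the MAC as lowercase aa:bb:cc:dd:ee:ff.

    Accepts 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff', 'aabbccddeeff' and similar,
    so an allow-list entry typed in one notation still matches what the
    controller reports. Raises ValueError on anything that is not 12 hex digits.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (0x02 of the first octet) is set.

    Randomized / private Wi-Fi addresses are locally administered, so such a
    client comes back as a different 'new' MAC after it rotates and an
    allow-list entry for it silently stops matching.
    """
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def load_allow_list(lines: Iterable[str]) -> Set[str]:
    """Parse one MAC per line; '#' starts a comment; blank lines are ignored."""
    allowed: Set[str] = set()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if entry:
            allowed.add(normalize_mac(entry))
    return allowed


def desired_policy(mac: str, allowed: Set[str]) -> str:
    """Default deny: only allow-listed MACs get Normal, everything else Blocked."""
    return NORMAL if normalize_mac(mac) in allowed else BLOCKED


def plan_changes(clients: List[Dict[str, str]], allowed: Set[str]) -> List[Dict[str, str]]:
    """Diff current policies against the allow-list; only mismatches are returned.

    This also catches a device that was allowed earlier and later removed from
    the list: it goes back to Blocked instead of keeping stale access.
    """
    changes: List[Dict[str, str]] = []
    for client in clients:
        want = desired_policy(client["mac"], allowed)
        if client["devicePolicy"] != want:
            changes.append({"id": client["id"], "mac": normalize_mac(client["mac"]),
                            "from": client["devicePolicy"], "to": want})
    return changes


def reconcile(clients: List[Dict[str, str]], allowed: Set[str],
              apply_policy: Callable[[str, str], None]) -> List[Dict[str, str]]:
    """Apply every planned change through the controller hook; returns what was applied."""
    changes = plan_changes(clients, allowed)
    for change in changes:
        apply_policy(change["id"], change["to"])
    return changes


# ---- constructed sample data (not real devices) ----
CONSTRUCTED_ALLOW_LIST = [
    "# constructed allow-list, one MAC per line in whatever notation the admin typed",
    "3C-5A-B4-DD-EE-01   # printer",
    "3c5a.b4dd.ee02      # badge reader",
    "3c:5a:b4:dd:ee:03   # conference room display",
]

CONSTRUCTED_CLIENTS = [
    {"id": "k1", "mac": "3c:5a:b4:dd:ee:01", "devicePolicy": "Blocked"},  # approved, still blocked
    {"id": "k2", "mac": "3C:5A:B4:DD:EE:02", "devicePolicy": "Normal"},   # already correct
    {"id": "k3", "mac": "3c:5a:b4:dd:ee:99", "devicePolicy": "Normal"},   # unknown device with access
    {"id": "k4", "mac": "da:1b:2c:3d:4e:5f", "devicePolicy": "Blocked"},  # randomized MAC, stays blocked
]


def demo() -> Dict[str, str]:
    """Run the reconciliation on the constructed data with a recording hook."""
    applied: Dict[str, str] = {}
    reconcile(CONSTRUCTED_CLIENTS, load_allow_list(CONSTRUCTED_ALLOW_LIST),
              lambda client_id, policy: applied.__setitem__(client_id, policy))
    return applied


if __name__ == "__main__":
    for client in CONSTRUCTED_CLIENTS:
        if is_locally_administered(client["mac"]):
            print(f"warning: {client['mac']} looks randomized; allow-listing it will not stick")
    for client_id, policy in demo().items():
        print(f"{client_id}: set to {policy}")
```

Running it shows k1 moving to Normal (it is on the list but was still blocked) and k3 moving back to Blocked (it has access but is not on the list), while k2 and k4 are left alone; the randomized-looking k4 is reported separately so the admin knows why that device will never stay allowed.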
