I agree, if security is such a concern use 802.1x. Otherwise, set the default policy to block everything. Then create a group policy called something like "Authorised", and apply it to every client that is allowed to be on your network. Anything new that appears will be blocked. Another option would be to deploy Systems Manager on your machines. You could then have it auto assign the policy "Authorised". Only machines with the Systems Manager installed would be able to connect.
... View more