If the requirement is that only users with domain laptops can connect then you can create a policy that only allows [machine authenticated] + [user authenticated] = allow access and the rest will be denied by the default profile applied under the policy .
Another method you can use to deny access is use the profiling data in the endpoint database and add it in. Your enforcement policy , Endpoint > OS Family = Linux > Deny Access
Thank you
Victor Fabian
Pardon typos sent from Mobile