OK. Can you try to use context about these devices from another source and NOT rely on a custom attribute... or if you DO use it, have another way to distinguish a post-onboarded device? For example, the auth method = EAP-TLS or some identifier in the cert.
To move away from using a custom attribute, try leveraging the context of the user using AD memberOf, or using a static host list (MAC addresses), OR use device profiler information...
Just some initial thoughts...
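As an added illustration of the approach in the reply above (this is example code, not from the original post or any vendor product), the following policy check classifies a connecting device as post-onboarded from several independent sources of context: EAP method plus an identifier in the client certificate, AD group membership, a static MAC host list, and device-profiler category. The custom attribute is accepted only when at least one of those other sources corroborates it. Every field name, group DN, certificate OU, MAC address and profiler category here is constructed for the example.

```python
"""
Added example: corroborate an "onboarded" custom attribute with other
context (auth method, cert identifier, AD memberOf, static host list,
profiler category). All names and sample values are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed: MAC addresses enrolled through onboarding (static host list).
STATIC_ONBOARDED_MACS = {"aa:bb:cc:00:11:22", "aa:bb:cc:00:11:33"}

# Constructed: AD groups whose members completed onboarding.
ONBOARD_GROUPS = {"CN=Onboarded-Users,OU=Groups,DC=example,DC=com"}

# Assumed: the onboarding CA stamps this OU into the device certificate,
# so EAP-TLS with this OU is an identifier in the cert itself.
ONBOARD_CERT_OU = "Onboarded-Devices"

# Constructed: profiler categories for which onboarding is expected at all.
ONBOARDABLE_CATEGORIES = {"Computer", "SmartDevice"}


@dataclass
class AuthRequest:
    """Constructed view of the context available at policy-evaluation time."""
    mac: str
    auth_method: str                       # e.g. "EAP-TLS", "EAP-PEAP", "MAC-AUTH"
    cert_subject_ou: Optional[str] = None  # OU from the client cert, if EAP-TLS
    ad_member_of: Set[str] = field(default_factory=set)
    profiler_category: Optional[str] = None
    custom_onboarded_attr: bool = False    # the attribute the post warns about


def normalize_mac(mac: str) -> str:
    """Lower-case colon-separated form, so 'AA-BB-CC-00-11-22' matches the list."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_post_onboarded(req: AuthRequest) -> Tuple[bool, List[str]]:
    """
    Return (decision, reasons). A device counts as post-onboarded only when
    at least one independent signal says so; the custom attribute by itself
    never decides, it is only recorded when something else backs it up.
    """
    reasons: List[str] = []

    # Signal 1: auth method is EAP-TLS and the cert carries the onboarding OU.
    if req.auth_method.upper() == "EAP-TLS" and req.cert_subject_ou == ONBOARD_CERT_OU:
        reasons.append("eap-tls-with-onboard-cert")

    # Signal 2: the authenticating user is in an onboarding AD group (memberOf).
    if req.ad_member_of & ONBOARD_GROUPS:
        reasons.append("ad-memberof")

    # Signal 3: the MAC is on the static host list of onboarded endpoints.
    if normalize_mac(req.mac) in STATIC_ONBOARDED_MACS:
        reasons.append("static-host-list")

    # Profiler context: a category that cannot be onboarded (e.g. a printer)
    # overrides everything else, since the other signals then look spoofed.
    if req.profiler_category is not None and req.profiler_category not in ONBOARDABLE_CATEGORIES:
        return False, [f"profiler-category-not-onboardable:{req.profiler_category}"]

    # The custom attribute is accepted only when corroborated above.
    if req.custom_onboarded_attr and reasons:
        reasons.append("custom-attribute-corroborated")

    return bool(reasons), reasons


if __name__ == "__main__":
    # Constructed sample requests.
    good = AuthRequest(mac="AA-BB-CC-00-11-22", auth_method="EAP-TLS",
                       cert_subject_ou=ONBOARD_CERT_OU, profiler_category="Computer",
                       custom_onboarded_attr=True)
    attr_only = AuthRequest(mac="de:ad:be:ef:00:01", auth_method="EAP-PEAP",
                            custom_onboarded_attr=True)
    for r in (good, attr_only):
        print(r.mac, is_post_onboarded(r))
```

The usage at the bottom shows the two cases the post is about: a device whose EAP-TLS certificate, static-list entry and custom attribute all agree is accepted, while a device that presents nothing but the custom attribute is not.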