Create a new custom attribute under Administration > Dictionaries > Attributes.
Entitty: Endpoint
Name: something like Corp-Owned, or Corp-Device
Type: Boolean:
Is Mandatory: No
Allow Multiple: No
Now in your enforcement policy, do something like this:
You don't really need rule #3, but it can add extra "security".
Now all you have to do is add that attribute to the appropriate endpoints in the endpoint database. If you have all of the MAC addresses available in a list, you can create a CSV that can be converted to an XML file and imported. Saves a lot of time.