Thanks Tim - sounds like the phrase 'unique client credentials' is used in the docs, purely to cover older OS versions then... I take it too that manually installing client certs, when using generic web-provisioning, can vary wildy, in terms of how easy or hard (or even possible) it is, dependent on the client's OS..?
On my second Q - Does the client's trust' for the ClearPass certificate come from actually installing ClearPass's CA cert itself on the device (presumably with just its public key) - or is there just some kind of record of what the cert 'looks like', which is configured by ClearPass as part of OnBoard provisioning ? (Forgive me, I realise this is just a fundamental ignorance, on my part, as to how clients trust CAs, within PKI)