I am in the process of creating what I call a service SSID. The purpose of this network is to allow staff to enroll Chromebooks into the Google console and Apple devices into the DEP program, to connect Windows machines to the domain, and also to allow legacy and non-dotx devices onto the network with a password. The key to this is that there is no web access.
I have gotten the list of ports needed to enroll devices, allow printing, and other network functions (TFTP, FTP, Telnet, and so on). Should the last policy in the list be (user any svc-web [80,8080] deny)?