In that enviroment maybe you can consider clear pass if you got no budget for that maybe just quickconnect(this is a new product)
Quick connect let you to autoconfigure the EAP PEAP for example on this devices...
This mean that you can have those ipads with users of AD, and do derived roles....
You will not need to configure all the ipads manually as they willl autoconfigure themselft and its something you just need to do once... or at least the client... you dont need to touch anything on their ipads...
But then you will need to create all the users on AD or create another domain just for that with a separate AD....
You can ask for a demo license... and try it yourself...
Like i said its a new product
but i guess you can look on that on another time when you got no issues like you having now :)