Hello,
I am curious to know more when you say macOS machines are part of the domain. Are they joined to the domain the same way as Windows devices (can they also perform machine auth)?
Machine auth is one clear way to distinguish a user auth vs. a machine performing auth, and we can perform AD authorization to confirm the AD attributes.
Now coming to your question. We need to see what the service conditions are for your MAC-auth service. Can you share that?
Also, could you confirm if the macOS machines are forwarding the username as the MAC address (meaning it's performing a MAC-auth as well)?
So as long as the Mac machines send the machine name (just like Windows machines perform machine auth), we could do an enforcement check.
Or we can also check for the Mac's machine attributes in AD to validate (but it all depends on what username is presented by the device).