As promised, a follow-up to my "issue"
First, I inherited this configuration hence my lack of understanding.
The goal here is to allow residents to see only there own AirGroup devices by using Clearpass enforcement.
The non-browser capable devices were being registered by a help desk techinition as a Guest Device. They would configure the Device MAC address as well as a list of users to be shared with. The user in this case is explained below. All these devices would be "Airgroup Servers" such as AirPrint capable printers and Apple TV's.
The browser capable devices are connecting to a PSK network and redirected to a registration Captive Portal. They would enter a username (same as defined on the Guest Device above) in the portal. The portal would create an Entry in the Endpoint Repositry, mark the device as Known and also add a Username entry into the Attributes. These devices would then MAC Trac when connected and an enforcement policy would pass back the Username to the controller.
We now have AirGroup Servers with a list of Users that can Share the device. We also have a list of clients that have a properly mapped username. With these two pieces of information passed from Clearpass to the Controller, they can now use AirGroup properly. We can turn on Clearpass Enforcement and lock them down to their own devices.
The better solution, IMO, is to have the clients use a 802.1x network. This however was not possible for this client and a PSK network was utilized instead.