I don't know much about Airwatch, but if the devices you really trust now are EAP-TLS (rather than PEAP)...
If those same devices are MS OS, why not do a GPO update to them to convert them to EAP-TLS? Once complete, change the PEAP-authenticated devices by setting a role via a RADIUS returned attribute?
I'm guessing not all your "really trusted" devices are MS OS? Maybe you thought of this already?
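As an added illustration of the "role via RADIUS returned attribute" idea from the reply above (not the poster's own configuration, and not tied to any particular NAC product), here is a FreeRADIUS 3.x `post-auth` policy. It assumes FreeRADIUS as the RADIUS server, that the outer request carries `EAP-Type` after the EAP module has run, and that the access layer maps the standard RFC 3580 VLAN attributes to a network role; the VLAN IDs `100` and `200` and the `trusted-clients` file name are constructed placeholders.

```unlang
# sites-enabled/default, post-auth section (added example, assumes FreeRADIUS 3.x).
# Devices that proved possession of a certificate (EAP-TLS) get the trusted VLAN;
# devices that only did password/PEAP get a restricted VLAN until they are migrated.
post-auth {
    if (&EAP-Type == TLS) {
        # Certificate-based client: full access role
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "100"   # constructed placeholder VLAN
        }
    }
    elsif (&EAP-Type == PEAP) {
        # Password-based client: restricted role; migrate to EAP-TLS, then tighten
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "200"   # constructed placeholder VLAN
        }
        # Log so the remaining PEAP population can be tracked during the migration
        update request {
            &Module-Failure-Message := "PEAP client placed in restricted VLAN"
        }
    }
    else {
        # Anything that is neither EAP-TLS nor PEAP is outside the two expected
        # populations; refuse rather than guess a role
        reject
    }
}
```

Once all of the trusted devices have been moved to EAP-TLS by GPO, the `elsif (&EAP-Type == PEAP)` branch can be changed to `reject`, which turns the restricted role into a hard cut-over without touching the client side again. Vendor-specific role attributes (for example a user-role VSA from the switch or controller vendor's dictionary) can replace the `Tunnel-*` attributes if the access layer assigns roles rather than VLANs.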