To add to what @cappalli suggested.
You could also use the Endpoints database to manage your Apple iPhones/Tablets and Android phones/tablets.
Once an Endpoint profile exists for your device, you could add a custom attribute to the device to identify it as a company-owned device.
You could then design your rules to look for the device type + this custom attribute. It is a little bit of work in the beginning but once it's done it should be fairly easy to maintain.
And for corporate computers, if you can't issue certificates, just use EAP-PEAP and the [Machine Authenticated] TIPS Role.
As for the visibility of the TCP/UDP ports, you could use the following command on the controller: show datapath session table <A.B.C.D>
This will show you all the active connections of the clients.
Cheers