Thanks for the reply Colin.
Unfortunately...I think we're stuck with onboarding. A few factors...
1...our enterprise has a significant # of non-domain-joined devices
2...even if we had a majority of domain-joined devices, our enterprise could not find a workable process to distribute certificates. The registration and use requirements were too hard and would make them unusable.
3...security pushed strongly for EAP-TLS over EAP-PEAP...as they felt a certificate authority was coming too...but it turned out to only be machine certs...and very delayed.
We do have a refresh of clients coming soon (12-18 months) which will most likely fix our domain-joined problem. I will probably see if we can get the new domain to send SCEP requests over to ClearPass...as we don't mind paying Aruba for the certs. Either that...or see if I can get them to relax on EAP-TLS, move to EAP-PEAP, and do machine auth based on domain membership.
My real problem is fostering non-cached logins and login scripts for those who have played nicely and have machines that are domain joined. This is a new region for our global deployment...the first region with a large % of domain-joined machines...so we didn't catch that in our initial roll-out and thus need to make a change to our production system for subsequent onboards.
I have a process to captive-portal those that are expiring in a few weeks, forcing them to reprovision, and then start emailing them in the last week telling them to delete profiles so they can re-onboard at a later date if they need to.