hi, and thank for your answer !
I was trying to limit the onboarding process to certain devices. I already limit the onboarding process to certain accounts. Example : Only AD members of clearpassOnboarding group can onboard devices.
But they can also onboard some devices that I don't want them to onboard.
If I only think of domain devices, I was trying to limit the devices that can be onboarded by AD groups membership. ie : I wanted to make onboard search if the device is in a specific group in our domain. and if not, refusing to onboard.
I know that onboarding process is typically for non-domain devices, but it not suits the needs of my customer