After much swearing and testing I have discovered the following information, which hopefully helps someone else trying to do this.
The attributes that are populated by Airwatch (and presumably any other external context server) are not stored in the standard endpoints table in the tipsdb.
The Airwatch attributes are stored in the SELECT tips_endpoints_attr_view table which is not accessible using the appexternal user account.
The only way around this is to modify the default Endpoint Repository authentication source and add filters that perform the lookups here. These will work as the Endpoint Repository uses the appuser sql account which has the right permissions.
The next challenge with the variables in this table is that each endpoint attribute is stored as its own table, not just a column on the existing one.
For example, if I search for a MAC address in this table it will return a large number of results where each attribute contains a tag_value and a tag_name. These don't have a direct relationship to each other but rather are tied to the mac_address.
So to return the device owner from MAC address you need to run something like this:
SELECT tag_value as owner FROM tips_endpoints_attr_view
WHERE tag_name = 'Owner' AND mac_address = '%{Authentication:Username}'
If you are using an authentication method such as 802.1x where the Calling Station ID is populated with the MAC address of the client, then this lookup is done automatically using some hidden query filter and the results are returned as "Endpoint:Owner" attributes in the access tracker which are then able to be used for enforcement / role mapping.
If however you are using a method that doesn't send calling station id, these lookups can't be automatically performed as the hidden filters only run based on the device mac address as presented in the calling station id.
Hopefully Aruba can provide a simpler method of retrieving these variables. I have been told by the TAC there is a high priority feature request in place to allow permissions of the appexternal account to be modified to allow direct query of the tips_endpoints_attr_view table.
Scott
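Added example, not part of the post above and not Aruba's code: the per-attribute rows described in the post (tag_name / tag_value tied to mac_address) pivoted into one row per endpoint, with the MAC validated before it reaches the query. Assumptions: an in-memory SQLite table stands in for tips_endpoints_attr_view, the rows are constructed, "Compliance" is a hypothetical tag name, MACs are assumed to be stored as 12 lowercase hex digits, and the function names are illustrative.

```python
import re
import sqlite3

# Constructed rows; column names come from the post, "Compliance" is a
# hypothetical tag name used only for illustration.
SAMPLE_ROWS = [
    ("aabbccddeeff", "Owner", "alice"),
    ("aabbccddeeff", "Compliance", "true"),
    ("112233445566", "Owner", "bob"),
]

# One row per attribute is pivoted into one row per endpoint.
PIVOT_SQL = """
SELECT MAX(CASE WHEN tag_name = 'Owner' THEN tag_value END) AS owner,
       MAX(CASE WHEN tag_name = 'Compliance' THEN tag_value END) AS compliance
FROM tips_endpoints_attr_view
WHERE mac_address = ?
"""

def normalize_mac(raw):
    """Strip common separators and require exactly 12 hex digits."""
    mac = re.sub(r"[-:.]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", mac):
        raise ValueError("not a MAC address: %r" % raw)
    return mac

def make_db():
    """In-memory table standing in for the real view (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tips_endpoints_attr_view "
               "(mac_address TEXT, tag_name TEXT, tag_value TEXT)")
    db.executemany("INSERT INTO tips_endpoints_attr_view VALUES (?, ?, ?)",
                   SAMPLE_ROWS)
    return db

def endpoint_attrs(db, raw_mac):
    """Return the pivoted attributes for one endpoint as a dict."""
    row = db.execute(PIVOT_SQL, (normalize_mac(raw_mac),)).fetchone()
    return {"owner": row[0], "compliance": row[1]}

if __name__ == "__main__":
    db = make_db()
    print(endpoint_attrs(db, "AA-BB-CC-DD-EE-FF"))
    print(endpoint_attrs(db, "11:22:33:44:55:66"))
```

An attribute that has no row for the endpoint comes back as NULL (None here), so a rule built on the result has to treat "missing" separately from an explicit value.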