Assuming that your clients are, in the majority, Windows clients, you can enforce this in their Windows domain user profile. For iOS, I think that anything after Mac iOS 7 actually forces the trust chain to be checked by default. I have had a customer case with iOS 8: the CA was corporate and not checked by default by iOS, hence authentication failed.
Either way, these are client settings and not really enforceable from the network side.