Restricting the installation is difficult to do as anyone can download it from either Apple's or Google's respective app store; and obtaining the install for Windows or Mac is not too difficult either. To prevent the download of a valid profile or authentication from unknown devices, you can consider the following:
- You can use ClearPass enforcement policies/profiles to return different Aruba roles to the controller or to deny access....however there needs to be something to differentiate the logon request from an "approved" system. What types of devices are you allowing; domain PCs? Company issues tablets? Phones? The key is finding something in the Radius request that you can use to validate this is an approved client device.....it can be as simple as a MAC address if you have a method of getting the list.
- You can consider using IKEv1 authentication for VIA. In doing so, you can use certificates for the first phase of authentication; then username and password as the second. You can then control what devices you allow to enroll for certificates, thus only allowing those to successfuly get to the second phase of authentication.