Dealing with Apple Watches?
Ted Hyde (RSI)
thyde at rndstudio.com
Wed Jan 29 19:13:52 CET 2020
Howdy - So I'm not an "Apple guy". I tolerate them, I support them, but
I don't own them. I recently redesigned one of our office networks to
split up departments into VLANs (something that was on my list for a
long time and desperately needed), and after some labbing, rolled it out
last week. I intentionally kept the Wi-Fi out of the main distribution
loop because I needed to really find out what levels of security the
staff would permit. While I would love to enforce full EAP-TLS (or TTLS),
some of that is difficult with transient workers, staff, and of course
some devices that don't support certificates. So to wrangle this, I
created a dedicated subnet (a little /27) and made it WPA2-PSK. Simple
test just to keep the bare minimum going.

Except after giving two people the password, I ran out of scope. This
seemed odd: how could two people eat up some 28-odd IP addresses? First
thought, they blabbed. Turns out they did tell "only a couple of other
people" - which is exactly what I needed to find out in this test - a
PSK is useless security in the workplace. That still didn't account for
everything. So I cleared out all the IP bindings and watched as all the
clients re-acquired IP addresses. 28 gone in a heartbeat. There weren't
28 people in the building. Half of these folks were "very-Apple-people".
That means iMac, Mac-top, iPad, watch, phone, backup watch, backup
phone... and they all of course (in hindsight it's obvious) use their
devices in "default" mode, which means accepting all of Apple's
recommendations without reading them.

After clearing the scope and changing the password, I went and worked
with one user directly, and typed in the credential myself on her
laptop. While I was holding her phone, I got interrupted, and when my
attention went back to the phone, I saw that it had already connected -
how did it get the new key? I'm sure at this moment there are 50 admins
talking to the screen saying "oh, all Apple users can set their devices
to share and automatically connect as a convenience" - an item that I
was not aware of prior. I took the test a step further and was able to
observe that another user had credentials automatically pop up to his
iCloud account, wherein his ENTIRE FAMILY gets the credential.

Not good. Definitely not good.
I'm sure this is happening in school campus scenarios where staff and
students eat up scope from devices that shouldn't ever be permitted on a
particular network, and since folks like the convenience, they sync
their phones to their desktops, and no group policy is going to get in
the way of that.

Does anyone have a workable solution to controlling the above? Is it
"some auth" + MAC auth? Or is it "give up on control and just make huge
networks so there's enough scope"?
With decidedly less hair, many thanks,
Ted.
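One concrete shape for the "some auth + MAC auth" option, added here as an example and not part of Ted's post or of any configuration FreeRADIUS ships as-is. It follows the common FreeRADIUS 3.x pattern of a second rlm_files instance keyed on Calling-Station-Id: the PSK only gets a device associated to the radio, and RADIUS then decides per MAC address whether that device gets onto the subnet at all and which VLAN it lands in, so a leaked PSK by itself no longer consumes a lease. The module name `authorized_macs`, the file path `${confdir}/authorized_macs`, the placeholder MAC `00-11-22-33-44-55` and the VLAN ID 27 are assumptions chosen for the example; the NAS must be configured to send MAC-authentication requests for the PSK SSID.

```unlang
# mods-available/authorized_macs  (assumed file name; enable it with a
# symlink in mods-enabled/). A second rlm_files instance that looks
# entries up by the client MAC instead of by User-Name.
files authorized_macs {
    key = "%{Calling-Station-Id}"
    usersfile = ${confdir}/authorized_macs
}

# ${confdir}/authorized_macs  (assumed path). One entry per permitted
# device, written as AA-BB-CC-DD-EE-FF, which is the form that
# rewrite_calling_station_id normalises to in the authorize section
# below. 00-11-22-33-44-55 is a placeholder, not a real device.
00-11-22-33-44-55
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "27",
    Reply-Message = "Device %{Calling-Station-Id} authorised"

# sites-enabled/default, authorize section (only the relevant part).
authorize {
    preprocess
    # Normalise whatever the NAS sends (aa:bb:cc:..., aabb.ccdd.eeff, ...)
    # to upper-case, hyphen-separated so the file lookup matches.
    rewrite_calling_station_id

    if (!EAP-Message) {
        # No EAP payload: treat this as a MAC-auth request from the
        # PSK SSID and consult the allow-list.
        authorized_macs
        if (!ok) {
            # Not on the list: no Access-Accept, so no VLAN and no lease,
            # however the device learned the PSK.
            reject
        }
        else {
            update control {
                Auth-Type := Accept
            }
        }
    }
    else {
        # Certificate-capable devices keep doing EAP-TLS/TTLS.
        eap
    }
}
```

Two caveats a practitioner should keep in mind before calling this "control". A MAC address is not a secret: anyone who can watch the air can copy a permitted one, so this stops the sprawl from shared passwords (the extra watches and the family members) rather than a deliberate intruder. And current Apple devices present a per-network random "private" Wi-Fi address by default, so the address that goes on the list must be the one the device actually uses for that SSID, and it will change if the user forgets and rejoins the network unless that feature is turned off for the SSID.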
More information about the Freeradius-Users mailing list