Firewall polices with Devices as source

I am looking to implement what I am calling a bit of a "NAC-Lite" solution for some branch offices. 

I can use FortiTelemetry and interface enforcement to restrict devices onto the network, but my other thought also involves allowing only certain devices (via custom device group) to be allowed to access certain resources by specifying them in the source for the policy.

This works, but my question is how rudimentary is this feature? Is it just MAC address whitelisting and susceptible to spoofing? Does the addition/existence of FortiClient on the clients help correlate the device and not rely on simple MAC addresses?

I'd also love any experiences people have with the telemetry and FC enforcement features - what kind of ticket volume it created for IT staff, etc.

Thanks!