Limiting Devices on VPN

We currently have two 500D's in an HA configuration.  We are using the FortiClient (VPN Only) for SSL VPN connections on our laptops with a user cert.  That's all working great.  I have now been tasked by our parent company to block VPN connections to mobile devices with the exception of a few selected company owned devices.  How can I limit mobile devices that connect to the VPN? 

I was hoping to use the device detection, but that option isn't presented on the WAN interface.  Limiting device connections via a user cert works, but the cert can easily be exported to another device.  It's also a royal pain to install certs on mobile devices. 

Anyone have any brilliant ideas on how to meet this requirement?