I have Create role for Junos Pulse users using AD Group to do role checking for allowed Juno's Pulse users then set up under the Role, General Restrictions Browsers, "only allow users matching based on the user-agent*" enter JunosPulse* Allow,
then under our NC and other roles for windows i created under Browser restrictions "only allow users matching based on the user-agent*" user agent i entered "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Tablet PC 2.0; MS-RTC LM 8; Media Center PC 6.0)
This pushes all iPad and iPhone users to use the specific role that doesn't allow any thing but RDP to do this
Under Network connect access policies there is a policy that allows the junos pulse role to use tcp over port 3389 for RDP access. and a under NC Connection profiles i added the role to give them the IP connection required but No other remote Access is given to these users.
Still working on controling my Mac users but we do have a profile using JAVA RDP that allows them remote desktop so they don't need NC so we just put them in profile with out NC.
the admin guide is our best location for this information.
to differentiate between iOS clients and desktop machines, you will need to use a browser restriction on the realm or role.
for managed laptops, you can use host checker to guarantee it is our laptop; if you customize your user-agent, you can use that as well