802.1x certificate authentication. Macs are joined to Active Directory and get a machine certificate through Active Directory Certificate Services. Requires Mountain Lion and higher. Works for Wi-Fi and Ethernet, and the network is available at the logon screen so network accounts are able to log in.
Mobile devices are BYOD and are enrolled in MaaS360. MaaS360 accesses Active Directory Certificate Services using NDES/SCEP and pushes a user certificate to the device. The user is logged into Wi-Fi and Exchange with that cert. No saved user/pass on the device, so no more account lockouts when users change their Active Directory passwords.
Both configurations can be done in Casper. We opted for MaaS360 for the mobile devices as we have staff with Android and Windows phones in addition to iOS, and we wanted a secure container solution for email instead of using the native email client on the device. This allows us to remove MaaS360 control and any corporate data without having to do a full wipe of the employee-owned device.