I have a client using RPi clients with a similar design, where only one (Vision) client is supposed to work with a given machine. I used a database to map client MAC IDs to machine IDs, where a client startup script performs the check and opens the correct window with the correct tagpath. Any client that doesn't find itself in the DB goes to a "Commissioning" window and is shown a multi-level list (facility/department/line) of machines that it could be assigned. Machines already assigned to a different client are disallowed. A supervisor can forcibly "unassign" a client that isn't connected. The DB table has the machine ID as a primary key so no two clients can ever be given permission.
Use this technique to get the outbound network interface's MAC ID: