A client has asked for additional security for a web app which would allow only company owned and approved tablet computers (brand not yet known) to connect to a PHP web app.
The app will be un/pw protected but the company would like to prevent all access except via the tablets.
MAC addresses would be great for this but these will be used in the field and use a myFi portable wifi to connect to the server so the MAC address will not be available.
Can anyone point me to a sound method for this secondary validation?
Your best solution here would be to deploy mutually-authenticated SSL between your client tablets and your server. You can use self-signed certificates here so you don’t need to buy any from a CA. This will ensure that your server only accepts requests from tablets that have the client-side certificate (configure your server to only accept the self-signed client certificates deployed on your tablets for client authentication).