I've been doing some testing with HTTPS inspection using a sub-CA from our internal domain CA. I'm wondering if there are any methods for scoping the hosts you apply inspection to that I am missing in the documentation or elsewhere. From what I can tell, you just have to use the source field with Access Roles, Networks, Hosts, etc. The issue with our environment, and I'm sure with many environments, is that our subnets are not totally separated in ways that keep domain-joined or managed devices separate from devices that do not trust our CA. So just turning on HTTPS inspection for entire subnets is not really possible in our environment without causing issues.
I would be interested to hear what others have done to scope their environments so that inspection only hits devices that are either on the domain or otherwise managed, where the root certs can be pushed to them. At one point I seem to recall a VAR telling me that Check Point was going to have a way to do it by device type (Windows, Mobile, etc.) so you could scope that way, but I have never found anything like this.
Thanks!