In the past, I've worked with customers and they went the route of x509 or certificate authentication (using a time-based session with auth server). This meant that they distributed certificates out to the devices using an MDM, and then configured the iPads or iPhones to use MWG on a special proxy port (typically with WPAD or proxy.pac).
The special proxy port allowed us to distinguish between normal proxy users (doing proxy auth) and BYOD or iDevices using x509 auth.
Separate from that, I have worked with some customers using wireless network controllers which allowed the MWG to query to see what user was logged into what IP address.
MWG then cached the information to reduce load on the wireless controller.
Apple devices in general do not play well with NTLM authentication, so I tend to stay away from it.
If this is something you're interested in, let me know and we can have a chat!