It would be easy to check the User-Agent value, but maybe not relliable. I use it for excluding specific applications that advertise what they are (like Lync or MS updates). Many people have servers in a separate secion of their network, so that would be a more reliable way of checking.
I don't have a good list of user agents to give you, or a rule XML, but here is how I have mine set up:
This is in the top level rule set. The actual authentication happens in a sub rule set.