You can use SNAC to do it. There are policies that be configured to not allow clients on the network if they don't have AV installed. Of course this will require some extra hardware.
Aside from that, there are other third party tools available.
If your looking to do it with SEP/SEPM, your options are pretty limited. And yea, CDW doesn't tell you if a client is managed or not, it only tells you if you have SEP installed or something else.