Hi Ricky,
If those ports are protected by physical security measures such as restricted access to the comms room, then I think that is absolutely considered an acceptable way to deal with this scenario.
Alternatively, you can think about deploying the NAC solution in low-impact mode, where you will have to define an ACL allowing PXE services in this case and apply that ACL to the users' switch ports. Alternatively, you can configure MAB on those specific ports and add the new devices' MAC addresses as you go. It would seem cumbersome, but I think it's worth the effort compared to leaving the ports open.
Another option you might have would be to configure the dot1x supplicant in hardware, but obviously the NIC firmware would need to support this. I think an example of this would be Intel vPro cards.
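
A sketch of the low-impact option described in the reply above, added here as an example and not part of the original post. It assumes Cisco IOS syntax (the post does not name a vendor); the ACL name, the interface and the PXE server address 192.0.2.10 are placeholders.

```cisco
! Added example: pre-authentication ACL for low-impact mode.
! Only PXE boot traffic is allowed before 802.1X/MAB succeeds.
ip access-list extended ACL-PREAUTH-PXE
 remark DHCP from the booting client
 permit udp any eq bootpc any eq bootps
 remark proxyDHCP on the PXE server (placeholder address)
 permit udp any host 192.0.2.10 eq 4011
 remark TFTP request to the PXE server
 permit udp any host 192.0.2.10 eq tftp
 remark TFTP data continues on a server-chosen high port
 permit udp any host 192.0.2.10 gt 1023
 remark everything else stays blocked until authorization
 deny ip any any
!
interface GigabitEthernet1/0/10
 switchport mode access
 ! Port ACL limits what an unauthenticated device can reach
 ip access-group ACL-PREAUTH-PXE in
 ! "open" lets traffic through the ACL before authentication
 authentication open
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
```

The ACL is scoped to a single PXE server on purpose: a pre-auth rule that permits TFTP or high UDP ports to any destination would give every unauthenticated device that reach as well.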