01-14-2016 09:24 AM - edited 07-05-2021 04:29 AM
Is there a way to prevent LWAPs from joining a controller?
I know I can change the primary controller config on each AP, but that would only affect the APs that are online when I make that change.
I need to make some pretty extensive changes to a controller's configuration and I'd like to be able to take my time and do it during business hours, instead of rushing to make all of the changes during a maintenance window.
01-14-2016 10:08 AM
It may not be what you are looking for, but you can use AP Policy. You would need to enter a MAC address for each AP which would be allowed on said controller.
01-14-2016 11:29 AM
So if I created a Policy without any macs, no APs join the controller...
Sounds like exactly what I need.
Thanks!
01-14-2016 11:55 AM
Correct, only MACs that would be on the AP list would be allowed to join.
01-14-2016 12:04 PM
Looking at the AP Policies screen on one of my controllers, accept MIC is checked and there are several MACs in the authorization list. Do I just uncheck MIC and remove the APs from the auth list?
01-14-2016 12:08 PM
Yes, that would do it, I think. Or check the box "Authorize MIC APs against auth-list or AAA" and remove the APs on the list.
01-15-2016 08:28 AM
If I accepted SSC, MIC, & LSC certificates, will I need to add the MACs to the auth-list when I'm ready to put the controller back in production?
01-15-2016 09:25 AM
Let's cover what these are.
SSC, MIC, and LSC are different certs installed on the AP. By checking these boxes you are saying APs with these types of certs are allowed to join the WLC. SSC is only needed if you converted very old 1131, 1242 model APs and during that conversion a self-signed cert was created. If you don't tick that SSC box, these APs won't join.
MIC is what every newer AP comes with. The same applies: if you don't tick that box, they wouldn't join.
LSC is if you had a PKI and you installed your own cert. Same applies.
So if you tick MIC, your APs will come back and join.
If you want to limit what APs can join, say if you have MIC enabled and you only want set APs to join the WLC, you would tick MIC and AP authorization and add the AP Ethernet MAC address.
Make sense?
01-14-2016 10:38 PM
Hi Jason,
On the WLC, use the AP authorization list to restrict LAPs based on their MAC address. The AP authorization list is available under Security > AP Policies in the WLC GUI.
Yes, you need to remove the MAC of the AP which you don't want to join to this WLC.
More info: http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/98848-lap-auth-uwn-config.html#backinfo
Regards
Don't forget to rate helpful posts