Basically staff machines get a certificate to present to the server and the server controls the network.
So, if your machine does nothing, it's on the guest VLAN and has limited access. If it presents a valid certificate, that network port is reassigned to the staff VLAN and you get full access.
If someone leaves, you just revoke the certificate and they have guest access again.
Not rocket science once you know it :)
802.1X certificate-based authentication at layer 2 is a good defense-in-depth strategy.
Edit: oh wait, you mean have the applications check the certificate? Yes, but then you need support from the application. Does your printer do that, for example? You need to make sure everything does. You can of course do both.