As I Understand the way these work is sort of like this.
A Check is something that could be looked for on a device with an installed NAA.
A Check really doesn't do anything until it is coupled in a Rule which will return the equivalent of a true or false.
The Rule simply shows whether or not something complies with it but unless there a Role Requirement NAC will do nothing to force remediation or prevent access provided authentication (login) passes.
Say I have what I perceive as a single employee user role based upon mapping but I have 2 very different OS's Window and MAC OSx. If I create a requirement for that role and it is Necessarily Windows-centric would it effectively keep the MAC OSx agents from accessing the network? Do I need to have a WINemployee role and a MACemployee role?
The agent is intelligent enough to discern that if a MAC is logging in, and your requirements are all Windows, it won't check for them. So long story short, you don't need a separate role for the MACs.