The UID is created when the agent is first installed and connects to the manager. The agent should retain this UID as long as the agent remains installed. The UID acts as a primary key in some of the DB tables to track that agent's activity. When agent logs are uploaded to the manager (HI results, etc.), the UID is included for identification purposes.
Authentication occurs at two levels. The agent will perform the Host Integrity checks and provide the results to the Enforcer. At the same time, the Enforcer will verify the agent's UID with the manager to make sure it is a legit install.
Whether or not outside systems can connect to your network is dependent on how your network is configured and which type of enforcer you are using.
LAN Enforcers can direct the switch to open/close a port or provide a VLAN assignment. In this scenario, your network can be configured to block/quarantine systems that do not have an agent. You can also have it configured to allow agent-less systems on your network anyway. Most customers will have these systems directed to a quarantine VLAN.
Gateway Enforcers can block traffic from any system without an agent, but will only block traffic passing through the enforcer. If used to monitor a VPN gateway, then yes, an agent-less system will have blocked access (unless you provide them the option to use the On-demand agent). If a Gateway Enforcer is used to only protect specific enterprise resources, then the agent-less system will still get on the rest of your network, but won't be able to access the resources protected behind the Gateway Enforcer.
The DHCP Enforcer assigns IP addresses based on your authentication criteria. Agent-less systems can be assigned an IP on a quarantine network. This is similar to the LAN Enforcer function, but with IP addresses instead of VLAN assignments.
LAN Enforcers on an 802.1x-configured network are the most effective way to block agent-less systems from connecting to your network.