I would recommend that for a stand-alone App-V (i.e. with App-V Management, Publishing and Reporting servers) you use AD Group membership. That is, the App-V delivery is triggered by AD group membership. Then AppPortal can just add users or devices to an AD group. Also, I would not have mixed objects in such AD groups: either device-targeted, so that AD groups are populated by machine objects, or user-targeted, where the groups are populated by user objects. Use one AD group per App-V app.
However, to remove access to an App-V app, you would need to remove objects from AD Groups, and AppPortal would need to call a script to do that.
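
A removal script of the kind described above, as an added example that is not part of the original post and is not App Portal's own code. The parameter names and the way App Portal would pass them are assumptions; it needs the ActiveDirectory PowerShell module and an account delegated the right to change the group's membership.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Parameter names are hypothetical, not an App Portal interface.
[CmdletBinding()]
param(
    # The single AD group that publishes this App-V app.
    [Parameter(Mandatory)] [string] $GroupName,
    # User logon name or computer name; restricted so it cannot alter the AD filter below.
    [Parameter(Mandatory)] [ValidatePattern('^[\w\.\-]+\$?$')] [string] $AccountName,
    # Whether this group is user-targeted or device-targeted.
    [Parameter(Mandatory)] [ValidateSet('user', 'computer')] [string] $TargetType
)

$ErrorActionPreference = 'Stop'

# Computer accounts carry a trailing '$' in sAMAccountName.
$sam = $AccountName
if ($TargetType -eq 'computer' -and -not $sam.EndsWith('$')) { $sam = $sam + '$' }

$group  = Get-ADGroup -Identity $GroupName
$object = Get-ADObject -Filter "sAMAccountName -eq '$sam'"
if (-not $object) { throw "No AD object found with sAMAccountName '$sam'." }

# Refuse to act on the wrong object type, so a user-targeted request
# never touches a machine account and vice versa.
if ($object.ObjectClass -ne $TargetType) {
    throw "'$sam' is a $($object.ObjectClass), but a $TargetType was requested."
}

# Direct members only: delivery is keyed on membership of this one group.
$members = @(Get-ADGroupMember -Identity $group)

# Flag groups that already mix users and machines.
$mixed = @($members | Where-Object { $_.objectClass -ne $TargetType })
if ($mixed.Count -gt 0) {
    Write-Warning "$($group.Name) contains $($mixed.Count) member(s) that are not of type '$TargetType'."
}

if ($members.DistinguishedName -notcontains $object.DistinguishedName) {
    # Idempotent: a repeated request is not an error.
    Write-Output "$sam is not a member of $($group.Name); nothing to remove."
    return
}

Remove-ADGroupMember -Identity $group -Members $object.DistinguishedName -Confirm:$false
Write-Output "Removed $sam from $($group.Name)."
```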