BYOD "trusted" Device workflow

ggriesse@cisco.com
Cisco Employee

Hi all

A customer has a requirement to use certificates to trust BYOD devices on their network with ISE. Contractors bring in their own machines and have AD accounts for auth.

They have tested "device on-boarding" workflows with ISE. However, they have hit a few stumbling blocks:

1) They don't believe that using a username/password to then use SCEP to issue a cert is secure enough.

2) We have tested using temporal agent to validate some checks for the BYOD devices to add a further level of validation; however, one of the checks they need to validate is a disk encryption check, and temporal agent doesn't support this.

3) They need to support Windows, Mac and Linux machines.

4) They know we have workflows in Guest for Sponsor approval and have asked if we can do something similar for BYOD validation, i.e. allow the BYOD machine to auth with AD credentials, BUT then only get a cert issued once "approved".

Any ideas guys?

Accepted Solutions

kvenkata1
Cisco Employee

Please refer to the BYOD deployment guide.

https://community.cisco.com/t5/security-documents/cisco-ise-byod-deployment-guide/ta-p/3641867

Any other flow that is different from what is documented above needs to be addressed by our PM team as a new feature.

- Krish
