Hi @atif.mohamed
That's quite straightforward. You need to inspect the certificate that the MDM has pushed to the client, and then ensure that ISE contains the Root CA, and any intermediate CA certs that were used by the MDM in creating that cert. Put those CA certs into ISE's Trusted Certificates section. That will ensure that ISE will trust the certs that are coming from clients during EAP-TLS.
For the Policy part of the configuration, you need to consider Authentication and Authorization
Authentication: Is there an identity element in the cert that you can (or want to) use to lookup the user in AD (for example)? Let's say the client cert contains a Subject Common Name that resembles a valid AD user's UPN. If you want to perform Authentication, then you can create a cert profile in ISE that will do just that. But it's optional. You do not need to perform Authentication against an external identity source. A client that presents a cryptographically valid cert is sufficient enough for AuthN.
Authorization: This is where you look deeper into the cert and look for a distinguisher (e.g. Certificate Issuer) to decide what to do with this client. If Issuer Contains "Meraki MDM" (or whatever) then put this user in the BYOD VLAN and apply ACL etc. There are no hard and fast rules - look at the client cert and then create an AuthZ policy that will 100% match that cert as a BYOD user.
Hope that helps.
Now the Policy part is