Yeah, I tried with the certs, but I'm looking for convenience. Since we are looking at thousands of devices and only putting them on a public network, we are just using 802.1X for the login, and then registering the device for traceability. Even if someone cloned a MAC, they would have to have a valid login.
The issue I had with the certs is that on iOS, the user got prompted multiple times for login to install certs and profile. This would probably be less if we ran a public cert on ISE, but not completely. As for Android, I don't like having to make them install an app, and in testing, I had it installed, but it said it couldn't talk to ISE even though it was redirecting web to it.