A customer uses Microsoft Intune as its MDM solution, which integrates with ISE. They are going to enroll mobile devices and laptops off-premises, and these devices connect to the enterprise network via EAP-TLS with a profiled BYOD certificate.
We are not going to enable ISE BYOD Wireless On-boarding (EAP-MSCHAP login, then redirect to provisioning for EAP-TLS), since we also have to allow users to log in with EAP-MSCHAP during phase 1 of the migration.
One thing observed in the ISE admin guide: "You must register a device that is enrolled on the MDM server outside of a Cisco ISE network via the MDM portal. This is applicable for Cisco ISE, Release 1.4 and later. Earlier ISE versions allow devices enrolled outside of a Cisco ISE network to be automatically enrolled if they are compliant with the posture policies."