ISE-PIC is a license that is purchased for the FPR 1120 in addition to the URL filtering license?

I can update it to 7.6 if necessary, but would the passive identity agent also require a ISE-PIC license?

Do either of these option require a client to be deployed on the end user's device?  For devices that do not have a user authenticated to AD, such as an Android or iOS phone, how does the filtering get applied?  Can it be applied per VLAN or network?  For example if we setup a "Admin" and "User" network can different filtering policies be applied to those networks?

@Keegan Santos ISE-PIC is a separate license to the URL Filtering license.

You do not need to use Cisco ISE with the passive identity agent. Passive ID agent works by sending session data (event logs) from Microsoft Active Directory (AD) to the FMC. You create an Identity Policy to control trafffic based on AD group/user etc

So then based on your response an agent would be required on the computers with Passive Identity correct?  How is traffic filtering if a device doesn't have the agent installed?  Such as with an Android or iOS phone.

@Keegan Santos You can just install on an AD server, so it would send all AD authentication events. You don't necessarily need to install on windows AD domain joined endpoints, although you can install on a client. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/760/management-center-device-config-76/passive-identity-agent.html

How are the android and iOS devices authenticating to the network? If they authenticate some how to AD and generate the necessary Windows event IDs (as per the guide already provided), then the Passive ID agent will receive those events.

They authenticate with a WPA key.  Devices on the guest network don't authenticate, they connect to an open network that is restricted from accessing any network except the Internet and has its bandwidth limited.  We wouldn't restrict the guest network heavily, we would still like to restrict access to a few select categories such as adult content though.

@Keegan Santos you could use a captive portal to authenticate the guest users https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/760/management-center-device-config-76/identity-captive-portal.html

Or just apply a normal Access Control rule for the guest network(s) that restrict access to adult content.

You can still apply different Access Control rules for your AD devices based on the information learnt from the ID agent (as per the above information).