I am having some difficulty getting SCEP to work, as it's not managed by our team and it is becoming hard to ask others to fix it.
So I am looking for an alternative solution for this.
On our mobiles we do have MDM installed, but again I don't have access to it to get my ISE certificate added to MDM. Not sure if I can check whether the mobile has MDM installed with the right corporate attributes to make an Authz profile out of that.
If the above is not possible, what can be a third secure way to deploy BYOD?
You can set up the ISE internal CA, both as a standalone and intermediate CA, and create a certificate template to issue client certificates for your BYOD users. There are some LAB minutes videos on the same:
Setting up Internal CA
Wireless Single SSID BYOD
Wireless DUAL SSID BYOD
I have gone through the first video but was looking for some documentation, as he is using three different scenarios. I have a two-node deployment, with ISE containing the CA certificate. Also, I am not sure whether changing the config in the Internal CA will change anything in the existing environment, as I don't want to break anything there.
I saw a video tutorial where someone just made a certificate template and used it directly. I will test that once my download issue from cisco.com gets solved.