Certainty factor is cumulative and it increments for every profiling rules it passes so the higher the number, the more ISE believe what the device really is.

Thanks my think as well I just need to be double sure.

Can you share ideal about what to go about profiling some non-user endpoint that has mac addresses provided.

1. Should I allow ISE to profile them before modifying the result of the profile to suite my need.
2. Or should I create the profile from from the mac-address I already have

The drawback to the second option is could be mac-address spoofing.

Thanks.

If you have an exact list of MAC addresses, you might as well create an Endpoint Group and add MAC addresses to the group and just use that in your auth policies without having to bother with profiling. Of course, MAC spoofing is always as issue when using a static list of MAC addresses
You use profiling when you only have partial information of the device, like MAC OUI or certain strings in HTTP request etc. and collectively create a device profile from them.

Coming up with device check yourself can get tricky since you need to know the exact characteristic of the device. I would only use it as a last resort.