Android - MDM (I think the stock google apps MDM can do client Certs and 802.11x network config)
Nest - would not bother; stick on a dedicated standard WPA2 network, segregate from rest of network then leave well alone.
Wired network - yes, you'd need a managed L2 switch (but then you'd need that anyway to trunk multiple tagged vlans to your APs).
Android - MDM (I think the stock google apps MDM can do client Certs and 802.11x network config)
Nest - would not bother; stick on a dedicated standard WPA2 network, segregate from rest of network then leave well alone.
Wired network - yes, you'd need a managed L2 switch (but then you'd need that anyway to trunk multiple tagged vlans to your APs).