Pushing out FortiGate cert to BYOD devices.

As far as I know there is no built in mechanism on FortiGate to do this. You can distribute it via mail or to instruct the user to download this certificate from an internal webserver.

There is no solution from Fortinet that I know of, and Fortiauthenticator would not help either. You are talking about MDM solution potentially, but even then if the byod devices are managed by this mdm, not someone else’s devices just connecting via wifi. 

Not a solution to your problem, but may I ask why you need to do DPI on a BYOD network?

As an option, you can use an authorized portal that requires users to pre-accept a certificate before they can access the internet. Alternatively, you can use a QR code that users can scan on their devices to install the certificate. You can create a QR code containing the certificate's URL and display it on a poster or screen at the school. In our college, we displayed a poster with a QR code during debates when students from other colleges participated. At that time, we required all participants to choose debate topics for college students from a single authorized portal, which was https://papersowl.com/blog/35-best-debate-topics-for-students, and this method saved us time. It made our debate organization more convenient and effective, ensuring high-quality discussions among students from different institutions.