Permanently unenroll a device
To revoke Zero Trust Access for a device and prevent re-enrollment, perform the following steps in order:
- Remove the user from the identity provider. (This may take up to 30 minutes to take effect.)
- Unenroll the user's device from Zero Trust Access. See Unenroll Devices for Client-Based Zero Trust Access.
Additional steps for certificate-based enrollment:
- Remove the identity certificate from the user identity keystore on the device. This certificate may be used for multiple purposes, including VPN access.
- Revoke the identity certificate on your Certificate Authority (CA).
- Remove the enrollment configuration file from the device. For the file location, see Enroll Devices in Zero Trust Access Using Certificates.
If you do not perform all of these steps, the user may be able to re-enroll using the SSO authentication method.
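One way to confirm that the CA revocation step took effect is to check the identity certificate against the CA's current CRL. This is an added example, not part of the original documentation, and it assumes your CA publishes a PEM CRL and that the OpenSSL command line is available. The throwaway demo CA, the device names, the file layout and the `revocation_status` helper are all constructed for illustration.

```sh
# Added example: a throwaway OpenSSL CA; all names and paths here are constructed.
set -eu
# Print "revoked", "active" or "error" (chain or CRL problem) for certificate $3,
# checked against CA certificate $1 and PEM CRL $2.
revocation_status() {
  out=$(openssl verify -CAfile "$1" -CRLfile "$2" -crl_check "$3" 2>&1) && { echo active; return 0; }
  case $out in
    *"certificate revoked"*) echo revoked ;;
    *) echo error ;;
  esac
}
# Build a demo CA in directory $1, issue two device certificates, revoke one.
make_demo_pki() {
  d=$1; mkdir -p "$d/newcerts"; : > "$d/index.txt"; echo 1000 > "$d/serial"
  cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = demo
[demo]
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
certificate = $d/ca.pem
private_key = $d/ca.key
default_md = sha256
default_crl_days = 7
policy = pol
[pol]
commonName = supplied
EOF
  {
    openssl req -x509 -config "$d/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" -subj "/CN=Demo CA" -days 30
    for n in revoked active; do
      openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes -keyout "$d/$n.key" -out "$d/$n.csr" -subj "/CN=$n-device"
      openssl ca -batch -days 30 -config "$d/ca.cnf" -in "$d/$n.csr" -out "$d/$n.pem"
    done
    openssl ca -config "$d/ca.cnf" -revoke "$d/revoked.pem"   # revoke on the CA
    openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl.pem"  # publish updated CRL
  } > "$d/log" 2>&1
}

demo=$(mktemp -d); make_demo_pki "$demo"
for n in revoked active; do
  echo "$n-device: $(revocation_status "$demo/ca.pem" "$demo/crl.pem" "$demo/$n.pem")"
done
```

To use it against a real deployment, call `revocation_status` with your own CA certificate, a freshly downloaded CRL, and a saved copy of the device's identity certificate. An `error` result means the chain or CRL could not be validated, not that the certificate is still trusted.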