De-register, Ban and Unban Devices

How to manage misplaced or decommissioned devices in your organization

  • Updated on Jul 16, 2025

Motivation

When an end user installs the desktop app or mobile app, an X.509 Device Certificate is issued and placed in their device’s system keychain to register that device. The end user can now access secured services from their registered device based on the organization’s security policies.

In some scenarios, such as if an employee leaves a company, you may need to de-register the device. When a device is de-registered, the Device Certificate is removed from the device’s system keychain. As an additional security measure, the Device Certificate is also revoked so the certificate will no longer be deemed valid, thus blocking access to secured services.

In other scenarios, such as when a device is misplaced or stolen, you may need to ban the device. When a device is banned, the Device Certificate is revoked and the device is placed on a “banned device list” so it can never be registered with the Cloud Secure Edge.

To enable users to re-register a banned device, the org’s Admin must unban the device, to remove it from the “banned device list”.

How it Works

SonicWall Cloud Secure Edge leverages the Online Certificate Status Protocol (OCSP) to revoke certificates for de-registering and banning devices.

In OCSP scenarios, an OCSP client (such as an Internet browser) requests the status of one or more certificates to an OCSP responder (generally a server hosting certificate information). Then, the responder returns status information (valid or revoked) about the certificate(s) to the OCSP client.

The Banyan TrustProvider component behaves as the OCSP client. It requests certificate statuses with the OCSP responder, and then grants access to devices accordingly. If the certificate is valid, then the device is granted access to protected resources. If the certificate is revoked, then the device is blocked.

De-register and Delete a Device

To de-register a device and delete it from your list of devices:

  1. Navigate to Directory > Devices.

  2. Select the device you are de-registering, and then select Delete Device (i.e., the garbage can icon).

The device’s certificate is now revoked and the device is no longer associated with your organization.

An end user may also de-register their device by themselves. To do so, the end user would perform the following steps:

  1. Launch the app on the device they are de-registering.

  2. Navigate to Settings, select My Organizations, and then select the option to Remove All Orgs.

  3. Accept the prompt to Delete Device Registration.

The device will no longer be able to access Cloud Secure Edge-secured applications and services until it is re-registered.

Ban a Device

To ban a device:

  1. Navigate to Directory > Devices.

  2. Select the device you want to ban, and then select Edit Device.

  3. Set the Banned Status field to Yes, and then Save Changes.

The device will no longer be able to access Cloud Secure Edge-secured applications and services until it is unbanned by an administrator and re-registered by a user. Optionally, you can also de-register and delete the device from your organization.

Unban a Device

To unban a device:

  1. Navigate to Directory > Devices.

  2. Select the device you are allowing to re-register, and then select Edit Device.

  3. Set the Banned Status field to No, and then Save Changes.

After the device is unbanned by the Cloud Secure Edge (CSE) Admin, the user must re-register the device. Re-registering will install a valid and unexpired Device Certificate, which will allow the user and their device to access corporate assets again.