De-register, Ban and Unban Devices
How to manage misplaced or decommissioned devices in your organization
Updated on May 31, 2024
Motivation
When an end user installs the desktop app or mobile app, an X.509 Device Certificate is issued and placed in their device’s system keychain to register that device. The end user can now access secured services from their registered device based on the organization’s security policies.
In some scenarios, such as if an employee leaves a company, you may need to de-register the device. When a device is de-registered, the Device Certificate is removed from the device’s system keychain. As an additional security measure, the Device Certificate is also revoked so the certificate will no longer be deemed valid, thus blocking access to secured services.
In other scenarios, such as when a device is misplaced or stolen, you may need to ban the device. When a device is banned, the Device Certificate is revoked and the device is placed on a “banned device list” so it can never be registered with Cloud Secure Edge.
To enable users to re-register a banned device, the organization’s Admin must unban the device, which removes it from the “banned device list”.
How it Works
SonicWall Cloud Secure Edge leverages the Online Certificate Status Protocol (OCSP) to revoke certificates for de-registering and banning devices.
In OCSP scenarios, an OCSP client (such as an Internet browser) requests the status of one or more certificates from an OCSP responder (generally a server hosting certificate information). The responder then returns status information (valid or revoked) about the certificate(s) to the OCSP client.
The Banyan TrustProvider component behaves as the OCSP client. It requests certificate statuses from the OCSP responder, and then grants or blocks device access accordingly. If the certificate is valid, the device is granted access to protected resources. If the certificate is revoked, the device is blocked.
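The OCSP exchange described above, reproduced locally as an added example (not SonicWall or Banyan code): the `openssl` CLI plays both the client and the responder against a throwaway CA. The names `Example Device CA` and `laptop-01`, the serial `1001`, and the rule of denying anything other than a verified "good" are assumptions of this example.

```bash
#!/usr/bin/env bash
# Constructed lab, not product code: a throwaway CA, one device certificate, and
# `openssl ocsp` acting as responder and client in file mode (no network traffic).
set -eu

lab_setup() {      # $1: empty directory that will hold the lab's keys and certs
  cd "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Device CA" \
    -keyout ca.key -out ca.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=laptop-01" \
    -keyout dev.key -out dev.csr 2>/dev/null
  openssl x509 -req -in dev.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 \
    -days 1 -out dev.pem 2>/dev/null
}

ocsp_status() {    # $1: responder's record for the cert, V (valid) or R (revoked)
  revoked_at=""
  if [ "$1" = R ]; then revoked_at=$(date -u +%y%m%d%H%M%SZ); fi
  rm -f req.der resp.der
  # Responder database row: flag, expiry, revocation time, serial, file, subject.
  printf '%s\t350101000000Z\t%s\t1001\tunknown\t/CN=laptop-01\n' "$1" "$revoked_at" \
    > index.txt
  # Client side: build the status request for the device certificate.
  # -no_nonce because the response is produced and read back as a file.
  openssl ocsp -no_nonce -issuer ca.pem -cert dev.pem -reqout req.der >/dev/null
  # Responder side: look the serial up in index.txt and sign the answer.
  openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
    -reqin req.der -respout resp.der >/dev/null 2>&1
  # Client side: check the responder's signature before trusting the status.
  out=$(openssl ocsp -no_nonce -issuer ca.pem -cert dev.pem -respin resp.der \
    -CAfile ca.pem 2>&1) || true
  case "$out" in
    *"Response verify OK"*)
      printf '%s\n' "$out" | sed -n 's/^dev\.pem: \([a-z]*\).*/\1/p' ;;
    *) echo unverified ;;
  esac
}

access_decision() { # allow only a verified "good"; denying all else is this example's choice
  if [ "$(ocsp_status "$1")" = good ]; then echo allow; else echo deny; fi
}

lab_dir=$(mktemp -d)
lab_setup "$lab_dir"
echo "registered device:        $(access_decision V)"
echo "after de-register or ban: $(access_decision R)"
```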
De-register and Delete a Device
To de-register a device and delete it from your list of devices:
1. Navigate to Directory > Devices.
2. Select the device you are de-registering, and then click Edit Device.
3. Select Delete, and then confirm the device deletion.
The device’s certificate is now revoked and the device is no longer associated with your organization.
An end user may also de-register their device by themselves. To do so, the end user would perform the following steps:
- Launch the app on the device they are de-registering.
- Navigate to Settings and select the option to “Remove All Orgs”.
- Accept the prompt to “Delete Device Registration”.
The device will no longer be able to access Cloud Secure Edge-secured applications and services until it is re-registered.
Ban a Device
To ban a device:
1. Navigate to Directory > Devices.
2. Select the device you are banning, and then select Edit Device.
3. Set the Banned field to Yes, and then click Update.
The device will no longer be able to access Cloud Secure Edge-secured applications and services until it is unbanned by an administrator and re-registered by a user. Optionally, you can also de-register and delete the device from your organization.
Unban a Device
To unban a device:
1. Navigate to Directory > Devices.
2. Select the device you are allowing to re-register, and then click Edit Device.
3. Set the Banned field to No, and then select Update.
After the device is unbanned by the Cloud Secure Edge (CSE) Admin, the user must re-register the device. Doing so installs a valid and unexpired Device Certificate, which allows the user and their device to access corporate assets.