Revocation

Automatic and manual revocation of certificates issued by SCEPman, including automatic revocation of certificates enrolled via Microsoft Intune or Jamf Pro, evaluated by SCEPman's OCSP responder.

Last updated 1 month ago


SCEPman offers several ways to manage and revoke a certificate. The available options depend on

  • whether the certificate was automatically enrolled via an MDM solution or generated via the Certificate Master UI / Enrollment REST API,

  • the MDM system used for (automatic) enrollment, and

  • the configuration of SCEPman.

The section below gives an overview of the different management options and revocation mechanisms, and the circumstances under which each of them is available.

Automatic Revocation

Only available when Microsoft Intune and/or Jamf Pro are used as MDM solution(s) for certificate enrollment. Alternatively, it is available with any 3rd-party MDM that can sync device and/or user objects to Microsoft Entra ID (Azure AD), i.e. where Static AAD Validation can be used.

Supported on OCSP.

Background

Automatic revocation is always active. It enables convenient certificate lifecycle management by linking each certificate to a directory object such as a user or device identity. Through this object binding, SCEPman can infer the revocation status of a certificate from lifecycle characteristics of the object it has been linked to. The mapping from the object's lifecycle state to the certificate's revocation state follows best practices from years of security and endpoint management experience.

The binding between a directory object (user or device) and a certificate is established by placing the appropriate variables in the Subject Name or Subject Alternative Name properties of the SCEP profile (see the Bound Object column of the table below). When SCEPman receives a Certificate Signing Request (CSR) from an MDM-managed client, it identifies the bound object and encodes this information into the serial number of the certificate before returning it to the client. The serial number is what is transmitted to SCEPman's OCSP responder during certificate validation; SCEPman decodes the object information from it, searches the appropriate directory, and makes the revocation status decision.

Revocation Behavior

In any of the scenarios below, revocation takes effect immediately once the bound object's state has changed. Note that local caching of OCSP responses on the client may make it appear otherwise: a client that has cached a "good" response will keep treating the certificate as valid until the cached response expires.

During testing, keep in mind that deleting/removing a device from the respective directory/MDM solution is an irreversible operation that requires you to re-enroll the device afterwards.

The table lists, per bound object, the effect of deleting or disabling the object in its directory (columns Delete from Directory and Disable in Directory) and any optional, additional revocation sources (column Optional).

Bound Object: Intune Device {{DeviceId}}
  • Delete from Directory: Delete, Wipe*, Retire*: permanent revocation
  • Disable in Directory: Not available
  • Optional: Intune Device Compliance: reversible revocation; Endpoint List: permanent revocation

Bound Object: Entra (Azure AD) Device {{AAD_Device_ID}}
  • Delete from Directory: Delete: permanent revocation
  • Disable in Directory: Disable: reversible revocation
  • Optional: Entra (Azure AD) Device Compliance: reversible revocation; Endpoint List: permanent revocation

Bound Object: Entra (Azure AD) User {{UserPrincipalName}}
  • Delete from Directory: Delete: permanent revocation
  • Disable in Directory: Disable: reversible revocation
  • Optional: User Risk: reversible revocation; Endpoint List: permanent revocation

Bound Object: Jamf Computer (CN=$JSSID,OU=computers)
  • Delete from Directory: Delete: permanent revocation
  • Disable in Directory: Not available
  • Optional: Not available

Bound Object: Jamf Device (CN=$JSSID,OU=devices)
  • Delete from Directory: Delete: permanent revocation
  • Disable in Directory: Not available
  • Optional: Not available

Bound Object: Jamf User on Computer (CN=$JSSID,OU=users-on-computers)
  • Delete from Directory: Delete (Computer): permanent revocation; Delete (User): permanent revocation
  • Disable in Directory: Not available
  • Optional: Not available

Bound Object: Jamf User on Device (CN=$JSSID,OU=users-on-devices)
  • Delete from Directory: Delete (Device): permanent revocation; Delete (User): permanent revocation
  • Disable in Directory: Not available
  • Optional: Not available

*: When wiping, ensure that "Wipe device, but keep enrollment state and associated user account" is disabled. Revocation on wipe or retire is only immediate if AppConfig:IntuneValidation:RevokeCertificatesOnWipe is set to true (the default).

Manual Revocation

SCEPman Enterprise Edition only

This feature requires version 2.3 or above.

Supported on OCSP and CRL.

Background

Manual revocation is available for any certificate issued by SCEPman, regardless of whether it was automatically enrolled via MDM, manually issued via the Certificate Master, or deployed via the Enrollment REST API. It is useful when automatic revocation is not available, or when the automatic revocation paths are not sufficient to meet specific requirements.

To facilitate manual revocation, SCEPman needs to store certain metadata of the certificates it issues. This is the case by default for certificates issued via the Certificate Master UI and the Enrollment REST API, but not for other certificate types. Therefore, review the relevant SCEPman settings depending on your requirements.

Keep reading to learn how manual revocation is handled using Certificate Master and its search and filtering options.

Certificate Master

SCEPman Certificate Master lets you search, inspect, and manage the certificates that your SCEPman PKI has issued; see Manage Certificates for the details of the UI.

Automatic versus Manual Revocation

SCEPman uses several sources of revocation information to determine whether a certificate is valid when an OCSP request arrives. The revocation logic is OR-ed: if any revocation source deems the certificate invalid, it is reported as revoked. There is no precedence of automatic over manual revocation or vice versa.

Note that the tables in Certificate Master only show the status of manual revocation, not of the other sources. A certificate may therefore be shown as valid in the table although it is actually considered revoked, for example because the corresponding device was deleted in Intune (automatic revocation). The OCSP responder's answer, not the Certificate Master table, is the effective status.
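The caching note in the Revocation Behavior section and the Certificate Master caveat above come down to the same check: ask SCEPman's OCSP responder directly, bypassing any client-side cache, and trust only a response whose signature verifies. The script below is an added example and not code from the SCEPman project or its documentation. The responder URL form https://<scepman-host>/ocsp, the file names and the trust-anchor argument are assumptions, and the sample outputs are constructed to match the text openssl ocsp prints rather than captured from a real deployment:

```shell
#!/bin/sh
# Added example, not SCEPman's own code: query an OCSP responder directly with
# openssl (bypassing any client-side OCSP cache) and reduce the printed result to
# one word. URL, file names and trust anchor in query_ocsp are placeholders.

# Run an OCSP query for one leaf certificate.
#   $1  PEM of the CA that issued the leaf (SCEPman root or intermediate CA)
#   $2  PEM of the leaf certificate to check
#   $3  OCSP responder URL (assumed form: https://<scepman-host>/ocsp)
#   $4  PEM trust anchor used to verify the response signature (SCEPman root CA)
# Deliberately no -noverify: an unverifiable response must not count as an answer.
query_ocsp() {
    openssl ocsp -issuer "$1" -cert "$2" -url "$3" -CAfile "$4" 2>&1
}

# Read openssl ocsp output on stdin and print exactly one of:
#   good | revoked | unknown | error
# "error" covers a failed signature verification and an unparsable reply, so a
# caller can never mistake a broken check for a valid certificate.
ocsp_status() {
    awk '
        /^Response Verify Failure/            { verify_failed = 1 }
        /: (good|revoked|unknown)$/ && !found { status = $NF; found = 1 }
        END {
            if (verify_failed || !found) print "error"
            else                          print status
        }'
}

# Constructed sample outputs in the format openssl ocsp prints (not captured
# from a real SCEPman deployment), used to exercise ocsp_status offline.
SAMPLE_REVOKED='Response verify OK
device.pem: revoked
    This Update: Jun  1 10:00:00 2024 GMT
    Next Update: Jun  1 10:10:00 2024 GMT
    Revocation Time: Jun  1 09:58:12 2024 GMT'

SAMPLE_GOOD='Response verify OK
device.pem: good
    This Update: Jun  1 10:00:00 2024 GMT
    Next Update: Jun  1 10:10:00 2024 GMT'

# openssl still prints the status line after a failed verification; such a
# reply must be reported as an error, never as "good".
SAMPLE_UNVERIFIED='Response Verify Failure
device.pem: good
    This Update: Jun  1 10:00:00 2024 GMT'

# Usage against a live responder (placeholder names):
#   query_ocsp ca.pem device.pem https://scepman.example.com/ocsp root.pem | ocsp_status
```

Run the query once before and once after changing the bound object's state (for example disabling the device in Entra ID); the responder's answer flips immediately, while a Windows or macOS client that has cached the earlier "good" response may keep using it until that cached response expires. A result of "error" means the response did not verify against the trust anchor and says nothing about the certificate's status.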

Further Reading

Information on how to test (automatic) revocation and troubleshoot certificate validity in some of the above scenarios can be found in the Troubleshooting section of this documentation.

General information on Azure and M365 device directories can be found on the Device Directories page.