Uninstallation

Last updated 1 month ago

How you uninstall SCEPman depends on whether there is only one SCEPman instance in your tenant and whether that instance has been used productively or not, e.g., as a PoC. If productive certificates were enrolled, you must decide whether to phase out this SCEPman instance gradually, keeping some parts of SCEPman running for some time, or to shut it down hard.

If you have multiple SCEPman installations in a single tenant and want to uninstall only some of them, make sure you keep the components used by the live instances. This applies especially to the App Registrations, which by default are shared by all instances.

This guide is not intended for situations where you have a geo-redundant setup and want to keep SCEPman, but remove an instance for a specific region. Please contact our support in this situation if you have questions.

Intune/Jamf/Other Configuration Profiles

For all platforms that you have used SCEPman on, you will probably have configuration profiles for

  • The distribution of the SCEPman Root CA,

  • enrollment of client certificates via SCEP, and

  • WiFi or VPN profiles that use this client certificate.

Each type of profile in the preceding list depends on the ones above it. Thus, you should delete them from bottom to top, so you don't have any open dependencies.

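Note that Intune will remove the enrolled certificates from the client as soon as you remove the SCEP enrollment profiles, so there is no gentle phasing out of the certificate usage, but a hard cut.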

Azure Resources

In many cases, there is a single dedicated Azure Resource Group for all SCEPman-related resources. Thus, you can just delete the whole Resource Group to get rid of all SCEPman resources. In case of a geo-redundant SCEPman installation, there might be additional resource groups for the extra App Services and App Service Plans. In this case, you also have a Traffic Manager somewhere.

In order to delete the resource groups, it might be necessary to remove Delete Locks from the Azure Key Vault and/or Storage Account. There are cases where deleting the whole resource group does not work because of inter-resource dependencies. In this case, we recommend deleting the resources individually in the following order:

  1. App Insights

  2. App Services

  3. Storage Accounts

  4. Key Vault

  5. App Service Plan

  6. the Resource Group itself

Deleting the Storage Account results in information about manually created SCEPman Certificate Master certificates being lost, especially revocation information. Since deleting your SCEPman instances invalidates all issued certificates due to the failing OCSP responses anyway, this might not be an issue.
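
The deletion order above can be scripted so that the plan is reviewed before anything is removed. The following is an added example, not part of SCEPman or its documentation; it assumes a logged-in Azure CLI (`az`), and the script name is hypothetical.

```shell
#!/bin/sh
# Added example: plan-first teardown of one SCEPman resource group.
# Usage: ./scepman-teardown.sh <resource-group> [plan|delete]   (name is hypothetical)
TAB=$(printf '\t')

# Map an ARM resource type to its position in the deletion order from this page.
rank_of() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    microsoft.insights/components)     echo 1 ;;  # App Insights
    microsoft.web/sites)               echo 2 ;;  # App Services
    microsoft.storage/storageaccounts) echo 3 ;;  # Storage Accounts
    microsoft.keyvault/vaults)         echo 4 ;;  # Key Vault
    microsoft.web/serverfarms)         echo 5 ;;  # App Service Plan
    *)                                 echo 9 ;;  # unknown type: handled last
  esac
}

# stdin: "<type><TAB><id>" lines; stdout: resource ids sorted into deletion order.
deletion_order() {
  while IFS="$TAB" read -r type id; do
    [ -n "$id" ] && printf '%s\t%s\n' "$(rank_of "$type")" "$id"
  done | sort -s -n -k1,1 | cut -f2
}

main() {
  rg=$1; mode=${2:-plan}
  # Delete Locks (e.g. on Key Vault or Storage Account) block removal; show them first.
  az lock list --resource-group "$rg" --query "[].{name:name, level:level}" -o table
  az resource list --resource-group "$rg" --query "[].[type, id]" -o tsv |
    deletion_order | while read -r id; do
      if [ "$mode" = delete ]; then
        az resource delete --ids "$id" </dev/null
      else
        echo "would delete: $id"
      fi
    done
  if [ "$mode" = delete ]; then
    az group delete --name "$rg" --yes   # step 6: the Resource Group itself
    # Soft-deleted vaults still hold the CA key until the retention period ends.
    az keyvault list-deleted --query "[].name" -o tsv
  fi
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it in the default `plan` mode first and compare the printed order and the listed locks with what you expect before running it again with `delete`.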

Custom Domain

You may have registered a custom domain for SCEPman like scepman.contoso.de. Remove this entry from DNS to make it clear that it is not required for any service anymore.

App Registrations

SCEPman and SCEPman Certificate Master each use an app registration. By default, all SCEPman instances in a tenant share these two app registrations, so only delete them if this is the only SCEPman instance in your tenant -- except when you have used the optional AzureADAppNameForSCEPman and AzureADAppNameForCertMaster parameters in the SCEPman PowerShell module to make your other SCEPman instances use different app registrations.

SCEPman configures soft-delete and Purge Protection for 90 days by default for its Azure Key Vault. Thus, even if you delete the whole Resource Group, the CA key SCEPman used will be recoverable for the configured time frame. Afterwards, the CA key is gone and you cannot recover it. This means that there is no way to restore this SCEPman instance, and since there is no instance to create valid OCSP responses, all issued certificates are invariably considered invalid.

Your Storage Account might also contain SCEPman's log files. If you want to keep them, either keep the Storage Account and only delete the other Azure Resources or copy the log files to another location before deleting the Storage Account.

The default names of the app registrations are SCEPman-api and SCEPman-CertMaster. You can find and delete them by navigating to App registrations in the Azure Portal. Switch to "All applications" to search for them.
