Unenroll a Device from Zero Trust Access

Immediately unenroll a device

  1. For certificate-based enrollment, remove the enrollment configuration file from the device. For the file location, see Enroll Devices in Zero Trust Access Using Certificates.
  2. To remove SAML-based ZTA enrollment from the user's device, see Unenroll Devices for Client-Based Zero Trust Access.

Permanently unenroll a device

To revoke Zero Trust Access for a device and prevent re-enrollment, perform the following steps in order:

  1. Remove the user from the identity provider. (This may take up to 30 minutes to take effect.)
  2. Unenroll the user's device from Zero Trust Access. See Unenroll Devices for Client-Based Zero Trust Access.

Additional steps for certificate-based enrollment:

  1. Remove the identity certificate from the user identity keystore on the device. This certificate may be used for multiple purposes, including VPN access.
  2. Revoke the identity certificate on your Certificate Authority (CA).
  3. Remove the enrollment configuration file from the device. For the file location, see Enroll Devices in Zero Trust Access Using Certificates.

If you do not perform all of these steps, the user may be able to re-enroll using the SSO authentication method.

Unenroll from the user endpoint device (for enrollments using SSO Authentication only)

Administrator access is not required. Users can perform this action themselves. Users can re-enroll unless you perform the steps for permanent unenrollment, above.

On Windows devices

  1. On the user endpoint device, launch Cisco Secure Client.

  2. Click the Advanced Window button.

  3. Click Zero Trust Access.

  4. Click the Advanced tab.

  5. Click Unenroll.

If the Unenroll button is not available and you see "This setting is managed by your administrator.", the device was enrolled using certificate-based enrollment and Administrator privileges are required to unenroll.

On macOS devices

  1. On the user endpoint device, launch Cisco Secure Client.
  2. Click the Statistics button.
  3. Click the Advanced tab.
  4. Click Unenroll.

If the Unenroll button is unavailable and you see "This setting is managed by your administrator.", the device was enrolled using certificate-based enrollment and Administrator privileges are required to unenroll.