Unenroll Devices for Client-Based Zero Trust Access

After a user enrolls their device for zero trust access on the Cisco Secure Client, the device appears on Secure Access. The user's device can create secure zero trust sessions and connect to their organization's private resources.

If you need to remove a user device that has zero trust access enabled from the organization, you can unenroll the user's device on Secure Access. The unenroll administrative action has these consequences:

  • Prevents new zero trust connections from the device.
    • The user device cannot create any new zero trust sessions to private resources.
    • Any existing zero trust connections on the device remain active until the user unenrolls from Zero Trust Access on the Cisco Secure Client.
  • Invalidates the device's zero trust certificate.

Reenroll the User Device on the Secure Client

After you unenroll a device on Secure Access, the end user can reenroll their device to enable zero trust access from the Cisco Secure Client. For more information, see Invite Users to Enroll in Zero Trust Access for Secure Client.

Prerequisites

  • Full Admin user role. For more information, see Manage Accounts.
  • A user device that has enrolled in zero trust access on the Cisco Secure Client.

Procedure

Unenroll user devices on Secure Access that have enabled zero trust access on the Secure Client.

Important

After you unenroll a user device with zero trust access in Secure Access, the device may still have active zero trust connections to Secure Access from the Secure Client on the device.

  1. Navigate to Connect > Users and Groups.
  2. Click Users to view the users provisioned in the organization.
  3. Click on the Name of a user that has configured Enrolled (ZTNA).
  4. For User Details, navigate to Client-based ZTA, and then click Unenroll ZTNA.
  5. Click Unenroll ZTNA, and then confirm the removal of the user device.

