There are several ways to initiate a revocation of a certificate on a mobile device, in this post we will discuss the options and their behavior per platform. It’s important to note that we can only revoke certificates which are delivered via SCEP.
There are two types of removal:
- Due to device wipe/retire or unenrollment.
- Due to user leaving the targeted collection/group, deployment being deleted or profile/policy is being deleted.
From a server side perspective, the certificate will always be revoked on the CA.
From a client side perspective, the certificate will be removed from the device. This applies to all platforms we currently support: Windows, Windows Phone, Android and iOS with one exception (see below).
The only scenario is we are currently investigating is removal type 2 in combination with Windows Phone, in certain conditions the certificate is not removed from the device.