Revoke a user's certificate from the Okta Certificate Authority

Revoke a user's Device Trust certificate(s) from the Okta Certificate Authority if their computer is lost or stolen, or if their account is deactivated. If you have revoked a user's Device Trust certificate and you want to secure their computer again, you'll need to remove the revoked certificate from their computer before enrolling a new certificate.

Managed Windows computers

  1. In the Admin Console, go to DirectoryPeople.
  2. Click a user name in the Person & Username column.
  3. Click More Actions and select Revoke Trust Certificate.
  4. Click Revoke Trust Certificate.
  5. To remove the Device Trust certificate:
    • Single computer: Use a third-party management tool such as Certificate Manager Tool (Certmgr.exe) to remove the certificate issued by the Okta MTLS Certificate Authority.
    • Multiple computers: Use a third-party management tool such as GPO or SCCM to remove the certificate issued by the Okta MTLS Certificate Authority.

Jamf Pro managed macOS devices

  1. In the Admin Console, go to DirectoryPeople.
  2. Click a user name in the Person & Username column.
  3. Click More Actions and select Revoke Trust Certificate.
  4. Click Revoke Trust Certificate.
  5. To remove the Device Trust certificate:
    • Command line: Open a terminal on the target computer and issue the command python <fileName>.py uninstall where <fileName> is the name of Okta Device Registration Task. For example, if the name of the Okta Registration Task is MacOktaDeviceRegistrationTaskSetup.1.0.2.py, you would issue this command:

      python MacOktaDeviceRegistrationTaskSetup.1.0.2.py uninstall

      If you reuse a script, remove the Org Token. The token is not necessary for the uninstall operation.

    • Uninstall script: Create an uninstall script in Jamf Pro configured to pass the uninstall parameter. See Adding a Script to Jamf Pro.