De-register, Ban and Unban Devices

How to manage misplaced or decommissioned devices in your organization

Motivation

When an end user installs the Banyan Desktop App or Mobile App, an X.509 Device Certificate is issued and placed in their device’s system keychain to register that device. The end user can now access Banyan-secured services from their registered device based on the organization’s security policies.

In some scenarios, such as if an employee leaves a company, you may need to de-register the device. When a device is de-registered, the Device Certificate is removed from the device’s system keychain. As an additional security measure, the Device Certificate is also revoked so the certificate will no longer be deemed valid, thus blocking access to Banyan-secured services.

In other scenarios, such as when a device is misplaced or stolen, you may need to ban the device. When a device is banned, the Device Certificate is revoked and the device is placed on a “banned device list” so it can never be registered with Banyan.

To enable users to re-register a banned device, the organization’s Banyan Admin must unban the device, which removes it from the “banned device list”.

How it Works

Banyan leverages the Online Certificate Status Protocol (OCSP) to revoke certificates for de-registering and banning devices.

In OCSP scenarios, an OCSP client (such as an Internet browser) requests the status of one or more certificates from an OCSP responder (generally a server hosting certificate information). The responder then returns status information (valid or revoked) about the certificate(s) to the OCSP client.

The Banyan TrustProvider component behaves as the OCSP client. It requests certificate statuses from the OCSP responder and grants or denies access to devices accordingly. If the certificate is valid, the device is granted access to Banyan-protected resources. If the certificate is revoked, the device is blocked.
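The following added example (not Banyan's TrustProvider code) shows the kind of decision an OCSP client makes, using the Python cryptography library. The CA, the device name "laptop-01" and the stand-in responder are constructed for illustration and are assumptions, not part of the original page.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = datetime.datetime.now(datetime.timezone.utc).replace(microsecond=0, tzinfo=None)
DAY = datetime.timedelta(days=1)

def make_cert(cn, key, issuer_cn, issuer_key):
    # Constructed test certificate; all names here are hypothetical.
    def name(s): return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + 30 * DAY)
            .sign(issuer_key, hashes.SHA256()))

def responder_answer(device, ca, ca_key, revoked):
    # Stand-in OCSP responder: signs the current status of one device certificate.
    status = ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=device, issuer=ca, algorithm=hashes.SHA256(), cert_status=status,
        this_update=NOW, next_update=NOW + DAY,
        revocation_time=NOW if revoked else None, revocation_reason=None)
    builder = builder.responder_id(ocsp.OCSPResponderEncoding.HASH, ca)
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

def allow_access(device, ca, der_response):
    # OCSP client decision: fail closed unless a CA-signed answer for this serial says GOOD.
    resp = ocsp.load_der_ocsp_response(der_response)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False
    try:
        ca.public_key().verify(resp.signature, resp.tbs_response_bytes,
                               ec.ECDSA(resp.signature_hash_algorithm))
    except InvalidSignature:
        return False
    if resp.serial_number != device.serial_number:
        return False
    return resp.certificate_status == ocsp.OCSPCertStatus.GOOD

def demo():
    ca_key, dev_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
    ca = make_cert("Example Device CA", ca_key, "Example Device CA", ca_key)
    dev = make_cert("laptop-01", dev_key, "Example Device CA", ca_key)
    return {state: allow_access(dev, ca, responder_answer(dev, ca, ca_key, state == "revoked"))
            for state in ("registered", "revoked")}
```

A production client would additionally check the response's validity window (thisUpdate and nextUpdate) before trusting it.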

De-register and Delete a Device

To de-register a device and delete it from your list of devices:

1. Navigate to Directory & Infrastructure > Devices.

2. Select the device you are de-registering, and then click Edit Device.

3. Click Delete and then confirm the device deletion.

The device’s certificate is now revoked and the device is no longer associated with your organization.

An end user may also de-register their device by themselves. To do so, the end user would perform the following steps:

1. Launch the Banyan App on the device they are de-registering.

2. Navigate to Settings and select the option to “Remove All Orgs”.

3. Accept the prompt to “Delete Device Registration”.

The device will no longer be able to access Banyan-secured applications and services until it is re-registered.

Ban a Device

To ban a device:

1. Navigate to Directory & Infrastructure > Devices.

2. Select the device you are banning, and then click Edit Device.

3. Set the Banned field to Yes, and then click Update.

The device will no longer be able to access Banyan-secured applications and services until it is unbanned by an administrator and re-registered by a user. Optionally, you can also de-register and delete the device from your organization.

Unban a Device

To unban a device:

1. Navigate to Directory & Infrastructure > Devices.

2. Select the device you are allowing to re-register, and then click Edit Device.

3. Set the Banned field to No, and then click Update.

After the device is unbanned by the Banyan Admin, the user must re-register the device. Doing so installs a valid and unexpired Device Certificate, which allows the user and their device to access corporate assets.



Last modified: Aug 31, 2021