Certificates issued from Jamf Pro using Venafi as a CA can be automatically revoked from computers and mobile devices.
When automatic certificate revocation is enabled, certificates issued by Venafi are queued for revocation immediately after the Wipe Computer, Wipe Device, or Unmanage Device action is taken. When computers or mobile devices fall out of the scope of the configuration profile that issues the certificates, the certificate will be queued for revocation after the computers or mobile devices acknowledge the remove profile command.
You can enable automatic certificate revocation while you are configuring Venafi as a CA in Jamf Pro or afterward. When automatic certificate revocation is enabled and scope has been defined in configuration profiles, Venafi certificates will be automatically revoked from computers or mobile devices when they fall out of scope.
If you disable automatic certificate revocation after it has been enabled, any certificates that were already marked for revocation are still revoked after the setting is turned off.
- In Jamf Pro, click Settings in the sidebar.
- In the Global section, click PKI certificates.
- Click View in the Manage CA column.
- Click Edit.
- Enable or disable automatic certificate revocation as needed (enabled by default).
- Click Save.
When viewing the list of Venafi certificates, revoked certificates will have a Status of "Inactive" and a State of "Revoked".
The Jamf Pro revocation service sends revocation requests either every 30 seconds or in batches of 100, depending on which constraint is met first. If there are fewer than 100 revocations, the revocation requests are sent 30 seconds after the first configuration profile is set to be removed. If there are 100 or more revocations, the first 100 revocation requests are sent immediately. Subsequent revocation requests are then immediately sent in groups of 100, or are deferred for 30 seconds if fewer than 100 remain.
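The batching rule above, modelled as an added Python example (not Jamf Pro's own code). The `RevocationBatcher` name and the certificate serials are constructed for illustration, and the model assumes that the 30-second timer for a remainder left after a full batch restarts when that batch is sent, which the page does not state explicitly.

```python
from collections import deque
from typing import Deque, List, Optional

BATCH_SIZE = 100      # revocation requests sent per batch
BATCH_DELAY_S = 30.0  # seconds to wait before sending a partial batch


class RevocationBatcher:
    """Model of the documented rule: a batch of revocation requests goes
    out as soon as 100 are queued, otherwise 30 seconds after the first
    one was queued, whichever comes first.
    Assumption (not stated on the page): after a full batch is sent, the
    30-second timer for a partial remainder restarts at that moment."""

    def __init__(self) -> None:
        self._queue: Deque[str] = deque()
        self._deadline: Optional[float] = None  # when the partial batch is due

    def queue_revocation(self, serial: str, now: float) -> List[List[str]]:
        """Queue one certificate serial at time `now` (seconds).
        Returns any full batches that are released immediately."""
        if self._deadline is None:
            self._deadline = now + BATCH_DELAY_S
        self._queue.append(serial)
        return self._release_full_batches(now)

    def tick(self, now: float) -> List[List[str]]:
        """Scheduler callback: releases the partial batch once its
        30-second deadline has passed."""
        batches = self._release_full_batches(now)
        if self._queue and self._deadline is not None and now >= self._deadline:
            batches.append(self._take(len(self._queue)))
            self._deadline = None
        return batches

    def pending(self) -> int:
        """Number of revocations still waiting to be sent."""
        return len(self._queue)

    def _release_full_batches(self, now: float) -> List[List[str]]:
        batches: List[List[str]] = []
        while len(self._queue) >= BATCH_SIZE:
            batches.append(self._take(BATCH_SIZE))
        if batches:
            # Any remainder is deferred for a fresh 30 seconds (assumption).
            self._deadline = now + BATCH_DELAY_S if self._queue else None
        return batches

    def _take(self, n: int) -> List[str]:
        return [self._queue.popleft() for _ in range(n)]
```

Driving the batcher with a handful of revocations shows the 30-second deferral; driving it with a burst of 250 shows two immediate batches of 100 followed by a deferred batch of 50.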