Blacklist Trusted Endpoints

Hello DUO Experts,

I can see that DUO can verify if an Endpoint is trusted if it has a DUO certificate. From the admin panel, such trusted devices can be blacklisted to deny them access to certain applications.

How does DUO know that a device is blacklisted when it tries to login if it still has the certificate? What details does it parse to determine that the endpoint that is logging in is the same one i blacklisted a moment ago?

How does the blacklist work for other types of Trusted endpoints (for example using MDM)?