Hi Ben

Apologies for the delay in responding, I don't venture here as much anymore, and I thought we used to get notified when someone replies to a post? anyway...

Unfortunately I don't recall the exact fix since we've gone through a few versions of upgrade since when I had the issue. What you're saying about the android devices requesting a new cert daily seems a bit weird. What is the life span and request settings on your CA for the cert template? For example ours are set at 90 days for duration but 30 days at request, so there's a 60 day window for the device to renew the cert.

Any luck on figuring out this issue? Can report that we have the exact same problem. iOS requests 1 cert and sticks with it. Any of our android users however can get 25+ certs issued in a day. Overtime this goes as far to overwhelm the AD store and will not let any extended attributes be written as the allotted storage for the AD user object is full. Removing all the certs will correct the AD problem, and hey since a new cert will just issue in about an hour or less, it doesn't disrupt the user at all. This has been on going for years now and at first it never did this. So either an WSO or android update somewhere along the line caused this. So far I have been unsuccessful in finding the root of the issue.