16.1 and above
16.1 introduced the ability to disallow SAN types by policy
Disallow SAN: DNS
Disallow SAN: Email
Disallow SAN: IPAddress
Disallow SAN: OtherName UPN
Disallow SAN: URI
**To enable the following functionality you will need to contact support to request that the support tab be unlocked, this will be achieved via a challenge respond code**
To enable this functionality go to policy level that you would like to apply to, go to the support tab, select the Policy Attributes tab and add attribute.
Now select X509 Certificate and then select the SAN type you would like to disallow and enter a "1" in the Value box.
If a certificate is renewed which violates policy settings for the allowable SAN types it will go into error with an appropriate error.
E.G. Certificate will not be processed because there is a subject alternative name (IP address) in use. This folder prohibits subject alternative name (IP address).
If they saw this error and they needed an exception made they would likely need to unlock the policy setting for Disallow SAN: IPAddress so that it’s only a suggested setting and then on their immediate policy where they need to allow an exception they would need to override the policy setting with Disallow SAN: IPAddress = 0. Then hit retry on their cert.