Thanks for your fast answer..
So what could be a solution for this problem?
I have to roll out certificates automaticly via scep for different devices (MDM, IP Phones, Thinclient, Printers) with different rules...
What is best practice for example authenticating thinclients with certificate?
I have to check if there is a possiblity to set a attribute like "thinclient" in the SAN ? Am i right, it is possible to filter SAN for attributes? It is the same as it is in the onboarding process?