Can user certificates be exported to a non-corporate device?
User certificates can be exported to a non-corporate device. However, certificates exported to such devices are ineffective because the private key cannot be exported with the certificate.
If you want to prevent the export of user certificates altogether, you can use a group policy to block users from accessing the Certificate Manager Console.
What to do in case of certificate expiry?
You must renew the certificate or create a new one for the user and add it to the user's device. This can be done after the enrollment process, but must be done before the certificate expires. If the certificate expires, the user will not be able to log on to inSync.
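The following PowerShell script is an added example, not part of the inSync product or its documentation. It audits the current user's Personal certificate store for the two conditions described above: certificates that are close to expiry and private keys that are marked exportable. The 30-day renewal window and the function name Test-KeyExportable are assumptions; the script lists every certificate in the store because this page does not say which certificate inSync uses.

```powershell
# Added example: audit user certificates for upcoming expiry and key exportability.
# $WarnDays is an assumed renewal window; adjust it to your renewal process.
$WarnDays = 30

function Test-KeyExportable {
    # Hypothetical helper: returns $true/$false for RSA keys, $null when unknown.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $null }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG key: check the AllowExport and AllowPlaintextExport policy bits
            $mask = [int][System.Security.Cryptography.CngExportPolicies]::AllowExport -bor
                    [int][System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport
            return (([int]$rsa.Key.ExportPolicy) -band $mask) -ne 0
        }
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CSP key
            return $rsa.CspKeyContainerInfo.Exportable
        }
    } catch {
        # Key not accessible (for example, smart card removed): report unknown
    }
    return $null
}

$now = Get-Date
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $daysLeft = [math]::Floor(($_.NotAfter - $now).TotalDays)
    $status = if ($daysLeft -lt 0) { 'EXPIRED' }
              elseif ($daysLeft -le $WarnDays) { 'RENEW' }
              else { 'OK' }
    [pscustomobject]@{
        Subject       = $_.Subject
        Thumbprint    = $_.Thumbprint
        NotAfter      = $_.NotAfter
        DaysLeft      = $daysLeft
        Status        = $status
        HasPrivateKey = $_.HasPrivateKey
        KeyExportable = Test-KeyExportable $_
    }
} | Sort-Object DaysLeft | Format-Table -AutoSize
```

A row with Status RENEW needs a renewed or new certificate before its NotAfter date, and a row with KeyExportable set to True means the private key could leave the device together with the certificate.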
How to generate and distribute certificates when a PKI does not exist?
Generating and distributing certificates is not possible without a PKI setup.