Onboarding

This section describes how to onboard YubiEnterprise Services and getting access to the YubiEnterprise Console to start creating shipment requests.

When your Yubico sales person or a channel partner has issued a purchase order for the desired products, subscriptions, and services for your organization, the onboarding procedure starts. This includes setting up accounts for your organization and providing access to the Console.

Procedure Overview

When Yubico has received the initial purchase order for your organization, an account is created for your organization and the purchased products and services are added to the account.

When the account is created, an activation email is automatically sent to the email address of the first user added to the organization’s account. This user is assigned the Console Owner role, and is added as a demo user with permissions restricted as follows:

  • Cannot ship more than 10 YubiKeys
  • Cannot add new Console users
  • Cannot generate API tokens

Note

Except when activating a first Console Owner account, logging in to the Console always requires a multi-factor authentication (MFA) method that supports FIDO2/WebAuthn, for example a YubiKey. Be aware that if you use a biometric option to log in to your computer, the credentials will be tied to the computer. This means that you might be locked out from the Console if your computer gets a hard reset or you get a new device.

User permissions remain restricted until the demo user registers a security key as part of the onboarding. When a security key has been registered for the account in the Console, the user acquires full Console Owner permissions.

The first Console Owner performs the following actions during their onboarding:

  1. Activates account and performs initial login to the Console.
  2. Verifies the content of the first purchase order.
  3. Creates an initial shipment request of maximum 10 YubiKeys (optional).
  4. Registers at least one security key for the user account.
  5. Adds Console users as needed for the organization, at least one more Console Owner is recommended.

The onboarding procedure is described in more detail in the following.

Prerequisites

The following is needed for the onboarding:

  • A browser such as Chrome, Firefox, or Edge, with the popup-blocking function disabled.
  • Email with account activation link provided by Yubico. Note that the link expires after 7 days.

Note

To use the YubiEnterprise API you need access to the Console to set up an API caller user account with an associated API token. For more information, see API Onboarding Playbook.

Onboarding Procedures

The first user account registered with an organization will also be the first Console Owner for the organization. Onboarding a first Console Owner and registering a YubiKey (WebAuthn credential) with this account is required to be able to add more Console users for the organization.

Activating First Console Owner

To onboard as the first Console Owner (account owner), do the following:

  1. Click the Activate your YubiEnterprise account link in the activation email from Yubico.

    _images/onboard-activate-email.png

  2. Create a strong password following the recommendations in the Welcome dialog and click Continue.

    _images/onboard-activate-credentials.png

  3. In the YubiEnterprise Console login page that opens, click Login.

    _images/onboard-login.png

  4. In the YubiEnterprise Console Acceptance Use Policy dialog, click I agree to continue.

  5. The Dashboard page for your organization opens. Verify that the inventory displayed corresponds to the initial purchase orders, including subscriptions and expected product quantities.

    _images/onboard-verify-order1.png

  6. Create a first shipment request. If you do not have a YubiKey already, you have the option as demo user to request a shipment of up to 10 keys for yourself and other users in your organization. For more information on how to create a shipment request, see Shipping to a Single Address. When you have a key available, the next step is to register the key.

  7. Register at least one security key with your YubiEnterprise account as described in Adding WebAuthn Credentials. When registering a security key, you will be prompted to log out and in again using the security key. It is recommended that you also register at least one additional key as backup to avoid losing access to the Console if a key is lost. When you have registered a key you will get full Console Owner role permissions.

  8. Add an additional Console Owner for your organization. It is recommended to have at least two users with the Console Owner role as this is the only role that can perform password and account resets. If your organization only has one Console Owner and that person locks themselves out or leaves your organization, you must contact Yubico to set up a new Console Owner. To add users and assign roles, see Adding or Deleting Users.

  9. Add more Console users as needed for your organization, for example users that will be managing shipment requests or API integration users. For more information, see Roles and Permissions. The system sends activation emails to each new user so they can log in and activate their account as described in the following.

Note

If your organization is using the single sign-on (SSO) method, you cannot change your password or your authentication method when you log in via SSO. You must use your credentials (username, password and YubiKey) to log in. Only then can you manage your credentials.

Activating Additional Users

Note

If your organization has Single sign-on (SSO) enabled, new users do not have to register. Users are immediately added to the organization in the Active state and can use the SSO service-provider-initiated login link to log in to the Console. For more information, see Managing Passwords with SSO.

When a Console Owner has added you to the YubiEnterprise Console as a member of your organization you will receive an account activation email from Yubico.

To activate your account and log in to the Console for the first time, do the following:

  1. Click the Activate your YubiEnterprise account link in the activation email from Yubico.
  2. Create a strong password following the recommendations in the Welcome dialog and click Continue.
  3. If you have a YubiKey available, register this with your Console account as described in Adding WebAuthn Credentials. It is recommended to register an additional YubiKey as backup to avoid losing access to the Console if the original key is lost. If you do not have a YubiKey, register using another of the multi-factor authentication options available.
  4. In the YubiEnterprise Console login page that opens, click Login.
  5. In the YubiEnterprise Console Acceptance Use Policy dialog, click I agree to continue.
  6. You will be taken to the Dashboard page for your organization providing an overview of available inventory, and recent shipments and purchase orders.
  7. You are now ready to start using YubiEnterprise services and the Console! To get started, see the Getting started section.

Distributors and Resellers

Yubico channel partners can use the “Distributor” and “Reseller” views in the Console to see what was sold to associated end customers, monitor their inventories, and provide access to purchase order information.

To onboard as an account owner for a channel partner organization, follow the procedure for Activating First Console Owner. When adding Console users for your organization, you can assign the “Distributor” and “Reseller” roles to those specific users. These roles provide access to the “Distributor” and “Reseller” views. To add users and assign roles, see Adding or Deleting Users.

For more information about channel partner roles, see Roles and Permissions. For more information about channel partner views, see Dashboard.

To file a support ticket for YubiEnterprise Delivery, click Support.