YubiEnroll Commands

The following describes commands available when using the YubiEnroll CLI, together with usage examples. For more examples of how to add providers and enrollment profiles and enroll end users, see Using YubiEnroll CLI.

yubienroll

yubienroll [OPTIONS] COMMAND [ARGS]...

Run yubienroll at the command prompt to see available options and commands.

Options

Option	Description
`-l, - -log-level [ERROR\|WARNING\|INFO\|DEBUG\|TRAFFIC]`	Enable logging at given verbosity level.
`--log-file FILE`	Write log to FILE instead of printing to `stderr` (requires –log-level).
`-v, --version`	Show version information about the app.
`-h, --help`	Show this message and exit.

Commands

Command	Description
`credentials`	Manage FIDO credentials for users.
`login`	Authenticate to the active provider.
`logout`	Log out from the active provider.
`profiles`	Manage enrollment profiles.
`providers`	Manage authentication settings for identity providers.
`readers`	List available smart card readers.
`status`	Show which provider is active and its authentication status.
`users`	Search for users.

yubienroll credentials

yubienroll credentials [OPTIONS] COMMAND [ARGS]...

Lets users enroll, list and delete credentials on behalf of an end user. Subcommands require a User_ID, which can be the ID or username for an end user. Use the yubienroll users [query] command to get these values, see yubienroll users.

Options

Option	Description
`-h, --help`	Show this message and exit.

Commands

Command \| Description
`add`	Enroll a FIDO credential on behalf of an end user.
`delete`	Delete FIDO credential(s) for an end user.
`list`	List FIDO credentials for an end user.

yubienroll credentials add

yubienroll credentials add [OPTIONS] USER_ID

Add credentials on behalf of an end user enrolling them with the identity provider. User_ID is the ID or username for an end user. Use the yubienroll users [query] command to get these values, see yubienroll users.

The yubienroll credentials add command creates a FIDO credential on the YubiKey and registers it with the identity provider for the specified user.

You can configure YubiKey settings, for example minimum PIN length or force PIN change on first use, either through the CLI options or by using an enrollment profile. This can be specified with the --profile option or automatically applied if assigned to the active provider.

If not specified, the enrollment profile associated with the active identity provider will be applied. If no authenticator settings or enrollment profile exist, you will be prompted to provide these.

Examples

Add credentials and enroll end user with user_ID “firstname.lastname@email.com”.

> yubienroll credentials add firstname.lastname@mail.com
Apply a different (configured) enrollment profile named “another-profile” than the one used by the active provider.

> yubienroll credentials add firstname.lastname@email.com --profile another-profile

Options

Option	Description
`-r, --reader NAME`	Enroll a FIDO credential on behalf of a user.
`-p, --profile TEXT`	Set the enrollment profile to use.
`-d, --display-name TEXT`	Display name to set for the Security Key.
`--min-pin-length INTEGER RANGE`	Set the minimum length allowed for PIN [4<=x<=63].
`--require-always-uv`	Always require UV.
`--no-require-always-uv`	Do not always require UV.
`--require-ea`	Require Enterprise Attestation.
`--no-require-ea`	Do not require Enterprise Attestation.
`--force-pin-change`	Force PIN change before use.
`--no-force-pin-change`	Do not force PIN change before use.
`--reset`	Factory reset and re-initialize key.
`--no-reset`	Do not factory reset and re-initialize key.
`--random-pin`	Set a new random PIN.
`--no-random-pin`	Do not set a new random PIN.
`--random-pin-length INTEGER RANGE`	Set the random PIN length [4<=x<=63].
`-f, --force`	Confirm settings without prompting.
`-h, --help`	Show this message and exit.

yubienroll credentials delete

yubienroll credentials delete [OPTIONS] USER_ID [CREDENTIAL_IDS]...

Delete one or more credentials for an end user available in the identity provider. If no credential IDs are provided, all credentials for the end user will be listed and you will be prompted to select the desired ones to delete.

Examples

Delete credentials in the identity provider for the end user with user_ID “4321” and credential_ID “123XYZ”.

> yubienroll credentials delete 4321 123XYZ
Delete multiple credentials for a user by passing a space-separated list of credentials. For example, a user with user ID “X” has two credentials with ID “Y” and “Z”, and you want to delete both in one go.

> yubienroll credentials delete X Y Z

Options

Option	Description
`-f, --force`	Confirm deletion without prompting.
`-h, --help`	Show this message and exit.

yubienroll credentials list

yubienroll credentials list [OPTIONS] USER_ID

List active credentials registered for an end user available in the identity provider.

Examples

List available credentials for end user with user_ID “firstname.lastname@email.com”.

> yubienroll credentials list firstname.lastname@email.com

yubienroll login

yubienroll login [OPTIONS]

Authenticate to the active provider. Starts a web-based authentication flow to get access credentials for the user account.

Examples

Show supported identity providers to select and log in to the desired one.

> yubienroll login
Use --no-launch-browser if you do not want the command to launch the default system browser. This prints the authorization URL in the terminal so you can manually open the URL in a desired browser.

> yubienroll login --no-launch-browser

Options

Option	Description
`--no-launch-browser`	Do not open browser automatically.
`-h, --help`	Show this message and exit.

Commands

Command	Description
`login`	Authenticate with an identity provider.

yubienroll logout

yubienroll logout [OPTIONS]

Log out the YubiEnroll user from the active identity provider.

Note

This command is currently only supported for the Okta identity provider.

Options

Option	Description
`-h, --help`	Show this message and exit.

Commands

Command	Description
`logout`	Log out from the active provider.

yubienroll profiles

yubienroll profiles [OPTIONS] COMMAND [ARGS]...

Manage enrollment profiles for an identity provider. Profiles are presets of configuration parameters used when enrolling credentials. You can for example enforce minimum PIN length or force PIN change prior to use. You can edit profile settings or delete the profile from the provider configuration. Deleting an enrollment profile will remove it from any provider using it.

Examples

Add an enrollment profile with the name “standard” to the (active) provider.

> yubienroll profiles add standard
Show enrollment profiles available for the provider.

> yubienroll profiles list
To unset a profile from a provider, run the following command and select “0”.

> yubienroll profiles edit <provider_name>

Options

Option	Description
`-h, --help`	Show this message and exit.

Commands

Command	Description
`add`	Create a new profile.
`delete`	Delete a profile.
`edit`	Modify an existing profile.
`list`	List profiles.

yubienroll profiles add

yubienroll profiles add [OPTIONS] NAME

Creates a new profile where NAME is the name of the new profile.

Options

Option	Description
`--min-pin-length INTEGER RANGE`	Set the minimum length allowed for PIN [4<=x<=63].
`--require-always-uv`	Require always UV.
`--no-require-always-uv`	Do not require always UV.
`--require-ea`	Require Enterprise Attestation.
`--no-require-ea`	Do not require Enterprise Attestation.
`--force-pin-change`	Force PIN change before use.
`--no-force-pin-change`	Do not force PIN change before use.
`--reset`	Factory reset and re-initialize key.
`--no-reset`	Do not factory reset and re-initialize key.
`--random-pin`	Set a new random PIN.
`--no-random-pin`	Do not set a new random PIN.
`--random-pin-length INTEGER RANGE`	Set the random PIN length [4<=x<=63].
`-h, --help`	Show this message and exit.

yubienroll profiles delete

yubienroll profiles delete [OPTIONS] NAME

Deletes an existing profile with the name NAME.

Options

Option	Description
`-f, --force`	Confirm deletion without prompting.
`-h, --help`	Show this message and exit.

yubienroll profiles edit

yubienroll profiles edit [OPTIONS] NAME

Modifies an existing profile with the name NAME.

Options

Option	Description
`--min-pin-length INTEGER RANGE`	Set the minimum length allowed for PIN [4<=x<=63].
`--require-always-uv`	Require always UV.
`--no-require-always-uv`	Do not require always UV.
`--require-ea`	Require Enterprise Attestation.
`--no-require-ea`	Do not require Enterprise Attestation.
`--force-pin-change`	Force PIN change before use.
`--no-force-pin-change`	Do not force PIN change before use.
`--reset`	Factory reset and re-initialize key.
`--no-reset`	Do not factory reset and re-initialize key.
`--random-pin`	Set a new random PIN.
`--no-random-pin`	Do not set a new random PIN.
`--random-pin-length INTEGER RANGE`	Set the random PIN length [4<=x<=63].
`-h, --help`	Show this message and exit.

yubienroll providers

yubienroll providers [OPTIONS] COMMAND [ARGS]...

Manage authentication configurations stored in named provider objects for identity providers. You can add, activate, or delete authentication configurations. The active provider is the provider and tenant with which YubiEnroll communicates. Only one provider at the time can be active.

Note

If there are no existing provider configurations and you add one, YubiEnroll will automatically activate it. To explicitly activate a provider, use yubienroll providers activate. An active provider configuration can be deleted.

Examples

Add a provider configuration with the name “entra”.

> yubienroll providers add entra
Show the configuration for the provider with the name “entra”.

> yubienroll providers show entra
Delete the provider configuration named “entra” without prompting.

> yubienroll providers delete --force entra

Options

Option	Description
`-h, --help`	Show this message and exit.

Commands

Command	Description
`activate`	Select which provider to use for other commands.
`add`	Create a new provider configuration.
`delete`	Delete a provider configuration.
`edit`	Modify an existing provider configuration.
`list`	List all provider configurations.
`show`	Show the full configuration for a provider.

yubienroll providers activate

yubienroll providers activate [OPTIONS] NAME

Activates an existing provider configuration with the name NAME to be used for other provider commands.

yubienroll providers add

yubienroll providers add [OPTIONS] NAME

Creates a new provider configuration with the name NAME. This command lets you define authentication settings for an identity provider. Settings include CLIENT_ID, REDIRECT_URI, and other OAuth2-specific configurations.

Note

The command requires an OAuth app to be registered with your identity provider.

Options

Option	Description
`-p, -- provider [ENTRA\|OKTA]`	The identity provider to choose.
`-a, -- activate`	Activate configuration.
`-h, --help`	Show this message and exit.

yubienroll providers delete

yubienroll providers delete [OPTIONS] NAME

Deletes a provider with the name NAME.

Options

Option	Description
`-f, --force`	Confirm deletion without prompting.
`-h, --help`	Show this message and exit.

yubienroll readers

yubienroll readers [OPTIONS]

Lists available smart card readers.

You can use a smart card reader to enroll a YubiKey over NFC. Use the --reader option in the yubienroll credentials add command to specify the name of the reader you want to use. Use the yubienroll readers command to find the name of the reader you want to use.

Options

Option	Description
`-h, --help`	Show this message and exit.

yubienroll status

yubienroll status [OPTIONS]

Shows the name of the active provider configuration (used by default when enrolling end users), the identity provider used, and whether the user is authenticated with the provider or not.

Options

Option	Description
`-h, --help`	Show this message and exit.

yubienroll users

yubienroll users [OPTIONS] [QUERY]

When enrolling an end user, you will need the user identifiers “ID” and “Username”. To get these values you can search for users in the identity provider using the yubienroll users <query> command where query is a substring match of display name, username, or email.

query can be for example the display name (firstname + lastname), username, or primary email address. The returned search result will include the ID, Display Name, Username, and Email for each user.

Note

When performing enrollment operations on behalf of a user, you can only use the username or user ID value. Using the email address will not work.

Examples

Search for an end user with the name “firstname lastname” in the identity provider. If no query is specified, all users are returned.

> yubienroll users firstname lastname

Options

Option	Description
`-h, --help`	Show this message and exit.

Commands

Command	Description
`users`	Search for users.