YubiEnroll Commands
The following describes commands available when using the YubiEnroll CLI, together with usage examples. For more examples of how to add providers and enrollment profiles and enroll end users, see Using YubiEnroll CLI.
yubienroll
yubienroll [OPTIONS] COMMAND [ARGS]...
Run yubienroll at the command prompt to see available options and commands.
Options
Option | Description
---|---
-l, --log-level LEVEL | Enable logging at the given verbosity level. LEVEL is one of ERROR, WARNING, INFO, DEBUG, or TRAFFIC.
--log-file FILE | Write the log to FILE instead of printing it to stderr (requires --log-level).
-v, --version | Show version information about the app.
-h, --help | Show this message and exit.
Commands
Command | Description
---|---
credentials | Manage FIDO credentials for users.
login | Authenticate to the active provider.
logout | Log out from the active provider.
profiles | Manage enrollment profiles.
providers | Manage authentication settings for identity providers.
readers | List available smart card readers.
status | Show which provider is active and its authentication status.
users | Search for users.
yubienroll credentials
yubienroll credentials [OPTIONS] COMMAND [ARGS]...
Lets you enroll, list and delete credentials on behalf of an end user. The subcommands require a USER_ID, which can be either the ID or the username of the end user. Use the yubienroll users [query] command to get these values, see yubienroll users.
Options
Option | Description
---|---
-h, --help | Show this message and exit.
Commands
Command | Description
---|---
add | Enroll a FIDO credential on behalf of an end user.
delete | Delete FIDO credential(s) for an end user.
list | List FIDO credentials for an end user.
yubienroll credentials add
yubienroll credentials add [OPTIONS] USER_ID
Add credentials on behalf of an end user, enrolling them with the identity provider. USER_ID is the ID or username of the end user. Use the yubienroll users [query] command to get these values, see yubienroll users.
The yubienroll credentials add command creates a FIDO credential on the YubiKey and registers it with the identity provider for the specified user.
You can configure YubiKey settings, for example a minimum PIN length or a forced PIN change on first use, either through the CLI options or through an enrollment profile. A profile can be selected with the --profile option; if none is given, the enrollment profile assigned to the active identity provider is applied. If neither authenticator settings nor an enrollment profile exist, you will be prompted to provide these.
Examples
Add credentials and enroll the end user with USER_ID “firstname.lastname@email.com”.
> yubienroll credentials add firstname.lastname@email.com
Apply a different (configured) enrollment profile named “another-profile” instead of the one used by the active provider.
> yubienroll credentials add firstname.lastname@email.com --profile another-profile
Options
Option | Description
---|---
-r, --reader NAME | Name of the smart card reader to use when enrolling a YubiKey over NFC (see yubienroll readers).
-p, --profile TEXT | Set the enrollment profile to use.
-d, --display-name TEXT | Display name to set for the Security Key.
--min-pin-length INTEGER RANGE | Set the minimum length allowed for the PIN [4<=x<=63].
--require-always-uv | Always require user verification (UV).
--no-require-always-uv | Do not always require user verification (UV).
--require-ea | Require Enterprise Attestation.
--no-require-ea | Do not require Enterprise Attestation.
--force-pin-change | Force a PIN change before use.
--no-force-pin-change | Do not force a PIN change before use.
--reset | Factory reset and re-initialize the key before enrolling. A FIDO reset erases the credentials and PIN already on the key.
--no-reset | Do not factory reset and re-initialize the key.
--random-pin | Set a new random PIN.
--no-random-pin | Do not set a new random PIN.
--random-pin-length INTEGER RANGE | Set the random PIN length [4<=x<=63].
-f, --force | Confirm settings without prompting.
-h, --help | Show this message and exit.
yubienroll credentials delete
yubienroll credentials delete [OPTIONS] USER_ID [CREDENTIAL_IDS]...
Delete one or more credentials for an end user available in the identity provider. If no credential IDs are provided, all credentials for the end user will be listed and you will be prompted to select the desired ones to delete.
Examples
Delete the credential with CREDENTIAL_ID “123XYZ” in the identity provider for the end user with USER_ID “4321”.
> yubienroll credentials delete 4321 123XYZ
Delete multiple credentials for a user by passing a space-separated list of credential IDs. For example, the user with user ID “X” has two credentials with IDs “Y” and “Z”, and you want to delete both in one go.
> yubienroll credentials delete X Y Z
Options
Option | Description
---|---
-f, --force | Confirm deletion without prompting.
-h, --help | Show this message and exit.
yubienroll credentials list
yubienroll credentials list [OPTIONS] USER_ID
List active credentials registered for an end user available in the identity provider.
Examples
List available credentials for the end user with USER_ID “firstname.lastname@email.com”.
> yubienroll credentials list firstname.lastname@email.com
yubienroll login
yubienroll login [OPTIONS]
Authenticate to the active provider. Starts a web-based authentication flow to get access credentials for the user account.
Examples
Show supported identity providers to select and log in to the desired one.
> yubienroll login
Use --no-launch-browser if you do not want the command to launch the default system browser. The authorization URL is then printed in the terminal so you can open it manually in a browser of your choice.
> yubienroll login --no-launch-browser
Options
Option | Description
---|---
--no-launch-browser | Do not open the browser automatically.
-h, --help | Show this message and exit.
yubienroll logout
yubienroll logout [OPTIONS]
Log out the YubiEnroll user from the active identity provider.
Note
This command is currently only supported for the Okta identity provider.
Options
Option | Description
---|---
-h, --help | Show this message and exit.
yubienroll profiles
yubienroll profiles [OPTIONS] COMMAND [ARGS]...
Manage enrollment profiles for an identity provider. Profiles are presets of configuration parameters used when enrolling credentials. You can for example enforce minimum PIN length or force PIN change prior to use. You can edit profile settings or delete the profile from the provider configuration. Deleting an enrollment profile will remove it from any provider using it.
Examples
Add an enrollment profile with the name “standard” to the (active) provider.
> yubienroll profiles add standard
Show the enrollment profiles available for the provider.
> yubienroll profiles list
To unset a profile from a provider, edit the provider configuration with the following command and select “0” for the profile.
> yubienroll providers edit <provider_name>
Options
Option | Description
---|---
-h, --help | Show this message and exit.
Commands
Command | Description
---|---
add | Create a new profile.
delete | Delete a profile.
edit | Modify an existing profile.
list | List profiles.
yubienroll profiles add
yubienroll profiles add [OPTIONS] NAME
Creates a new profile where NAME is the name of the new profile.
Options
Option | Description
---|---
--min-pin-length INTEGER RANGE | Set the minimum length allowed for the PIN [4<=x<=63].
--require-always-uv | Always require user verification (UV).
--no-require-always-uv | Do not always require user verification (UV).
--require-ea | Require Enterprise Attestation.
--no-require-ea | Do not require Enterprise Attestation.
--force-pin-change | Force a PIN change before use.
--no-force-pin-change | Do not force a PIN change before use.
--reset | Factory reset and re-initialize the key.
--no-reset | Do not factory reset and re-initialize the key.
--random-pin | Set a new random PIN.
--no-random-pin | Do not set a new random PIN.
--random-pin-length INTEGER RANGE | Set the random PIN length [4<=x<=63].
-h, --help | Show this message and exit.
yubienroll profiles delete
yubienroll profiles delete [OPTIONS] NAME
Deletes an existing profile with the name NAME.
Options
Option | Description
---|---
-f, --force | Confirm deletion without prompting.
-h, --help | Show this message and exit.
yubienroll profiles edit
yubienroll profiles edit [OPTIONS] NAME
Modifies an existing profile with the name NAME.
Options
Option | Description |
---|---|
--min-pin-length INTEGER RANGE |
Set the minimum length allowed for PIN [4<=x<=63]. |
--require-always-uv |
Require always UV. |
--no-require-always-uv |
Do not require always UV. |
--require-ea |
Require Enterprise Attestation. |
--no-require-ea |
Do not require Enterprise Attestation. |
--force-pin-change |
Force PIN change before use. |
--no-force-pin-change |
Do not force PIN change before use. |
--reset |
Factory reset and re-initialize key. |
--no-reset |
Do not factory reset and re-initialize key. |
--random-pin |
Set a new random PIN. |
--no-random-pin |
Do not set a new random PIN. |
--random-pin-length INTEGER RANGE |
Set the random PIN length [4<=x<=63]. |
-h, --help |
Show this message and exit. |
yubienroll providers
yubienroll providers [OPTIONS] COMMAND [ARGS]...
Manage authentication configurations stored in named provider objects for identity providers. You can add, activate, or delete authentication configurations. The active provider is the provider and tenant with which YubiEnroll communicates. Only one provider can be active at a time.
Note
If there are no existing provider configurations and you add one, YubiEnroll will automatically activate it. To explicitly activate a provider, use yubienroll providers activate. An active provider configuration can be deleted.
Examples
Add a provider configuration with the name “entra”.
> yubienroll providers add entra
Show the configuration for the provider with the name “entra”.
> yubienroll providers show entra
Delete the provider configuration named “entra” without prompting.
> yubienroll providers delete --force entra
Options
Option | Description
---|---
-h, --help | Show this message and exit.
Commands
Command | Description
---|---
activate | Select which provider to use for other commands.
add | Create a new provider configuration.
delete | Delete a provider configuration.
edit | Modify an existing provider configuration.
list | List all provider configurations.
show | Show the full configuration for a provider.
yubienroll providers activate
yubienroll providers activate [OPTIONS] NAME
Activates the existing provider configuration with the name NAME so that it is used by the other commands.
yubienroll providers add
yubienroll providers add [OPTIONS] NAME
Creates a new provider configuration with the name NAME. This command lets you define authentication settings for an identity provider. Settings include CLIENT_ID, REDIRECT_URI, and other OAuth2-specific configuration.
Note
The command requires an OAuth app to be registered with your identity provider.
Options
Option | Description
---|---
-p, --provider TYPE | The identity provider to choose: ENTRA or OKTA.
-a, --activate | Activate the configuration.
-h, --help | Show this message and exit.
yubienroll providers delete
yubienroll providers delete [OPTIONS] NAME
Deletes the provider configuration with the name NAME.
Options
Option | Description
---|---
-f, --force | Confirm deletion without prompting.
-h, --help | Show this message and exit.
yubienroll readers
yubienroll readers [OPTIONS]
Lists available smart card readers.
You can use a smart card reader to enroll a YubiKey over NFC. Use the --reader option of the yubienroll credentials add command to specify the name of the reader you want to use, and the yubienroll readers command to find that name.
Options
Option | Description
---|---
-h, --help | Show this message and exit.
yubienroll status
yubienroll status [OPTIONS]
Shows the name of the active provider configuration (used by default when enrolling end users), the identity provider used, and whether the user is authenticated with the provider or not.
Options
Option | Description
---|---
-h, --help | Show this message and exit.
yubienroll users
yubienroll users [OPTIONS] [QUERY]
When enrolling an end user, you need the user identifiers “ID” and “Username”. To get these values, search for users in the identity provider with the yubienroll users <query> command, where query is a substring match against display name, username, or email. The query can be, for example, the display name (firstname + lastname), the username, or the primary email address. The search result includes the ID, Display Name, Username, and Email for each matching user.
Note
When performing enrollment operations on behalf of a user, you can only use the username or user ID value. Using the email address will not work.
Examples
Search for an end user with the name “firstname lastname” in the identity provider. Quote a query that contains spaces so the shell passes it as a single argument. If no query is specified, all users are returned.
> yubienroll users "firstname lastname"
Options
Option | Description
---|---
-h, --help | Show this message and exit.
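Putting the commands together: an operator looks up each USER_ID with yubienroll users, optionally picks a reader name from yubienroll readers, keeps the authenticator hardening in an enrollment profile created with yubienroll profiles add, and then runs yubienroll credentials add once per user. The POSIX shell wrapper below is an added example and is not part of YubiEnroll or of Yubico's documentation. The function and variable names (YUBIENROLL, LOG_FILE, validate_pin_length, create_profile, enroll_one, enroll_batch), the user[,profile[,reader]] record format it reads, the constructed sample records, and the assumption that the CLI exits with a non-zero status when an enrollment fails are all ours, not documented behaviour; every flag it passes is one listed in the option tables above.

```shell
#!/bin/sh
# Batch enrollment wrapper around the YubiEnroll CLI.
# Added example, not Yubico's code. Assumptions not taken from the reference page:
# the CLI exits non-zero when an enrollment fails, and the names YUBIENROLL,
# LOG_FILE, validate_pin_length, create_profile, enroll_one and enroll_batch are ours.
set -u

YUBIENROLL="${YUBIENROLL:-yubienroll}"        # CLI to invoke (a stub in tests)
LOG_FILE="${LOG_FILE:-yubienroll-batch.log}"  # --log-file only works together with --log-level

# --min-pin-length and --random-pin-length both accept 4 <= x <= 63 (option tables above).
validate_pin_length() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 4 ] && [ "$1" -le 63 ]
}

# Create a hardened enrollment profile: minimum PIN length $2, a random initial
# PIN of $3 digits that the user must change on first use, and UV always required.
#   $1 profile name   $2 minimum PIN length   $3 random PIN length (both 4..63)
create_profile() {
    validate_pin_length "$2" && validate_pin_length "$3" || return 2
    [ "$3" -ge "$2" ] || return 2   # the generated PIN must itself satisfy the minimum
    # --no-reset on purpose: a factory reset wipes every FIDO credential already on the key.
    "$YUBIENROLL" profiles add "$1" \
        --min-pin-length "$2" --random-pin --random-pin-length "$3" \
        --force-pin-change --require-always-uv --no-reset
}

# Enroll one end user.
#   $1  user ID or username from `yubienroll users` (the email address is not accepted)
#   $2  enrollment profile; empty means the profile assigned to the active provider
#   $3  smart card reader name from `yubienroll readers`; empty means a directly attached key
enroll_one() {
    user="$1"; profile="${2:-}"; reader="${3:-}"
    set -- credentials add
    if [ -n "$profile" ]; then set -- "$@" --profile "$profile"; fi
    if [ -n "$reader" ];  then set -- "$@" --reader "$reader"; fi
    # Global options go before the subcommand. --force confirms the settings
    # summary without prompting; PIN entry and touch still happen on the key.
    "$YUBIENROLL" --log-level INFO --log-file "$LOG_FILE" "$@" --force "$user"
}

# Enroll every record in a file of "user[,profile[,reader]]" lines.
# Blank lines and lines starting with # are skipped. Returns the number of
# failed enrollments (0 means all succeeded) so a caller can gate on it.
enroll_batch() {
    failed=0; total=0
    # Read on fd 3 so stdin stays the terminal for the PIN/touch prompts; the
    # `|| [ -n "$user" ]` keeps a last line without a trailing newline.
    while IFS=, read -r user profile reader <&3 || [ -n "$user" ]; do
        case "$user" in ''|'#'*) continue ;; esac
        total=$((total + 1))
        if enroll_one "$user" "$profile" "$reader"; then
            printf 'enrolled %s\n' "$user"
        else
            failed=$((failed + 1))
            printf 'FAILED   %s (see %s)\n' "$user" "$LOG_FILE" >&2
        fi
    done 3< "$1"
    printf '%d of %d enrollments failed\n' "$failed" "$total" >&2
    return "$failed"
}

# Usage: sh enroll.sh users.csv
# A constructed users.csv (not real accounts) could contain:
#   alice.adams,standard,
#   bob.brown,,ACS ACR122U
if [ $# -eq 1 ]; then
    enroll_batch "$1"
fi
```

Create the profile once (create_profile standard 6 8 prints the random PIN handed to each user, who must change it on first use), then run the batch with the profile name in each record; leave the profile column empty to fall back to the profile assigned to the active provider. Note that --force only suppresses the settings confirmation and never the PIN or touch interaction, and that --reset belongs in a batch profile only when wiping whatever is already on each key is intended.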