YubiEnroll Commands

The following describes commands available when using the YubiEnroll CLI, together with usage examples. For more examples of how to add providers and enrollment profiles and enroll end users, see Using YubiEnroll CLI.

yubienroll

yubienroll [OPTIONS] COMMAND [ARGS]...

Run yubienroll at the command prompt to see available options and commands.

Options

Option Description
-l, --log-level [ERROR|WARNING|INFO|DEBUG|TRAFFIC] Enable logging at the given verbosity level.
--log-file FILE Write log to FILE instead of printing to stderr (requires --log-level).
-v, --version Show version information about the app.
-h, --help Show this message and exit.

Commands

Command Description
credentials Manage FIDO credentials for users.
login Authenticate to the active provider.
logout Log out from the active provider.
profiles Manage enrollment profiles.
providers Manage authentication settings for identity providers.
readers List available smart card readers.
status Show which provider is active and its authentication status.
users Search for users.

yubienroll credentials

yubienroll credentials [OPTIONS] COMMAND [ARGS]...

Lets you enroll, list and delete credentials on behalf of an end user. Subcommands require a USER_ID, which is the ID or username of the end user. Use the yubienroll users [query] command to look up these values (see yubienroll users).

Options

Option Description
-h, --help Show this message and exit.

Commands

Command Description
add Enroll a FIDO credential on behalf of an end user.
delete Delete FIDO credential(s) for an end user.
list List FIDO credentials for an end user.

yubienroll credentials add

yubienroll credentials add [OPTIONS] USER_ID

Add a credential on behalf of an end user, enrolling them with the identity provider. USER_ID is the ID or username of the end user. Use the yubienroll users [query] command to look up these values (see yubienroll users).

The yubienroll credentials add command creates a FIDO credential on the YubiKey and registers it with the identity provider for the specified user.

You can configure YubiKey settings, for example a minimum PIN length or a forced PIN change on first use, either through the CLI options or by using an enrollment profile. A profile can be selected explicitly with the --profile option, or is applied automatically if one is assigned to the active provider.

If no profile is specified, the enrollment profile associated with the active identity provider is applied. If neither authenticator settings nor an enrollment profile exist, you will be prompted to provide them.

Examples

  • Add credentials and enroll end user with user_ID “firstname.lastname@email.com”.

    > yubienroll credentials add firstname.lastname@email.com

  • Apply a different (configured) enrollment profile named “another-profile” than the one used by the active provider.

    > yubienroll credentials add firstname.lastname@email.com --profile another-profile

Options

Option Description
-r, --reader NAME Name of the smart card reader to use (see yubienroll readers).
-p, --profile TEXT Set the enrollment profile to use.
-d, --display-name TEXT Display name to set for the Security Key.
--min-pin-length INTEGER RANGE Set the minimum length allowed for PIN [4<=x<=63].
--require-always-uv Always require UV.
--no-require-always-uv Do not always require UV.
--require-ea Require Enterprise Attestation.
--no-require-ea Do not require Enterprise Attestation.
--force-pin-change Force PIN change before use.
--no-force-pin-change Do not force PIN change before use.
--reset Factory reset and re-initialize key.
--no-reset Do not factory reset and re-initialize key.
--random-pin Set a new random PIN.
--no-random-pin Do not set a new random PIN.
--random-pin-length INTEGER RANGE Set the random PIN length [4<=x<=63].
-f, --force Confirm settings without prompting.
-h, --help Show this message and exit.

yubienroll credentials delete

yubienroll credentials delete [OPTIONS] USER_ID [CREDENTIAL_IDS]...

Delete one or more credentials for an end user available in the identity provider. If no credential IDs are provided, all credentials for the end user will be listed and you will be prompted to select the desired ones to delete.

Examples

  • Delete credentials in the identity provider for the end user with user_ID “4321” and credential_ID “123XYZ”.

    > yubienroll credentials delete 4321 123XYZ

  • Delete multiple credentials for a user by passing a space-separated list of credential IDs. For example, a user with user ID “X” has two credentials with IDs “Y” and “Z”, and you want to delete both in one go.

    > yubienroll credentials delete X Y Z

Options

Option Description
-f, --force Confirm deletion without prompting.
-h, --help Show this message and exit.

yubienroll credentials list

yubienroll credentials list [OPTIONS] USER_ID

List active credentials registered for an end user available in the identity provider.

Examples

  • List available credentials for end user with user_ID “firstname.lastname@email.com”.

    > yubienroll credentials list firstname.lastname@email.com

yubienroll login

yubienroll login [OPTIONS]

Authenticate to the active provider. Starts a web-based authentication flow to get access credentials for the user account.

Examples

  • Show the supported identity providers, select one, and log in to it.

    > yubienroll login

  • Use --no-launch-browser if you do not want the command to launch the default system browser. This prints the authorization URL in the terminal so you can manually open the URL in a desired browser.

    > yubienroll login --no-launch-browser

Options

Option Description
--no-launch-browser Do not open browser automatically.
-h, --help Show this message and exit.

yubienroll logout

yubienroll logout [OPTIONS]

Log out the YubiEnroll user from the active identity provider.

Note

This command is currently only supported for the Okta identity provider.

Options

Option Description
-h, --help Show this message and exit.

yubienroll profiles

yubienroll profiles [OPTIONS] COMMAND [ARGS]...

Manage enrollment profiles for an identity provider. Profiles are presets of configuration parameters used when enrolling credentials. For example, you can enforce a minimum PIN length or force a PIN change before first use. You can edit profile settings or delete the profile from the provider configuration. Deleting an enrollment profile removes it from any provider using it.

Examples

  • Add an enrollment profile with the name “standard” to the (active) provider.

    > yubienroll profiles add standard

  • Show enrollment profiles available for the provider.

    > yubienroll profiles list

  • To unset a profile from a provider, run the following command and select “0”.

    > yubienroll profiles edit <provider_name>

Options

Option Description
-h, --help Show this message and exit.

Commands

Command Description
add Create a new profile.
delete Delete a profile.
edit Modify an existing profile.
list List profiles.

yubienroll profiles add

yubienroll profiles add [OPTIONS] NAME

Creates a new profile named NAME.

Options

Option Description
--min-pin-length INTEGER RANGE Set the minimum length allowed for PIN [4<=x<=63].
--require-always-uv Always require UV.
--no-require-always-uv Do not always require UV.
--require-ea Require Enterprise Attestation.
--no-require-ea Do not require Enterprise Attestation.
--force-pin-change Force PIN change before use.
--no-force-pin-change Do not force PIN change before use.
--reset Factory reset and re-initialize key.
--no-reset Do not factory reset and re-initialize key.
--random-pin Set a new random PIN.
--no-random-pin Do not set a new random PIN.
--random-pin-length INTEGER RANGE Set the random PIN length [4<=x<=63].
-h, --help Show this message and exit.
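The following script is an added example, not part of the YubiEnroll documentation or tool. It ties together the profile flags documented under yubienroll profiles add and the enrollment flow of yubienroll credentials add: it creates (or updates) a hardened profile, enrolls each user ID passed on the command line with that profile, and treats an enrollment as successful only if the provider then lists a credential for the user. The profile name "standard", the reader handling, the fallback from profiles add to profiles edit, and the assumption that credentials list prints nothing for a user with no credentials are all the example's own assumptions; it requires the yubienroll CLI on PATH and an active, authenticated provider.

```shell
#!/bin/sh
# Added example (not part of the YubiEnroll docs): bulk-enroll users with a
# hardened enrollment profile and verify each enrollment afterwards.
set -eu

PROFILE="${PROFILE:-standard}"   # profile name; "standard" is a constructed example
READER="${READER:-}"             # optional reader name, as printed by `yubienroll readers`

# Create or update the profile using the documented profiles add/edit flags:
# 6-character minimum PIN, a random 8-character initial PIN that the user must
# change before first use, always require UV, and require Enterprise
# Attestation. Falling back to `edit` assumes `add` fails for an existing name.
ensure_profile() {
    set -- --min-pin-length 6 --force-pin-change --require-always-uv --require-ea \
           --random-pin --random-pin-length 8
    yubienroll profiles add "$PROFILE" "$@" 2>/dev/null \
        || yubienroll profiles edit "$PROFILE" "$@"
}

# Enroll one user (user ID or username, never an email address) with the
# profile. --force skips the interactive confirmation so the run is scriptable.
enroll_one() {
    user="$1"
    if [ -n "$READER" ]; then
        yubienroll credentials add "$user" --profile "$PROFILE" --reader "$READER" --force
    else
        yubienroll credentials add "$user" --profile "$PROFILE" --force
    fi
    # Fail closed: count the enrollment only if the provider now lists a
    # credential (assumes `list` prints nothing when the user has none).
    yubienroll credentials list "$user" | grep -q . \
        || { echo "no credential listed for $user" >&2; return 1; }
}

# Enroll every user ID given as an argument, stopping at the first failure.
# Prints the number of users enrolled on stdout.
enroll_users() {
    ensure_profile
    n=0
    for user in "$@"; do
        echo "enrolling $user with profile $PROFILE" >&2
        enroll_one "$user" || return 1
        n=$((n + 1))
    done
    echo "$n"
}

# Usage: sh enroll.sh <user_id>...   e.g.  sh enroll.sh alice.smith 4321
if [ "$#" -gt 0 ]; then enroll_users "$@"; fi
```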

yubienroll profiles delete

yubienroll profiles delete [OPTIONS] NAME

Deletes an existing profile with the name NAME.

Options

Option Description
-f, --force Confirm deletion without prompting.
-h, --help Show this message and exit.

yubienroll profiles edit

yubienroll profiles edit [OPTIONS] NAME

Modifies an existing profile with the name NAME.

Options

Option Description
--min-pin-length INTEGER RANGE Set the minimum length allowed for PIN [4<=x<=63].
--require-always-uv Always require UV.
--no-require-always-uv Do not always require UV.
--require-ea Require Enterprise Attestation.
--no-require-ea Do not require Enterprise Attestation.
--force-pin-change Force PIN change before use.
--no-force-pin-change Do not force PIN change before use.
--reset Factory reset and re-initialize key.
--no-reset Do not factory reset and re-initialize key.
--random-pin Set a new random PIN.
--no-random-pin Do not set a new random PIN.
--random-pin-length INTEGER RANGE Set the random PIN length [4<=x<=63].
-h, --help Show this message and exit.

yubienroll providers

yubienroll providers [OPTIONS] COMMAND [ARGS]...

Manage authentication configurations stored in named provider objects for identity providers. You can add, activate, or delete authentication configurations. The active provider is the provider and tenant with which YubiEnroll communicates. Only one provider can be active at a time.

Note

If there are no existing provider configurations and you add one, YubiEnroll will automatically activate it. To explicitly activate a provider, use yubienroll providers activate. An active provider configuration can be deleted.

Examples

  • Add a provider configuration with the name “entra”.

    > yubienroll providers add entra

  • Show the configuration for the provider with the name “entra”.

    > yubienroll providers show entra

  • Delete the provider configuration named “entra” without prompting.

    > yubienroll providers delete --force entra

Options

Option Description
-h, --help Show this message and exit.

Commands

Command Description
activate Select which provider to use for other commands.
add Create a new provider configuration.
delete Delete a provider configuration.
edit Modify an existing provider configuration.
list List all provider configurations.
show Show the full configuration for a provider.

yubienroll providers activate

yubienroll providers activate [OPTIONS] NAME

Activates an existing provider configuration with the name NAME to be used for other provider commands.

yubienroll providers add

yubienroll providers add [OPTIONS] NAME

Creates a new provider configuration with the name NAME. This command lets you define authentication settings for an identity provider. Settings include CLIENT_ID, REDIRECT_URI, and other OAuth2-specific configurations.

Note

The command requires an OAuth app to be registered with your identity provider.

Options

Option Description
-p, --provider [ENTRA|OKTA] The identity provider to choose.
-a, --activate Activate configuration.
-h, --help Show this message and exit.

yubienroll providers delete

yubienroll providers delete [OPTIONS] NAME

Deletes the provider configuration named NAME.

Options

Option Description
-f, --force Confirm deletion without prompting.
-h, --help Show this message and exit.

yubienroll readers

yubienroll readers [OPTIONS]

Lists available smart card readers.

You can use a smart card reader to enroll a YubiKey over NFC. Run yubienroll readers to find the name of the reader you want to use, then pass that name with the --reader option of the yubienroll credentials add command.

Options

Option Description
-h, --help Show this message and exit.

yubienroll status

yubienroll status [OPTIONS]

Shows the name of the active provider configuration (used by default when enrolling end users), the identity provider used, and whether the user is authenticated with the provider or not.

Options

Option Description
-h, --help Show this message and exit.

yubienroll users

yubienroll users [OPTIONS] [QUERY]

When enrolling an end user, you will need the user identifiers “ID” and “Username”. To get these values, search for users in the identity provider with the yubienroll users <query> command, where query is matched as a substring of the display name, username, or email.

query can be, for example, the display name (first name + last name), the username, or the primary email address. The search result includes the ID, Display Name, Username, and Email for each matching user.

Note

When performing enrollment operations on behalf of a user, you can only use the username or user ID value. Using the email address will not work.

Examples

  • Search for an end user with the name “firstname lastname” in the identity provider. If no query is specified, all users are returned.

    > yubienroll users firstname lastname

Options

Option Description
-h, --help Show this message and exit.
