Introduction

Note

YubiEnroll is currently in Early Access. For more information, see YubiEnroll.

YubiEnroll enables administrators in organizations of all sizes to easily enroll YubiKeys on behalf of end users, supporting the move to a passwordless and phishing-resistant enterprise.

YubiEnroll is a software application that provides organizations with the ability to create FIDO credentials on YubiKeys, and configure and register the YubiKey with their identity provider on behalf of a user account. Pre-used YubiKeys can also be reset through YubiEnroll. For more information, see About YubiEnroll.

YubiEnroll offers a command line interface (CLI) through which an IT administrator can perform desired YubiKey configurations, for example to set a minimum PIN length or force a PIN change. Once the YubiKey is configured, the IT admin can enroll it for a future key holder through the organization's identity provider (currently Okta and Microsoft Entra). For more information, see Using YubiEnroll CLI.

Supported Platforms

YubiEnroll is compatible with and tested on Windows 11. If end users log in with admin-enrolled YubiKeys to systems on different platforms, they might encounter FIDO2 capabilities that are not yet supported.

The following describes which FIDO CTAP2.1 features are natively supported by a platform.

| YubiEnroll Feature | Platforms supporting the feature on a YubiKey |
|---|---|
| Minimum PIN length | Windows 11, Chrome on macOS, Linux |
| Force PIN change before use | Windows 11, Chrome on macOS, Linux |
| Require always UV | Windows 10*, Windows 11, macOS, Android, iOS, Linux |

*On Windows 10, security keys enabled with “Require always UV” will work with Okta or Entra ID. However, other websites supporting WebAuthn that do not request user verification might block the user from logging in.

Hardware

Configuration of YubiKeys through the YubiEnroll CLI supports the entire current Yubico hardware product portfolio including all types of YubiKeys. Supported interfaces where applicable are USB-A, USB-C, and NFC.

Note

The configuration options “Min PIN length”, “Require always UV”, and “Force PIN change before use” are only supported for YubiKeys with firmware version 5.5 and higher.