Introduction

Note

YubiEnroll is currently in Limited Early Access for identity providers Okta and Microsoft Entra. For more information, see YubiEnroll.

YubiEnroll enables organizations of all sizes to easily enroll YubiKeys on behalf of end users supporting the move to a passwordless and phishing-resistant enterprise.

YubiEnroll is a software application that provides organizations with the ability to create FIDO credentials on YubiKeys, and configure and register the YubiKey with their identity provider on behalf of a user account. Pre-used YubiKeys can also be reset through YubiEnroll. For more information, see About YubiEnroll.

YubiEnroll offers a command line interface (CLI) through which an IT administrator can perform desired YubiKey configurations, for example to set minimum PIN length or force PIN change. When the YubiKey is configured, the IT admin can then enroll the YubiKey for a future key holder through the organizations´ identity provider (currently Okta and Microsoft Entra). For more information, see Using YubiEnroll CLI.

Supported Platforms

Yubienroll is currently available for identity providers Okta and Microsoft Entra and is compatible with and tested on Windows 11.

Compatibilities

Configuration of YubiKeys through the YubiEnroll CLI supports the entire current Yubico hardware product portfolio including all types of YubiKeys. Supported interfaces where applicable are USB-A, USB-C, and NFC.

The configuration options “Min PIN length”, Require always UV”, and “Force PIN change before use” are only supported for YubiKeys with firmware version 5.5 and higher.