Central management of YubiKeys with Enrollment
The challenge
Setting up individual YubiKeys for each user can be time-consuming and burdensome for IT staff.
solution
Appterix offers the option of centrally preparing the configuration of YubiKeys. With YubiKey Enrollment, YubiKeys can be set up either by users themselves or by administrators on their behalf. This accelerates the entire process, reduces the burden on IT, and ensures secure login for all employees.
Add YubiKey Enrollment
The following enrollment steps are available for YubiKey configuration:
- PIV reset
- PIV input
- USB applications
- NFC applications
- Certificate import
- Certificate-based authentication
- Passwordless authentication with Microsoft Entra ID
- OTP configuration
How to add YubiKey enrollment
- In the Appterix Management UI, navigate to YubiKey Management > Enrollment.
- click on Add Enrollment.
- Select one or more enrollment steps you want to add to the YubiKey configuration by dragging and dropping the steps or clicking on them.
You can then adjust the order of the steps by dragging and dropping them into the desired order, which is important for correct configuration of the YubiKey. - Next to the default enrollment name, click the icon Editto edit the enrollment information.
- (Recommended) Change the default name to a more descriptive name that makes the purpose of the enrollment easier to understand.
- (Optional) In the field Description a short description.
- (Optional) Enable Automatic enrollmentto enable automatic start of enrollment for users.
When users insert their YubiKeys, a pop-up window appears prompting them to begin the enrollment process. This option is only available for self-enrollment. - Place under allocation Specify the users and/or groups to which this enrollment applies and select the preferred enrollment method.
- Choose how enrollment will be conducted:
- Self-enrollment: Enable this option to allow users to complete YubiKey enrollment independently.
The button Start enrollment is displayed for the selected users on the Appterix agent, indicating that an enrollment is available for execution. - Enrollment on behalf of usersEnable: Enable this option to allow administrators to perform YubiKey enrollment on behalf of users. Once enabled, assign the appropriate administrators.
The button Start enrollment on behalf of becomes available to the selected administrators on the Appterix Agent, indicating that an enrollment is available to be executed on behalf of a user.
The YubiKey to be set up must be physically connected to the administrator's device to start the enrollment process.
- Self-enrollment: Enable this option to allow users to complete YubiKey enrollment independently.
- (Optional) Click Add new assignment groupto create a new assignment group that can be configured specifically for a team or department.
- click on Close.
- Once the enrollment configuration is complete, click Save.
The YubiKey enrollment was successfully added. The enrollment information has been transmitted to the relevant Appterix agents.
Next steps: Perform the YubiKey enrollment
After the configuration of the enrollment is completed and the users / groups are added to the enrollment have been assigned, the information about the enrollment is sent to the respective Appterix agents of the affected users within a few seconds:
- If the option Automatic enrollment has been activated, a pop-up window will appear upon YubiKey insertion, prompting users to start the enrollment process.
- With YubiKeys shall to the right of the respective information of plugged-in YubiKeys the button Start enrollment and / or Start enrollment on behalf of (depending on the specified configuration).
After successfully completing the enrollment using Appterix Agent, we recommend re-infection the YubiKey.