+20Anyone want to share their experience or knowledge with YubiKeys in their Mac AD environment?
How was your set up and what issues did you run into with users? How did it compare to your Windows users? Are you using YubiKeys on Macs below 10.12.6?
Thanks for your thoughts.
Best answer by hulsebus
Yes, we did have to pair the Yubikey and AD accounts with an admin account. It was going to be a lot of work, but (at that time) we were only going to deploy about 400 if we used that as our final solution, so we just planned to have multiple admins with the capability and deploy in waves.
Those directions are significantly different than what we did. Apple has been 'enhancing' native smartcard support since they are (allegedly) making more use of it, and those instructions appear to be using that native capability.
When I had to set it up, I had to compile a third-party version of smartcard services and then use the Yubikey apps (like the Yubikey PIV Manager) and the Apple keychain to get everything working. It wasn't fun to setup, but worked reasonably reliably once the parts were in place.
+7We had a small scale test deployment that I was a part of. They worked, but not great. We tested them on 10.11 and 10.12. I found that we had to modify the code entry times because the default was too fast and the macs would miss characters. We had a couple users have issues with button timing, but that was more of a user problem. Our Yubikeys had the capability of housing two different cert/key-sets. You activated the first one by pressing the button for more than 0.8 seconds but less that 1.5 seconds on the second one by pressing for longer than 1.7 seconds (I think). We only used the first set, so we had to tell the test users not hold the button too long.
We also had some of our iMac users gripe because (at the time, don't know if it has changed) Yubikey didn't officially support using usb hubs. Those using iMacs either had to put the key in the back of their machine and feel around for the button or try a hub and hope it worked. The usb ports in the wired Mac keyboards are deep enough that the button was inaccessible when plugged in.
The setup process was simpler one Windows, but the user experience was very close to the same.
End of the day, they did technically work for what we needed, but we ended up going with a different solution. We do still keep them around for special cases where our other mfa won't work.
Fair warning, YMMV; this testing was done a long time ago so hardware/software may have changed.
+20Thanks @hulsebus. Were you pairing the Yubikey with local accounts or AD accounts? What was your different solution?
Thanks again for your post. We are finding it easier on the Windows so far.
+7We were pairing with AD accounts. We ended up going with Duo as our main solution. It's not as feature-rich on the Mac, but it's working for us so far.
+20Cool. Did you have to "Pair" the Yubikey and AD account manually with an admin account? If so, that's a lot of time with each user.
We tried to follow their link below. But I can't get the macOS to recognize the Yubikey even with the certs on there.
+7Yes, we did have to pair the Yubikey and AD accounts with an admin account. It was going to be a lot of work, but (at that time) we were only going to deploy about 400 if we used that as our final solution, so we just planned to have multiple admins with the capability and deploy in waves.
Those directions are significantly different than what we did. Apple has been 'enhancing' native smartcard support since they are (allegedly) making more use of it, and those instructions appear to be using that native capability.
When I had to set it up, I had to compile a third-party version of smartcard services and then use the Yubikey apps (like the Yubikey PIV Manager) and the Apple keychain to get everything working. It wasn't fun to setup, but worked reasonably reliably once the parts were in place.
+20Curious, for users who have to log in different Macs on shared-kiosks, you just paired it at request each time?
Also, in your environment now, did you flick on "SmartCard login" only? Otherwords, no passwords -- just SmartCards.
Thanks for all the info man. I'm going to hit you with questions on here down the line if you don't mind.
+7In our organization, we do not allow shared machines (kiosks or otherwise), so when a user gets a machine their creds are paired when we deploy (no such thing as a zero-touch deploy for us). Nope we, we require both password and mfa auth for logging in.
I hope I helped out a little at least. Happy to answer questions in the future if I can.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.