Posted on 07-28-2022 02:54 PM
I have paired my Yubikey with my mac. Pin has replaced my system password.
I want to check the certificate expiry date in Jamf Inventory. I do not see the concerned certificate in Jamf inventory/computer/certificates!! I do not see the Yubikey certificate in my keychain either!!
Any idea where the cert is stored? How do I make it visible in Jamf?
07-29-2022 05:00 AM - edited 07-29-2022 05:01 AM
Use something like Smart Card Utility from the App Store to see the certificate(s) on the Yubikey, it will also show you when they expire. I had to obtain 2 of the certs listed from our Cyber team to push to devices via a Config Profile, and I do see those in the inventory report for my machine in Certificates.
Posted on 08-10-2022 04:49 PM
Smart Card Utility is a paid app, isn't it? I haven't got exactly what you did to display Yubikey cert info in Jamf inventory.
Posted on 07-29-2022 11:18 AM
You won't be able to see any of the Yubikey information in Jamf unless you build some sort of EA to read the certificate. The certs are on the Yubikey, not the device. They're only available when you have the Yubikey plugged in. And like @Jason33 said, it requires some tool like Smart Card Utility.
Posted on 08-10-2022 04:53 PM
I can run these commands in Terminal with correct output.
However, I am not able to translate this into a valid EA. Any idea?
This EA is not working. What have I missed?
Posted on 08-10-2022 05:12 PM
This works in Terminal as an sh file, not as an EA!
Posted on 12-01-2022 07:40 AM
@Eskobar
I am setting up Yubikeys in my environment. Have you been able to configure the Yubikey and deploy the Cert to another machine?
Posted on 12-01-2022 09:51 AM
Hi @mknation
You can use AD CS Connector to get the cert from MMC to the key (not validated but should work).
We are using virtual Citrix access to get the cert (manual steps for the user that require PIN/login pwd).
---------
Big Big Issue:
How can you help a user to log in to his session if his smartcard is blocked and he forgot his PIN code?!!!
Yubico has created the Yubico mini driver for Windows that can detect if the card is locked and will prompt the user for the PUK. This tool is not created for the Mac side!!!
What are you planning for that scenario?
Posted on 12-05-2022 10:26 AM
Hi @Eskobar
We plan on using Jamf Connect / have the user come into the office if they forgot their PIN code.
In your environment, do you domain join the Macs? I don't want to join it to the domain, but I was wondering if you did it?
01-19-2023 08:08 AM - edited 01-19-2023 08:09 AM
@Eskobar I got the EA Working.
Use the following installer and the following EA:
https://github.com/Yubico/yubikey-manager/releases
Current Version at time of this message:
https://github.com/Yubico/yubikey-manager/releases/download/5.0.1/yubikey-manager-5.0.1-mac.pkg
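#!/bin/sh
# Jamf Extension Attribute: report the YubiKey PIV status via ykman.
if [ -e /usr/local/ykman/ykman ]
then
    # Full output of "ykman piv info" (requires the YubiKey to be plugged in)
    Serials=$(/usr/local/ykman/ykman piv info)
    echo "<result>$Serials</result>"
else
    echo "<result>NotInstalled</result>"
fi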
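Building on the EA above toward the expiry date asked about at the top of the thread, the following is an added example and not code from any poster: it reduces the `ykman piv info` output to the expiry of the slot 9a certificate in the `YYYY-MM-DD hh:mm:ss` form that Jamf's Date-type extension attributes use. It assumes the output contains a `Slot 9A ...` header followed by an indented `Not after:` line; the function names and the `NoCertificate` / `NoYubiKey` values are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): Jamf EA reporting PIV certificate expiry.
# Assumption: `ykman piv info` prints a "Slot 9A ..." header followed by an
# indented "Not after:" line; adjust the patterns if your version differs.
YKMAN=/usr/local/ykman/ykman    # install path used by the EA in the thread

# stdin: `ykman piv info` text; $1: slot (default 9a, PIV authentication).
# Prints the expiry as "YYYY-MM-DD hh:mm:ss", or nothing if no cert is found.
piv_not_after() {
    slot=$(printf '%s' "${1:-9a}" | tr '[:upper:]' '[:lower:]')
    awk -v slot="$slot" '
        /^Slot / {                        # start of a slot section
            hdr = tolower($2); sub(/[^0-9a-f].*$/, "", hdr)
            in_slot = (hdr == slot); next
        }
        in_slot && /^[ \t]*Not after:/ {
            sub(/^[ \t]*Not after:[ \t]*/, "")
            sub(/T/, " ")                 # ISO 8601 separator to a space
            print substr($0, 1, 19); exit
        }'
}

# stdin: `ykman piv info` text; prints the Jamf <result> line.
ea_result() {
    expiry=$(piv_not_after "$1")
    if [ -n "$expiry" ]; then
        echo "<result>$expiry</result>"
    else
        echo "<result>NoCertificate</result>"
    fi
}

ea_main() {
    if [ ! -x "$YKMAN" ]; then
        echo "<result>NotInstalled</result>"
    elif info=$("$YKMAN" piv info 2>/dev/null); then
        printf '%s\n' "$info" | ea_result 9a
    else
        # ykman failed, typically because no YubiKey is inserted
        echo "<result>NoYubiKey</result>"
    fi
}
ea_main
```

Because the certificate lives on the key, the value is only refreshed when inventory runs with the YubiKey inserted.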