I have paired my Yubikey with my mac. Pin has replaced my system password.
I want to check the certificate expiry date in Jamf Inventory. I do not see the concerned certificate in Jamf inventory/computer/certificates !! I do not see the Yubikey certificate in my keychain either !!
Any idea where the cert is stored ? How make it visible in Jamf ?
Use something like Smart Card Utility from the App Store to see the certificate(s) on the Yubikey, it will also show you when they expire. I had to obtain 2 of the certs listed from our Cyber team to push to devices via a Config Profile, and I do see those in the inventory report for my machine in Certificates.
You wont be able to see any of the yubikey information in jamf unless you build some sort of EA to read the certificate. The certs are on the yubikey, not the device. They're only available when you have the yubikey plugged in. And like @Jason33 said, it requires some tool like Smart Card Utility.
Use something like Smart Card Utility from the App Store to see the certificate(s) on the Yubikey, it will also show you when they expire. I had to obtain 2 of the certs listed from our Cyber team to push to devices via a Config Profile, and I do see those in the inventory report for my machine in Certificates.
Smart Card Utility is paid app, isn't ? I haven't got exactly what you did to display yubikey cert info in Jamf inventory
You wont be able to see any of the yubikey information in jamf unless you build some sort of EA to read the certificate. The certs are on the yubikey, not the device. They're only available when you have the yubikey plugged in. And like @Jason33 said, it requires some tool like Smart Card Utility.
I can ran these commands in terminal with correct output.
However, am not able to translate this in valid EA, any idea ?
This EA is not working. What have is missed?
this works in terminal as sh file not as EA!
@Eskobar
I am setting up Yubikeys in my environment. Have you been able to configure the Yubikey and deploy the Cert to another machine?
Hi @mknation
You can use AD CS Connector to get cert from MMC to the key ( not validated but should work).
We are using virtual Cirix access to get the cert (manual steps for user that requires pin/login pwd).
---------
Big Big Issue:
How can you help user to login to his session if his smartcard is blocked and he forgot his PIN code? !!!
Yubico has created Yubico mini driver for windows that can detect if card is locked and will prompt user for PUK. This tools is not created for mac side !!!
What are you planning for that scenario ?
Hi @mknation
You can use AD CS Connector to get cert from MMC to the key ( not validated but should work).
We are using virtual Cirix access to get the cert (manual steps for user that requires pin/login pwd).
---------
Big Big Issue:
How can you help user to login to his session if his smartcard is blocked and he forgot his PIN code? !!!
Yubico has created Yubico mini driver for windows that can detect if card is locked and will prompt user for PUK. This tools is not created for mac side !!!
What are you planning for that scenario ?
Hi @Eskobar
We plan on using Jamf connect/ have the user come into the office if they forgot their pin code.
In your environment, do you domain join the Macs? I don't want to join it to the domain, but I was wondering if you did it?
@Eskobar I got the EA Working.
Use the following installer and the following EA:
https://github.com/Yubico/yubikey-manager/releases
Current Version at time of this message:
https://github.com/Yubico/yubikey-manager/releases/download/5.0.1/yubikey-manager-5.0.1-mac.pkg
#!/bin/sh
if [ -e /usr/local/ykman/ykman ]
then
Serials=$(/usr/local/ykman/ykman piv info)
echo "<result>$Serials</result>"
else
echo "<result>NotInstalled</result>"
fi
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.