Configuring Yubikey Desktop Login on Jamf-Managed Devices

Patrick Grubbs Consumer Protection

Yubikeys represent an exciting opportunity to merge two features that are often at odds: security and convenience.

Many organizations have purchased Yubikeys and distributed them to their employees for that extra layer of physical security. They’re commonly used to securely access networks, databases, applications, and services in lieu of (or in addition to) regular credentials.

But Yubikeys can do so much more.

SecureW2 has independently developed software that expands and enhances the functionality and security of Yubikeys. Instead of PINs and passwords, we can help you store ultra-secure digital certificates on your Yubikey. Instead of just logging into Wi-Fi or email, we can help you strengthen your physical security by using a Yubikey to log in to a desktop.

For organizations that currently use Jamf to configure their managed devices, our solution pushes a config to prompt users to automatically enroll their device for Yubikey-desktop login.

And it’s easy, too.

1. Set up Yubikey Normally

The best part about our Yubikey solution is that users can self-enroll painlessly.

Start off by plugging in your Yubikey and allowing it to self-install the necessary drivers. Follow the instructions on the prompts.

2. Enrolling your Yubikey for a Certificate with SecureW2

The next step is to download some additional software from Yubico so that your security key can interface with our software.

Macs should grab the Yubico Device Manager here. Windows devices need to install an additional Yubico Smartcard Mini Driver instead. Remember to restart your computer afterwards.

Have the user navigate to your organization’s SecureW2 landing page. It will prompt the user to download the JoinNow client which, once run, will initiate a Setup Wizard to guide the user through the rest of the configuration process.

Ensuring your users have non-default, and properly complex, PIN/PUKs is an important facet of YubiKey security. Our software prompts users to enter their PIN and/or PUK in order to enroll for a certificate, and allows them to easily reset their PIN/PUK if a default value is detected. After the software verifies the YubiKey is protected with a secure PIN, it prompts users to enter their AD/LDAP credentials or redirects to a single-sign-on page for SAML-based Identity Providers.

The SecureW2 client provides a mobile configuration that will enable the Yubikey to perform desktop login. Using Jamf, we can push these configuration settings to all of the managed devices – eliminating the need for manual configuration which requires command line prompts and is difficult for end users.

3. Login to Managed Devices With Yubikey

Once you’ve completed Yubikey setup, configured desktop login with the SecureW2 client, and pushed the config settings out to managed devices, you’re all set. Users will be able to use the authentication that they established in Step 1 to log in to their desktops with ease.

It’s as simple as sticking the security key into the computer and entering the PIN.

Using a Yubikey to log in to Jamf-managed devices is both supremely secure and very convenient. Any organization that uses Jamf to manage their devices should utilize this method to protect themselves and their data from malicious actors.

SecureW2 has affordable options for organizations of all sizes. For more information on our pricing, click here.