Hi Tony - great video, thanks for putting it together. It would have been useful if you also added as to how to deregister yubikey from Macbook. Unfortunately I realized this after that mine is M1 macbook for which no profile was created.
Hey, thanks a lot for your great videos. Is there any option to add a second key as backup, in case i lost my main Key? Would be awesome if you can help me and the community with it. Thanks in advance.
Hello Quentin, thanks for watching. I wish there was a simple way to do this. Unfortunately, there is not. Although, here is an article with very detailed steps, but be aware, you need to have a certain comfort level with the CLI, otherwise don’t attempt. glenngillen.com/setting-up-multiple-yubikeys/
Trey, thanks for watching. At the 1:12 mark in the video just copy the code from the website. Paste it into a text editor and save the file as sample.mobileconfig. Have a great day.
Hi Tony, excellent video. I have a question, you said you were not going to open the file you already copied. Why not open it? Is there any customization to the file required after copying it from apple support page? If so, what do we need to customize? Thanks.
Hello! Glad you enjoyed this part 2 video. To achieve the end result of using the Yubikey only to access the Mac, there is nothing in the sample code that needs to be altered. Just use the copied code as is. Have a great day!
Thank you for your excellent video. It looks like smart card only is possible now with Ventura 13.2? If the YubiKey has NFC, can that be used as well instead of using USB port?
Hello Tonny, please tell me if the key used for unlocking is lost, will it be possible to install the mackbook m1 through apple id with the loss of all data?
Thanks for watching. I’m not 100% sure about the answer to your question. However, what I can recommend strongly is make sure you have a backup of all your data stored somewhere safely so that if you should have to do a complete restore, you’ll be able to do so.
Thanks, Tony another informative video. I followed the instruction and its work very well, but when I try with same steps with a second Yubikey to duplicate(backup key) the key, doesn’t work. Still work login with first key, but not with the second. Please help.
Thanks for commenting. According to Yubico support, a 2nd key is supported. Here’s a link to the help doc - support.yubico.com/hc/en-us/articles/360016649059-Using-Your-YubiKey-as-a-Smart-Card-in-macOS. From what you are describing, you might have to remove all pairings, certificates, etc and start over. Every thing is outlined in this article.
What kind of file did you save the code? I tried to save it with the pages program, but it doesn't open to configure. it just opens it in pages. sorry im not tech savvy
I have not and don’t plan on trying. It’s wasn’t recommended to do this on M1 macs at the time this video was recorded. Unless things have changed since, I wouldn’t suggest trying on an M2 or M3.
@@QuikTechSolutions @QuikTechSolutions Forgot to reply to this; In case it helps anyway, I ended up getting it working weeks ago. This was done on an M3 Macbook Air on Sonoma. See the apple doc under "Smart card-only authentication using machine based enforcement" here for the terminal command (I think UA-cam won't let me paste the link to the doc, but its one of the top 2 search results on google from the official Apple website. Warning: Make sure though you have those YubiKey strings like the PIN recorded somehwere incase you forget it, otherwise you'll get locked out. Note: Also, make sure to enable it from an admin account; I did it from a standard account and inadverntly locked out the admin. Once I disabled this, and enabled it for the admin itself, it worked flawlessly. It also worked fine with multiple YubiKeys and with FileVault on
Hi Tony, I think I did it correctly. Removing the smartcard profile but when i shut down my M1 Studio it's asking for the smartcard password or pin and when I enter the pin or password it doesn't work. Do I need to do the second step by going to the yubico manager and delete as well. I only deleted the profile. Now i'm locked out. Is there a way to get in again using my password and pin. Thanks.
Yes, you have to delete from Yubico Manager as well. You could try starting into Safe Mode. Press and hold the power button on your Mac until “Loading startup options” appears. Select a volume. Press and hold the Shift key, then click Continue in Safe Mode. The computer restarts automatically. When the login window appears, you should see “Safe Boot” in the menu bar.
Copy the sample code from the Apple documentation. Open up a text editor, paste the information. Save using the filename suggested in the video. That’s it. Have a great day!
Hi Tony how do you create this file on the desktop.. when i past the code in the text editor it only gives me the option to save it as a rtf or html..when i do that it just open the text again and not the profile file you show in your video.. can you show us how to create that file and save it on the desktop using text editor please?
Initially this worked perfectly for me, however I just started trying to install python and it popped up a box asking me to sign in with my password in order to install software however my password doesn't work and it says I must use a smart card which i do have plugged in but it isn't asking me for a pin and entering my pin doesn't work. So I can't proceed with either password or pin. Do you know how I need to fix this problem? I also cannot remove the profile. It pops up the same login with password while my yubikey is plugged in but doesn't accept pin or password. I'm kind of stuck and afraid for my computer to lock itself. Help please if you can.
@@QuikTechSolutions 000000 did not work either. I decided to roll the dice and just reboot. I expected I would get locked out and have to do a factory reset. Fortunately when I inserted my yubikey it was asking for pin again instead of password and I was able to get in. I then removed the sample.mobileconfig file that was installed but strangely when I rebooted, when I entered my password it said a smart card was still required. Is it not sufficient to simply remove the installed profile? Or do I actually have to remove the 2 certificates that were installed in order to fully back out of this setup to get back to original state prior to using yubikey?
@seatownrocks that’s exactly right, you have to remove the 2 certificates in addition to the sample.mobileconfig. Glad you were able to get around the issue.
I mistakenly did this using an account that did not have Admin privileges. I am now having an issue accessing the other user accounts. I have tried going into Recovery Mode to execute some terminal commands but I am unable to remove the files listed in the path. I get the error, 'no directory exists'. When looking in the folder path in the account which I can access through the YubiKey, it does not match the location of the paths listed in the commands to execute in terminal. I am basically at the point of having to migrate an old profile from an similar system (user does not have a backup drive). I'd really like to not have to do that so I was just curious to know if there is a way to undo all this when paired with a standard user. Any help is greatly appreciated. Thanks!
@@QuikTechSolutions Hi so I tried doing that but I'm asked to enter the credentials for admin user and password. When I input them it says the "Smart Card must be inserted" however, the smart card is in the machine. Any ideas or do I need to just wipe the machine?
I cant seem to install the script :( i copy the text in text editor but i cant just open it and install what should i do? This is a Macbook air im using
I can only speculate at this time by saying, in theory yes, as it should only apply to the individual user account. However, I would have to test this out to say for sure.
Hello Abhishek, So here's what I came up with during my testing. When applying only the steps in the first video part 1, the user can sign in with the PIN when the Yubikey is inserted, or the password if the Yubikey is not inserted. Other users on the computer can sign into their accounts using their passwords regardless if the Yubikey is inserted. Now if you apply the steps in the second video part 2, then that's an entirely different story. Once I installed the Smart Card Profile System Preference, other users I have setup on the computer could not sign in. When the password is entered, the MacOS returns a response saying Smart Card is required. As soon as the Yubikeyis inserted, the computer switches to the user that is associated with the Smart Card. Hope this makes sense and answers your question. Have a great day.
Copy the code from the Apple Support page. Open a blank text file, paste the contents into the blank file. Save the file using the name sample.mobileconfig.
Hello, thanks for watching. You bring up a very valid point. However, because of the key’s firmware, cloning a key to have as a backup isn’t possible, at least to my knowledge. In some instances, you can register a second Yubikey to a service or website to have as a second key. Or you can program the secret key into a second Yubikey to have a second key. But in the case of MacOS, I haven’t figured out a way to create a second key. Have a great day.
Super clear and concise video! Thank you!
Thank you. 🙏🏻 I appreciate you watching and leaving a comment. Have a great day!
Loved the follow-up video, Tony!
Thanks Frank! Have a great evening!
Great Video Thank You
Anyway to modify the profile so that after 'x' amount of failed attempts it erases the drive?
Not that I am aware.
Thanks, Tony another informative video. I enjoyed it.
Thanks DJ Ware! Appreciate you tuning in and taking the time to comment. Have a great day!
Another great video Tony, very informative!
Hey Jay, thanks for watching!
Great video Tony! absolutely loved it!
Thanks Avi!
Hi Tony - great video, thanks for putting it together. It would have been useful if you also added as to how to deregister yubikey from Macbook. Unfortunately I realized this after that mine is M1 macbook for which no profile was created.
Thank You! I used these steps to add the configs to Intune as well.
Thanks for watching. Glad the content was helpful. Have a great day.
Hey, thanks a lot for your great videos.
Is there any option to add a second key as backup, in case i lost my main Key?
Would be awesome if you can help me and the community with it.
Thanks in advance.
Hello Quentin, thanks for watching. I wish there was a simple way to do this. Unfortunately, there is not. Although, here is an article with very detailed steps, but be aware, you need to have a certain comfort level with the CLI, otherwise don’t attempt. glenngillen.com/setting-up-multiple-yubikeys/
Good to know, thank you @@QuikTechSolutions
I've been looking for this video some time ago :) thank you.
You’re welcome. Thanks for watching.
Thank you!
How do you save the code to your desktop?
Trey, thanks for watching. At the 1:12 mark in the video just copy the code from the website. Paste it into a text editor and save the file as sample.mobileconfig. Have a great day.
Hi Tony, excellent video. I have a question, you said you were not going to open the file you already copied. Why not open it? Is there any customization to the file required after copying it from apple support page? If so, what do we need to customize? Thanks.
Hello! Glad you enjoyed this part 2 video. To achieve the end result of using the Yubikey only to access the Mac, there is nothing in the sample code that needs to be altered. Just use the copied code as is. Have a great day!
Good job pal :)
Thank you and thanks again for watching!
Hi Tony, will this work without issues on Apple MacBook Pro M3? Thanks!
Hi Mark, it was not recommended for the M1 series, so I’d suggest you don’t try. Thanks for watching.
Thaks, subbing to you for this.
Glad the content was helpful. Thanks for subbing.
Thank you for your excellent video. It looks like smart card only is possible now with Ventura 13.2? If the YubiKey has NFC, can that be used as well instead of using USB port?
Hi Jerry, thanks for watching. I don’t believe the Mac natively support NFC.
@@QuikTechSolutions Thank you for your answer! Appreciate!
Hello Tonny, please tell me if the key used for unlocking is lost, will it be possible to install the mackbook m1 through apple id with the loss of all data?
Thanks for watching. I’m not 100% sure about the answer to your question. However, what I can recommend strongly is make sure you have a backup of all your data stored somewhere safely so that if you should have to do a complete restore, you’ll be able to do so.
@@QuikTechSolutions Thanks dude. You're cool.
@vashnaya_ptica appreciate that! Have a great night.
Thanks, Tony another informative video. I followed the instruction and its work very well, but when I try with same steps with a second Yubikey to duplicate(backup key) the key, doesn’t work. Still work login with first key, but not with the second. Please help.
Thanks for commenting. According to Yubico support, a 2nd key is supported. Here’s a link to the help doc - support.yubico.com/hc/en-us/articles/360016649059-Using-Your-YubiKey-as-a-Smart-Card-in-macOS. From what you are describing, you might have to remove all pairings, certificates, etc and start over. Every thing is outlined in this article.
Thank you for quick response! Iwill try again. :)
What kind of file did you save the code? I tried to save it with the pages program, but it doesn't open to configure. it just opens it in pages. sorry im not tech savvy
Thx for watching. I opened a new Text Edit file. Pasted the information, then hit Save. The key is to name it sample.mobileconfig.
Has anyone tried this on Sonoma with Apple Silicon Macs, that have filevault enabled?
I have not and don’t plan on trying. It’s wasn’t recommended to do this on M1 macs at the time this video was recorded. Unless things have changed since, I wouldn’t suggest trying on an M2 or M3.
@@QuikTechSolutions @QuikTechSolutions Forgot to reply to this; In case it helps anyway, I ended up getting it working weeks ago. This was done on an M3 Macbook Air on Sonoma. See the apple doc under "Smart card-only authentication using machine based enforcement" here for the terminal command (I think UA-cam won't let me paste the link to the doc, but its one of the top 2 search results on google from the official Apple website.
Warning: Make sure though you have those YubiKey strings like the PIN recorded somehwere incase you forget it, otherwise you'll get locked out.
Note: Also, make sure to enable it from an admin account; I did it from a standard account and inadverntly locked out the admin. Once I disabled this, and enabled it for the admin itself, it worked flawlessly. It also worked fine with multiple YubiKeys and with FileVault on
Wow, you got this working on an M3. Great job! Thanks for sharing the process here. Have a great day.
Hi Tony, I think I did it correctly. Removing the smartcard profile but when i shut down my M1 Studio it's asking for the smartcard password or pin and when I enter the pin or password it doesn't work. Do I need to do the second step by going to the yubico manager and delete as well. I only deleted the profile. Now i'm locked out. Is there a way to get in again using my password and pin. Thanks.
Yes, you have to delete from Yubico Manager as well. You could try starting into Safe Mode.
Press and hold the power button on your Mac until “Loading startup options” appears.
Select a volume.
Press and hold the Shift key, then click Continue in Safe Mode.
The computer restarts automatically. When the login window appears, you should see “Safe Boot” in the menu bar.
Need to know how to make the text document
Copy the sample code from the Apple documentation. Open up a text editor, paste the information. Save using the filename suggested in the video. That’s it. Have a great day!
Tony - I get an error on profile after clicking on saved configs. I am running Big Sur OS. Is this a known issues or am I missing something?
Tony I am using Catalina and also get an error, when generating a profile, as instructed on your video. Otherwise excellent
Same problem here... Running Venture 13.6.9 :/
@user-bq7cj1qt7j are you running on an Intel or M processor, just curious?
@@QuikTechSolutions running on intel...
Thanks for the info on the processor. Not sure why you’re getting the error. The best I can do is attempt to re-create your scenario here in the lab.
Hi Tony how do you create this file on the desktop.. when i past the code in the text editor it only gives me the option to save it as a rtf or html..when i do that it just open the text again and not the profile file you show in your video.. can you show us how to create that file and save it on the desktop using text editor please?
Hello KVR 99, I suggest you paste the code into BBEdit text editor, then save file with the name sample.mobileconfig. There is a free version for Mac.
I copied the APPLE sample into text file , saved as mobileconfig but when I try to open it returns an error.Any idea why?Many thanks!
Thanks for watching. The only thing that comes to mind is the version of MacOS you’re running.
@@QuikTechSolutions It's a VENTURA 13.2.1.Many thanks!
Initially this worked perfectly for me, however I just started trying to install python and it popped up a box asking me to sign in with my password in order to install software however my password doesn't work and it says I must use a smart card which i do have plugged in but it isn't asking me for a pin and entering my pin doesn't work. So I can't proceed with either password or pin. Do you know how I need to fix this problem? I also cannot remove the profile. It pops up the same login with password while my yubikey is plugged in but doesn't accept pin or password. I'm kind of stuck and afraid for my computer to lock itself. Help please if you can.
Try using the default pin of 000000.
@@QuikTechSolutions 000000 did not work either. I decided to roll the dice and just reboot. I expected I would get locked out and have to do a factory reset. Fortunately when I inserted my yubikey it was asking for pin again instead of password and I was able to get in. I then removed the sample.mobileconfig file that was installed but strangely when I rebooted, when I entered my password it said a smart card was still required. Is it not sufficient to simply remove the installed profile? Or do I actually have to remove the 2 certificates that were installed in order to fully back out of this setup to get back to original state prior to using yubikey?
@seatownrocks that’s exactly right, you have to remove the 2 certificates in addition to the sample.mobileconfig. Glad you were able to get around the issue.
Hi how do I save the file on iMac sorry still new
Copy & paste the code into a text editor such as BBEdit, then save & name as outlined in the video.
I mistakenly did this using an account that did not have Admin privileges. I am now having an issue accessing the other user accounts. I have tried going into Recovery Mode to execute some terminal commands but I am unable to remove the files listed in the path. I get the error, 'no directory exists'. When looking in the folder path in the account which I can access through the YubiKey, it does not match the location of the paths listed in the commands to execute in terminal. I am basically at the point of having to migrate an old profile from an similar system (user does not have a backup drive). I'd really like to not have to do that so I was just curious to know if there is a way to undo all this when paired with a standard user. Any help is greatly appreciated. Thanks!
Hello Josh, delete the Smart Card profile under System Preferences>Profile. Then launch Yubico Manager and delete the two certificates under PIV.
@@QuikTechSolutions Hi so I tried doing that but I'm asked to enter the credentials for admin user and password. When I input them it says the "Smart Card must be inserted" however, the smart card is in the machine. Any ideas or do I need to just wipe the machine?
When you enter the admin credentials and it prompts you for the smart card, remove the Yubikey and re-insert it.
I cant seem to install the script :( i copy the text in text editor but i cant just open it and install what should i do? This is a Macbook air im using
Try using BBEdit.
Can you please advise if another user tries to login into this Mac can he login?
I can only speculate at this time by saying, in theory yes, as it should only apply to the individual user account. However, I would have to test this out to say for sure.
@@QuikTechSolutions thank you so much and that will be great
Hello Abhishek, So here's what I came up with during my testing. When applying only the steps in the first video part 1, the user can sign in with the PIN when the Yubikey is inserted, or the password if the Yubikey is not inserted. Other users on the computer can sign into their accounts using their passwords regardless if the Yubikey is inserted.
Now if you apply the steps in the second video part 2, then that's an entirely different story. Once I installed the Smart Card Profile System Preference, other users I have setup on the computer could not sign in. When the password is entered, the MacOS returns a response saying Smart Card is required. As soon as the Yubikeyis inserted, the computer switches to the user that is associated with the Smart Card. Hope this makes sense and answers your question. Have a great day.
@@QuikTechSolutions thank you so much sir that is very helpful to know.
But how do we create a profile? you didn't explain that.
Hello Eric. Refer to the 1:15 timestamp in the video. It says to copy the code and save it to a file using the name sample.mobileconfig.
@@QuikTechSolutions save it to what file?
Copy the code from the Apple Support page. Open a blank text file, paste the contents into the blank file. Save the file using the name sample.mobileconfig.
again, where is the backup key info, ????? not helpful unless you cover creating a backup key
Hello, thanks for watching. You bring up a very valid point. However, because of the key’s firmware, cloning a key to have as a backup isn’t possible, at least to my knowledge.
In some instances, you can register a second Yubikey to a service or website to have as a second key. Or you can program the secret key into a second Yubikey to have a second key.
But in the case of MacOS, I haven’t figured out a way to create a second key. Have a great day.