Device initialization is straightforward but requires some organization around secret management. In the future, this can be improved by defining a group policy distributed via MDM which can enforce some of the settings mentioned below.
- Enter a new PIN of 8 numeric characters if macOS login is intended. macOS login won't work if the PIN contains letters. Generate this PIN in a password manager and store it there.
- Set the Management Key option to Use a separate key.
- Under Store management key, randomize and store the resulting key on a password manager.
- Enter a new PUK of 8 alphanumeric characters (A-Z, a-z, 0-9 and symbols are allowed), also generated and stored in the password manager.
- When asked if you want to Set up YubiKey for macOS by generating certificates, choose No. This can be handled later and more selectively.
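The steps above leave generating three secrets to the operator. The following added helper (not part of this guide's tooling) generates them with a CSPRNG and checks the constraints the steps impose: a purely numeric 8-character PIN for macOS login, an 8-character PUK, and a randomized management key. The 24-byte management key length, the default factory values used to detect an uninitialized token, and the PUK symbol set are assumptions.

```python
import re
import secrets
import string

# Constraints from the setup steps above.
PIN_LEN = 8
PUK_LEN = 8
MGMT_KEY_BYTES = 24  # assumption: 3DES/AES-192 management key length

# Well-known PIV factory defaults (assumption: used only to flag "still default").
FACTORY_PIN = "123456"
FACTORY_PUK = "12345678"
FACTORY_MGMT_KEY = "010203040506070801020304050607080102030405060708"

# Assumption: letters, digits and a conservative set of symbols for the PUK.
PUK_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def validate_pin(pin: str) -> tuple[bool, str]:
    """macOS login requires a PIN of exactly PIN_LEN ASCII digits."""
    if pin == FACTORY_PIN:
        return False, "PIN is still the factory default"
    if not re.fullmatch(r"[0-9]{%d}" % PIN_LEN, pin):
        return False, "PIN must be exactly %d digits, no letters" % PIN_LEN
    return True, "ok"


def validate_puk(puk: str) -> tuple[bool, str]:
    """PUK: exactly PUK_LEN characters drawn from PUK_ALPHABET, not the default."""
    if puk == FACTORY_PUK:
        return False, "PUK is still the factory default"
    if len(puk) != PUK_LEN or any(c not in PUK_ALPHABET for c in puk):
        return False, "PUK must be %d characters from the allowed set" % PUK_LEN
    return True, "ok"


def validate_management_key(key_hex: str) -> tuple[bool, str]:
    """Management key: MGMT_KEY_BYTES bytes given as hex, not the default."""
    if key_hex.lower() == FACTORY_MGMT_KEY:
        return False, "management key is still the factory default"
    if not re.fullmatch(r"[0-9a-fA-F]{%d}" % (2 * MGMT_KEY_BYTES), key_hex):
        return False, "management key must be %d hex characters" % (2 * MGMT_KEY_BYTES)
    return True, "ok"


def generate_pin() -> str:
    return "".join(secrets.choice(string.digits) for _ in range(PIN_LEN))


def generate_puk() -> str:
    return "".join(secrets.choice(PUK_ALPHABET) for _ in range(PUK_LEN))


def generate_management_key() -> str:
    return secrets.token_hex(MGMT_KEY_BYTES)
```

Paste the generated values into the corresponding fields of the setup dialog and into the password manager entries; the validators are there to catch a PIN with letters or a value left at its factory default before it is committed to the token.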