Device initialization

Source: Yubico

Device initialization is straightforward but requires some organization around secret management. In the future, this can be improved by defining a group policy distributed via MDM which can enforce some of the settings mentioned below.

1. Enter a new PIN with 8 numeric characters if macOS login is intended. macOS won't work if the PIN contains alphanumeric characters. Generate and store this PIN securely on a password manager.
2. Set the Management Key option to Use a separate key.
3. Under Store management key, randomize and store the resulting key on a password manager.
4. Enter a new PUK with 8 alphanumeric characters (A-Z, a-z, 0-9 and symbols are allowed), also generated on a password manager.
5. When asked if you want to Set up Yubikey for macOS by generating certificates, choose No. This can be handled later on more selectively.