.. Onboarding.rst .. _onboarding: ========== Onboarding ========== This section describes how to onboard YubiEnterprise Services and getting access to the YubiEnterprise Console to start creating shipment requests. When your Yubico sales person or a channel partner has issued a purchase order for the desired products, subscriptions, and services for your organization, the onboarding procedure starts. This includes setting up accounts for your organization and providing access to the Console. .. _onboarding-label: Procedure Overview =================== When Yubico has received the initial purchase order for your organization, an account is created for your organization and the purchased products and services are added to the account. When the account is created, an activation email is automatically sent to the email address of the first user added to the organization's account. This user is assigned the *Console Owner* role, and is added as a *demo user* with permissions restricted as follows: * Cannot ship more than 10 YubiKeys * Cannot add new Console users * Cannot generate API tokens User permissions remain restricted until the demo user registers a security key as part of the onboarding. When a security key has been registered for the account in the Console, the user acquires full Console Owner permissions. The **first Console Owner** performs the following actions during their onboarding: 1. Activates account and performs initial login to the Console. 2. Verifies the content of the first purchase order. 3. Creates an initial shipment request of maximum 10 YubiKeys (optional). 4. Registers at least one security key for their user account to get full feature access. 5. Adds Console users as needed for the organization, at least one more Console Owner is recommended. .. .. note:: Except when activating a first Console Owner account, logging in to the Console always requires a multi-factor authentication (MFA) method that supports FIDO2/WebAuthn, for example a YubiKey. Be aware that if you use a biometric option to log in to your computer, the credentials will be tied to the computer. This means that you might be locked out from the Console if your computer gets a hard reset or you get a new device. The onboarding procedure is described in more detail in the following. .. _prerequisites-label: Prerequisites =============== The following is needed for the onboarding: * A browser such as Chrome, Firefox, or Edge, with the popup-blocking function disabled. * Email with account activation link provided by Yubico. Note that the link expires after 7 days. * To get full Console feature access, you need to register a YubiKey. .. note:: To use the YubiEnterprise API you also need access to the Console to be able to set up an API caller user account with an associated API token. For more information, see :ref:`api-onboarding-pb-label`. .. _procedure-label: Onboarding Procedures ======================= The first user account registered with an organization will also automatically be the first Console Owner (account owner) for the organization. Onboarding a first Console Owner and registering a YubiKey for this account is required to be able to add more Console users for the organization and create shipment requests for YubiKeys. .. note:: It is recommended to have at least two users with the Console Owner role as this is the only role that can perform password and account resets. If your organization only has one Console Owner and that person locks themselves out or leaves your organization, you must contact Yubico to set up a new Console Owner. To add users and assign roles, see :ref:`add-users-label`. The YubiEnterprise Console uses :ref:`passwordless-auth` through YubiKeys. Only passkeys stored on security keys (device-bound passkey) are allowed when logging in. When accessing the Console, you will only use a password during onboarding of your organization as the first user (Console Owner) logging in for the first time. .. _onboard-console-owner: Activating First User -------------------------------- To activate your account and onboard as the first Console user, do the following: 1. Click the **Activate your YubiEnterprise account** link in the activation email you received from Yubico. 2. Create a strong password following the recommendations in the activation dialog and click **Activate Account**. .. image:: graphics/onboard-activate-account.png :width: 450 3. In the YubiEnterprise Console login page that opens, click **Login**. 4. In the **Welcome to the YubiEnterprise Console** dialog, click **Sign in with Password**. .. note:: The "Sign in with Passkey" option displayed in the dialog will be used once you have registered a YubiKey. .. image:: graphics/welcome-dialog.png :width: 450 5. Enter your email address and the previously created password, and click **Sign in with Password**. .. image:: graphics/sign-in-password.png :width: 400 6. In the **YubiEnterprise Console Acceptance Use Policy** dialog, click **I agree** to continue. 7. When successfully logged in you will be taken to the **Dashboard** page for your organization where you can see your initial purchases and YubiKey license inventories. Since you have not yet registered a YubiKey, you will be notified that you are in “demo mode” with limited feature access. .. image:: graphics/dashboard-demo.png :width: 800 8. *Register at least one YubiKey* to get full Console feature access, if you have a YubiKey available at this point. If you *do not have a YubiKey*, you can still order up to 10 keys as a demo user, and register a key when you have one. Continue to step 13 to create an initial shipment request for YubiKeys if you do not have any. If you have a YubiKey, click the link in the **demo mode message** at the top to register a passkey on your YubiKey. In the dialog that opens, click **Create Passkey**. .. image:: graphics/upgrade-passwordless.png :width: 500 9. When prompted, tap your YubiKey and provide the PIN associated with the YubiKey. 10. A passkey is created on the YubiKey, and a passkey confirmation dialog is displayed. A notification with details about the registered YubiKey is sent to the email address associated with your Console account. It is recommended that you register an additional YubiKey as a backup to avoid losing access to the Console. This can be done at any time. Click **Yes, create another** to register a spare YubiKey and follow the instructions. Click **No, I’m done for now** to continue without registering a spare key. .. image:: graphics/passkey-created.png :width: 500 11. When you have registered a YubiKey, you will be prompted to log out and in again using the YubiKey. In the **Welcome to YubiEnterprise Console** dialog, click **Sign in with Passkey**, tap your YubiKey, enter the PIN, and tap your YubiKey again to log in. 12. When you have registered at least one YubiKey you will get full feature access. .. image:: graphics/login-full-access.png :width: 800 13. *Create a first shipment request*. For more information on how to create a shipment request, see :ref:`requesting-shipment-label`. If you did not yet register a YubiKey, you have the option as demo user to request a shipment of up to 10 keys for yourself and other users in your organization. When you have a YubiKey available, follow the steps in the Console login dialog to log in with passkey and gain full feature access, see steps 8-11. 14. *Add an additional Console Owner* for your organization, if not already done (you must first have registered a YubiKey to be able to do this). It is recommended to have at least two users with the Console Owner role. Click **Add Console Owner** in the notification message at the bottom right of the page. 15. *Add more Console users* as needed for your organization, for example IT administrators that will be managing shipment requests, or API integration user accounts. For more information, see :ref:`user-permissions-label`. The system will send activation emails to each new user so they can log in and activate their account as described in :ref:`onboard-users`. New users will need to register a YubiKey to be able to log in to the Console. .. _onboard-users: Activating User Accounts ---------------------------- .. note:: If your organization has Single sign-on (SSO) enabled, new users do not have to activate their account. Users are immediately added to the organization in the *Active* state and can use the SSO service-provider-initiated login link to log in to the Console. For more information, see :ref:`sso-label`. When a Console Owner has added you to the YubiEnterprise Console as a member of your organization you will receive an account activation email from Yubico. You will need a YubiKey to be able to log in to the Console as a new user. To activate your account and log in to the Console for the first time, do the following: 1. Have your YubiKey ready and click the **Activate your YubiEnterprise account** link in the activation email from Yubico. 2. In the setup dialog, click **Activate Account**. .. image:: graphics/activate-account.png :width: 500 3. When prompted, tap your YubiKey and provide the PIN associated with the YubiKey. 4. A passkey is created on the YubiKey, and a passkey confirmation dialog is displayed. A notification with details about the registered YubiKey is sent to the email address associated with your Console account. You will be prompted to register an additional YubiKey as a backup to avoid losing access to the Console if the original key is lost. This can be done at any time. Click **Yes, create another** to register a spare YubiKey and follow the instructions. Click **No, I’m done for now** to continue without registering a spare key. .. image:: graphics/passkey-created.png :width: 500 5. To activate your account, you will be prompted to log out and in again using the newly registered YubiKey. Follow the instructions to log in. 6. In the **YubiEnterprise Console Acceptance Use Policy** dialog, click **I agree** to continue. 7. You will be taken to your organization’s **Dashboard** page which provides an overview of available inventory, and recent shipments and purchase orders. 8. You are now ready to start working in the YubiEnterprise Console! To begin, see the :ref:`Getting started section `. .. _dists+resellers: Distributors and Resellers ---------------------------- Yubico channel partners can use the *Distributor* and *Reseller views* in the YubiEnterprise Console to see what was sold to associated end customers, monitor their inventories, and provide access to purchase order information. To onboard as an account owner for a channel partner organization, follow the procedure for :ref:`onboard-console-owner`. When adding Console users for your organization, you can assign the Distributor and Reseller roles to those specific users. These roles provide access to the Distributor and Reseller views. To add users and assign roles, see :ref:`add-users-label`. For more information about channel partner roles, see :ref:`user-permissions-label`. For more information about channel partner views, see :ref:`dashboard-label`. ------------------------------------- To file a support ticket for YubiEnterprise Delivery, click `Support `_.