Get Backdoor Admin Password From Keychain
The Get Backdoor Admin Password From Keychain tool retrieves the password of a designated "backdoor" or breakglass admin account from the system keychain. It is primarily designed for integration with Jamf extension attributes.
To use this tool effectively within a Jamf extension attribute, refer to the following script example:
```zsh
#!/bin/zsh
# Define the username, extension attribute and keychain path of the backdoor admin account
BreakglassAdminUsername=$(defaults read "/Library/Managed Preferences/tech.rocketman.breakglass.plist" shortName)
BreakglassAdminExtAttr=$(defaults read "/Library/Managed Preferences/tech.rocketman.breakglass.plist" extAttr)
BreakglassAdminKeyChain=$(defaults read "/Library/Managed Preferences/tech.rocketman.breakglass.plist" keyChain)

# Check if rocketman (RCC) is installed
if ! command -v rocketman &>/dev/null; then
    echo "<result>RCC Not Installed</result>"
    exit 0
fi

# Retrieve the password from the keychain
BreakglassAdminLog=$(
    rocketman GetBackdoorAdminPasswordFromKeychain \
        --shortName "$BreakglassAdminUsername" \
        --extAttr "$BreakglassAdminExtAttr" \
        --keyChain "$BreakglassAdminKeyChain" \
        2>/dev/null
)
exitCode=$?
# The password is the second-to-last line of the tool's output
BreakglassAdminPassword=$(echo "$BreakglassAdminLog" | tail -n2 | head -n1)

# Evaluate the result
if [[ $exitCode -eq 0 && -n "$BreakglassAdminPassword" ]]; then
    echo "<result>$BreakglassAdminPassword</result>"
elif [[ $exitCode -eq 1 ]]; then
    # Tool indicates no password set
    echo "<result>No Backdoor Admin Password Set</result>"
else
    # Any other non-zero exit code is considered an unknown error
    echo "<result>Other Error Occurred</result>"
fi
```
This script:
- Sets the username, extension attribute and keychain path for a backdoor admin account.
- Checks if the Rocketman Command Center (RCC) is installed and indicates if it is not.
- Attempts to securely retrieve the password for the specified account from the keychain using RCC.
- Outputs the password or a relevant status message in a format suitable for Jamf extension attributes.
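As an added example (not part of the Rocketman project or its documentation), the following wrapper keeps the same extension-attribute behaviour but falls back to the tool's documented defaults when a managed preference key is missing, and isolates the exit-code evaluation so it can be checked without RCC installed. It assumes the managed plist path and key names used in the script above.

```bash
#!/bin/bash
# Added example, not part of the Rocketman project: an extension-attribute wrapper
# that falls back to the tool's documented defaults when a managed preference key
# is missing, and keeps the exit-code evaluation in a testable function.

PLIST="/Library/Managed Preferences/tech.rocketman.breakglass.plist"

# Read one key from the managed plist. `defaults read` prints nothing and exits
# non-zero when the plist or key is absent, so the documented default is used
# instead (also when `defaults` itself is unavailable, e.g. off macOS).
read_pref() {
  local key="$1" fallback="$2" value=""
  if command -v defaults >/dev/null 2>&1; then
    value=$(defaults read "$PLIST" "$key" 2>/dev/null) || value=""
  fi
  printf '%s' "${value:-$fallback}"
}

# Map the tool's exit code and captured output to the EA <result> string.
# As in the documented script, the password is the second-to-last output line;
# exit 1 means no password is set, and any other non-zero code is an error.
ea_result() {
  local exit_code="$1" output="$2" password
  password=$(printf '%s\n' "$output" | tail -n2 | head -n1)
  if [ "$exit_code" -eq 0 ] && [ -n "$password" ]; then
    printf '<result>%s</result>' "$password"
  elif [ "$exit_code" -eq 1 ]; then
    printf '<result>No Backdoor Admin Password Set</result>'
  else
    printf '<result>Other Error Occurred</result>'
  fi
}

main() {
  if ! command -v rocketman >/dev/null 2>&1; then
    echo "<result>RCC Not Installed</result>"
    return 0
  fi
  local user attr chain log code
  user=$(read_pref shortName commander)
  attr=$(read_pref extAttr "RCC Break Glass Admin Password")
  chain=$(read_pref keyChain /Library/Keychains/System.keychain)
  log=$(rocketman GetBackdoorAdminPasswordFromKeychain --shortName "$user" \
          --extAttr "$attr" --keyChain "$chain" 2>/dev/null) && code=0 || code=$?
  ea_result "$code" "$log"
  echo
}

main "$@"
```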
Required parameters: None. This tool can run without specifying optional parameters.

Optional parameters:

`--shortName`: The short name or username of the admin account whose password is stored in the keychain.
- Type: string
- Default: `commander`
- Example: `rocketman GetBackdoorAdminPasswordFromKeychain --shortName breakglass`

`--extAttr`: The name of the extension attribute used to store the password in the keychain. This attribute enables precise retrieval of the password.
- Type: string
- Default: `RCC Break Glass Admin Password`
- Example: `rocketman GetBackdoorAdminPasswordFromKeychain --extAttr "BreakGlass Admin Password"`

`--domain`: Specifies the domain to use for locating configuration options in local or managed .plist files.
- Type: string
- Default: `tech.rocketman.getbdadminpassfromkeychain`
- Example: `rocketman GetBackdoorAdminPasswordFromKeychain --domain "custom.domain.getBackdoorPassword"`

`--keyChain`: Path to the keychain file where the password is stored. Typically set to `/Library/Keychains/System.keychain` for system-wide credentials.
- Type: string
- Default: `/Library/Keychains/System.keychain`
- Example: `rocketman GetBackdoorAdminPasswordFromKeychain --keyChain /Library/Keychains/System.keychain`
- Recommended Usage: While this tool can be used directly from the command line, its primary use case is within Jamf extension attributes for secure, automated password retrieval.
- Keychain Access: Ensure the specified keychain file contains the correct password entry. Use the `--keyChain` parameter to point to the appropriate file.
- Case Sensitivity: The extension attribute provided with `--extAttr` is case-sensitive. Ensure it matches the exact name used in the keychain.