Break Glass Admin - Rocketman-Tech/rcc GitHub Wiki
The Break Glass Admin tool creates or manages a backdoor administrator account with a customizable, secure password. It supports both static and randomized password generation methods and is designed for emergency access to user devices. Passwords can be stored securely in the system keychain (`local`), in Jamf Pro as an Extension Attribute (`remote`), or in both locations (`both`).
> **Note:** If the specified backdoor admin account already exists on the system, Break Glass Admin will automatically rotate its password using the configured method. It will not delete or recreate the account unless the `--force` flag is provided and a password change attempt fails. This ensures a safe and non-destructive update flow by default.
To quickly create a backdoor admin account with a randomized password (generated using the NATO phonetic alphabet) that is stored in the local keychain and in Jamf Pro, you will need to deploy the following:
- Configuration Profile
- Policy
- Extension Attribute
Below is a Managed PLIST that can be deployed through a Configuration Profile to the following domain: `tech.rocketman.breakglass`

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>passMethod</key>
    <string>nato</string>
    <key>storage</key>
    <string>local</string>
    <key>shortName</key>
    <string>breakglass</string>
    <key>extAttr</key>
    <string>RCC Break Glass Admin Password</string>
    <key>keyChain</key>
    <string>/Library/Keychains/System.keychain</string>
    <key>fullName</key>
    <string>Break Glass Admin</string>
</dict>
</plist>
```
When using the `local` storage method for the backdoor admin password, you will need to create an Extension Attribute to retrieve the backdoor admin password. See it in this GitHub Gist.

For details on setting up the Jamf Pro Extension Attribute with local keychain storage, visit: Get Backdoor Admin Password From Keychain
When setting up the Launch a Tool Script in Jamf Pro, use the following script parameters:

- Parameter 4 (Global Options and Tool Name): `BreakGlassAdmin`
> **Important:** Make sure to check the “Update Inventory” box in the policy's maintenance payload. Without it, extension attributes won’t refresh during recurring check-in.

> **Tip:** Best practice: Run the Break Glass Admin tool on a weekly schedule via a recurring check-in policy to rotate the password regularly. For new devices, consider using a separate one-time onboarding policy to create the account and set the initial password.
### `--passMethod`

Specifies the password generation method.

- Default: `nato`
- Options:
  - `nato`: Uses words from the NATO phonetic alphabet (e.g., “WhiskeyTangoFoxtrot”).
  - `xkcd`: Generates random words in the style of the XKCD webcomic.
  - `names`: Similar to `xkcd` but uses proper names.
  - `wopr`: Mimics launch codes from the movie WarGames (e.g., “CPE 1704 TKS”).
  - `pseudoRandom`: Follows the University of Nebraska’s LAPS format to generate a pseudorandom password.
  - `static`: Uses a user-specified password (see `--staticPassword`).
  - `custom`: Allows complete customization via additional parameters.
- Example: `--passMethod xkcd`
### `--storage`

Specifies where the password will be stored.

> **Tip:** For security and stability, use the `local` storage method. The `both` and `remote` options are advanced storage options provided only for legacy scenarios and migration from older LAPS methods.

- Default: `local`
- Options:
  - `local`: Stores the password in a hidden, secure file on the system keychain. This file is accessible only by Rocketman Command Center and can (if desired) be synced to Jamf Pro through an Extension Attribute. For details on setting up this Extension Attribute, see Get Backdoor Admin Password From Keychain.
  - `remote`: Stores the password directly in Jamf Pro via the API as an Extension Attribute. This legacy method is less secure and less stable than `local` storage because it involves sending Jamf Pro API credentials in plain text. It is only required in certain use cases. Requires `--clientId` and `--clientSecret`.
  - `both`: Stores the password in both the `local` system keychain and the `remote` Jamf Pro Extension Attribute. This option is useful when migrating from older LAPS methods where the password is only stored within a Jamf Pro Extension Attribute. Once all passwords are stored locally, you can eliminate the API call and use the more secure `local` method exclusively. Requires `--clientId` and `--clientSecret`.
- Example: `--storage local`
### `--shortName`

The username for the backdoor admin account.

- Default: `commander`
- Example: `--shortName emergencyAdmin`

### `--fullName`

The full name associated with the backdoor admin account.

- Default: `Breakglass Admin`
- Example: `--fullName "Emergency Administrator"`
### `--adminVisible`

Makes the backdoor admin account visible when this flag is set; without it, the account is hidden.

- Type: Boolean
- Default: Hidden
- Example: `--adminVisible`

### `--staticPassword`

Specifies a static password for the account. Only applicable when using `--passMethod static`.

- Example: `--staticPassword "SuperSecretPassword123!"`
### `--num`

Defines the number of words or characters in the generated password.

- Type: integer
- Default: Depends on the chosen `--passMethod`
- Example: `--num 4`

### `--force`

Forces account recreation if the password retrieval process fails.

- Type: boolean
- Example: `--force`

### `--defaultPass`

A fallback password that will be attempted if the regular password retrieval process fails.

- Example: `--defaultPass "BackupPassword123!"`

### `--keyChain`

Specifies the path to the keychain file for `local` password storage.

- Default: `/Library/Keychains/System.keychain`
- Example: `--keyChain "/Library/Keychains/Custom.keychain"`
### `--minLower`, `--minUpper`, `--minDigit`, `--minSpecial`

Only applicable when using `--passMethod custom`.

- `--minLower [integer]`: Minimum number of lowercase characters. (Default: 1)
- `--minUpper [integer]`: Minimum number of uppercase characters. (Default: 1)
- `--minDigit [integer]`: Minimum number of digits. (Default: 1)
- `--minSpecial [integer]`: Minimum number of special characters. (Default: 1)
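The `custom` method and its minimum-count parameters, as an added example that is not part of the rcc tool: a bash generator that draws the required number of characters of each class from `/dev/urandom`, fills to the requested length, shuffles, and a checker for the same minimums. The special-character set is an assumption; the tool's own set is not documented on this page.

```bash
#!/usr/bin/env bash
# Added example, not part of the rcc tool: a generator for the `custom`
# --passMethod honouring --minLower/--minUpper/--minDigit/--minSpecial, and a
# checker for those minimums. Randomness comes from /dev/urandom, not $RANDOM.
# The special-character set is an assumption; the tool's own set is undocumented.
LOWER='abcdefghijklmnopqrstuvwxyz'; UPPER='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
DIGIT='0123456789'; SPECIAL='!@#%^&*()_+=-'
ALL="$LOWER$UPPER$DIGIT$SPECIAL"

# rand_below N: uniform integer in [0, N); rejection sampling avoids modulo bias
rand_below() {
  local n=$1 r limit=$(( 4294967296 - 4294967296 % $1 ))
  while r=$(od -An -N4 -tu4 /dev/urandom | tr -d ' '); [ "$r" -ge "$limit" ]; do :; done
  echo $(( r % n ))
}

# pick_from SET: one uniformly chosen character of SET
pick_from() { local s=$1; printf '%s\n' "${s:$(rand_below ${#s}):1}"; }

# count_class STRING SET: number of characters of STRING that belong to SET
count_class() {
  local s=$1 set=$2 i n=0
  for (( i = 0; i < ${#s}; i++ )); do
    case "$set" in *"${s:i:1}"*) n=$(( n + 1 )) ;; esac
  done
  echo "$n"
}

# check_policy PASSWORD MINLOWER MINUPPER MINDIGIT MINSPECIAL: returns 0 if all are met
check_policy() {
  [ "$(count_class "$1" "$LOWER")" -ge "$2" ] && [ "$(count_class "$1" "$UPPER")" -ge "$3" ] &&
  [ "$(count_class "$1" "$DIGIT")" -ge "$4" ] && [ "$(count_class "$1" "$SPECIAL")" -ge "$5" ]
}

# gen_custom LENGTH MINLOWER MINUPPER MINDIGIT MINSPECIAL: the required characters are
# drawn first, the rest from ALL, then Fisher-Yates shuffled so no class sits at a
# fixed position (if the minimums exceed LENGTH, the password is simply longer).
gen_custom() {
  local len=$1 chars='' i j tmp; local -a a
  for (( i = 0; i < $2; i++ )); do chars+=$(pick_from "$LOWER"); done
  for (( i = 0; i < $3; i++ )); do chars+=$(pick_from "$UPPER"); done
  for (( i = 0; i < $4; i++ )); do chars+=$(pick_from "$DIGIT"); done
  for (( i = 0; i < $5; i++ )); do chars+=$(pick_from "$SPECIAL"); done
  while [ ${#chars} -lt "$len" ]; do chars+=$(pick_from "$ALL"); done
  for (( i = 0; i < ${#chars}; i++ )); do a[i]=${chars:i:1}; done
  for (( i = ${#a[@]} - 1; i > 0; i-- )); do
    j=$(rand_below $(( i + 1 ))); tmp=${a[i]}; a[i]=${a[j]}; a[j]=$tmp
  done
  printf '%s' "${a[@]}"; echo
}
```

Run `gen_custom 16 1 1 1 1` to mirror the documented defaults, or `check_policy "$pw" 2 2 2 2` to verify an existing password against stricter minimums.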
> **Note:** The following parameters are provided only for advanced configurations (typically when migrating from older LAPS methods). It is strongly recommended to use `local` storage exclusively for improved security and stability.
### `--clientId`

Jamf Pro API Client ID for remote storage configurations.

- Usage: Required only when `--storage` is set to `remote` or `both` as part of a legacy setup.
- Example: `--clientId ABCD1234`

### `--clientSecret`

Jamf Pro API Client Secret for remote storage configurations.

- Usage: Required only when `--storage` is set to `remote` or `both` as part of a legacy setup.
- Example: `--clientSecret XYZ7890`

### `--extAttr`

Specifies the name of the Jamf Pro Extension Attribute used to store the password when using `remote` or `both` storage.

- Default: `RCC: Breakglass Admin Password - Commander`
- Example: `--extAttr "RCC: Breakglass Admin Password - Commander"`

### `--domain`

Specifies the domain for setting options in local or managed plists.

- Type: string
- Default: `tech.rocketman.breakglass`
- Example: `--domain "tech.rocketman.customdomain"`
When saving the backdoor admin password locally, it is saved in the keychain defined by `--keyChain`, under the name defined by `--extAttr`, for the account defined by `--shortName`. These fields must be defined in the plist `/Library/Managed Preferences/tech.rocketman.breakglass.plist` so that the GetBackdoorAdminPasswordFromKeychain tool can retrieve the password and insert it into the Jamf Pro Extension Attribute defined by `--extAttr`. By default `--keyChain` is `/Library/Keychains/System.keychain`, `--extAttr` is `BreakGlass Admin Password`, and `--shortName` is `commander`.

- For details on setting up the Jamf Pro Extension Attribute with local keychain storage, visit: Get Backdoor Admin Password From Keychain
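To catch the misconfigurations this page describes before a profile ships (`static` without `staticPassword`, `remote` or `both` without API credentials, `local` storage without the three keys the keychain Extension Attribute needs), here is an added bash validator for the Managed PLIST. It is not part of the rcc tool and assumes a flat XML plist; the `write_sample_plist` input is constructed from the plist shown earlier on this page.

```bash
#!/usr/bin/env bash
# Added example, not part of the rcc tool: checks a Managed PLIST for the
# tech.rocketman.breakglass domain against the option rules on this page before it
# goes into a Configuration Profile. Assumes a flat XML plist, not a binary one.
# plist_get FILE KEY: value of the <string>/<integer> that follows <key>KEY</key>
plist_get() {
  awk -v k="$2" '
    { line = $0 }
    match(line, /<key>[^<]*<\/key>/) {
      cur = substr(line, RSTART + 5, RLENGTH - 11); line = substr(line, RSTART + RLENGTH) }
    cur == k && match(line, /<(string|integer)>[^<]*<\/(string|integer)>/) {
      v = substr(line, RSTART, RLENGTH); sub(/^<[a-z]*>/, "", v); sub(/<\/[a-z]*>$/, "", v)
      print v; exit }
  ' "$1"
}
# fail MSG: report one problem and count it (errors is a local of the caller)
fail() { echo "problem: $1"; errors=$(( errors + 1 )); }
# validate_plist FILE: prints every problem found, returns 0 only if there is none
validate_plist() {
  local f=$1 m s k errors=0
  m=$(plist_get "$f" passMethod); s=$(plist_get "$f" storage)
  case "${m:-nato}" in nato|xkcd|names|wopr|pseudoRandom|static|custom) ;;
    *) fail "passMethod '$m' is not a documented method" ;; esac
  case "${s:-local}" in local|remote|both) ;;
    *) fail "storage '$s' must be local, remote or both" ;; esac
  [ "$m" = static ] && [ -z "$(plist_get "$f" staticPassword)" ] && fail "static needs staticPassword"
  case "$s" in remote|both)
    # remote/both put Jamf Pro API client credentials on every device (the page's
    # reason to prefer local); when they are used, both credentials are required
    for k in clientId clientSecret; do
      [ -n "$(plist_get "$f" "$k")" ] || fail "storage $s requires $k"
    done ;; esac
  case "${s:-local}" in local|both)
    # the keychain Extension Attribute locates the password by these three keys
    for k in keyChain extAttr shortName; do
      [ -n "$(plist_get "$f" "$k")" ] || fail "local storage needs $k set"
    done ;; esac
  [ "$errors" -eq 0 ]
}
# write_sample_plist FILE: constructed input mirroring the managed plist on this page
write_sample_plist() {
  cat > "$1" <<'EOF'
<plist version="1.0"><dict>
<key>passMethod</key><string>nato</string>
<key>storage</key><string>local</string>
<key>shortName</key><string>breakglass</string>
<key>extAttr</key><string>RCC Break Glass Admin Password</string>
<key>keyChain</key><string>/Library/Keychains/System.keychain</string>
</dict></plist>
EOF
}
```

Run `validate_plist /path/to/tech.rocketman.breakglass.plist` on the XML you are about to upload; a non-zero exit plus the printed problems means the profile would deploy a configuration the tool cannot complete.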