Rapid Response - Rocketman-Tech/rcc GitHub Wiki

The Rapid Response tool deploys a LaunchDaemon on a Mac that continuously monitors for a specific Managed Preference file (plist) deployed via Jamf Pro. As soon as the plist is detected, Rapid Response quickly executes a shell script defined within it—bypassing the usual Jamf check-in schedule. This rapid execution is especially useful for running critical security tasks with minimal delay.

Quick Start

To deploy Rapid Response and load the associated LaunchDaemon, run:

rocketman RapidResponse \
  --plistName tech.rocketman.rapidresponse \
  --action load

This command will:

  1. Create (or load) the LaunchDaemon at /Library/LaunchDaemons/tech.rocketman.rapidresponse.plist.
  2. Monitor for the managed plist at /Library/Managed Preferences/tech.rocketman.rapidresponse.plist.
  3. Execute the shell script specified in the plist as soon as it is detected.

Note

“Background Items Added” Notification
After loading the Rapid Response LaunchDaemon, the system may display a “Background Items Added” alert referencing “Rocketman Management LLC.” (see the screenshot below). This is normal behavior and indicates that the LaunchDaemon is now running in the background.

Command Options

Primary Parameters

--plistName [string]

Specifies the name of the managed plist to monitor.

  • Default: tech.rocketman.rapidresponse
  • Example: 
    --plistName tech.rocketman.rapidresponse

Note

The value provided here will also determine the name of the LaunchDaemon that gets created.
For example, if you set --plistName custom.response, the corresponding LaunchDaemon will be named:
/Library/LaunchDaemons/custom.response.plist

--action [load | unload | delete]

Defines the action to perform on the LaunchDaemon.

  • Default: load
  • Options:
    • load: Creates the LaunchDaemon if it does not exist, or loads it if it is not running.
    • unload: Unloads the LaunchDaemon if it is currently running.
    • delete: Unloads and then deletes the LaunchDaemon.
  • Example: 
    --action unload

Managed Plist Format

Rapid Response relies on a managed plist—deployed via a Jamf Pro Configuration Profile—to know when and what script to execute.

Key Options

  • Frequency (Default: once)
    • Specifies how often the script should run while the managed plist remains deployed.
    • Options:
      • once: Execute the script one time per computer.
      • hourly: Execute every hour.
      • daily: Execute every day.
      • weekly: Execute every week.
      • monthly: Execute every month.
  • Script
    • The shell command to be executed as soon as the plist is detected (e.g., jamf policy).

Example Managed Plist

Deploy this file to /Library/Managed Preferences/tech.rocketman.rapidresponse.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>frequency</key>
    <string>once</string>
    <key>script</key>
    <string>echo 'Executed once'</string>
  </dict>
</plist>

Workflow

Rapid Response operates through the following process:

  1. Deployment:
    A LaunchDaemon is installed in /Library/LaunchDaemons (using the name specified by --plistName, defaulting to tech.rocketman.rapidresponse).

  2. Monitoring:
    The LaunchDaemon continuously checks for the existence of the managed plist, defaulting to /Library/Managed Preferences/tech.rocketman.rapidresponse.plist.

  3. Execution:
    When the managed plist is detected, Rapid Response:

    • Reads the values: 
      defaults read /Library/Managed\ Preferences/tech.rocketman.rapidresponse frequency

defaults read /Library/Managed\ Preferences/tech.rocketman.rapidresponse script
    • Immediately executes the shell script defined in the plist.
    • Sets itself up to run again after the next interval as determined by the frequency option.

  4. Resetting:
    If the managed plist is removed (for example, by unscoping it via Jamf), the LaunchDaemon resets its schedule and waits for the plist to reappear—allowing administrators to force an immediate re-run by simply toggling the configuration.

Note:
It is possible to deploy multiple Rapid Response workflows concurrently, each monitoring a different plist. However, configuring multiple workflows to monitor the same plist may lead to conflicts.

Extension Attribute: RapidResponseStatus

To monitor the status of Rapid Response on each inventory update, use the RapidResponseStatus tool via an extension attribute. When executed, it outputs:

LD Status: | PLIST Status: | Last Run Time: | Next Run Time:

Status Definitions

  • LD Status:
    • Watching: The LaunchDaemon is loaded.
    • Unloaded: The LaunchDaemon is not running.
    • Absent: The LaunchDaemon does not exist.
    • Error: An issue was detected with the LaunchDaemon.
  • PLIST Status:
    • Detected: The managed plist is present.
    • Undetected: The managed plist is absent.
    • Error: An error occurred while checking the plist.
  • Last Run Time:
    Displays the timestamp of the last execution in YYYY-MMM-DD HH:MM UTC format, or Never if it hasn’t run.
  • Next Run Time:
    Shows the scheduled time for the next execution. If the managed plist is undetected, it indicates Immediately.

Examples

  • If the script has run at least once: 
    LD Status: Watching | PLIST Status: Detected | Last Run Time: 2025-Feb-02 16:32 UTC | Next Run Time: 2025-Feb-10 16:32 UTC
  • If the script has not yet run: 
    LD Status: Watching | PLIST Status: Undetected | Last Run Time: Never | Next Run Time: Immediately
  • If the LaunchDaemon is missing: 
    LD Status: Absent | PLIST Status: | Last Run Time: | Next Run Time:

To run the status check:

rocketman RapidResponseStatus --plistName tech.rocketman.rapidresponse

RapidResponseExecution

The RapidResponseExecution tool allows you to immediately execute the shell script specified in the managed plist.

Parameter

  • --plistName [string]
    • Identifies the managed plist to reference.
    • Default: tech.rocketman.rapidresponse
  • Example: 
    rocketman RapidResponseExecution --plistName tech.rocketman.rapidresponse

Validations

After deploying Rapid Response, verify its proper operation using these checks:

  • LaunchDaemon File:
    Confirm the file exists at /Library/LaunchDaemons/tech.rocketman.rapidresponse.plist.
  • LaunchDaemon Status:
    Run: 
    sudo launchctl list | grep tech.rocketman.rapidresponse
    to ensure the LaunchDaemon is loaded.
  • Managed Plist:
    Ensure /Library/Managed Preferences/tech.rocketman.rapidresponse.plist is present.
  • Status Plist:
    Verify /Library/Preferences/tech.rocketman.rapidresponse.plist contains the frequency, next run time, and last run time information.
  • Log Files:
    Monitor these logs for troubleshooting:
    • Main log: 
      tail -f /var/log/rocketman.log
    • Execution log: 
      tail -f /var/log/tech.rocketman.rapidresponse.log
    • Error log: 
      tail -f /var/log/tech.rocketman.rapidresponse_error.log

Warning

Rapid Response supports running multiple workflows independently, allowing you to deploy multiple instances of the tool, each monitoring a different managed plist. However, keep these points in mind:

  • Each LaunchDaemon must be uniquely named and assigned to a distinct plist to function properly.
  • If multiple workflows are configured to monitor the same plist, they will likely interfere with each other, potentially causing unpredictable behavior.
  • This setup is entirely within the user's control—Rapid Response does not prevent multiple workflows from referencing the same plist. Ensure your configurations are distinct to avoid conflicts.

Tip

Professional setup, custom integrations, and SLA-backed support are available.
➡️ Learn more

⚠️ **GitHub.com Fallback** ⚠️