Rapid Response
The Rapid Response tool deploys a LaunchDaemon on a Mac that continuously monitors for a specific Managed Preference file (plist) deployed via Jamf Pro. As soon as the plist is detected, Rapid Response quickly executes a shell script defined within it—bypassing the usual Jamf check-in schedule. This rapid execution is especially useful for running critical security tasks with minimal delay.
To deploy Rapid Response and load the associated LaunchDaemon, run:
rocketman RapidResponse \
--plistName tech.rocketman.rapidresponse \
--action loadThis command will:
- Create (or load) the LaunchDaemon at
/Library/LaunchDaemons/tech.rocketman.rapidresponse.plist. - Monitor for the managed plist at
/Library/Managed Preferences/tech.rocketman.rapidresponse.plist. - Execute the shell script specified in the plist as soon as it is detected.
Note
“Background Items Added” Notification
After loading the Rapid Response LaunchDaemon, the system may display a “Background Items Added” alert referencing “Rocketman Management LLC.” (see the screenshot below). This is normal behavior and indicates that the LaunchDaemon is now running in the background.
Specifies the name of the managed plist to monitor.
-
Default:
tech.rocketman.rapidresponse -
Example:
--plistName tech.rocketman.rapidresponse
Note
The value provided here will also determine the name of the LaunchDaemon that gets created.
For example, if you set --plistName custom.response, the corresponding LaunchDaemon will be named:
/Library/LaunchDaemons/custom.response.plist
Defines the action to perform on the LaunchDaemon.
-
Default:
load -
Options:
- load: Creates the LaunchDaemon if it does not exist, or loads it if it is not running.
- unload: Unloads the LaunchDaemon if it is currently running.
- delete: Unloads and then deletes the LaunchDaemon.
- execute: Execute script from Managed Plist deployed via a Jamf Pro Configuration Profile.
- status: Checks the status of the launch daemon
-
Example:
--action unload
Rapid Response relies on a managed plist—deployed via a Jamf Pro Configuration Profile—to know when and what script to execute.
-
Frequency (Default: once)
- Specifies how often the script should run while the managed plist remains deployed.
-
Options:
-
once: Execute the script one time per computer. -
hourly: Execute every hour. -
daily: Execute every day. -
weekly: Execute every week. -
monthly: Execute every month.
-
-
Script
- The shell command to be executed as soon as the plist is detected (e.g.,
jamf policy).
- The shell command to be executed as soon as the plist is detected (e.g.,
Deploy this file to /Library/Managed Preferences/tech.rocketman.rapidresponse.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>frequency</key>
<string>once</string>
<key>script</key>
<string>echo 'Executed once'</string>
</dict>
</plist>Rapid Response operates through the following process:
-
Deployment:
A LaunchDaemon is installed in/Library/LaunchDaemons(using the name specified by--plistName, defaulting totech.rocketman.rapidresponse). -
Monitoring:
The LaunchDaemon continuously checks for the existence of the managed plist, defaulting to/Library/Managed Preferences/tech.rocketman.rapidresponse.plist. -
Execution:
When the managed plist is detected, Rapid Response:- Reads the values:
defaults read /Library/Managed\ Preferences/tech.rocketman.rapidresponse frequency defaults read /Library/Managed\ Preferences/tech.rocketman.rapidresponse script
- Immediately executes the shell script defined in the plist.
- Sets itself up to run again after the next interval as determined by the
frequencyoption.
- Reads the values:
-
Resetting:
If the managed plist is removed (for example, by unscoping it via Jamf), the LaunchDaemon resets its schedule and waits for the plist to reappear—allowing administrators to force an immediate re-run by simply toggling the configuration.
Note:
It is possible to deploy multiple Rapid Response workflows concurrently, each monitoring a different plist. However, configuring multiple workflows to monitor the same plist may lead to conflicts.
To monitor the status of Rapid Response on each inventory update, use the RapidResponseStatus tool via an extension attribute. When executed, it outputs:
LD Status: | PLIST Status: | Last Run Time: | Next Run Time:
-
LD Status:
- Watching: The LaunchDaemon is loaded.
- Unloaded: The LaunchDaemon is not running.
- Absent: The LaunchDaemon does not exist.
- Error: An issue was detected with the LaunchDaemon.
-
PLIST Status:
- Detected: The managed plist is present.
- Undetected: The managed plist is absent.
- Error: An error occurred while checking the plist.
-
Last Run Time:
Displays the timestamp of the last execution inYYYY-MMM-DD HH:MM UTCformat, orNeverif it hasn’t run. -
Next Run Time:
Shows the scheduled time for the next execution. If the managed plist is undetected, it indicatesImmediately.
- If the script has run at least once:
LD Status: Watching | PLIST Status: Detected | Last Run Time: 2025-Feb-02 16:32 UTC | Next Run Time: 2025-Feb-10 16:32 UTC - If the script has not yet run:
LD Status: Watching | PLIST Status: Undetected | Last Run Time: Never | Next Run Time: Immediately - If the LaunchDaemon is missing:
LD Status: Absent | PLIST Status: | Last Run Time: | Next Run Time:
#!/bin/zsh
# Define the plist name
PlistName="tech.rocketman.rapidresponse"
# Check if rocketman (RCC) is installed
if ! command -v rocketman &>/dev/null; then
echo "<result>RCC Not Installed</result>"
exit 0
fi
# Get rapid response plist file status
RapidResponseLog=$(rocketman RapidResponse --action status --plistName $PlistName 2>/dev/null)
exitCode=$?
RapidResponseStatus=$(echo "$RapidResponseLog" | tail -n2 | head -n1)
# Evaluate the result
if [[ $exitCode -eq 0 && -n "$RapidResponseStatus" ]]; then
echo "<result>$RapidResponseStatus</result>"
elif [[ $exitCode -eq 1 ]]; then
echo "<result>Not found tech.rocketman.rapidresponse plist file</result>"
else
# Any other non-zero exit code is considered an unknown error
echo "<result>Other Error Occurred</result>"
fiTo run the status check:
rocketman RapidResponse --plistName tech.rocketman.rapidresponse --action statusThe RapidResponse tool allows you to immediately execute the shell script specified in the managed plist.
-
Example:
rocketman RapidResponse --plistName tech.rocketman.rapidresponse --action execute
After deploying Rapid Response, verify its proper operation using these checks:
-
LaunchDaemon File:
Confirm the file exists at/Library/LaunchDaemons/tech.rocketman.rapidresponse.plist. -
LaunchDaemon Status:
Run:to ensure the LaunchDaemon is loaded.sudo launchctl list | grep tech.rocketman.rapidresponse -
Managed Plist:
Ensure/Library/Managed Preferences/tech.rocketman.rapidresponse.plistis present. -
Status Plist:
Verify/Library/Preferences/tech.rocketman.rapidresponse.plistcontains the frequency, next run time, and last run time information. -
Log Files:
Monitor these logs for troubleshooting:- Main log:
tail -f /var/log/rocketman.log
- Execution log:
tail -f /var/log/tech.rocketman.rapidresponse.log
- Error log:
tail -f /var/log/tech.rocketman.rapidresponse_error.log
- Main log:
Warning
Rapid Response supports running multiple workflows independently, allowing you to deploy multiple instances of the tool, each monitoring a different managed plist. However, keep these points in mind:
- Each LaunchDaemon must be uniquely named and assigned to a distinct plist to function properly.
- If multiple workflows are configured to monitor the same plist, they will likely interfere with each other, potentially causing unpredictable behavior.
- This setup is entirely within the user's control—Rapid Response does not prevent multiple workflows from referencing the same plist. Ensure your configurations are distinct to avoid conflicts.