CLI Approvals

Commander Approvals

Commander Method for Automated Approvals

Keeper Commander, our CLI and SDK platform, can perform Admin Device Approvals automatically, without having to log in to the Admin Console. Admin approvals can be configured on any computer that is able to run Keeper Commander (Mac, PC or Linux).

This method does not require inbound connections from the Keeper cloud, so it may be preferred in environments where ingress ports cannot be opened. It uses a polling mechanism (outbound connections only).

Install Keeper Commander

Please see the Installation Instructions here: https://docs.keeper.io/secrets-manager/commander-cli/commander-installation-setup. You can install the binary versions for Mac/PC/Linux or use pip3.

Use CLI for Device Approvals

Enter the Commander CLI using the "keeper shell" command. Or if you installed the Commander binary, just run it from your computer.

$ keeper shell
  _  __
 | |/ /___ ___ _ __  ___ _ _
 | ' </ -_) -_) '_ \/ -_) '_|
 |_|\_\___\___| .__/\___|_|
              |_|

 password manager & digital vault   

Use the "login" command to log in as the Keeper Admin with the permission to approve devices. Commander supports SSO, Master Password and 2FA. For the purpose of automation, we recommend creating a dedicated Keeper Admin service account that is used only for device approvals. This ensures that changes made to the user account (such as policy enforcements) don't break the Commander process.

My Vault> login my_service_user@acme-demo.com
Password: *******

Type "device-approve" to list all devices:

My Vault> device-approve
Email               Device ID           Device Name       Client Version
------------------  ------------------  ----------------  ----------------
demo@acme-demo.com  f68de375aacdff3846  Web Vault Chrome  w15.0.4
demo@acme-demo.com  41sffcb44187222bcc  Web Vault Chrome  w15.0.4

To manually approve a specific device, use this command:

My Vault> device-approve --approve <device ID>

To approve all devices whose requests come from IP addresses that the user has previously logged in from successfully, use this command:

My Vault> device-approve --approve --trusted-ip

To approve all devices regardless of IP address, use this command:

My Vault> device-approve --approve

To deny a specific device request, use the "deny" command:

My Vault> device-approve --deny <device ID>

To deny all approvals, remove the Device ID parameter:

My Vault> device-approve --deny

To reload the latest device approvals without having to exit the shell, use the "reload" command:

My Vault> device-approve --reload

Automatically Approving Devices every X seconds

Commander supports an automation mode that will run approvals every X number of seconds. To set this up, modify the config.json file that is auto-created. This file is located in the OS User's folder under the .keeper folder. For example: C:\Users\Administrator\.keeper\config.json on Windows or /home/user/.keeper/config.json on Mac/Linux.

Leave the existing data in the file and add the following lines:

"commands":["enterprise-down","device-approve --approve"],
"timedelay":30

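JSON requires a comma after every entry in an object except the last one, so make sure the existing entry before the added lines ends with a comma and the final entry in the file does not.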
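Hand-editing is where the comma mistake happens, so the same change can be made with a JSON parser. The following is an added example, not Keeper's own tooling: the function name `enable_auto_approval` and its `trusted_ip_only` switch are hypothetical, and it assumes the `--trusted-ip` form shown earlier is also accepted inside the "commands" list.

```python
import json
import os
import tempfile
from pathlib import Path

def enable_auto_approval(config_path, delay_seconds=30, trusted_ip_only=False):
    """Merge the automation keys into an existing Commander config.json."""
    path = Path(config_path)
    # Keep whatever Commander already wrote (user, server, device token, ...).
    config = json.loads(path.read_text(encoding="utf-8")) if path.exists() else {}
    if not isinstance(config, dict):
        raise ValueError(f"{path} does not contain a JSON object")
    if not isinstance(delay_seconds, int) or delay_seconds <= 0:
        raise ValueError("delay_seconds must be a positive integer")

    approve = "device-approve --approve"
    if trusted_ip_only:
        # Narrower variant from this page: only approve requests from IPs
        # the user has already logged in from (assumed valid in "commands").
        approve += " --trusted-ip"
    config["commands"] = ["enterprise-down", approve]
    config["timedelay"] = delay_seconds

    # Write to a temp file in the same directory, then rename, so a crash
    # never leaves Commander with a half-written config.
    fd, tmp_name = tempfile.mkstemp(dir=path.parent, prefix=".config-", suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as handle:
            json.dump(config, handle, indent=4)
            handle.write("\n")
        os.chmod(tmp_name, 0o600)  # owner-only; no effect on Windows ACLs
        os.replace(tmp_name, path)
    except BaseException:
        if os.path.exists(tmp_name):
            os.unlink(tmp_name)
        raise
    return config

if __name__ == "__main__":
    # Constructed demo file; point this at ~/.keeper/config.json in practice.
    demo = Path(tempfile.mkdtemp()) / "config.json"
    demo.write_text('{"user": "my_service_user@acme-demo.com"}', encoding="utf-8")
    print(json.dumps(enable_auto_approval(demo, 30, trusted_ip_only=True), indent=4))
```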

Now when you open Commander (or run "keeper shell"), Commander will run the commands every time period specified. Example:

$ keeper shell
Executing [enterprise-down]...
Password: 
Logging in...
Syncing...

Executing [enterprise-down]...

Email               Device ID           Device Name       Client Version
------------------  ------------------  ----------------  ----------------
user@acme-demo.com  f68de375aacdff3846  Web Vault Chrome  w15.0.4

Executing [device-approve --approve]...
2020/09/20 21:59:47 Waiting for 30 seconds
Executing [enterprise-down]...
There are no pending devices to approve
.
.
.

Automatically Approving Teams and Users

Similar to the example above, Commander can automatically approve Team and User assignments that are created from SCIM providers such as Azure, Okta and JumpCloud.

To set this up, add one more command, team-approve, to the JSON config file. For example:

{
    "user": "my_service_user@acme-demo.com",
    "commands": [
        "enterprise-down",
        "device-approve --approve",
        "team-approve"
    ],
    "timedelay": 60
}

Persistent Sessions

Keeper Commander supports "persistent login" sessions, which can run without having to log in with a Master Password or hard-code the Master Password into the configuration file.

Commands to enable persistent login on a device for 30 days (max):

My Vault> this-device register
My Vault> this-device persistent-login on
My Vault> this-device ip-auto-approve on
My Vault> this-device timeout 30d
My Vault> quit

You can use seconds as the value (e.g. 60 for 60 seconds) or numbers and letters (e.g. 1m for one minute, 5h for 5 hours, and 7d for 7 days).

Also note that typing "logout" will invalidate the session. Just "quit" the Commander session to exit.

Once persistent login is set up on a device, the config.json in the local folder will look something like this:

{
    "private_key": "8n0OqFi9o80xGh06bPzxTV1yLeKa5BdWc7f7CffZRQ",
    "device_token": "R2O5wkajo5UjVmbTmvWnwzf7DK1g_Yf-zZ3dWIbKPOng",
    "clone_code": "retObD9F0-WDABaUUGhP0Q",
    "user": "my_service_user@acme-demo.com",
    "server": "keepersecurity.com"
}
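Because this file now carries a private key and device token next to the approval commands, it is worth checking before the automation is left unattended. The following is an added example, not part of Commander: `audit_commander_config` is a hypothetical helper, and the "password" key it looks for is an assumed name for a hard-coded Master Password entry.

```python
import json
import os
import stat
import tempfile

SECRET_KEYS = ("private_key", "device_token", "clone_code")

def audit_commander_config(path):
    """Return a list of findings for a Commander config.json used for automation."""
    findings = []
    with open(path, encoding="utf-8") as handle:
        config = json.load(handle)

    present = [k for k in SECRET_KEYS if config.get(k)]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # POSIX check only; on Windows review the file ACL instead.
    if os.name == "posix" and present and mode & 0o077:
        findings.append(f"file mode {mode:o} lets other users read {', '.join(present)}")

    # Assumed key name for a Master Password stored in the file.
    if config.get("password"):
        findings.append("Master Password is hard-coded; use persistent login instead")

    for command in config.get("commands", []):
        words = command.split()
        if words[:1] != ["device-approve"] or "--approve" not in words:
            continue
        # A non-flag word after the command name is a specific device ID.
        targeted = any(not w.startswith("-") for w in words[1:])
        if "--trusted-ip" not in words and not targeted:
            findings.append(f"'{command}' approves every pending device regardless of IP")
    return findings

if __name__ == "__main__":
    # Constructed sample config, written to a temp file for the demo.
    sample = {"private_key": "CONSTRUCTED", "device_token": "CONSTRUCTED",
              "user": "my_service_user@acme-demo.com",
              "commands": ["enterprise-down", "device-approve --approve"],
              "timedelay": 30}
    fd, name = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as out:
        json.dump(sample, out)
    os.chmod(name, 0o644)
    for finding in audit_commander_config(name):
        print("FINDING:", finding)
```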

Additional information about persistent login sessions and various options is available at this link.

There are many ways to customize, automate and process automated commands with Keeper Commander. To explore the full capabilities see the Commander documentation.
