Common Actions
Some common use cases easily handled by Keeper Commander. Check out the examples below.

Commander Repeating Command Functionality

Example: Auto-Approve SSO Cloud Devices

By utilizing a configuration file with the commands field set, Commander can approve SSO Cloud pending devices at a set cadence.

1. Create Configuration file

The easiest way to create a new Commander configuration file, is to log into Commander and pass it a new file name. Commander will create the new configuration file automatically.
keeper shell --config <NEW FILE PATH>
in this example, we'll use the file name 'approve-devices.json' which will be created in the current directory.
keeper shell --config approve-devices.json
When Commander starts, login and complete 2FA if prompted.

2. Set Persistent Login

While logged in, we want to configure Commander to not logout while the approve commands are being rerun.
First enable persistent login with the following command:
this-device persistent-login true
Then, set the timeout to a significant timeframe. The max is 30 days
this-device timeout 30d
After a max of 30 days, you will need to log back in to Commander to continue the automatic approval process.
After setting the persistent login and timeout settings, using the this-device should show settings similar to this:
If Persistent Login shows 'ON' and timeout shows '30 days' (or your preferred timeout setting) then you are ready for the next step

3. Add Commands to Configuration

Log out of Commander and open the configuration file created for this exercise. In this example 'approve-devices.json'
To this file, we need to add two fields: "commands" and "timedelay"
The commands field takes an array of any commands that Commander will run at startup.
In this case we want to add three commands: debug, device-approve --reload and device-approve --approve
  • debug tells Commander to print all debug statements during its run. This can help give more information during the approval, but is optional
  • device-approval --reload loads the pending device approval requests to Commander
  • device-approval --approve approves the loaded requests
Any Commander commands can be added to the commands field
The timedelay field tells Commander to rerun the commands every X seconds. In this example, we will use 60 seconds to run the approval every minute.
Once the changes have been made, the configuration file will look similar the following. Secret tokens have been replaced with 'XXXX' in this example.
approve-devices.json
1
{
2
"private_key": "XXXX",
3
"device_token": "XXXX",
4
"clone_code": "XXXX",
5
"user": "youremailaddress",
6
"commands": [
7
"debug",
8
"device-approve --reload",
9
"device-approve --approve"
10
],
11
"timedelay": 60
12
}
Copied!
You may need to set the server field if accessing Keeper outside the US. See the Logging In section for more information.

4. Run Commander with Pre-Defined Configuration

Run Commander again with the configuration file
1
$ keeper shell --config approve-devices.json
Copied!
Commander may ask you to log in, and completed 2FA. Then Commander will run the configured commands every 60 seconds.
Example output:
1
$ keeper shell --config approve-devices.json
2
3
Executing [device-approve --reload]...
4
Logging in to Keeper Commander
5
Enter password for <YOUR ACCOUNT>
6
Password: *******
7
8
There are no pending devices to approve
9
10
Executing [device-approve --trusted-ip --approve]...
11
There are no pending devices to approve
12
13
2021/07/16 15:12:34 Waiting for 60 seconds
14
Executing [device-approve --reload]...
15
16
....
Copied!
For more information on the device-approvecommand see the documentation

5. Stop Commander

To stop commander use Ctrl+c

Example: Automatic Team and Team User Assignments

Similar to the example above, Commander can automatically approve Team and User assignments that are created from SCIM providers such as Azure, Okta and JumpCloud.
To set this up, simply add one more command team-approve to the JSON config file:
1
{
2
"user": "youremailaddress",
3
"commands": [
4
"debug",
5
"device-approve --reload",
6
"device-approve --approve",
7
"team-approve"
8
],
9
"timedelay": 60
10
}
Copied!

Bulk Record Permission Changes

In this example, we will recursively change the record permissions in a Shared Folder.

1. Identify Shared Folder UID

On Commander, you can use the "ls -l" command, similar to a Bash shell.
On the Vault user interface, you can click on the info dialog to get the Shared Folder UID.

2. Validate Record Permissions Change with Commander

With Commander, execute the record-permission command with the --dry-run option to simulate the command. In this example, the Shared Folder UID is "-FHdesR_GSERHUwBg4vTXw". The command is below:
record-permission --dry-run --recursive --action grant --can-edit -- -FHdesR_GSERHUwBg4vTXw
Because the Shared Folder UID beings with '-' in this example, '--' must be added before the identifier
Running this command produces the following output:
The "SKIP" section is saying that the current user on Commander cannot make those requested changes, because we are not the owner of the record. The "GRANT" section indicates the changes that will be allowed.
For more information on the record-permission command see the documentation

3. Execute Permissions Change Command with Commander

To execute the command, we remove the "--dry-run" portion:
Now, on the Vault UI, the permission of those affected records has been changed to "Can Edit".

Shared Folders With Multiple Record Owners

If you are in a situation with many record owners in the same shared folder that require update, each of those users can simply run the above Commander action to change the permissions of their respective records.

Create Shared Records Report

Method 1: Manual Report

To manually create a report of shared records, use the share-report command, once logged into Keeper Commander.
The example below will create a basic shared records report in a table format.
1
My Vault> share-report
Copied!
This command can be altered to report on a single record, records belonging to a specific user or team, or output the report to a file. For more information see documentation.

Method 2: Automated Report

The Commander configuration file can be used to automatically create a shared records report.

1. Create Configuration file

Create a file with the following fields: (make sure to replace the user value with your account)
share-report.json
1
{
2
"user": "youremailaddress",
3
"commands": [
4
"share-report --format csv --output share_report.csv",
5
"q"
6
]
7
}
Copied!
You may need to set the server field if accessing Keeper outside the US. See the Logging In section for more information.
Copy the above into a file named share-report.json or download the file below:
share-report.json
138B
Binary
share-report.json
Save the configuration file in an accessible directory on your machine.

2. Run Commander with Configuration

In a shell, run commander with the --config flag to use the configuration file created above.
1
$ keeper --config ~/.keeper/share-report.json
Copied!
In this example the configuration file is saved in the ~/.keeper folder
On Windows this file is located at: C:\Users\<username>\.keeper

3. Share Report File Created

When Commander is started, you will first be asked to login (unless you are using persistent login). Once approved, Commander will run the commands provided in the configuration file, and create a shared records report output to a file named "share_report.csv"
Example Output:
share_report.csv
1
#,Shared to,Records
5
Copied!
The output format can be changed using the --format option of the share-report command. See documentation for details.
Because the second command in the configuration is "q" Commander will immediately quit after creating the report.
Last modified 30d ago