During a recent internal audit, we were asked to provide a list of Jamf Pro administrators who have rights to view a computer's FileVault Recovery Key.
If you have more than a few Jamf Pro admins, this task can prove tedious.
Hats off to @dacschumacher for the following SQL queries (some of which were written with extremely little real-world data).
SELECT username FROM users WHERE user_id IN (SELECT user_id FROM user_roles WHERE privilege = 'View Disk Encryption Recovery Key');
SELECT group_name FROM user_groups WHERE group_id IN (SELECT group_id FROM user_group_roles WHERE privilege = 'View Disk Encryption Recovery Key');
(My personal favorite)
SELECT From_unixtime(ja.audit_when DIV 1000) AS 'DateStamp', ja.audit_who AS 'User Name', c.computer_name AS 'Computer Name', ja.child_object_id AS 'Computer ID' FROM jss_audit AS ja JOIN computers AS c ON c.computer_id = ja.child_object_id WHERE ja.audit_what_class_name = 'FileVault2ComputerKey' ORDER BY datestamp ASC;