Jamf Nation Community

During a recent internal audit, we were asked to provide a list of Jamf Pro administrators who have rights to view a computer's FileVault Recovery Key.

If you have more than a few Jamf Pro admins, this task can prove tedious.

Hats off to @dacschumacher for the following SQL queries (some of which were written with extremely little real-world data).

Jamf Pro Administrators with "View Disk Encryption Recovery Key" privilege

SELECT username 
FROM   users 
WHERE  user_id IN (SELECT user_id 
                   FROM   user_roles 
                   WHERE  privilege = 'View Disk Encryption Recovery Key');

Jamf Pro Groups with "View Disk Encryption Recovery Key" privilege

SELECT group_name 
FROM   user_groups 
WHERE  group_id IN (SELECT group_id 
                    FROM   user_group_roles 
                    WHERE  privilege = 'View Disk Encryption Recovery Key');

Jamf Pro Administrators who have viewed a computer's Disk Encryption Recovery Key

(My personal favorite)

SELECT From_unixtime(ja.audit_when DIV 1000) AS 'DateStamp', 
       ja.audit_who                          AS 'User Name', 
       c.computer_name                       AS 'Computer Name', 
       ja.child_object_id                    AS 'Computer ID' 
FROM   jss_audit AS ja 
       JOIN computers AS c 
         ON c.computer_id = ja.child_object_id 
WHERE  ja.audit_what_class_name = 'FileVault2ComputerKey' 
ORDER  BY datestamp ASC;