During a recent internal audit, we were asked to provide a list of Jamf Pro administrators who have rights to view a computer’s FileVault Recovery Key.
If you have more than a few Jamf Pro admins, this task can prove tedious.
Hats off to @dacschumacher for the following SQL queries (some of which were written against a database with very little real-world data, so check the results against your own instance).
Jamf Pro Administrators with “View Disk Encryption Recovery Key” privilege
-- Accounts whose own role assignments include the privilege (direct grants only;
-- privileges inherited through group membership are covered by the next query).
SELECT username
FROM users
WHERE user_id IN (SELECT user_id
FROM user_roles
WHERE privilege = 'View Disk Encryption Recovery Key');
Jamf Pro Groups with “View Disk Encryption Recovery Key” privilege
-- Groups whose role assignments include the privilege; every member of these
-- groups can view recovery keys even if they have no direct grant.
SELECT group_name
FROM user_groups
WHERE group_id IN (SELECT group_id
FROM user_group_roles
WHERE privilege = 'View Disk Encryption Recovery Key');
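The audit question was "which administrators have rights to view the key", so the two lists above still have to be merged by hand. The following query, an added example that is not part of the original post or @dacschumacher's queries, combines them into one list that shows each administrator once per grant path. It assumes a user-to-group membership table named user_group_members with user_id and group_id columns; that name is a placeholder, so substitute the real membership table from your Jamf Pro schema.

```sql
-- Added example (not from the original post or @dacschumacher's queries).
-- Every administrator who can view a recovery key, whether the privilege
-- was granted directly or through a group.
-- ASSUMPTION: the membership table is named user_group_members and has
-- columns user_id and group_id; replace it with the real table name.
SELECT u.username,
       'direct' AS granted_via
FROM users AS u
WHERE u.user_id IN (SELECT user_id
                    FROM user_roles
                    WHERE privilege = 'View Disk Encryption Recovery Key')
UNION
SELECT u.username,
       CONCAT('group: ', g.group_name) AS granted_via
FROM users AS u
JOIN user_group_members AS m ON m.user_id = u.user_id   -- placeholder table name
JOIN user_groups AS g ON g.group_id = m.group_id
WHERE g.group_id IN (SELECT group_id
                     FROM user_group_roles
                     WHERE privilege = 'View Disk Encryption Recovery Key')
ORDER BY username, granted_via;
```

An administrator who holds the privilege both directly and through a group appears twice, once per path, which is usually what an auditor wants to see: removing the direct grant alone would not revoke access.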
Jamf Pro Administrators who have viewed a computer’s Disk Encryption Recovery Key
(My personal favorite)
-- One row per recovery-key view recorded in the audit log. audit_when is stored
-- in milliseconds since the epoch, hence the DIV 1000 before FROM_UNIXTIME.
-- Note the inner JOIN: views of computers since deleted from inventory are dropped.
SELECT From_unixtime(ja.audit_when DIV 1000) AS 'DateStamp',
ja.audit_who AS 'User Name',
c.computer_name AS 'Computer Name',
ja.child_object_id AS 'Computer ID'
FROM jss_audit AS ja
JOIN computers AS c
ON c.computer_id = ja.child_object_id
WHERE ja.audit_what_class_name = 'FileVault2ComputerKey'
ORDER BY DateStamp ASC;
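For a recurring review rather than a one-off audit, the per-event listing above gets long quickly. This added example, not part of the original post, rolls the same jss_audit rows up per administrator for the last 30 days. It uses only the jss_audit and computers tables already used above; the LEFT JOIN keeps audit rows for computers that have since been deleted from inventory, which the inner JOIN above silently drops, and counts them separately.

```sql
-- Added example (not from the original post). Recovery-key views per
-- administrator over the last 30 days, for a periodic access review.
-- LEFT JOIN: audit rows for computers no longer in inventory are kept and
-- counted in 'Deleted Computers' instead of being dropped.
SELECT ja.audit_who                                AS 'User Name',
       COUNT(*)                                    AS 'Keys Viewed',
       COUNT(DISTINCT ja.child_object_id)          AS 'Distinct Computers',
       SUM(c.computer_id IS NULL)                  AS 'Deleted Computers',
       FROM_UNIXTIME(MIN(ja.audit_when) DIV 1000)  AS 'First View',
       FROM_UNIXTIME(MAX(ja.audit_when) DIV 1000)  AS 'Last View'
FROM jss_audit AS ja
LEFT JOIN computers AS c
       ON c.computer_id = ja.child_object_id
WHERE ja.audit_what_class_name = 'FileVault2ComputerKey'
  -- audit_when is in milliseconds, so scale the cutoff to match
  AND ja.audit_when >= UNIX_TIMESTAMP(NOW() - INTERVAL 30 DAY) * 1000
GROUP BY ja.audit_who
ORDER BY COUNT(*) DESC;
```

Comparing the 'User Name' column here against the privilege list from the first two queries is a quick sanity check: an account that viewed keys in the window but no longer holds the privilege has had its rights changed mid-period, and an account that holds the privilege but never uses it is a candidate for removal.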