An attacker [— or your co-worker whose account is a Standard User —] could add malicious code to $HOME/.zshenv and it may be executed when the app is installed.
During a recent internal audit, we were asked to provide a list of Jamf Pro administrators who have rights to view a computer’s FileVault Recovery Key.…
With thanks to @ted.johnsen, the following SQL query will output a .CSV of all DEP-assigned, un-enrolled devices.