Iru Plugin for Steampipe
Use SQL to query devices, users, blueprints, threats, library items, and more from Iru (formerly Kandji), the Apple endpoint management platform.
- Get started -
- Community: Join #steampipe on Slack -
- Get involved: Issues
Quick start
Install
Install the plugin with Steampipe:
Configure
Copy the sample config and set your API credentials:
Edit ~/.steampipe/config/iru.spc:
plugin = "ghcr.io/vthiery/iru"
# The full API URL for your Iru tenant.
# US tenants: https://
# EU tenants: https://
url = "https://acme.api.eu.kandji.io"
# API token generated in Settings > Access > API Token.
token = "YOUR_API_TOKEN"
}
Run a query
List all enrolled Mac devices on an outdated OS:
device_name,
serial_number,
os_version,
last_check_in
from
iru_device
where
platform = 'Mac'
and os_version < '14.0';
Tables
Device inventory
| Table | Description |
|---|---|
| iru_device | All devices enrolled in your Iru tenant. |
| iru_device_detail | Rich per-device details: MDM, FileVault, hardware, Kandji agent, activation lock, and ADE status. |
| iru_device_app | Applications installed on each managed device. |
| iru_device_library_item | Per-device library item assignment and compliance status. |
| iru_device_parameter | Per-device MDM parameter compliance status. |
Users, blueprints & tags
| Table | Description |
|---|---|
| iru_user | Users in your Iru tenant. |
| iru_blueprint | Blueprints configured in your Iru tenant. |
| iru_tag | Tags configured in your Iru tenant. |
Library, threats & audit
| Table | Description |
|---|---|
| iru_library_item | Custom app library items in your Iru tenant. |
| iru_threat | Threat events detected on managed devices. |
| iru_audit_log | Audit log events from your Iru tenant. |
Prism telemetry
These tables require a Prism-enabled API token (enabled separately in Iru Settings - Access).
| Table | Description |
|---|---|
| iru_prism_app | Cross-fleet application inventory from the Prism telemetry endpoint. |
| iru_prism_certificate | Cross-fleet certificate inventory from the Prism telemetry endpoint. |
| iru_prism_filevault | Cross-fleet FileVault encryption status from the Prism telemetry endpoint. |
Self Service
| Table | Description |
|---|---|
| iru_self_service_category | Categories defined in the Iru Self Service catalog. |
Vulnerability Management
These tables require the Vulnerability Management add-on to be enabled on your Iru tenant. The endpoints return 404 without the add-on.
| Table | Description |
|---|---|
| iru_vulnerability | CVE-grouped vulnerabilities detected across the tenant. |
| iru_vulnerability_detail | Full CVE detail (description, EPSS score, publish dates) for a specific CVE ID. |
Note -- untested tables: Several tables could not be fully tested because the API token used during development lacks the required permission scopes. These tables are correctly implemented against the Iru API documentation and will work once the appropriate scopes are enabled on your token:
iru_blueprint,iru_tag-- requires the Blueprints / Tags API scopeiru_library_item,iru_threat,iru_audit_log-- requires the respective Library Items / Threats / Audit Log scopesiru_device_library_item,iru_device_parameter-- requires the Device Information scopeiru_prism_app,iru_prism_certificate,iru_prism_filevault-- requires a Prism-enabled API tokeniru_self_service_category-- requires the Self Service API scopeiru_vulnerability,iru_vulnerability_detail-- requires the Vulnerability Management add-on (401 without the add-on)The following tables are confirmed working with real data:
iru_device,iru_device_detail,iru_device_app,iru_user.
Development
Prerequisites
Build and Install
Configure the plugin:
vi ~/.steampipe/config/iru.spc
Testing
Run a smoke query against every table:
The test script (scripts/test_tables.sh) builds the plugin, queries each table, and reports pass/fail/skip.