Use SQL to query devices, users, blueprints, threats, library items, and more from Iru (formerly Kandji), the Apple endpoint management platform.
- Get started →
- Community: Join #steampipe on Slack →
- Get involved: Issues
Install the plugin with Steampipe:
steampipe plugin install ghcr.io/vthiery/iruCopy the sample config and set your API credentials:
cp config/iru.spc ~/.steampipe/config/iru.spcEdit ~/.steampipe/config/iru.spc:
connection "iru" {
plugin = "ghcr.io/vthiery/iru"
# The full API URL for your Iru tenant.
# US tenants: https://<subdomain>.api.kandji.io
# EU tenants: https://<subdomain>.api.eu.kandji.io
url = "https://acme.api.eu.kandji.io"
# API token generated in Settings > Access > API Token.
token = "YOUR_API_TOKEN"
}steampipe queryList all enrolled Mac devices on an outdated OS:
select
device_name,
serial_number,
os_version,
last_check_in
from
iru_device
where
platform = 'Mac'
and os_version < '14.0';| Table | Description |
|---|---|
| iru_device | All devices enrolled in your Iru tenant. |
| iru_device_detail | Rich per-device details: MDM, FileVault, hardware, Kandji agent, activation lock, and ADE status. |
| iru_device_app | Applications installed on each managed device. |
| iru_device_library_item | Per-device library item assignment and compliance status. |
| iru_device_parameter | Per-device MDM parameter compliance status. |
| Table | Description |
|---|---|
| iru_user | Users in your Iru tenant. |
| iru_blueprint | Blueprints configured in your Iru tenant. |
| iru_tag | Tags configured in your Iru tenant. |
| Table | Description |
|---|---|
| iru_library_item | Custom app library items in your Iru tenant. |
| iru_threat | Threat events detected on managed devices. |
| iru_audit_log | Audit log events from your Iru tenant. |
These tables require a Prism-enabled API token (enabled separately in Iru Settings → Access).
| Table | Description |
|---|---|
| iru_prism_app | Cross-fleet application inventory from the Prism telemetry endpoint. |
| iru_prism_certificate | Cross-fleet certificate inventory from the Prism telemetry endpoint. |
| iru_prism_filevault | Cross-fleet FileVault encryption status from the Prism telemetry endpoint. |
| Table | Description |
|---|---|
| iru_self_service_category | Categories defined in the Iru Self Service catalog. |
These tables require the Vulnerability Management add-on to be enabled on your Iru tenant. The endpoints return 404 without the add-on.
| Table | Description |
|---|---|
| iru_vulnerability | CVE-grouped vulnerabilities detected across the tenant. |
| iru_vulnerability_detail | Full CVE detail (description, EPSS score, publish dates) for a specific CVE ID. |
Note — untested tables: Several tables could not be fully tested because the API token used during development lacks the required permission scopes. These tables are correctly implemented against the Iru API documentation and will work once the appropriate scopes are enabled on your token:
iru_blueprint,iru_tag— requires the Blueprints / Tags API scopeiru_library_item,iru_threat,iru_audit_log— requires the respective Library Items / Threats / Audit Log scopesiru_device_library_item,iru_device_parameter— requires the Device Information scopeiru_prism_app,iru_prism_certificate,iru_prism_filevault— requires a Prism-enabled API tokeniru_self_service_category— requires the Self Service API scopeiru_vulnerability,iru_vulnerability_detail— requires the Vulnerability Management add-on (401 without the add-on)The following tables are confirmed working with real data:
iru_device,iru_device_detail,iru_device_app,iru_user.
make installConfigure the plugin:
cp config/iru.spc ~/.steampipe/config/iru.spc
vi ~/.steampipe/config/iru.spcRun a smoke query against every table:
make testThe test script (scripts/test_tables.sh) builds the plugin, queries each table, and reports pass/fail/skip.