The Workbrew Installer requires Apple's Command Line Tools for Xcode (CLT) to be installed before it can be. Install them with the Bootstrap feature, the supplied code on the Workspace edit page, the .pkg on the Apple Developer site or run xcode-select --install from a Terminal.

The Bootstrap feature will have also installed Workbrew on your Device.

Otherwise, run the the preinstall script on your Workspace page and then download the latest Workbrew Installer .pkg for macOS (or .sh for Linux/WSL (in beta)) and install it on your device.

The Workbrew Installer is automatically and periodically upgraded. If you wish to upgrade manually, download the latest Workbrew Installer .pkg for macOS (or .sh for Linux/WSL (in beta)) and install it on your device.

The Workbrew Agent on Devices will send information to and run commands from the Workbrew Console every 15 minutes (assuming they are awake and connected to the internet).

Workbrew has three permission models for end users:

• "Restricted": end-users cannot run brew on their Device, Homebrew is managed entirely via the Workbrew Console.
• "Standard": end-users are not administrators (i.e. not in the admin group) so cannot run sudo or brew by default. They are manually added to the workbrew_users group to securely run brew to install formulae on their device with policy enforcement through Brew Configurations and Policies. As they do not have sudo access, most of Homebrew's casks will not work. Therefore, as of Workbrew 1.2.2, casks are instead managed via the Workbrew Console.
• "Sudo": end-users are administrators (i.e. in the admin group) and can run brew by default. They can securely run brew but, due to sudo access, can use sudo to modify Homebrew or, temporarily, Brew Configurations and Policies.

There's also a "hidden" mode, mainly for our own use building Workbrew and Homebrew, that we include for full transparency:

• "Homebrew Maintainer or Contributor": end-users that need full modification access to Homebrew to maintain or contribute to Homebrew so are added to the workbrew group. They can modify Homebrew without using sudo. This permission model is only for Homebrew's maintainers and contributors.

Workbrew is available to all users in the admin or workbrew_users groups. You can add a user to the workbrew_users group with e.g. sudo dseditgroup -o edit -a "${USERNAME}" -t user workbrew_users.

Devices configured with an API key will automatically add (and re-add) themselves to the Workbrew Console's Devices page. Devices not configured with an API key will use the Workbrew improved security configuration (e.g. multiple users) but cannot communicate with the Workbrew Console.

The /etc/sudoers.d/workbrew file is used to allow Workbrew to run Brew Commands that require non-interactive sudo escalation on your Devices. These are never Homebrew formulae but some casks, which require sudo to install, require this so it is installed by the Workbrew Installer. This sudo access is only available for the _workbrewd user running the background daemon Workbrew Agent process.

We continually add support for more MDM providers. Please contact us to let us know which MDM integration you need.

Workbrew's Homebrew installation is modifiable to all users in the workbrew groups. You can add a user to a group with e.g. sudo dseditgroup -o edit -a "${USERNAME}" -t user workbrew. This functionality is only intended for Workbrew users who are also Homebrew maintainers or contributors.

Run the uninstaller by executing sudo /opt/workbrew/sbin/uninstall from a Terminal.

Please see the Contact page.