The Workbrew Installer requires Apple's Command Line Tools for Xcode (CLT) to be installed before it can be. Install them with the Bootstrap feature, the supplied code on the Workspace edit page, the .pkg on the Apple Developer site or run xcode-select --install from a Terminal.

The Bootstrap feature will have also installed Workbrew on your Device.

Otherwise, run the the preinstall script on your Workspace page and then download the latest Workbrew Installer .pkg for macOS (or .sh for Linux/WSL (in beta)) and install it on your device.

The Workbrew Installer is automatically and periodically upgraded. If you wish to upgrade manually, download the latest Workbrew Installer .pkg for macOS (or .sh for Linux/WSL (in beta)) and install it on your device.

The Workbrew Agent on Devices will send information to and run commands from the Workbrew Console every 15 minutes (assuming they are awake and connected to the internet).

Workbrew supports three access modes that define the expected level of brew access per device or device group. These modes are configured in the Workbrew Console and enforced by the Workbrew Agent. Workbrew does not modify or elevate the underlying macOS user permissions — it only reports whether the device is compliant with the configured policy.

You can set a default access mode for your workspace in your Workspace Settings, and override it per group in Device Groups.

Sudo:

• End-users can install any allowed formulae or casks — securely running brew but, due to their admin rights, they can also use sudo to directly modify Homebrew or override Brew Configurations and Policies (even if temporarily).
• The end-user is in the admin group on their device.
• Workbrew does not grant or escalate privileges — it assumes the user already has sudo access.

Standard:

• End-users can install allowed formulae only.
• Casks are managed by Workbrew Console admins via Default Packages and cannot be self-installed.
• Suitable for end-users who do not need to manage apps or GUI packages but still need to manage open source dependencies.
• The end-user is not in the admin group and is a member of the workbrew_users group (see which users can run brew).

Restricted:

• No self-installation is allowed — the end-user cannot run brew at all.
• All formulae and casks must be provisioned by a Workbrew Console admin through Default Packages.
• The end-user is not in the admin group and not in the workbrew_users group.

There's also a "hidden" mode, mainly for our own use building Workbrew and Homebrew, that we include for full transparency:

• "Homebrew Maintainer or Contributor": end-users that need full modification access to Homebrew to maintain or contribute to Homebrew so are added to the workbrew group. They can modify Homebrew without using sudo. This permission model is only for Homebrew's maintainers and contributors.

Workbrew is available to all users in the admin or workbrew_users groups. You can add a user to the workbrew_users group with e.g. sudo dseditgroup -o edit -a "${USERNAME}" -t user workbrew_users.

Devices configured with an API key will automatically add (and re-add) themselves to the Workbrew Console's Devices page. Devices not configured with an API key will use the Workbrew improved security configuration (e.g. multiple users) but cannot communicate with the Workbrew Console.

The /etc/sudoers.d/workbrew file is used to allow Workbrew to run Brew Commands that require non-interactive sudo escalation on your Devices. These are never Homebrew formulae but some casks, which require sudo to install, require this so it is installed by the Workbrew Installer. This sudo access is only available for the _workbrewd user running the background daemon Workbrew Agent process.

We continually add support for more MDM providers. Please contact us to let us know which MDM integration you need.

Workbrew's Homebrew installation is modifiable to all users in the workbrew groups. You can add a user to a group with e.g. sudo dseditgroup -o edit -a "${USERNAME}" -t user workbrew. This functionality is only intended for Workbrew users who are also Homebrew maintainers or contributors.

Run the uninstaller by executing sudo /opt/workbrew/sbin/uninstall from a Terminal.

Please see the Contact page.