The Workbrew Installer requires Apple's Command Line Tools for Xcode (CLT) to be installed before it can be. Install them with the Bootstrap feature, the supplied code on the Workspace edit page, the .pkg on the Apple Developer site or run xcode-select --install from a Terminal.

The Bootstrap feature will have also installed Workbrew on your Device.

Otherwise, run the the preinstall script on your Workspace page and then download the latest Workbrew Installer .pkg for macOS (or .sh for Linux/WSL (in beta)) and install it on your device.

The Workbrew Installer is automatically and periodically upgraded. If you wish to upgrade manually, download the latest Workbrew Installer .pkg for macOS (or .sh for Linux/WSL (in beta)) and install it on your device.

The Workbrew Agent on Devices will send information to and run commands from the Workbrew Console every 15 minutes (assuming they are awake and connected to the internet).

Workbrew supports three access modes that define the expected level of brew access per device or device group. These modes are configured in the Workbrew Console and enforced by the Workbrew Agent. Workbrew does not modify or elevate the underlying macOS user permissions — it only reports whether the device is compliant with the configured policy (for setting brew access on devices see: 'Which users can run brew on a Device?').

You can set a desired access mode for your workspace in your Workspace Settings, and override it per group in Device Groups.

Sudo:

• End-users can self-install any allowed formulae or casks.
• Because they are in the admin group, they can also use sudo to modify Homebrew or override policies (even if temporarily).
• The Workbrew Console reports devices as “Sudo” if the end-user is in the admin group.
• Workbrew does not grant or escalate privileges — it assumes the user already has sudo access.

Standard:

• End-users can self-install formulae.
• End-users can self-install casks only if they are explicitly listed in a Cask Allowlist policy (Enterprise plan only).
• All other cask self-installs are blocked by the HOMEBREW_FORBID_CASKS environment variable or must be provisioned by an admin via Default Packages.
• Formulae self-installs can also be blocked via Forbidden Formulae or Forbidden License policies.
• The Workbrew Console reports devices as “Standard” if the end-user is in the workbrew_users group (and not in admin).

Restricted:

• End-users cannot run brew at all.
• All formulae and casks must be provisioned via Default Packages. Default Packages.
• The end-user is not in the admin group and not in the workbrew_users group.

There's also a "hidden" mode, mainly for our own use building Workbrew and Homebrew, that we include for full transparency:

• "Homebrew Maintainer or Contributor": end-users that need full modification access to Homebrew to maintain or contribute to Homebrew so are added to the workbrew group. They can modify Homebrew without using sudo. This permission model is only for Homebrew's maintainers and contributors.

When Workbrew is deployed, the brew CLI is available to all users in the admin or workbrew_users groups.

To add a user to the workbrew_users group (reporting them as “Standard” in the Workbrew Console), run the following command or deploy via MDM:

dseditgroup -o edit -a "$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }')" -t user workbrew_users`

Please note: This will only succeed if there is a user currently logged in to the Mac. MDMs tend to operate differently in this area. If your MDM provides a way to inject the user account associated with a device into a script, you can use something like this instead, where USERNAME should match whatever variable your MDM injects into the script environment: dseditgroup -o edit -a "${USERNAME}" -t user workbrew_users.

Devices configured with an API key will automatically add (and re-add) themselves to the Workbrew Console's Devices page. Devices not configured with an API key will use the Workbrew improved security configuration (e.g. multiple users) but cannot communicate with the Workbrew Console.

The /etc/sudoers.d/workbrew file is used to allow Workbrew to run Brew Commands that require non-interactive sudo escalation on your Devices. These are never Homebrew formulae but some casks, which require sudo to install, require this so it is installed by the Workbrew Installer. This sudo access is only available for the _workbrewd user running the background daemon Workbrew Agent process.

We continually add support for more MDM providers. Please contact us to let us know which MDM integration you need.

Workbrew's Homebrew installation is modifiable to all users in the workbrew groups. You can add a user to a group with e.g. sudo dseditgroup -o edit -a "${USERNAME}" -t user workbrew. This functionality is only intended for Workbrew users who are also Homebrew maintainers or contributors.

Run the uninstaller by executing sudo /opt/workbrew/sbin/uninstall from a Terminal.

Please see the Contact page.