An end-to-end guide on getting the most from Workbrew - whether you're an organization aiming to improve developer productivity while staying compliant, or a developer managing configurations across your work and personal devices.

To start using Workbrew, follow these steps:

1. Sign up at console.workbrew.com
2. Follow the onboarding tutorial to confirm you username and create a workspace
3. Follow the manual device connection steps on the Devices page to manually connect your own device

Once your first device is set up, you’re ready to add more.

Zero-Touch Deployment via MDM:

• Use Workbrew for zero-touch provisioning, allowing devices to automatically configure and connect to Workbrew at time-of-enrollment via an MDM
• For more details on zero-touch provisioning, see our handy guides for deploying via your chosen MDM

Connect your MDM to automatically sync your managed device inventory into Workbrew. This gives you full visibility across your fleet without requiring each Device to be connected manually.

Group devices based on team, department, or specific requirements using Device Groups. Device Groups make it easy to apply remote management configurations and commands to a subsets of devices – streamlining fleet management.

Creating Device Groups:

1. Click on the Devices tab in the sidebar to view all of your Workspace's devices
2. Search for and select more than one device
3. Click Add to groups and then Create a new group from the dropdown
4. Give your group a name and select Create Device group

View and Manage Device Groups:

• Click on Device Groups in the sidebar to view all your Device Groups
• Click on the number of devices in a group to view them filtered on the Devices page
• Add more devices to an existing group by using the Add to groups dropdown

Syncing Device Groups from MDM:

If you’ve connected your MDM, existing device groups will automatically sync into Workbrew. Synced groups are marked as Managed by… your MDM and update automatically as their membership changes in your MDM.

The Dashboard, Vulnerabilities, Analytics, Packages, Taps and Licenses pages in the Workbrew Console provide insight into software usage, trends, and vulnerabilities across your devices.

Dashboard:

• Get a high-level view of your connected devices. Drill down to review specific details about installed packages, usage history, and configurations

Vulnerabilities:

• Identify and click-to-view CVEs for known vulnerabilities across brew packages on all connected devices
• See CVE vulnerability scores at a glance
• Isolate effected devices and run remote commands to remediate on just those devices

Analytics:

• Search for, view and filter across devices to get insight into how users have run brew on which Workspace devices, when

Packages:

• View and filter by all Formulae and Casks installed across all connected devices
• See which groups of devices are running which packages and whether or not they are up-to-date with the latest versions

Taps:

• View all of the Taps that are hosting package definitions across all your connected devices
• See which groups of devices are accessing Taps and how many packages a tap can install

Licenses:

• Identify and learn more about the open source licenses that installed packages across your connected devices are using

Use Policies to define high-level security and compliance rules for your fleet.

Before setting up policies, configure the administrator name and contact message that end-users will see in the CLI when an install is blocked:

1. Go to Policies in the sidebar
   
2. Edit the Workbrew administrator name and Contact details fields
   
3. Click Save

A common baseline setup for organizations operating within a highly regulated industry is:

• Only allow official Homebrew taps and any connected private taps (no third-party taps)
  
• Create a denylist for risky formulae and licenses
  
• Maintain a controlled allowlist of casks
  
• Automatically upgrade vulnerable packages and uninstall forbidden ones

To do this:

1. Go to Policies in the sidebar
   
2. Click New Brew Policy → Allowed Taps
   
   • By default, only homebrew/homebrew-core, homebrew/homebrew-cask, and any connected private taps will be set
     
   • Choose All Devices and click Create Brew policy
3. Click New Brew Policy → Forbidden Formulae
   
   • Add any formulae you want to block (e.g. proxytunnel)
     
   • Choose All Devices and click Create Brew policy
4. Click New Brew Policy → Forbidden Licenses
   
   • Select any licenses that should not be allowed (e.g. AGPL-3.0-only, AGPL-3.0-or-later)
     
   • Choose All Devices and click Create Brew policy
5. Click New Brew Policy → Casks Allowlist
   
   • Add a set of approved casks (e.g. visual-studio-code, zoom, slack)
     
   • Choose All Devices and click Create Brew policy
6. Click New Brew Policy → Automatic Upgrades and Uninstalls
   
   • Enable Automatically upgrade Vulnerable Formulae when detected
     
   • Enable Automatically uninstall forbidden packages
     
   • Choose All Devices and click Create Brew policy

These policies immediately apply to matching devices and are enforced at the CLI level. Blocked installs return clear error messages pointing users to your designated administrator contact.

Workbrew’s Brew Commands feature enables you to manage software remotely, executing brew commands across multiple workspace devices from the Console.

Run Commands Remotely:

• Execute any Homebrew command, such as brew install, brew update, or brew upgrade, across one or more devices in your fleet
• Commands can be created by either manually writing and running a Brew Command argument (see example usage below), or by clicking on any of the quick-action 'Run' buttons throughout the Console to pre-fill a Brew Command ready to be created and run
• New commands can be run immediately after creation or scheduled for a specific date and time

Track Status and Logs:

• Every Brew Command is logged in the Console, allowing you to track the status, view execution details, and troubleshoot issues as needed

To upgrade VS Code once a week on just your developer's devices (and include any new devices added to the group).

1. Create a Device Group called 'Developers' – adding all of your development team's devices to the group
2. Go to Brew Commands in the sidebar and click New Brew command
3. Add brew upgrade --cask visual-studio-code as an argument
4. From the Run on Devices dropdown select Developers
5. Ensure that Run on new Devices added to the Device Group is checked
6. Select Weekly from the Schedule dropdown
7. Click Create Brew Command to create the command AND run it now on all devices in the group

Use Default Packages to ensure essential software is consistently installed across your devices.

Define Lists of Essential Packages:

• Create Brewfiles by listing essential packages for different devices, then install them all with a single command

View and Manage All Your Default Packages:

• See all your Default Packages at a glace and know which lists of packages target which groups

Monitor Deployment:

• Track installation logs and status on the Brew Commands page to verify successful deployment across targeted devices

To get your whole team started with a list of pertinent default packages:

1. Click Default Packages in the sidebar
2. Click the New Brewfile button
3. List a combination of essential packages in the Brewfile text field that you'd like installed by default on all devices across your fleet (e.g. brew "git", brew "openssl")
4. Add a label such as 'Essentials-for-Everyone' to descibe the goal and denote that this list of default packages will be installed on every existing and new device in the fleet (as opposed to a label that might denote packages targeted at just a specifc team)
5. Ensure that Run on new Devices added to the Device Group is checked – so that these packages will automatically be run on all new devices added to your fleet
6. Click Create Brewfile to create the command AND install all of the packages across your fleet