Simplify App Distribution with Casks Allowlists
Anup Narkhede
Casks are Homebrew packages that install binaries, often graphical apps, such as Slack, Zoom, or Chrome. Expanding the reach of brew beyond CLI tools, Casks are incredibly powerful not only for developers who are already comfortable with Homebrew, but admins looking to serve more diverse teams and software needs. This post introduces a new feature to Workbrew that streamlines Cask administration, making it easier to maintain a list of allowed Casks, whilst minimizing the impact to endpoint users.
The Cask permissions challenge
With Workbrew, admins can manage policies around Homebrew usage with Access Modes: Sudo, Standard, and Restricted. Standard is the usual choice for users who shouldn’t have admin access, but it also blocks user installation of Casks, as without sudo, apps can’t be installed into /Applications. This is a useful security and compliance stopgap preventing the installation of unapproved packages, but it requires end-users to seek admin intervention for key apps in their everyday workflows.
Previously, admins may have dealt with this by using another Workbrew feature such as Default Packages to push the desired Cask-distributed apps to a group. But this can cause apps to be pushed to users who didn’t need those apps, and who may be surprised to find them on their machine. Extra device storage usage and another application to keep up to date, for a user who won’t use the app, just to work around a permissions issue.
Introducing Casks Allowlist
We heard from admins that many end-users are used to a self-service model. If you’ve seen an MDM “app catalog,” you know the experience: there’s a set of approved software, and you pick what you want, when you want it. No unwanted packages. No clutter. Just choice within secure boundaries.
That’s the rationale behind Casks Allowlist. Casks Allowlist lets admins specify allowed Casks, and when a non-admin user, attempts to install that Cask, the installation is delegated to the Workbrew daemon and will install successfully.
The daemon handles the elevated install, and the output streams back to your terminal. It feels like Homebrew always did, but with the right safeguards in place. If there’s no allowlist, nothing changes and all installs remain blocked.
This change keeps control where it belongs, with the admins, while giving end-users the freedom to install what’s useful to them. No surprises with unwanted software. No storage wasted on apps that never get opened. Just a simpler, more predictable way to manage casks in Standard mode.