What is Workbrew?

Workbrew is a secure software delivery platform — a control center for all of the software packages installed on the endpoints at your organization. It’s also the best way for teams familiar with Homebrew to deploy, manage, and secure brew at scale.

How It Works

Workbrew has four main components:

• Homebrew

• Workbrew Installer

• Workbrew Agent

• Workbrew Console

Homebrew

Workbrew sits on top of Homebrew, so to understand Workbrew you need to first understand Homebrew.

Homebrew is an open-source package manager with an extensive library of official packages. It’s installed on tens of millions of devices and it’s nearly ubiquitous on macOS. Homebrew is also supported on Linux and Windows Subsystem for Linux (WSL), although these users are less common. For our purposes, it’s useful to focus on two primary components: 

1. brew, the command-line interface (CLI) for managing packages.

2. Taps, the repositories where packages are defined.

brew

The brew CLI provides the underlying infrastructure for installing packages onto the target system. It has a variety of useful subcommands and configuration options, you can read more about how to use brew in the official documentation.

Taps

Taps provide the underlying definitions and instructions for installing specific software packages onto the system. Homebrew has two official Taps: homebrew/homebrew-core and homebrew/homebrew-cask. In addition to the official Taps, it’s possible to use unofficial third-party Taps and even to create your own.

Read more in our post “What is Homebrew”.

Workbrew Installer

Workbrew is distributed for installation as a signed PKG file. It can be installed interactively or via an MDM tool. This allows Workbrew to deliver a zero-touch installation experience.

Whenever you buy a new device from Apple, Workbrew will be installed by default as part of the device MDM enrollment experience with no further intervention from your IT team.

Workbrew’s secure CLI is a wrapper around the standard brew CLI that allows Workbrew to run security and compliance checks on every command before it is executed. 

Our CLI looks and behaves identically to the standard brew CLI interface, so even though it adds an extra layer of security and compliance, there is no difference for end users, preserving the experience they are already accustomed to.

For users with an existing Homebrew installation, Workbrew completes the same installation and enrollment processes without any disruption. All existing packages stay in place and the user is seamlessly upgraded to Workbrew.

Isolated brew installation

Another key benefit of the Workbrew Installer is how it makes the secure brew CLI available. Workbrew is installed in an isolated and tamper-resistant environment.

With this isolated brew installation it’s possible set and enforce various policies according to one of three access control models: restricted, managed, and guided. 

Restricted

The restricted access model is the default for anyone who is a standard user in macOS settings.

Under this model, administrators manage all software installation. Even though brew is installed, the end user has no access to it. An end user can use software installed with brew, but cannot install their own or interact with the secure brew CLI.

Managed

With the managed access model, users with a standard user account in macOS have access to the Workbrew secure CLI. As long as their commands are compliant with the configured policies, these users can run commands in brew.

To assign a user to the managed access model, all you need to do is add them to the workbrew_users group.

Guided

The guided access model is the default access model for anyone who is a member of the admin group.

Users with guided access can use sudo, which gives the user extra security privileges. As such, they will still be subject to Workbrew’s policies, but because of their membership in the admin group these users do have the ability to override the configured policies.

Workbrew Agent

The Workbrew Agent is a lightweight background process that is the conduit for communication between your devices and the Workbrew Console. It runs on a schedule to perform these routine tasks:

• Retrieve metadata about the state of the device and send it to the Workbrew Console, where Workspace administrators can review and analyze the data.

• Receive Brew Configurations from the Workbrew Console and set those settings on the affected device.

• Receive Brew Commands from the Workbrew Console and ensure they are successfully executed on the device while reporting logs and results.

In addition, the Workbrew Agent handles local brew commands received through the secure CLI. Most policy checks are performed directly on the device. To ensure consistent operation, Workbrew uses a single code path for brew locally and from the Console.

Workbrew Console

The Workbrew Console is a cloud-based web application designed for IT managers and security professionals. It provides a unified platform for managing brew across your organization, offering features such as analytics and observability, remote management, and robust security and compliance tools.

The top-level organizational unit in Workbrew is a Workspace. This is where you control your team’s access, configure your MDM tool, and manage your account settings, including billing.

As you install Workbrew on your devices, they will automatically appear in your Workspace and if you configure your MDM integration it will match your device inventory and link devices to your company directory.

Within the Workbrew Console there is a wealth of valuable information. It’s easy to drill down on individual devices for troubleshooting and incident response. It’s also straightforward to look at aggregate information from across your organization like popular packages and versions. The Console also exposes reports on software licenses and third-party tap (Homebrew package repository) usage.

The Workbrew Console provides a comprehensive report of known security vulnerabilities impacting your fleet. Workbrew cross-references the inventory of installed packages and versions with several distinct vulnerability databases and provides a straightforward way to understand any known vulnerabilities and provides a single-click path to remediation. It is possible to configure automated notifications when new vulnerabilities are discovered.

There are two types of remote management action you can take in the console; you can do configuration setting or run commands.

In addition to the visibility afforded by the Workbrew Console, it serves as the gateway to two fundamental remote management features: Brew Configurations and Brew Commands.

Brew Configurations

Homebrew has nearly one hundred different configuration options. It’s quick and easy to set and enforce these options across your entire fleet from the Workbrew Console using Brew Configurations.

An example policy that many of our customers choose to set and enforce using Brew Configurations is to limit the installation of packages to those that are included in the official Homebrew Taps (homebrew/homebrew-core and homebrew/homebrew-cask):

# Allow officially Homebrew Taps only
HOMEBREW_ALLOWED_TAPS

Some other commonly used Brew Configurations are as follows:

# Ensure all artifacts are downloaded from the specified domain
# Airgap `brew` ensuring packages are not downloaded from the internet 
HOMEBREW_ARTIFACT_DOMAIN=artifacts.example.com
HOMEBREW_ARTIFACT_DOMAIN_NO_FALLBACK=1

# Verify cryptographic attestations of build provenance
# for bottles from homebrew-core
HOMEBREW_VERIFY_ATTESTATIONS=1

# Block specified Casks, Formulae, Licenses, and Taps
HOMEBREW_FORBIDDEN_CASKS=[cask]
HOMEBREW_FORBIDDEN_FORMULAE=[formula]
HOMEBREW_FORBIDDEN_LICENSES=[license]
HOMEBREW_FORBIDDEN_TAPS

# Provide users an escalation path
# Used when an action is forbidden by policy
HOMEBREW_FORBIDDEN_OWNER=Corporate IT
HOMEBREW_FORBIDDEN_OWNER_CONTACT

Brew Commands

Brew Commands are an extremely powerful and fundamental component of Workbrew. The more familiar you are with Homebrew, the more useful they will be.

With Brew Commands, you can do anything brew can do with a package: install, uninstall, upgrade, pin, or unpin on a specific device or across your entire fleet. Brew Commands aren’t limited to package operations, you can also take other actions like: tap, untap, update, and cleanup.

The power is in the flexibility, you can use Brew Commands to install standard tools for your developers like brew install --cask vscode or to apply a critical security patch like brew upgrade xz.

Each command is mapped to the targeted devices through a number of Runs. A Run is a specific instance of a Command that was executed on a particular Device at the specified time. Workbrew automatically tracks the exit status of Runs and makes logs available in a central location.

Who Is Workbrew For?

This all adds up to secure software delivery platform that:

• Has zero-touch installation and enrollment, which allows you to remotely set up all of your organization's devices to a standard profile.

• Enables your developers with the tools that they know and love, while maintaining security and compliance.

• Eliminates the learning curve. Your developers already know it, and nobody else ever needs to touch it.

So then, Workbrew is for any business or organization that wants to:

• bulk manage their fleet’s software use, or

• let their developers use brew while remaining secure and compliant, or

• automate remote device setup, even on brand new fresh-from-Apple devices, or

• any combination of the three.

Within an organization, Workbrew adds value for everyone. 

For developers, Workbrew drives productivity. They don’t need to learn a new tool and they don’t need to spend time working around corporate security measures.

For IT professionals, Workbrew reduces workload. Workbrew automates a large portion of device setup, and drastically reduces touchpoints for the remainder.

For security professionals, Workbrew is peace of mind. With Workbrew’s ability to remotely manage policies on their entire fleet, they can easily do preventative maintenance and are able to quickly respond to situations.

For everyone else, Workbrew is seamless and invisible. It automates maintenance for software, security, and compliance. They can just keep on doing their thing while Workbrew works its magic to keep their software secure and up to date.