Homebrew is ubiquitous among developer teams on macOS. With 13,000 packages, a large number of 3rd-party package repositories (“taps”), and tens of millions of users, it’s almost certain that your team depends on it every day.
In our discussions with IT managers and MacAdmins, and as contributors to Homebrew ourselves, we’ve noticed a number of strategies companies use with regard to Homebrew. The most common use cases are:
When it comes to managing Homebrew across organizations, we’ve noticed three core patterns, each with their own benefits and drawbacks.
Whether it’s due to overtaxed IT teams, budget constraints, or simply a lack of internal knowledge about Homebrew, this strategy is a bit “Wild West” where anyone who has a Mac can install Homebrew, and use it however they like.
This self-service approach gives developers total freedom to use the tools they want to, but it’s not formally supported by IT. Developers might come to the IT department with a ticket related to Homebrew, but that developer has to figure it out for themselves.
This strategy goes horribly wrong when there’s a major vulnerability like Heartbleed for OpenSSL that requires the entire fleet of devices to be updated to a non-vulnerable version quickly.
The second strategy we’ve seen from IT teams with Homebrew in their fleet is a kind of “Informed Trust” strategy, where there may be some unenforced rules prohibiting certain packages, or recommendations about vetting packages before you install them. Perhaps the IT team will help you set up Homebrew for the first time, but if something goes wrong, there isn’t necessarily a standard operating procedure to support you.
This is the most sophisticated strategy we’ve observed. We’ve seen companies use tools like Installomator or scripts from GitHub that help manage deployment, or get some basic observability about which packages are installed on specific machines. Generally this approach involves some level of “glue code” that IT teams have to create and maintain, and that code is difficult to manage. Most MDM tools run scripts as `root` and, as Homebrew refuses to be run as `root`, this adds additional complexity to any scripts created.
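The `root` problem described above, shown as an added example (not Workbrew's or Homebrew's own code): a wrapper an MDM policy could run as `root` that drops to the logged-in console user before calling `brew`. The `RUNNER` override and the `RUN_BREW_WRAPPER` guard are hypothetical names introduced for this sketch.

```bash
#!/bin/bash
# Added example (constructed): MDM agents run scripts as root, brew refuses root,
# so the script drops to the logged-in console user before calling brew.

# Return the first executable brew among the candidate paths given.
find_brew() {
  for candidate in "$@"; do
    if [ -x "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  return 1
}

# Reject accounts that are not a real logged-in person (empty = nobody at console).
is_valid_target_user() {
  case "$1" in
    ""|root|loginwindow|_mbsetupuser) return 1 ;;
    *) return 0 ;;
  esac
}

# Run brew as USER. Arguments are passed through as-is, never re-parsed by a shell.
# -H points HOME at the user's home so brew does not leave root-owned files there.
# RUNNER is a hypothetical override used only for dry runs and tests.
run_brew_as_user() {
  user="$1"; brew="$2"; shift 2
  is_valid_target_user "$user" || { echo "no usable console user" >&2; return 1; }
  "${RUNNER:-sudo}" -H -u "$user" "$brew" "$@"
}

main() {
  # Default prefixes: /opt/homebrew (Apple Silicon), /usr/local (Intel).
  brew="$(find_brew /opt/homebrew/bin/brew /usr/local/bin/brew)" || {
    echo "brew not installed" >&2; return 2; }
  console_user="$(stat -f%Su /dev/console)"   # macOS: owner of the console device
  run_brew_as_user "$console_user" "$brew" "$@"
}

# Constructed guard: only act when the MDM policy sets RUN_BREW_WRAPPER=1.
if [ "${RUN_BREW_WRAPPER:-0}" = "1" ]; then
  main "$@"
fi
```

When nobody is logged in, the console is owned by `root`, so the wrapper exits with an error instead of running `brew` as `root`.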
Workbrew provides the best parts of all three options above: a managed tool that reduces load for IT, unfettered access to Homebrew for developers with only the enforcements your organization requires, rules enforced fleet-wide, and the ability to quickly respond to security vulnerabilities by updating the entire fleet in hours, not days.
Workbrew Free simplifies installing `brew` with zero-touch deployment, and gives IT and security teams full visibility into the packages and versions being used across your organization.
Workbrew Pro brings remote management capabilities, custom configurations, and access controls to improve your endpoint security posture.
Workbrew Enterprise is built for organizations with sophisticated security and compliance requirements, especially companies in regulated industries like finance, healthcare, insurance, and government.