Sep 10, 2024
John Britton
Homebrew is ubiquitous among developer teams on macOS. With 13,000 packages, a large number of 3rd-party package repositories (“taps”), and tens of millions of users, it’s almost certain that your team depends on it every day.
In our discussions with IT managers, MacAdmins, and as contributors to Homebrew ourselves, we’ve noticed a number of strategies companies use with regards to Homebrew. The most common use cases are:
Software developers running macOS
Continuous integration on macOS and Linux
Privately distributing internal tools
When it comes to managing Homebrew across organizations, we’ve noticed three core patterns, each with their own benefits and drawbacks.
1: Do nothing
Whether it’s due to overtaxed IT teams, budget constraints, or simply a lack of internal knowledge about Homebrew, this strategy is a bit “Wild West” where anyone who has a Mac can install Homebrew, and use it however they like.
This self-service approach gives developers total freedom to use the tools they want to, but it’s not formally supported by IT. Developers might come to the IT department with a ticket related to Homebrew, but that developer has to figure it out for themselves.
This strategy goes horribly wrong when there’s a major vulnerability like Heartbleed for OpenSSL that requires the entire fleet of devices to be updated to a non-vulnerable version quickly.
Pros:
Total developer freedom
No upfront cost / effort
Cons:
Zero visibility
No way to remediate security issues
Gets unwieldy as you grow, no consistency across the team
2: Informed trust
The second strategy we’ve seen IT teams with Homebrew in their fleet take is a kind of “Informed Trust” strategy, where there may be some unenforced rules prohibiting certain packages, or recommendations about vetting packages before you install them. Perhaps the IT team will help you set up Homebrew for the first time, but if something goes wrong, there isn’t necessarily a standard operating procedure to support them.
Pros:
Relatively simple to implement
Lots of freedom for end users
Low upfront cost
Cons:
Low visibility: Unable to ensure policies are followed
Not compliant with regulated industries - finance, healthcare and others can’t do this because of regulation
If something goes wrong, it could go undetected (and be a very significant)
3: Roll your own
This is the most sophisticated strategy we’ve observed. We’ve seen companies use tools like Installomater or scripts from GitHub that help manage deployment, or get some basic observability about which packages are installed on specific machines. Generally this approach has some level of “glue code” that IT teams have to create and maintain that is difficult to manage. Most MDM tools run scripts as `root` and, as Homebrew refuses to be run as `root`, this adds additional complexity to any scripts created.
Pros:
Bespoke solution
Integration with other custom / internal tooling
Roadmap ownership
Cons:
Costly in terms of time, money, and expertise
Ongoing maintenance, siloed tech knowledge
Not a core competency, so it will never be complete with all the features you want (or need)
4: Use Workbrew
Workbrew provides the best parts of all the 3 options above. We provide a managed tool to reduce load for IT, provide developers with unfettered access to Homebrew with only the enforcements your organization requires, rules enforced fleet-wide and the ability to quickly respond to security vulnerabilities by updating the entire fleet in hours, not days.
Pros:
Provides control over developer systems to IT teams
Provides improved Homebrew security
Provides an identical Homebrew experience for developers
Workbrew Free simplifies installing brew
with zero-touch deployment, and gives IT and security teams full visibility into the packages and versions being used across your organization.
Workbrew Pro brings remote management capabilities, custom configurations, and access controls to improve your endpoint security posture.
Workbrew Enterprise is built for organizations with sophisticated security and compliance requirements, especially companies in regulated industries like finance, healthcare, insurance, and government.