Workbrew 1.3 Release Notes

Jun 23, 2025
Luke Hefson

Workbrew 1.3 brings precision and visibility to IT teams at scale. This release strengthens device access controls, improves default software rollout, enhances policy notifications, and streamlines the Console experience.

Enforce Access Modes with Confidence

Workbrew 1.3 enforces access mode boundaries precisely, alerting admins when devices no longer meet standards.

Protect against self-installs on Standard devices

In this fix, devices in Standard mode cannot self-install casks. In 1.3 users can no longer install GUI apps via ​​brew install --cask [app_name] without admin involvement.

Alerts for access mode violations

Workbrew flags devices whose actual permissions don’t match the expected access mode. If a device is behaving like it’s in Sudo mode when it shouldn’t be, you’ll be alerted of access mode violations in the dashboard, and weekly email reports.

Access modes per device group

Workbrew enables admins to assign access modes (Sudo, Standard, and Restricted) to different device groups. For example, your DevOps team might need Sudo access while all other developers remain restricted.

If a device in your fleet exhibits behavior that’s a deviation from policy, this new feature will alert admins in the console.

For Admins:

  • Configure fleet-wide or group-specific access mode expectations.
  • Get alerted when enforcement doesn’t match reality.

For Your Team:

  • Developers stay within approved boundaries but can still use brew where permitted.

Console Access Modes and Alerting is now available on all plans.

Dynamically-Targeted Policies

If teams within your company have different needs, Workbrew now enables multiple policies that apply to specific device groups or individual devices.

Targeted enforcement

Whether you’re managing a small set of machines for internal tooling, or enforcing strict controls on production systems, you can now tailor policies to your exact use case.

For Admins:

  • Apply different rules to different teams, roles, or device types.
  • Use tighter controls where needed without affecting the rest of your fleet.

For Your Team:

  • Developers get the freedom they need within appropriate boundaries.

Dynamically-Targeted Policies are now available on Pro and Enterprise plans.

Streamlined Control for Default Packages

New features for Default Packages in the Workbrew Console eliminate duplication of effort and boost efficiency for admins and users.

“Brew Adopt” for existing apps

If a device already has an app installed and it matches a Default Package, Workbrew converts it into a managed cask automatically. No duplicate installs, no disruption.

Reduced friction around quarantine prompts

Casks installed via Default Packages now skip macOS quarantine warnings. End users won’t see “Are you sure you want to open this app?” for apps installed by IT.

For Admins:

  • Keep all desktop apps in your fleet centrally managed with brew
  • Reduce re-installs and duplication when deploying software.

For Your Team:

  • Apps show up ready to use, with no prompts or duplicate versions.

Brew Adopt & No Quarantine Prompts for Default Packages are now available on all plans.

Scannable and Actionable Policy Management

These new features provide easy-to-parse information for admins in real-time.

Daily policy violation digests

Receive a daily summary of policy violations for forbidden packages. Each alert includes links to affected devices, contextual information on the package, and quick actions to resolve issues.

Alerts with emoji tagging

Notifications now use a clear noun + verb emoji pattern in email subject lines and slack/webhook notifications (like ‘🏃⛔’ for a run failure)-to help you triage at a glance. Use them to configure notification filters wherever you receive those.

Multi-destination notifications

You can now set multiple user emails or webhook destinations for alerts.

Actionable CVE Alerts: Smarter, Faster, Safer

In the 1.3 release, CVE alerts include links to affected devices, public CVE records, package details, and one-click upgrade actions.

For Admins:

  • Get more useful alerts with better filtering and clearer actions.
  • Route notifications to the right people, not just a shared inbox.

For Your Team:

  • Less noise, more clarity-and faster security response when it counts.

Policy Violation Digests and More Actionable CVE alerts are now available on Pro and Enterprise plans.

Multi-destination Notifications and Emoji Notifications are available on all plans.

A Sleek, Speedy Workbrew Console

The Workbrew Console gets a glow up in 1.3-engineered for speed, clarity, and confidence.

Visual Brewfile editor

  • Edit default packages effortlessly with a drag-and-drop interface
  • Use autocomplete for formulae, casks, and taps to eliminate guesswork
  • No deep brew expertise required-just point, click, and customize

Quickly add multiple packages to any list

Search for a category of packages and add all matching results to a policy or default packages list with one click.

It’s especially helpful when setting policies by type. For example, you could forbid all VPN tools in one go, rather than selecting each one manually.

Table filters and search

Tailored Reporting, simplified. Pages for Packages, Taps, Licenses, Vulnerabilities, and Device Groups now support sorting and filtering across columns.

Quickly explore your data to answer questions like:

  • Which packages are the least used across my fleet?
  • How many critical vulnerabilities are active?
  • Which device groups have elevated privileges like Sudo?

Apply filters, sort by what matters, and export exactly what you see-perfect for generating focused, custom reports without extra cleanup.

Tools for large fleets: Only show ‘leaf’ packages by default

The Packages page now defaults to showing only explicitly-installed formulae in the ‘Formulae’ tab. This hides automatic dependencies for a cleaner, more actionable view. Or, switch to the ‘Formulae with Dependencies' tab if you want to see all formulae.

Dependency removal warnings

Workbrew warns you when you try to forbid a formula that other packages depend on. You’ll know what’s at risk before you break anything.

Full Device Visibility for Every Package

Package-level insights now include a detailed list of all devices where the package is installed.

From this view, you can take direct action-including setting uninstall policies across all listed devices with a single click.

For Admins:

  • Act faster with filters, warnings, and quick actions that prevent missteps.
  • Spend less time navigating, more time resolving.

For Your Team:

  • Fewer surprises, smoother installs, and quicker fixes when things need changing.

These Console UX Improvements are available on all plans.

Workbrew 1.3 gives teams greater control without slowing anyone down. From access mode enforcement to smart software adoption and faster admin workflows, this release helps you manage complexity at scale.

Have questions or ideas? Get in touch-we’d love to hear from you.

Code Block

#!/bin/bash
# Check for Homebrew in supported installation paths.

if [[ -x "/opt/homebrew/bin/brew" ]] ||
   [[ -x "/usr/local/bin/brew" ]] ||
   [[ -x "/home/linuxbrew/.linuxbrew/bin/brew" ]]
then
  echo "Homebrew is installed."
  exit 0
else
  echo "Homebrew is not installed."
  exit 1
fi

Workbrew 1.3 brings precision and visibility to IT teams at scale. This release strengthens device access controls, improves default software rollout, enhances policy notifications, and streamlines the Console experience.

Enforce Access Modes with Confidence

Workbrew 1.3 enforces access mode boundaries precisely, alerting admins when devices no longer meet standards.

Protect against self-installs on Standard devices

In this fix, devices in Standard mode cannot self-install casks. In 1.3 users can no longer install GUI apps via ​​brew install --cask [app_name] without admin involvement.

Alerts for access mode violations

Workbrew flags devices whose actual permissions don’t match the expected access mode. If a device is behaving like it’s in Sudo mode when it shouldn’t be, you’ll be alerted of access mode violations in the dashboard, and weekly email reports.

Access modes per device group

Workbrew enables admins to assign access modes (Sudo, Standard, and Restricted) to different device groups. For example, your DevOps team might need Sudo access while all other developers remain restricted.

If a device in your fleet exhibits behavior that’s a deviation from policy, this new feature will alert admins in the console.

For Admins:

  • Configure fleet-wide or group-specific access mode expectations.
  • Get alerted when enforcement doesn’t match reality.

For Your Team:

  • Developers stay within approved boundaries but can still use brew where permitted.

Console Access Modes and Alerting is now available on all plans.

Dynamically-Targeted Policies

If teams within your company have different needs, Workbrew now enables multiple policies that apply to specific device groups or individual devices.

Targeted enforcement

Whether you’re managing a small set of machines for internal tooling, or enforcing strict controls on production systems, you can now tailor policies to your exact use case.

For Admins:

  • Apply different rules to different teams, roles, or device types.
  • Use tighter controls where needed without affecting the rest of your fleet.

For Your Team:

  • Developers get the freedom they need within appropriate boundaries.

Dynamically-Targeted Policies are now available on Pro and Enterprise plans.

Streamlined Control for Default Packages

New features for Default Packages in the Workbrew Console eliminate duplication of effort and boost efficiency for admins and users.

“Brew Adopt” for existing apps

If a device already has an app installed and it matches a Default Package, Workbrew converts it into a managed cask automatically. No duplicate installs, no disruption.

Reduced friction around quarantine prompts

Casks installed via Default Packages now skip macOS quarantine warnings. End users won’t see “Are you sure you want to open this app?” for apps installed by IT.

For Admins:

  • Keep all desktop apps in your fleet centrally managed with brew
  • Reduce re-installs and duplication when deploying software.

For Your Team:

  • Apps show up ready to use, with no prompts or duplicate versions.

Brew Adopt & No Quarantine Prompts for Default Packages are now available on all plans.

Scannable and Actionable Policy Management

These new features provide easy-to-parse information for admins in real-time.

Daily policy violation digests

Receive a daily summary of policy violations for forbidden packages. Each alert includes links to affected devices, contextual information on the package, and quick actions to resolve issues.

Alerts with emoji tagging

Notifications now use a clear noun + verb emoji pattern in email subject lines and slack/webhook notifications (like ‘🏃⛔’ for a run failure)-to help you triage at a glance. Use them to configure notification filters wherever you receive those.

Multi-destination notifications

You can now set multiple user emails or webhook destinations for alerts.

Actionable CVE Alerts: Smarter, Faster, Safer

In the 1.3 release, CVE alerts include links to affected devices, public CVE records, package details, and one-click upgrade actions.

For Admins:

  • Get more useful alerts with better filtering and clearer actions.
  • Route notifications to the right people, not just a shared inbox.

For Your Team:

  • Less noise, more clarity-and faster security response when it counts.

Policy Violation Digests and More Actionable CVE alerts are now available on Pro and Enterprise plans.

Multi-destination Notifications and Emoji Notifications are available on all plans.

A Sleek, Speedy Workbrew Console

The Workbrew Console gets a glow up in 1.3-engineered for speed, clarity, and confidence.

Visual Brewfile editor

  • Edit default packages effortlessly with a drag-and-drop interface
  • Use autocomplete for formulae, casks, and taps to eliminate guesswork
  • No deep brew expertise required-just point, click, and customize

Quickly add multiple packages to any list

Search for a category of packages and add all matching results to a policy or default packages list with one click.

It’s especially helpful when setting policies by type. For example, you could forbid all VPN tools in one go, rather than selecting each one manually.

Table filters and search

Tailored Reporting, simplified. Pages for Packages, Taps, Licenses, Vulnerabilities, and Device Groups now support sorting and filtering across columns.

Quickly explore your data to answer questions like:

  • Which packages are the least used across my fleet?
  • How many critical vulnerabilities are active?
  • Which device groups have elevated privileges like Sudo?

Apply filters, sort by what matters, and export exactly what you see-perfect for generating focused, custom reports without extra cleanup.

Tools for large fleets: Only show ‘leaf’ packages by default

The Packages page now defaults to showing only explicitly-installed formulae in the ‘Formulae’ tab. This hides automatic dependencies for a cleaner, more actionable view. Or, switch to the ‘Formulae with Dependencies' tab if you want to see all formulae.

Dependency removal warnings

Workbrew warns you when you try to forbid a formula that other packages depend on. You’ll know what’s at risk before you break anything.

Full Device Visibility for Every Package

Package-level insights now include a detailed list of all devices where the package is installed.

From this view, you can take direct action-including setting uninstall policies across all listed devices with a single click.

For Admins:

  • Act faster with filters, warnings, and quick actions that prevent missteps.
  • Spend less time navigating, more time resolving.

For Your Team:

  • Fewer surprises, smoother installs, and quicker fixes when things need changing.

These Console UX Improvements are available on all plans.

Workbrew 1.3 gives teams greater control without slowing anyone down. From access mode enforcement to smart software adoption and faster admin workflows, this release helps you manage complexity at scale.

Have questions or ideas? Get in touch-we’d love to hear from you.

3. IT Admins have questions. We weren’t sure what to expect, but so many folks had specific implementation queries. Others were curious about what Workbrew is up to. It was a non-stop flow of awesome conversations, and we ran out of Homebrew Cheat Sheets and Implementation Guides.

4. MacAd.UK has great bean bag chairs – the Chill-Out Zone was a super comfortable place to talk about CVEs.

5. The wonderful MacAdmins Foundation offers grants for folks who want to attend but aren’t in a position to fund the trip. For those looking to attend MacAdmins PSU, their applications are open.    

A big thank you to the MacAD.UK team and we’re excited to be back next year.

If you missed it, check out Brandon’s talk on Balancing the Needs of IT, Security, & Engineering Teams at Scale

3. IT Admins have questions. We weren’t sure what to expect, but so many folks had specific implementation queries. Others were curious about what Workbrew is up to. It was a non-stop flow of awesome conversations, and we ran out of Homebrew Cheat Sheets and Implementation Guides.

4. MacAD.UK has great bean bag chairs – the Chill-Out Zone was a super comfortable place to talk about CVEs.

5. The wonderful MacAdmins Foundation offers grants for folks who want to attend but aren’t in a position to fund the trip. For those looking to attend MacAdmins PSU, their applications are open.    

A big thank you to the MacAD.UK team and we’re excited to be back next year.

If you missed it, check out my talk on Balancing the Needs of IT, Security, & Engineering Teams at Scale

Code Block

#!/bin/bash
# Check for Homebrew in supported installation paths.

if [[ -x "/opt/homebrew/bin/brew" ]] ||
   [[ -x "/usr/local/bin/brew" ]] ||
   [[ -x "/home/linuxbrew/.linuxbrew/bin/brew" ]]
then
  echo "Homebrew is installed."
  exit 0
else
  echo "Homebrew is not installed."
  exit 1
fi
Never miss an update

Subscribe for the latest blogs, events, and exclusive content—delivered to your inbox.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.