Webinar "Unlocking Developer Productivity" on 17 April
Register to Attend →
← Back to all documentation
Deployment Guide

Workbrew Deployment Guide: Kandji

Workbrew streamlines secure, automated Homebrew package deployment for macOS, integrating seamlessly with Kandji to give IT teams centralized device management. Homebrew is the de-factor package manager on macOS, installed on tens of millions of devices and offering more than 15,000 packages. With zero-touch deployment, policy enforcement, and real-time monitoring, Workbrew lets you leverage the power of Homebrew, whilst ensuring compliance and eliminating security risks.

Table of Contents

Outcomes

By the end of this deployment guide you will:

  • Understand the available mechanisms to deploy Workbrew through Kandji,
  • Configure Kandji to allow Workbrew to manage your fleet’s Homebrew installations,
  • Be ready to deploy Workbrew to your devices.
Download PDF Version

Pre-requisites

Before you begin following this guide, you should:

  • Have access to a Kandji instance,  
    • with user privileges to:
      • Create an API token and manage token permissions,
      • Manage Library Items,
      • Manage Blueprints.
  • A Workbrew workspace:
  • Be aware of the system requirements for Workbrew (and Homebrew):
    • Everything Homebrew requires:
      • An Apple Silicon CPU or 64-bit Intel CPU.
      • macOS Ventura (13) (or higher) installed on officially supported hardware.
      • The Bourne-again shell for installation (i.e. bash).
      • Don’t worry about the Command Line Tools (CLT) for Xcode requirement, Xcode CLT will be installed as part of deployment.
    • Device enrolled in Kandji.
    • User account in the `admin` group or in the `workbrew_users` group

Quickstart

Are you an experienced Kandji administrator? These steps will get you up and going quickly. Read on for more detailed explanations.

  1. In Kandji, create an API Token with “Device ID” and “Device list” permissions.
  2. In the Workbrew console, enter the workspace settings and select Kandji as the MDM Type. Enter your Kandji API token, and then save the Workbrew Workspace API key and installation script.
  3. In Kandji, add the Workbrew .pkg as a new Custom App. Add the Workbrew Workspace API key and installation script as a pre-installation script.
  4. In Kandji, create a new Assignment Map Blueprint.
  5. In the Workbrew console, after deployment to a device, check Devices to ensure the expected device appears (please be aware that device inventory is updated periodically, not in real time).
  6. If needed, check the Troubleshooting guide and FAQ or contact us for support.

Deployment Overview

Workbrew is installed using a signed .pkg file, which installs several components:

  • The Workbrew agent.
  • The Secure Workbrew CLI, a wrapper around the standard Homebrew CLI.

In addition to installing the Workbrew .pkg on each device, you must run a (bash) script which connects the Workbrew agent to your Workbrew Console. The script also installs Command Line Tools for Xcode if your devices do not already have it. The Workbrew Console connection wizard will guide you through customization to your install script.

You can deploy the Workbrew .pkg as a Custom App with a pre-installation script for the setup script, using the Assignment Map Blueprint detailed in the following. You can use the Assignment Map to deploy Workbrew to your enrolled devices, or enable Self Service on the Custom App to allow users to install at their leisure.

In brief, you will perform these steps to ready Workbrew for deployment:

  • Create a Kandji API Token,
  • Complete the Workbrew Console connection wizard, adding the API Token in the process,
  • Add the Workbrew Package and setup script to Kandji,
  • Create an Assignment Map for Workbrew to install the Custom App,
  • Optionally, make the Custom App available for self service.

Connecting Workbrew

Creating an API Token in Kandji

To populate your Workbrew Console with information about your devices and users, Workbrew requires Read-Only API access to your Kandji instance. In this section, you will create an API Token with sufficient permissions and retain the credentials for input into Workbrew.

To complete this step, follow the instructions in the Kandji Documentation to Generate an API Token until you reach the following numbered steps:

  • 4. Enter “Workbrew Console API Token” as the token’s name.
  • 7. Ensure you copy your token and save it for later.
  • 8. Add both “Device ID” and “Device list” permissions to the token.
  • 10. Copy and save your API URL for later.

Add Kandji to your Workbrew workspace

The API Token created in the previous step will allow Workbrew to read from your Kandji instance using the API. In this section, you will register Kandji as your MDM of choice within Workbrew.

  • From the Workbrew Console, select MDM.
  • Under MDM Type, select “Kandji”.
  • Under Kandji Host, enter the API URL and port number (if applicable) for your Kandji instance.
  • In the Kandji API Token field, enter the Kandji API Token generated in the previous section.
  • Click Update Workspace.
  • Open Workbrew Workspace API key and installation script, copy the script, and store it for later. This script will run as a pre-installation script in the Custom App.

Preparing the deployment artifacts

Add the package

The Workbrew .pkg installs Workbrew, including the agent, CLI, and Homebrew. In this section, you will add the package to Kandji so that it can be distributed as part of the Workbrew installation Assignment Map Blueprint. It can also optionally be made available via self service.

Download the package, and then follow the instructions under Add an App to your Kandji library until you reach the following numbered step:

  • 5:
    • Custom App Name: Enter “Workbrew installation package and script”.
    • Skip “Give the Custom App an Assignment of one or many Blueprints” for now, we will create an Assignment Map in the next step.
    • Execution Frequency: Choose your desired installation frequency based on your internal policies.
    • Choose Package Type: Select “Installer Package”.
    • Pre-install Script: Insert the Workbrew Workspace API key and installation script saved in the previous step.
    • Upload Installer: Select the downloaded Workbrew .pkg.
    • Restart after successful install: Restarting after install is not necessary.

On this page,  you can also enable users to install the app through self service by toggling the control in the top right of the “Self Service” pane. This may be useful if your Execution Frequency is any option other than enforced, e.g. if selecting “Install once per device”, a user who removes Workbrew from their device can later reinstall it via Self Service if their needs change.

Deployment

The Custom App will be deployed through an Assignment Map Blueprint. In this step, you will create an Assignment Map and add the Workbrew Custom App to it.

Follow the steps in Creating an Assignment Map until you reach the following numbered step:

  • 5. Name your Assignment Map “Workbrew installation”.

Next, follow the steps in Adding Library Items to an Assignment Map until you reach the following numbered step:

  • 4. Add the Workbrew installation package and script Custom App created earlier.

You can now assign or enroll devices to this Assignment Map from the Devices tab. Once Workbrew has been deployed to a device, it will appear on the Workbrew Console.

Support

Learn More

Workbrew "Works With" SimpleMDM, Jamf, Kandji & Fleet

Workbrew simplifies large-scale device management through integrations with MDM provders SimpleMDM, Jamf, Kandji, and Fleet.

Read More