Adding Users to the workbrew_users Group via MDM
Petros Amoiridis
After deploying the Workbrew Agent, the brew CLI is available to all users in the admin or workbrew_users groups. This guide explains how to deploy a script via your Mobile Device Management (MDM) platform to add users to the workbrew_users group. These users appear as "Standard" in the Workbrew Console.
Summary
| MDM | User Variable Available | Recommended Approach |
|---|---|---|
| Jamf Pro | $3 (login policies only) | Dynamic detection with stat |
| Kandji | None | Dynamic detection with stat |
| Fleet | None for scripts | Dynamic detection with stat |
| JumpCloud | None | Dynamic detection with scutil |
| Intune | None | Dynamic detection with stat |
All MDMs can reliably use the dynamic detection approach, which determines the logged-in user at script execution time using macOS system commands.
Overview
The core command to add a user to the workbrew_users group is:
```bash
dseditgroup -o edit -a "USERNAME" -t user workbrew_users
```
The challenge is determining the correct username to add. There are two approaches:
- Dynamic detection: detect the currently logged-in user at script execution time
- MDM variable substitution: use your MDM's variable system to inject the username
Each MDM handles this differently. This guide provides specific instructions for supported MDM platforms. Having trouble with your MDM, or have you found an issue in the instructions? Let us know.
Jamf Pro
Jamf provides the $3 parameter containing the current username, but this only works reliably during login/logout policies or Self Service execution. For broader reliability, detect the logged-in user dynamically.
Option 1: Script with dynamic user detection (recommended)
This approach works regardless of when the policy runs.
Step 1: Create the script
- Navigate to Settings > Computer Management > Scripts
- Click New
- Configure:
  - Display Name: Add User to workbrew_users Group
  - Category: (optional) Select an appropriate category
- In the Script tab, paste:

```bash
#!/bin/bash
# Get the currently logged-in user
CURRENT_USER=$(/usr/bin/stat -f%Su /dev/console)
# Verify a user is logged in (not loginwindow or root)
if [ "$CURRENT_USER" = "loginwindow" ] || [ "$CURRENT_USER" = "root" ] || [ -z "$CURRENT_USER" ]; then
  echo "No user currently logged in. Exiting."
  exit 1
fi
# Add the user to workbrew_users group
/usr/sbin/dseditgroup -o edit -a "$CURRENT_USER" -t user workbrew_users
if [ $? -eq 0 ]; then
  echo "Successfully added $CURRENT_USER to workbrew_users group"
else
  echo "Failed to add $CURRENT_USER to workbrew_users group"
  exit 1
fi
```

- Click Save
Step 2: Create a policy
- Navigate to Computers > Policies
- Click New
- Configure:
  - Display Name: Add User to Workbrew Users Group
  - Trigger: Select appropriate triggers:
    - Login - runs when users log in
    - Recurring Check-in - runs periodically
    - Enrollment Complete - runs after device enrollment
  - Execution Frequency: Once per computer or Once per user
- In the Scripts payload, add the script you created in Step 1
- Scope: Select the target computers or smart groups
- Click Save
Option 2: Using the $3 parameter (login policies only)
If you only need to run this during login, you can use Jamf's built-in $3 parameter:
```bash
#!/bin/bash
# $3 is populated by Jamf with the username during login policies
USERNAME="$3"
if [ -z "$USERNAME" ]; then
  echo "Username not provided. Exiting."
  exit 1
fi
/usr/sbin/dseditgroup -o edit -a "$USERNAME" -t user workbrew_users
```

Note: The $3 parameter is only reliably populated during login/logout triggers and Self Service executions.
Kandji
Kandji doesn't provide built-in user variables for custom scripts. Scripts must detect the logged-in user dynamically using macOS system commands.
Step 1: Create a custom script
- Navigate to Library in the left sidebar
- Click Add new and select Custom Script
- Configure:
  - Name: Add User to workbrew_users Group
  - Audit Script: (leave empty or use for verification)
  - Remediation Script: Paste the script below
  - Execution Frequency: Select Run once per device or as needed

```zsh
#!/bin/zsh
# Get the currently logged-in user
CURRENT_USER=$(/usr/bin/stat -f%Su /dev/console)
# Verify a user is logged in
if [[ "$CURRENT_USER" == "loginwindow" ]] || [[ "$CURRENT_USER" == "root" ]] || [[ -z "$CURRENT_USER" ]]; then
  echo "No user currently logged in. Exiting."
  exit 1
fi
# Add the user to workbrew_users group
/usr/sbin/dseditgroup -o edit -a "$CURRENT_USER" -t user workbrew_users
if [[ $? -eq 0 ]]; then
  echo "Successfully added $CURRENT_USER to workbrew_users group"
  exit 0
else
  echo "Failed to add $CURRENT_USER to workbrew_users group"
  exit 1
fi
```

- Click Save
Step 2: Assign to blueprints
- Go to Blueprints in the left sidebar
- Select the Blueprints where you want to deploy the script
- Click Add Library Item
- Search for and select Add User to workbrew_users Group
- Click Add
The script will run automatically on devices assigned to the Blueprint.
Optional: Audit script for compliance checking
You can add an audit script to verify users are in the group:
```zsh
#!/bin/zsh
CURRENT_USER=$(/usr/bin/stat -f%Su /dev/console)
if [[ "$CURRENT_USER" == "loginwindow" ]] || [[ -z "$CURRENT_USER" ]]; then
  exit 0 # No user logged in, skip check
fi
# Check if user is in workbrew_users group
if /usr/sbin/dseditgroup -o checkmember -m "$CURRENT_USER" workbrew_users &>/dev/null; then
  echo "$CURRENT_USER is already in workbrew_users group"
  exit 0
else
  echo "$CURRENT_USER is not in workbrew_users group"
  exit 1 # Triggers remediation script
fi
```
Fleet
Fleet supports script execution on macOS devices. You can deploy the script through the Fleet web interface or via GitOps.
Option 1: Via the Fleet web interface
- Navigate to Controls > Scripts
- Click Add script
- Upload a script file or paste the following:

```bash
#!/bin/bash
# Get the currently logged-in user
CURRENT_USER=$(/usr/bin/stat -f%Su /dev/console)
# Verify a user is logged in
if [ "$CURRENT_USER" = "loginwindow" ] || [ "$CURRENT_USER" = "root" ] || [ -z "$CURRENT_USER" ]; then
  echo "No user currently logged in. Exiting."
  exit 1
fi
# Add the user to workbrew_users group
/usr/sbin/dseditgroup -o edit -a "$CURRENT_USER" -t user workbrew_users
if [ $? -eq 0 ]; then
  echo "Successfully added $CURRENT_USER to workbrew_users group"
else
  echo "Failed to add $CURRENT_USER to workbrew_users group"
  exit 1
fi
```

- Name the script add-user-to-workbrew-users.sh
- Click Save
Running the script
To run the script on devices:
- Navigate to Hosts and select the target hosts
- Click Actions > Run script
- Select add-user-to-workbrew-users.sh
- Click Run

Or run on multiple hosts using fleetctl:

```bash
fleetctl run-script --script-path ./add-user-to-workbrew-users.sh --hosts "host1,host2"
```
Option 2: Via GitOps
Add the script to your Fleet GitOps repository:
- Create scripts/add-user-to-workbrew-users.sh with the script content from Option 1
- Reference it in your default.yml or team YAML file:

```yaml
controls:
  scripts:
    - path: scripts/add-user-to-workbrew-users.sh
```

- Commit and push. The script will be available in Fleet after synchronization.
JumpCloud
JumpCloud executes macOS commands as root by default. You can add users to the workbrew_users group using a Command.
Step 1: Create a command
- Navigate to Device Management > Commands
- Click + to create a new command
- Configure:
  - Name: Add User to workbrew_users Group
  - Command Type: Select Mac
  - Run As: Select root
- In the Command field, paste:

```bash
#!/bin/bash
# Get the currently logged-in user
CURRENT_USER=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }')
# Verify a user is logged in
if [ -z "$CURRENT_USER" ] || [ "$CURRENT_USER" = "loginwindow" ]; then
  echo "No user currently logged in. Exiting."
  exit 1
fi
# Add the user to workbrew_users group
/usr/sbin/dseditgroup -o edit -a "$CURRENT_USER" -t user workbrew_users
if [ $? -eq 0 ]; then
  echo "Successfully added $CURRENT_USER to workbrew_users group"
else
  echo "Failed to add $CURRENT_USER to workbrew_users group"
  exit 1
fi
```

- Click Save
Step 2: Assign devices
- In the command configuration, go to the Devices tab
- Select the devices or device groups where you want to run the command
- Click Save
Step 3: Run the command
You can run the command:
- Manually: Click Run to execute immediately on assigned devices
- On a schedule: Configure a schedule in the command settings under Schedule
- Via trigger: Set up event-based triggers if available
Verifying execution
After running the command:
- Go to Commands > select your command
- Click Results to view execution status and output for each device
Microsoft Intune
Intune supports shell script deployment on macOS devices. The script runs via the Microsoft Intune management agent.
Prerequisites
- Devices must run macOS 12.0 or later
- Devices must have the Microsoft Intune management agent installed
- Devices must have Intune enrollment completed
Step 1: Create the script file
Create a file named add-user-to-workbrew-users.sh with the following content:
```bash
#!/bin/bash
# Get the currently logged-in user
CURRENT_USER=$(/usr/bin/stat -f%Su /dev/console)
# Verify a user is logged in
if [ "$CURRENT_USER" = "loginwindow" ] || [ "$CURRENT_USER" = "root" ] || [ -z "$CURRENT_USER" ]; then
  echo "No user currently logged in. Exiting."
  exit 1
fi
# Add the user to workbrew_users group
/usr/sbin/dseditgroup -o edit -a "$CURRENT_USER" -t user workbrew_users
if [ $? -eq 0 ]; then
  echo "Successfully added $CURRENT_USER to workbrew_users group"
  exit 0
else
  echo "Failed to add $CURRENT_USER to workbrew_users group"
  exit 1
fi
```
Step 2: Deploy via Intune
- Sign in to the Microsoft Intune admin center
- Navigate to Devices > macOS > Shell scripts
- Click Add
- Configure the Basics tab:
  - Name: Add User to workbrew_users Group
  - Description: (optional) Adds the logged-in user to the workbrew_users group for Workbrew access
- In the Script settings tab:
  - Upload script: Upload add-user-to-workbrew-users.sh
  - Run script as signed-in user: No (script needs root to modify group membership)
  - Hide script notifications on devices: Yes (optional)
  - Script frequency: Select appropriate frequency:
    - Not configured - runs once
    - Every 1 day/week - for ongoing enforcement
  - Max number of times to retry if script fails: 3
- In the Assignments tab:
  - Click Add groups and select the device groups to target
  - Or use Add all users / Add all devices as appropriate
- Review and click Create
Monitoring deployment
- Navigate to Devices > macOS > Shell scripts
- Select your script
- Click Device status or User status to view execution results
- Check for success/failure status and troubleshoot as needed
Troubleshooting
If the script fails:
- Verify that the device has the Microsoft Intune management agent installed
- Check that a user has logged in when the script runs
- Review the Intune management extension logs on the device: /Library/Logs/Microsoft/Intune/
Troubleshooting
Common Issues
"No user currently logged in" error
The script requires a user to have logged in at the Mac's login window. If the script runs before a user logs in (for example, during initial enrollment), it will fail. Solutions:
- Configure the script to run on the login trigger (Jamf)
- Schedule the script to run after enrollment completes
- Use a retry mechanism or recurring schedule
User not added to group
Verify the group exists by running on the device:
```bash
dseditgroup -o read workbrew_users
```
If the group doesn't exist, the Workbrew Agent installation may have failed.
Checking group membership
To verify that the script added a user successfully:
```bash
dseditgroup -o checkmember -m "username" workbrew_users
```

Or list all members:

```bash
dscl . -read /Groups/workbrew_users GroupMembership
```
Script variations
If you need to add a specific user (not the currently logged-in user), you can modify the script to accept a username parameter or hardcode it:
```bash
#!/bin/bash
USERNAME="specific_username"
/usr/sbin/dseditgroup -o edit -a "$USERNAME" -t user workbrew_users
```
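A combined variant, added here as an example and not part of Workbrew's documentation: it takes an explicit account name (Jamf's $3, a hardcoded value or a script parameter) and otherwise falls back to the console user like the scripts above, validates the name, confirms the local account exists, and skips the edit when the user is already a member. The function names and the macOS-only guard are my own; the dseditgroup, dscl and stat calls are the ones used elsewhere on this page.

```shell
#!/bin/bash
# Added example, not Workbrew's own script. Assumes macOS and root (every MDM
# on this page runs scripts as root); written in POSIX sh syntax.
set -u
GROUP="workbrew_users"

# Accept only plain account names: reject empty names, root, the login window
# pseudo-user, service accounts (leading underscore, e.g. the Setup Assistant
# user _mbsetupuser that owns /dev/console during enrollment), option-like
# names, and any character outside [A-Za-z0-9._-].
valid_username() {
  case "$1" in
    ""|root|loginwindow|_*|-*) return 1 ;;
    *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# An explicit argument (Jamf's $3, a hardcoded value, a command-line parameter)
# wins; otherwise fall back to the owner of /dev/console as the page's scripts do.
resolve_target_user() {
  if [ -n "${1:-}" ]; then printf '%s\n' "$1"; else /usr/bin/stat -f%Su /dev/console 2>/dev/null; fi
}

# A typo in a hardcoded name must fail loudly rather than silently grant nothing.
account_exists() {
  /usr/sbin/dscl . -read "/Users/$1" RecordName >/dev/null 2>&1
}

add_to_group() {
  user="$1"
  if ! valid_username "$user"; then
    echo "Refusing to add '$user': not a regular account name" >&2; return 1
  fi
  if ! account_exists "$user"; then
    echo "Refusing to add '$user': no such local account" >&2; return 1
  fi
  # Already a member: nothing to do, so repeated MDM runs stay idempotent.
  if /usr/sbin/dseditgroup -o checkmember -m "$user" "$GROUP" >/dev/null 2>&1; then
    echo "$user is already in $GROUP"; return 0
  fi
  /usr/sbin/dseditgroup -o edit -a "$user" -t user "$GROUP" && echo "Added $user to $GROUP"
}

# Entry point, guarded so the directory commands only run on macOS.
if [ "$(uname)" = "Darwin" ]; then
  add_to_group "$(resolve_target_user "${1:-}")"
fi
```

Run it as `./add-user.sh jdoe` to target a named account, or with no argument to use the console user.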