Webinar: Cask Vulnerability Reporting: Closing the Mac Fleet Security Gap
Register now
Tutorial

Allow installation of packages from third party Taps

Joe Nash

Taps are how Homebrew organizes and distributes packages. The official Taps, Homebrew/core and Homebrew/cask, follow strict guidelines that reduce the risk of malicious or unmaintained software. Any other Tap is a third-party Tap.

Workbrew does not restrict which Taps Device users can install from by default. The practical limit comes from Homebrew's tap trust: from Homebrew 6 onward, packages from a third-party Tap are ignored until that Tap is trusted, and Standard users cannot grant that trust themselves. So a Device user who taps a third-party Tap may find its packages ignored as untrusted:

Warning: The following taps are not trusted:
  acme/tap

Homebrew is currently ignoring formulae, casks and commands from these taps because tap trust is required.

Creating an Allowed Taps policy addresses both sides at once: it permits installs from the Taps you list and trusts them across the targeted Devices, so Device users can install from them without running brew trust. For background, see How Workbrew handles Homebrew Tap trust.

CAUTION: Only allow third-party taps from trusted sources. Third-party taps don't meet the same strict guidelines as Homebrew/core and Homebrew/cask and may increase your risk of running malicious or unmaintained software. For guidance on vetting a tap's owner before allowing it, see Choosing which Taps to allow.

  1. Navigate to the Policies page in the console
  2. Click on New Brew Policy
  3. Select Allowed Taps
  4. Select taps to add
  5. Click the Device Group dropdown to target a Device Group, or all Devices
  6. Click Create Brew policy

We use cookies to analyze traffic and improve your experience. You can accept all cookies or decline non-essential ones. Read our Privacy Policy for details.