Webinar: Your First Homebrew Package: Simplifying Internal Software Delivery
Register to attend
Security and Compliance
Tutorial

Declare policies to block software packages

Petros Amoiridis

Workbrew uses declarative policies to define which software device users can or can't install with Homebrew.

You can define policies to block installation of packages by forbidding associated casks, formulae, and software licenses.

Once you have defined a policy, you have the option to automatically uninstall any existing installed packages across your fleet that are in violation of your policy.

In the future, if an end user tries to install a forbidden package, they will encounter a message with information on how to contact you when a policy keeps them from installing software they need:

$ brew install [package]
...
Error: The installation of [package] was forbidden by your Workbrew administrator
in `HOMEBREW_FORBIDDEN_FORMULAE`.
Reach out to john.doe@example.com for assistance..

Once escalated, you can then work with the developer to figure out next steps.

Forbid Casks

Casks are the packages in Homebrew that install binaries from elsewhere (that is not open-source software built by Homebrew). These are most commonly used for installing desktop applications. You can use casks to install things like 1Password, Google Chrome or Visual Studio Code, or many other Mac desktop apps.

You can forbid casks for your fleet:

  1. Navigate to the Policies page in the console
  2. Scroll to Policies
  3. Click on New Brew Policy
  4. Select Forbidden Casks
  5. Search for specific casks or keywords (like 'VPN') and click Select all items to add them to the policy
  6. Click the Device Group dropdown to target a device groups or all devices
  7. Click Create Brew policy

Forbid Formulae

Formulae are build instructions for packages installed by Homebrew. You can forbid specific packages for your fleet:

  1. Navigate to the Policies page in the console.
  2. Scroll to Policies
  3. Click on New Brew Policy
  4. Select Forbidden Formulae
  5. Add one or more formulae
  6. Click the Device Group dropdown to target a device groups or all devices
  7. Click Create Brew policy

Forbid Licenses

Workbrew lets you define policies that balance developer productivity with security and compliance by letting you limit the packages developers can install based on the packages’ licenses:

  1. Navigate to the Policies page in the console
  2. Scroll to Policies
  3. Click on New Brew Policy
  4. Select Forbidden Licenses
  5. Add one or more licenses
  6. Click the Device Group dropdown to target a device groups or all devices
  7. Click Create Brew policy

Update policies

You can update or destroy your policy at any time:

  1. Navigate to the Policies page in the console
  2. Scroll to Policies
  3. Click on the policy you want to update or destroy