Webinar: Managing Macs with Intune: security, scale, & the modern enterprise fleet
Register to attend
Deployment Guides
Hexnode

Workbrew Deployment Guide: Hexnode

Workbrew streamlines secure, automated Homebrew package deployment for macOS, integrating seamlessly with Hexnode UEM to give IT teams centralized device management. Homebrew is the de-factor package manager on macOS, installed on tens of millions of devices and offering more than 15,000 packages. With zero-touch deployment, policy enforcement, and real-time monitoring, Workbrew lets you leverage the power of Homebrew, whilst ensuring compliance and eliminating security risks.

Outcomes

By the end of this deployment guide you will:

  • Understand the available mechanisms to deploy Workbrew through Hexnode UEM,

  • Configure Hexnode UEM to allow Workbrew to manage your fleet's Homebrew installations,

  • Be ready to deploy Workbrew to your devices.

Pre-requisites

Before you begin following this guide, you should:

  • Have access to a Hexnode UEM instance,

    • with user privileges to:

      • Access API settings (Admin > API),

      • Add enterprise apps,

      • Create and manage policies,

      • Manage device group assignments.

  • A Workbrew workspace:

  • Be aware of the system requirements for Workbrew (and Homebrew):

    • Everything Homebrew requires:

      • An Apple Silicon CPU or 64-bit Intel CPU.

      • macOS Ventura (13) (or higher) installed on officially supported hardware.

      • The Bourne-again shell for installation (i.e. bash).

      • Don't worry about the Command Line Tools (CLT) for Xcode requirement, Xcode CLT will be installed as part of deployment.

    • Device enrolled in Hexnode UEM.

    • User account in the admin group or in the workbrew_users group

Quickstart

Are you an experienced Hexnode administrator? These steps will get you up and going quickly. Read on for more detailed explanations.

  1. In Hexnode, navigate to Admin > API and copy your API key from the Configure API section.

  2. In the Workbrew console, enter the workspace settings and select Hexnode as the MDM Type. Enter your Hexnode Host and API Key, and then save the Workbrew Workspace API key and installation script.

  3. In Hexnode, add the Workbrew .pkg as a new Enterprise App for macOS.

  4. In Hexnode, create a new Device Policy with a Required Apps configuration for macOS. Add the Workbrew app and configure the Workbrew Workspace API key and installation script as a pre-install script. Assign the policy to your target devices or device groups.

  5. In the Workbrew console, after deployment to a device, check Devices to ensure the expected device appears (please be aware that device inventory is updated periodically, not in real time).

  6. If needed, check the Troubleshooting guide and FAQ or contact us for support.

Deployment Overview

Workbrew is installed using a signed .pkg file, which installs several components:

  • The Workbrew agent.

  • The Secure Workbrew CLI, a wrapper around the standard Homebrew CLI.

In addition to installing the Workbrew .pkg on each device, you must run a (bash) script which connects the Workbrew agent to your Workbrew Console. The script also installs Command Line Tools for Xcode if your devices do not already have it. The Workbrew Console connection wizard will guide you through customization to your install script.

You can deploy the Workbrew .pkg as an Enterprise App with a pre-install script for the setup script, using a Required Apps policy to deploy it to your enrolled devices.

In brief, you will perform these steps to ready Workbrew for deployment:

  • Create a Hexnode API key,

  • Complete the Workbrew Console connection wizard, adding the API key in the process,

  • Add the Workbrew Package as an Enterprise App in Hexnode,

  • Create a Required Apps policy with a pre-install script and assign it to your target devices.

Connecting Workbrew

Creating an API Key in Hexnode

To populate your Workbrew Console with information about your devices and users, Workbrew requires Read-Only API access to your Hexnode UEM instance. In this section, you will create an API key with sufficient permissions and retain the credentials for input into Workbrew.

In Hexnode:

  • 1. Navigate to the Admin tab.

  • 2. Select API from the left sidebar.

  • 3. Under Configure API, click the lock icon next to Your API key to reveal the key.

  • 4. Copy and securely save the API key. You will enter this into Workbrew to connect it to Hexnode.

Add Hexnode to your Workbrew workspace

The API key created in the previous step will allow Workbrew to read from your Hexnode instance using the API. In this section, you will register Hexnode as your MDM of choice within Workbrew.

  • From the Workbrew Console, select Settings. Ensure you are in the Workspace tab.

  • Under MDM Type, select "Hexnode".

  • Under Hexnode Host, enter the hostname for your Hexnode instance (e.g., workbrew.hexnodemdm.com).

  • In the Hexnode API Key field, enter the API key generated in the previous section.

  • Click Update Workspace.

  • Open Workbrew Workspace API key and installation script, copy the script, and store it for later. This script will run as a pre-install script in the Required Apps policy.

Preparing the deployment artifacts

Add the package

The Workbrew .pkg installs Workbrew, including the agent, CLI, and Homebrew. In this section, you will add the package to Hexnode as an Enterprise App so that it can be distributed through a policy.

Download the package, and then in Hexnode:

  • 1. Navigate to the Apps tab.

  • 2. Click +Add Apps, then select Enterprise App.

  • 3. Select macOS as the platform (the laptop icon).

  • 4. Enter "Workbrew" as the App Name.

  • 5. Upload the downloaded Workbrew .pkg.

  • 6. Set a Category and Description for the app (both are required).

  • 7. Click Add.

Create a Required Apps policy with the pre-install script

The Workbrew Workspace API key and installation script saved earlier prepares the device for a Workbrew installation, setting environment variables for workspace directories and the Workbrew Workspace API key. It also installs a Homebrew dependency, Command Line Tools for Xcode, using MacOS's softwareupdate utility. In this section, you will create a policy that deploys the Workbrew .pkg with the setup script as a pre-install script.

In Hexnode:

  • 1. Navigate to the Policies tab.

  • 2. Click Create under Device Policies, then select Create a fully custom policy.

  • 3. Name the policy "Deploy Workbrew".

  • 4. Navigate to macOS > App Management > Required Apps.

  • 5. Click Configure, then click +Add and select Add App.

  • 6. Choose the Workbrew enterprise app from the list and add it.

  • 7. Click the Configure button next to the Workbrew app (under the Scripts column) to open the script configuration window.

  • 8. Under Pre-install script, save the Workbrew Workspace API key and installation script to a .sh file on your computer and upload it. Set the Binary path to /bin/bash.

  • 9. Click Save on the script configuration window.

  • 10. Under Policy Targets, click +Add Devices (or select Device Groups from the left pane) to assign the policy to your target devices.

  • 11. Click Save.

Deployment

Once the policy is saved and assigned, Hexnode will deploy the pre-install script and Workbrew .pkg to the target devices. The pre-install script runs before the package is installed, ensuring the device is configured to connect to your Workbrew workspace.

You may want to deploy to one or more test devices first to verify the deployment and ensure devices connect to Workbrew and are visible in the console. Workbrew devices check-in on a periodic basis, so it may take a little while for a new device to appear in your console.

For ongoing management, you can assign additional devices or device groups to the policy from the Policies tab in Hexnode.

Support

Have suggestions or feedback? Submit a general inquiry here.