Getting Started
Reference

Frequently asked questions

Luke Hefson & Joe Nash

How can I install Workbrew on my Device?

See the guide on how to manually install Workbrew on a Device. For MDM-based deployments, see the deployment guides.

How do you upgrade the Workbrew Installer?

The Workbrew Installer is automatically and periodically upgraded. If you wish to upgrade manually, download the latest Workbrew Installer .pkg for macOS (or .sh for Linux/Windows Subsystem for Linux (in beta)) and install it on your Device.

How often do Devices send information and run commands?

The Workbrew Agent on Devices will send information to and run commands from the Workbrew Console every 15 minutes (assuming they're awake and connected to the internet). You can force a Device to check in by running brew update or sudo launchctl kickstart -k system/com.workbrew.workbrew-agent.

Which users can run brew on a Device?

After Workbrew deployment, the brew CLI is available to all users in the admin or workbrew_users groups.

Users with administrator privileges (the admin group) implicitly have brew CLI access. The Workbrew Console reports this as "Granted via Sudo".

We recommend granting brew CLI access to all Standard Users on your Devices. This can be done through Managed brew access in the Workbrew Console, which automatically identifies Human User Accounts and adds them to the workbrew_users group, or by adding users to the workbrew_users group via MDM. The Workbrew Console reports this as "Granted via Workbrew".

Users with brew access can self-install formulae and casks, subject to any Policies. Policies are enforced universally for all users, regardless of whether they are in the admin or workbrew_users group. Administrators can restrict or block cask self-installs and provision casks via Default Packages.

Users not in either group cannot run brew and are reported as "Access Denied" in the Workbrew Console.

What happens if Workbrew is installed on a Device but not added as on the Devices page?

Devices configured with an API key will automatically add (and re-add) themselves to the Workbrew Console's Devices page. Devices not configured with an API key will use the Workbrew improved security configuration (for example multiple users) but can't communicate with the Workbrew Console.

Why does Workbrew need to add a /etc/sudoers.d/workbrew file?

Some casks (never formulae) installed via Homebrew require sudo access to complete their installation. Since sudo normally prompts end-users for a password, that doesn’t work well for installs that are centrally managed via Workbrew. To handle this securely and non-interactively:

  • Workbrew adds a config file at /etc/sudoers.d/workbrew
  • This file grants passwordless sudo access, but only to a specific system user: _workbrewd
  • _workbrewd is the user account that runs the Workbrew Agent, which is a background daemon
  • This limited sudo access allows Workbrew to safely and silently install those packages without giving broader root privileges to end-users and maintain the principle of least privilege

How can I uninstall Workbrew?

Run the uninstaller by executing sudo /opt/workbrew/sbin/uninstall from a Terminal. This will bring the Device back to ‘vanilla’ Homebrew (e.g. /opt/homebrew/bin/brew).

How do I contact Workbrew?

Please see the Contact page.

We use cookies to analyze traffic and improve your experience. You can accept all cookies or decline non-essential ones. Read our Privacy Policy for details.