Webinar: Managing Macs with Intune: security, scale, & the modern enterprise fleet
Register to attend
Security and Compliance
Guide

How to block cask self-installs for Standard users

Petros Amoiridis

By default, Standard users can self-install casks the same way they would with vanilla Homebrew. If your organization needs to restrict which casks Standard users can install, or block cask self-installs entirely, follow the steps for your plan below.

Enterprise: create a Cask Allowlist

A Cask Allowlist Policy lets you define exactly which casks Standard users are permitted to self-install. Any cask not on the list is blocked. This only applies to device-user-invoked commands. Brew Commands pushed from the Workbrew Console are not affected.

Allow specific casks only

  1. Go to Policies in the sidebar
  2. Click New Brew Policy > Casks Allowlist
  3. Search for and add the casks you want to permit (for example visual-studio-code, zoom, slack)
  4. Choose the Device Group to target (or All Devices)
  5. Click Create Brew policy

Standard users on targeted Devices can now only self-install casks that appear on this list. All other cask self-installs are blocked.

Block all cask self-installs

To forbid all cask self-installs for Standard users, create a Cask Allowlist with no casks:

  1. Go to Policies in the sidebar
  2. Click New Brew Policy > Casks Allowlist
  3. Do not add any casks to the list
  4. Choose the Device Group to target (or All Devices)
  5. Click Create Brew policy

An empty Cask Allowlist blocks all cask self-installs for the targeted Standard users. You can still provision casks to these users via Default Packages or Brew Commands from the Workbrew Console.

Pro: create a Brew Configuration

Pro plans do not have access to Cask Allowlist Policies. Instead, you can create a Brew Configuration that sets the HOMEBREW_FORBID_CASKS environment variable.

  1. Go to Brew Configurations in the sidebar
  2. Click New Brew Configuration
  3. Set the variable name to HOMEBREW_FORBID_CASKS and the value to 1
  4. Choose the Device Group to target (or All Devices)
  5. Click Create Brew Configuration

This blocks all cask self-installs for Standard users on targeted Devices.

Note that unlike a Cask Allowlist, this Brew Configuration is global: it also blocks cask installs and upgrades pushed from the Workbrew Console. If you need to install or upgrade a specific cask via the Workbrew Console, temporarily remove the Brew Configuration for that Device or Device Group first.

Free plan

Free plans do not have access to Cask Allowlist Policies or Brew Configurations. Standard users on Free Workspaces can self-install any cask.

If you need cask restrictions, consider upgrading to Pro or Enterprise. See workbrew.com/pricing for details.