
Managed brew access

Petros Amoiridis

Managed brew access grants Standard Users on managed Macs access to the brew CLI without requiring administrator privileges. Access can be configured via your MDM or through the Workbrew Console setting. When enabled, the Workbrew Agent identifies Human User Accounts on each Device at every check-in and adds them to the workbrew_users group. This feature is macOS-only.

How Human User Accounts are identified

The Workbrew Agent queries Directory Services to enumerate all user accounts on the Device, then excludes:

  • Accounts whose username starts with _ (system service accounts such as _spotlight)
  • Accounts marked as hidden in Directory Services
  • The nobody account
  • Accounts with a UID of 500 or below

From the remaining accounts, only those with a Secure Token are added to workbrew_users. Secure Token is a macOS concept that gates FileVault and certain administrative operations. It is present on accounts used for interactive login, making it a reliable proxy for identifying Human User Accounts.

Edge cases

  • Accounts without a Secure Token do not receive access, even if they belong to a real person.
  • Service or shared accounts that have a Secure Token may be included unexpectedly.
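The two-stage selection described above (exclusion rules, then the Secure Token check) and both edge cases can be reproduced with a short audit script. The following is an added example written for this page, not Workbrew's own agent code. It assumes a constructed record format of `username uid hidden` (hidden is 1 when the account is marked hidden), that `dscl . -list /Users UniqueID` and the `IsHidden` attribute can supply those records on a real Mac, and that `sysadminctl -secureTokenStatus` reports the word `ENABLED` for accounts holding a Secure Token. The sample directory and token table are constructed so the logic runs anywhere:

```shell
#!/bin/sh
# Added example (not Workbrew's code): reproduce the Human User Account
# selection the page describes. Records are "username uid hidden" lines,
# e.g. "alice 501 0". They can come from dscl on a Mac (collect_records)
# or from the constructed sample below.

# Stage 1: exclusion rules from the page: leading underscore, hidden,
# the nobody account, UID of 500 or below.
filter_candidates() {
  awk '
    $1 ~ /^_/        { next }   # system service accounts such as _spotlight
    $3 == 1          { next }   # hidden in Directory Services
    $1 == "nobody"   { next }
    ($2 + 0) <= 500  { next }   # UID of 500 or below
    { print $1 }
  '
}

# Stage 2: Secure Token check. If TOKEN_TABLE (newline-separated names) is
# set, use it as a constructed lookup; otherwise ask sysadminctl, which on
# macOS prints "Secure token is ENABLED for user <name>" (assumed wording).
has_secure_token() {
  user="$1"
  if [ -n "${TOKEN_TABLE:-}" ]; then
    printf '%s\n' "$TOKEN_TABLE" | grep -qxF "$user"
  else
    sysadminctl -secureTokenStatus "$user" 2>&1 | grep -q 'ENABLED'
  fi
}

# Candidates that also hold a Secure Token: the accounts that would end up
# in workbrew_users.
select_human_accounts() {
  filter_candidates | while IFS= read -r user; do
    if has_secure_token "$user"; then
      printf '%s\n' "$user"
    fi
  done
}

# Live record collection on a Mac (requires dscl; not used by the sample run).
collect_records() {
  dscl . -list /Users UniqueID | while read -r name uid; do
    hidden=$(dscl . -read "/Users/$name" IsHidden 2>/dev/null | awk '{print $2}')
    printf '%s %s %s\n' "$name" "$uid" "${hidden:-0}"
  done
}

# Constructed sample directory: a service account, root, nobody, two people,
# a hidden MDM-created admin and a shared service account above UID 500.
SAMPLE_RECORDS='_spotlight 89 0
root 0 0
nobody -2 0
alice 501 0
bob 502 0
mdmadmin 503 1
svc-backup 504 0'

# Constructed token table: alice and the shared service account hold a
# Secure Token; bob (a real person) does not.
SAMPLE_TOKENS='alice
svc-backup'

# Run the selection over the sample data and print who would be granted.
audit_sample() {
  TOKEN_TABLE="$SAMPLE_TOKENS"
  export TOKEN_TABLE
  printf '%s\n' "$SAMPLE_RECORDS" | select_human_accounts
}
```

Running `audit_sample` yields `alice` and `svc-backup`: bob is dropped despite being a person (no Secure Token, the first edge case), while the shared service account is included because it has one (the second edge case). To audit a real Mac, pipe `collect_records` into `select_human_accounts` with `TOKEN_TABLE` unset and compare the result against `dscl . -read /Groups/workbrew_users GroupMembership`.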

Operational notes

  • Disabling the setting does not revoke existing access from users who currently have it. Access can be revoked via your MDM.
  • Changes take effect on the next Device check-in.
  • Accounts already in the admin group have brew access independently of this setting and appear as "Granted via Sudo" in the Console.