Workbrew streamlines secure, automated Homebrew package deployment for macOS, integrating seamlessly with Fleet to give IT teams centralized device management. Homebrew is the de-factor package manager on macOS, installed on tens of millions of devices and offering more than 15,000 packages. With zero-touch deployment, policy enforcement, and real-time monitoring, Workbrew lets you leverage the power of Homebrew, whilst ensuring compliance and eliminating security risks.
By the end of this deployment guide you will:
Before you begin following this guide, you should:
Are you an experienced Fleet administrator? These steps will get you up and going quickly. Read on for more detailed explanations.
Workbrew is installed using a signed .pkg file, which installs several components:
In addition to installing the Workbrew .pkg on each device, you must run a (bash) script which connects the Workbrew agent to your Workbrew Console. The script also installs Command Line Tools for Xcode if your devices do not already have it. The Workbrew Console connection wizard will guide you through customization to your install script.
You can deploy the Workbrew .pkg as a custom package, with the setup script appended to the default installation script. When creating the package, you can choose the hosts to deploy Workbrew through setting a target, and can optionally enable both self-service and automatic installation.
In brief, you will perform these steps to ready Workbrew for deployment:
To populate your Workbrew Console with information about your devices and users, Workbrew requires Read-Only API access to your Fleet instance. In Fleet, API tokens belong to user accounts, and tokens for regular users expire. API-only user tokens do not expire, and allow for more secure management of tokens, so recommend always using an API-only user for token generation.
Follow the instructions in the Fleet Documentation to Create an API-only user. Save the resulting token for the next step.
The API token created in the previous step will allow Workbrew to read from your Fleet instance using the API. In this section, you will register Fleet as your MDM of choice within Workbrew.
The Workbrew .pkg installs Workbrew, including the agent, CLI, and Homebrew. In this section, you will add the package to Fleet so that it can be distributed to your selected hosts. It can also optionally be made available via self service.
Download the package, and then follow the instructions under Add a custom package, stopping once you reach “To customize installer behavior, click on “Advanced options.”.
At this point, expand Advanced options. Edit the install script and append the Workbrew setup script you saved in the previous step, after the existing content. Both the contents of the install script box and the Workbrew setup script begin with `#!/bin/bash`: when pasting in the Workbrew setup script, remove the `#!/bin/bash` so that only one `#!/bin/bash` remains in the first line of the install script box.
Click Add software to complete the process and add Workbrew to Fleet.
Workbrew will be distributed to the hosts chosen in target when setting up the custom package. If you skipped that step or need to add assignments in the future, you can access the package through Software and edit it to add additional targets. Once Workbrew has been deployed to a device, it will appear on the Workbrew Console.
Workbrew simplifies large-scale device management through integrations with MDM provders SimpleMDM, Jamf, Kandji, and Fleet.
Read More