<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
    <channel>
        <title><![CDATA[Workbrew Blog - Secure software delivery platform]]></title>
        <description><![CDATA[Read the latest from the Workbrew Crew.]]></description>
        <link>https://workbrew.com/blog</link>
        <image>
            <url>https://workbrew.com/workbrew-logo.svg</url>
            <title>Workbrew Blog - Secure software delivery platform</title>
            <link>https://workbrew.com/blog</link>
        </image>
        <generator>RSS for Node</generator>
        <lastBuildDate>Wed, 20 May 2026 21:30:34 GMT</lastBuildDate>
        <atom:link href="https://workbrew.com/blog/rss.xml" rel="self" type="application/rss+xml"/>
        <pubDate>Wed, 20 May 2026 21:30:34 GMT</pubDate>
        <language><![CDATA[en]]></language>
        <item>
            <title><![CDATA["They're taking my brew away": A practical guide to managing Homebrew]]></title>
            <description><![CDATA[[Homebrew](https://workbrew.com/homebrew) used to be an engineering team problem. It isn't anymore. AI-assisted development has turned marketing analysts, ops teams, and product managers into people who install packages. Most of them have no idea what [Homebrew](https://workbrew.com/homebrew) actually is, or that it's now sitting on their machine. The attack surface that used to stop at your engineering floor now runs through the whole organisation, and open source supply chain attacks are accelerating.

This is a practical guide for the IT admin who has to do something about it without breaking everything in the process.

**TL;DR:** Start with visibility, not policy. Meet developers in the tool they already love. Workbrew's free plan gets you full fleet visibility in minutes. No developer disruption, no policy decisions required upfront. [Start for free.](https://workbrew.com/free) 

### **Start with visibility, not policy**

The instinct when faced with a policy problem is to write the policy first. That's the wrong order here.

Before restricting anything, understanding what's actually installed across the fleet changes the conversation significantly. It gives IT concrete data rather than hypothetical exposure to bring to security. It surfaces the actual scope of the problem, which is frequently larger than expected and makes the case for action more clearly than any threat report. And it lets you open the conversation with everyone else, including engineers, as "we're adding visibility without disruption" rather than "we're introducing restrictions." Most people don't have strong feelings about being visible. They do have strong feelings about being blocked.

Workbrew's free plan is a useful starting point here. It gives IT fleet-wide visibility into what's installed across every machine, with no policy decisions required and no impact on developers, so you can understand the actual scope before deciding what to do about it.

### **How to unite the teams**

Developers make the most noise when something changes in their workflow, and they're usually right to. [Homebrew](https://workbrew.com/homebrew) is where a significant portion of their daily work happens: installing dependencies, managing versions, keeping local environments running. Any change that introduces friction there gets felt immediately and loudly.

The framing that works is meeting them in the tool they already use. Imagine your developers being able to self-serve package requests directly through brew. No ticket, no waiting, no workaround, with IT having visibility into what gets installed and the ability to set guardrails where they actually matter. That's a different conversation than "we're managing your package manager." It's closer to "your workflow gets better and we get the oversight we need."

> "Our engineers need immediate access to the latest tools, but we couldn't afford chaos with unchecked installs. Workbrew provided the perfect solution, blending the flexibility our team loves from Homebrew with essential oversight."
>
> **Frode Lundgren, CTO, [Vespa.ai](http://Vespa.ai)**

Security gets the audit trail they need to answer compliance questions and respond to incidents. Leadership gets a credible answer for the auditor. Developers get to stay in the tool they love, with fewer restrictions than before because IT can now demonstrate the fleet is under control rather than asking security to take their word for it.

## **Being an empowered connector**

When the security team asks what's running on developer machines and you can pull up a full report rather than shrug, the dynamic of that conversation changes completely. You're no longer in the dark or scrambling for data. It becomes a fluid, of-the-moment update that unites teams to act appropriately.

Getting fleet visibility before being asked for it puts you in a position to bring the answer rather than react to the problem. You can walk into the security conversation with data, the developer conversation with reassurance, and the leadership conversation with evidence. The IT team stops being the people who slow things down and becomes the team that connects everyone's needs without making anyone change the way they work.

### **Tooling that meets everyone where they are**

Most existing approaches to this problem break down because they were designed for a narrower one. Approval queues and blocked installs work poorly enough with engineering teams who understand the trade-offs. Applied to a broader population of people who just want their pipeline to run, they generate confusion rather than compliance.

Workbrew is built around a different premise. Developers keep using brew exactly as they always have — same command, same output, same Brewfiles. Non-engineers who don’t know they installed [Homebrew](https://workbrew.com/homebrew) for a specific tool don't notice anything different but are kept safe. Fleet visibility and policy enforcement happen beneath the workflow, which means IT gets what it needs without becoming the team that broke everyone's machine.

When a CVE drops, affected machines across the whole fleet are identifiable immediately. When an auditor asks what's running on developer machines, there's a real answer. When security asks for a report, it exists.

The IT teams that get ahead of this are the ones who can walk into any room and say with confidence: we know what's running, we know where, and we didn't have to break anything to find out.

Workbrew's [free plan](https://workbrew.com/free) gets you fleet visibility from day one. No developer disruption, no policy decisions required upfront.]]></description>
            <link>https://workbrew.com/blog/managing-homebrew</link>
            <guid isPermaLink="false">https://workbrew.com/blog/managing-homebrew</guid>
            <dc:creator><![CDATA[Kitty Shephard]]></dc:creator>
            <pubDate>Mon, 18 May 2026 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/6903b609c82b9ee559724459_Frame%2028.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Managed Brew Access]]></title>
            <description><![CDATA[A common pattern on managed macOS fleets looks something like this: developers run as Standard users, [Homebrew](https://workbrew.com/homebrew) needs elevated privileges for parts of its installation and maintenance workflow, and IT teams end up stitching together temporary admin access through MDM scripts or a PAM solution.

That arrangement usually works, but it has a few awkward edges. Admin elevation flows are often broader than they need to be, local admin membership tends to linger longer than intended, and troubleshooting becomes harder because the system managing brew access is disconnected from the system managing the rest of the device.

Workbrew already improved parts of this flow by allowing [Homebrew](https://workbrew.com/homebrew) CLI access for Standard users, without granting full local admin privileges. In practice though, enabling that access still required administrators to find and add users to the `workbrew_users` group through MDM scripts.

Managed Brew Access closes that gap. It moves `brew` access management into Workbrew itself, so the Console state and the device state are describing the same thing.

## The old workflow

Before Managed Brew Access, granting `brew` access in a Workbrew-managed environment usually meant coordinating two separate systems. Workbrew handled package management, Brewfiles, telemetry, and policy enforcement. Separately, an MDM script managed the local `workbrew_users` group to determine which users could actually use the brew CLI.

A device could appear correctly configured in the Console while still lacking functional `brew` access locally. A newly enrolled machine might receive Workbrew immediately, but not receive the correct local group membership until another script is executed later. Different MDM platforms handled this differently, which meant support and onboarding behaviour varied between environments.

The configuration itself was also easy to drift. Many teams ended up with shell scripts containing commands such as:

```
dseditgroup -o edit -a "$USER" -t user workbrew_users
```

Over time those scripts accumulated exceptions for shared devices, temporary contractors, migration scenarios, or local account naming inconsistencies. None of that logic was visible from the Workbrew Console, even though the outcome directly affected whether Workbrew actually worked for the user sitting at the machine.

## What Managed Brew Access changes

Managed Brew Access moves user access management into Workbrew's device configuration model. Instead of separately managing `workbrew_users`, administrators can now configure brew access policies directly through Workbrew. Devices enforce those policies locally, and the Console reflects the state that is actually intended to exist on the machine.

This changes the system behaviour in a few useful ways. First, deployment becomes simpler. Once Workbrew is installed, `brew` access can be managed without additional MDM scripting glue. The access model becomes part of the Workbrew configuration itself rather than an adjacent provisioning workflow.

Second, the Console stops representing a partially enforced state. Previously, an administrator could configure a desired mode in Workbrew while relying on external scripts to make the device match that configuration. Managed Brew Access removes that split responsibility.

Third, access management becomes narrower in scope. Teams no longer need to temporarily elevate users into local admin groups simply to allow [Homebrew](https://workbrew.com/homebrew) usage. The device can permit brew operations without broadening privileges elsewhere on the system.

### How it works on the device

Under the hood, Workbrew continues to rely on the `workbrew_users` group locally. But now, the Workbrew agent reconciles access policy from the Console and updates local membership automatically. Devices periodically converge toward the configured state in the same way they already do for package state and Brewfile enforcement.

That convergence model is important operationally because it means brew access behaves consistently with the rest of the Workbrew platform. Administrators are no longer maintaining a second synchronization mechanism through custom scripts.

In practice this also improves troubleshooting. If a user reports that `brew install` fails unexpectedly, administrators can inspect the device state directly through Workbrew rather than tracing through MDM execution history or trying to determine whether a provisioning script actually ran.

### Standard users and Homebrew

Many organizations intentionally avoid permanent local admin access because it widens the blast radius for accidental system modification and credential misuse. At the same time, developers and technical users still need package management tools that behave predictably during day-to-day work.

That tension pushes many teams toward temporary admin elevation workflows. A developer needs to update a formula, the system prompts for escalation, an admin token gets issued briefly, and then hopefully revoked later.

Managed Brew Access keeps the operational model narrower. Users can interact with [Homebrew](https://workbrew.com/homebrew) without receiving broader local administrative privileges that extend beyond package management itself.

For teams already standardizing on Workbrew, that also means fewer moving parts around onboarding. Devices that receive Workbrew configuration can receive `brew` access through the same control plane, rather than requiring separate enrollment logic to make the CLI usable.

### Simplified deployments

For teams already using Workbrew, enabling Managed Brew Access means simplifying infrastructure rather than adding more. Existing MDM scripts that manipulate `workbrew_users` can often be removed entirely. Temporary admin workflows built specifically around [Homebrew](https://workbrew.com/homebrew) access become less necessary. New device enrollment paths get shorter because fewer systems are coordinating access behind the scenes.

The resulting setup is simpler mostly because the responsibilities are more clearly separated. MDM remains responsible for device enrollment and baseline management. Workbrew becomes responsible for [Homebrew](https://workbrew.com/homebrew) access and package state. The system enforcing `brew` policy is now the same system presenting brew policy to administrators.

Whether you're managing a handful of Macs or an entire fleet, Managed Brew Access is included on every plan, even free. [Create your Free Workspace](https://workbrew.com/free) and hit the ground running with our [documentation.](https://workbrew.com/docs)]]></description>
            <link>https://workbrew.com/blog/managed-brew-access</link>
            <guid isPermaLink="false">https://workbrew.com/blog/managed-brew-access</guid>
            <dc:creator><![CDATA[Joe Nash]]></dc:creator>
            <pubDate>Thu, 07 May 2026 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/67d1d9100e967c4cddc4a3fd_Frame%204.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Workbrew 1.8 release notes]]></title>
            <description><![CDATA[Workbrew 1.8 is about closing the gap between oversight and autonomy. Admins get sharper tools: a smarter package catalog, a more actionable dashboard, and a new MDM integration. Developers get a path forward when they hit a wall. 

## Package Requests

![](/content/blog/1.7-release-notes/package-requests.gif)

When a Standard user tries to install an app blocked by a Cask allowlist policy, running `brew workbrew request <cask-name>` sends a request directly to their admin — no need to context-switch to Slack or Jira to file a ticket. The request is triggered right in the Terminal, where developers are already working. Admins pick it up in the Console, approve or deny with a single action, and choose whether the approval applies to a device group or the whole workspace.

Every request, approval, and denial lands in the Activity Log, so there’s a full audit trail from request to resolution. [There’s a lot more to it, read the feature deep-dive on our blog.](https://workbrew.com/blog/package-requests)

**For Admins**:

- Review and action all pending package requests in one place
- Approve to a specific device group or workspace-wide
- Every request, approval, and denial recorded in the Activity Log

**For Your Team**:

- Request apps from the Terminal without context-switching to Slack or Jira
- Get notified on next agent check-in when a request is approved or denied

**Package requests** are now available on Enterprise plans.

## Package Tags

![](/content/blog/1.8-release-notes/package-tags.gif)

The official Homebrew taps have tens of thousands of packages that serve many different needs. When a new package request comes in, or you’re building out a policy, you have to ask: is this a developer tool? A security scanner? A database client? Until now, the answer required going off and doing research on each and every package.

Workbrew now automatically tags every formula and cask in the catalog, synced directly into the Console. The catalog is fully searchable and sortable by tag. Click into a category and you can filter by all packages in that category, or narrow it down to just the ones installed across your fleet, with device counts so you know exactly how widely something is deployed. Click into any individual package and you’ll see every tag it’s been assigned, giving you the full picture before you make a call.

Package Tags give admins the context to make better allow, disallow, and block decisions, without having to go digging.

**For Admins**:

- Browse and search the full Homebrew catalog by category
- Filter any category to see only packages installed in your fleet, with per-device counts
- Understand what a package does before deciding how to handle it in policy
- Build allowlists and policies at the category level, not just package by package

**Package Tags** are now available on Pro and Enterprise plans.

## A More Actionable Dashboard

![](/content/blog/1.8-release-notes/dashboard-redesign.gif)

The [Workbrew dashboard](https://workbrew.com/blog/dashboard-redesign) has been rebuilt from the ground up. Read the full story of the redesign in Emil’s post on our blog.

The summary tiles are gone. In their place: focused tabs for Recent Activity (pulling directly from the Activity Log), pending Package Requests, Policy Violations, Outdated Packages, and Outdated Devices. Act on violating packages more quickly, with direct actions to uninstall packages from affected devices.

**For Admins**:

- See which recent events need your attention
- Act on policy violations directly without having to navigate to a separate page
- Outdated packages are ranked by fleet-wide impact, not alphabetically

Dashboard widgets are gated depending on the features available on your plan.

## Mosyle and Hexnode MDM Integrations

![](/content/blog/1.8-release-notes/image1.png)

Workbrew now integrates with [Mosyle](https://workbrew.com/works-with/mosyle) and [Hexnode](https://workbrew.com/works-with/hexnode). Connect either account and Workbrew syncs your device inventory and device groups automatically, keeping your fleet organized without manual upkeep.

**For Admins**:

- Connect Mosyle or Hexnode as your MDM provider
- Sync device groups from your MDM into Workbrew
- Manage Homebrew software across your managed fleet without MDM scripting

Available on all plans. [Deployment guides](https://workbrew.com/docs/deployment-guides) available. 

## Quality of Life Improvements

### Workspace Owner

![](/content/blog/1.8-release-notes/image2.png)

Workspaces now have a designated owner, shown with a badge on the Members page. The owner is the only person who can delete the workspace or modify the subscription, creating a separation between account ownership and day-to-day administrative access.

### Better Brew Wrapper Guidance

When brew’s wrapper check fails — usually because the Workbrew agent isn’t running or brew access isn’t configured — users now see a link to the relevant help article instead of a bare error. Less head-scratching, faster resolution.

## What's next?

That’s Workbrew 1.8. As always, we’d love your feedback. [Reach out](https://workbrew.com/contact) and let us know what you think. 

Not on our mailing list yet? [Subscribe here](https://workbrew.com/subscribe) to get release notes delivered to your inbox.
]]></description>
            <link>https://workbrew.com/blog/workbrew-1-8</link>
            <guid isPermaLink="false">https://workbrew.com/blog/workbrew-1-8</guid>
            <dc:creator><![CDATA[Luke Hefson]]></dc:creator>
            <pubDate>Fri, 24 Apr 2026 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/67c0c01a53bac8d22583a92d_Frame%2012.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Building support at Workbrew]]></title>
            <description><![CDATA[If you run a technical product for long enough, the support inbox becomes one of the most useful sources of information about the product itself. It is where the environments you did not expect show up, where assumptions break down, and where you discover how people are actually using the product. No product manager could predict every variation in device fleets, policies and security tooling used by real organizations, and Workbrew is blessed with *very* creative customers that push the product in new and exciting directions.

The support conversations we have with customers are therefore not just about fixing individual issues: they are the fastest way to understand the real challenges that IT admins of macOS fleets face, and what tools Workbrew gives them to overcome them. Most importantly, they may reveal tools that Workbrew could give them in the future.

Workbrew needed someone who could craft and drive a support organization able to make the most of that challenge: solving customer issues while also distilling requirements and identifying product and documentation opportunities. Enter Petros.

### From programming to support

[Petros](https://www.linkedin.com/in/petrolidas/) came to support from engineering, having spent the first twelve years of his career working as a programmer and technical lead. Much of that time involved talking directly with customers about the systems he was building, an experience that shaped how he approaches customer problems.

Petros eventually moved into support full time when he joined GitHub. At the time the company was growing quickly and the support team was expanding along with it. Over the next nine years he worked in technical support and later managed the team, eventually becoming Director of Support Engineering. The role involved helping the organisation handle a rapidly increasing number of users while still keeping support conversations useful and technical.

After GitHub he joined GitBook as Head of Support, where his role transformed again. Instead of working inside an established organisation he was responsible for building the support function itself. That meant deciding how requests should be handled, how the team should communicate with product and engineering, and what kind of information needed to flow between those groups.

Workbrew is earlier in its life than either of those companies were, which is part of what makes the role interesting. At a young company the line between support and product is still fairly thin. When a customer reports a problem, the person investigating it may also be able to help remove the underlying issue entirely.

### What support conversations reveal

In support, customers rarely contact you with neat, isolated questions. Most messages contain several problems at once, mixed together with the context that led up to them. This can result in a frustrating experience for the customer, who feels they have written a detailed message explaining what happened, and who often receives a reply that answers part of it but not all of it. It is rarely intentional, but it happens often enough that people learn to expect it.

Petros tries to avoid that pattern by reading messages carefully before responding. If someone took the time to explain their situation, the least we can do is make sure the reply actually addresses what they wrote. It’s not always possible to provide an answer or solution to every problem right away, but by at least acknowledging each part of the email, the customer knows they are heard and that their queries are being handled.

Keeping conversations moving even when the answer is not immediately clear is something Petros considers a hallmark of good support. Many support issues require some investigation, and in those situations the worst outcome for the customer is usually silence. A short update explaining what is being checked is often enough to reassure someone that their issue has not disappeared into a queue.

### Handling support requests

Support conversations also tend to begin when something has already gone wrong. The customer may be trying to complete a task under time pressure, or they may have encountered behaviour that does not match what they expected. In those situations even routine diagnostic questions can feel frustrating.

Products like Workbrew often require quite a bit of context before an issue becomes clear. Logs, configuration details, and the steps that led to the problem all help narrow down what actually happened. Asking for that information is sometimes unavoidable, but explaining why it matters usually makes the process easier to work through.

Over time those conversations start to reveal patterns. Certain workflows turn out to be confusing. Certain pieces of documentation assume more prior knowledge than they should. Occasionally a feature behaves in a way that made sense when it was implemented but causes problems in real deployments. Those signals are valuable because they point to improvements that benefit everyone using the product.

### Fixing the underlying problem

The best outcome for a support issue is often not the resolution of a single ticket but the removal of the problem entirely. Sometimes that means fixing a bug, or improving documentation so that the next person encountering the same situation can solve it themselves. 

Startups have an advantage here. The distance between a support conversation and a product change is often short. When a pattern appears it is usually possible to bring it directly to engineering or product discussions and adjust the system before it becomes a recurring problem. Support therefore becomes a useful source of product feedback rather than just a queue of requests.

### Helping us help you

Customers can help with this process as well. One of the most common challenges in support is the message that simply says something does not work. It is an understandable starting point, but it leaves a lot of questions unanswered. The most helpful requests usually include a short description of what someone was trying to do, what they expected to happen, and what actually happened instead.

Screenshots, logs, and the steps that led to the issue make it much easier to recreate the situation and understand what went wrong. Even when a problem eventually needs to be escalated to engineering, that context helps us present the issue clearly so it can be investigated quickly.

Workbrew’s customers also come from a wide range of backgrounds. Some of the people contacting us manage large fleets of devices and have spent years working with macOS administration tools. Others are interacting with a Workbrew managed device as part of their normal work and may not think of themselves as technical users at all. Good support means adapting explanations so that each person gets the information they need without unnecessary complexity.

### Building support early

One of the advantages of building support early in a company’s life is that these conversations can influence how the product grows. The goal is not just to respond to problems but to learn from them. Over time that feedback loop tends to produce clearer documentation, better workflows, and fewer surprises for the people using the product.

That process is already underway at Workbrew, and it is one of the areas where Petros’ experience helps the most. Support conversations often reveal where the product needs to become clearer or more resilient. When those signals are fed back into engineering and product work quickly, many of the issues that first appear in the inbox never need to appear there again.]]></description>
            <link>https://workbrew.com/blog/building-support-at-workbrew</link>
            <guid isPermaLink="false">https://workbrew.com/blog/building-support-at-workbrew</guid>
            <dc:creator><![CDATA[Petros Amoiridis & Joe Nash]]></dc:creator>
            <pubDate>Tue, 14 Apr 2026 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/6746eaa8db0283c961cc6f96_what-is-homebrew-1.avif" length="0" type="image/avif"/>
        </item>
        <item>
            <title><![CDATA[Workbrew dashboard redesign: less noise, more actionable insights]]></title>
            <description><![CDATA[Dashboards tend to accumulate information over time. Each new metric, additional status column, and alert category made sense when it was added. The cumulative effect is a dashboard that requires a lot of interpretation before anything useful happens. You end up with IT admins triaging noise instead of responding to real problems, and security teams reconstructing a picture of fleet health from a dozen separate views.

### Where teams ran into friction

When we looked at how teams were actually using the console, a few patterns stood out. IT admins were navigating between views to answer questions that should have been answerable from a single place. Security practitioners were pulling data into external tools to get the compliance overview they needed. The information architecture wasn't built to serve any of them particularly well.

### Built for how your teams actually work

The redesign centres on navigation and information hierarchy rather than adding new functionality. The most relevant information is now surfaced at the top level, without requiring a drill-down to find it.

![](/content/blog/1.8-release-notes/dashboard-redesign.gif)

For IT admins, fleet status is visible at a glance. Devices that need attention are grouped and prioritised, so the first thing you see when you open the console is what requires your time, rather than a complete inventory of everything running.

For security teams, compliance posture is now a first-class view rather than something assembled from separate reports. Policy status, package versions, and risk indicators are consolidated to support both day-to-day monitoring and the point-in-time snapshots that audit processes require.

For engineers, the console stays out of the way. Package access and environment status are visible without competing with operational information that isn't relevant to their workflow.

### Less coordination, more getting things done

The [friction between these groups](https://workbrew.com/blog/brewfile-syncing) often comes from the same place: everyone working from incomplete information, assembled through a process that takes time and introduces gaps. A security team with a consolidated view of fleet risk can respond to issues faster and document remediation more easily. IT admins spend less time building a picture of fleet health manually. Engineers keep building with the tools they love.

### Keep the feedback coming

Quality of life improvements in the console are the foundation for a more connected view of fleet health. Take a look at what's changed and [send us a message](https://workbrew.com/contact) about what's working and what isn't.
]]></description>
            <link>https://workbrew.com/blog/dashboard-redesign</link>
            <guid isPermaLink="false">https://workbrew.com/blog/dashboard-redesign</guid>
            <dc:creator><![CDATA[Emil Nikov]]></dc:creator>
            <pubDate>Tue, 31 Mar 2026 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/Frame%2030.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Self-service app requests from the Terminal]]></title>
            <description><![CDATA[[Casks Allowlists](https://workbrew.com/blog/casks-allowlist) keep macOS app installs predictable for fleets with Standard devices by letting admins choose which apps can be installed from the brew CLI. That gives teams a safe, auditable way to let developers install GUI apps without handing out sudo. The tradeoff is a common friction: a developer needs an app that is not on the allowlist and the only option is to go and file a ticket elsewhere and wait for an admin to see it, approve and update the allowlist.

Package Requests closes that gap. It adds a self-service flow so developers can ask from the terminal, admins stay in control in the Console, and every decision is recorded for future reference.

Why this matters:

*   Developers can request software without leaving the CLI, which reduces ticket churn and context switching.
    
*   Admins stay in charge: they approve or deny requests, choose who the approval applies to, and add a short reason.
    
*   The workspace gets an auditable trail of approvals so future decisions are easier.
    

### How it works for developers

1.  Try to install a cask the usual way, for example `brew install brave-browser`.
    
2.  If the cask is not allowed, the CLI explains why and suggests a one-line request command, for example:
    

`Error: The following casks are not allowed: brave-browser Run brew workbrew request brave-browser to ask your admin to allow it.`

3.  Run `brew workbrew request brave-browser`. Workbrew queues the request and sends it to the Console. The CLI confirms the request has been submitted. Once an admin approves the request, the developer can run `brew install brave-browser` again and the install will go through.
    

![](/content/blog/1.7-release-notes/package-requests.gif)

### How it works for admins

#### Requests

Admins review incoming requests from the Package Requests page in the Console. Each request page shows package details, the requesting device and timestamps, the cask version and tap, and a short package description. From the review view an admin can Approve or Deny a request.

#### Approval scope

Approving a request adds the cask to the appropriate Casks Allowlist policy, targeting whichever approval scope the admin chooses. The dropdown is grouped to make common decisions fast:

*   All Devices, which makes the app available workspace-wide.
    
*   Device’s groups, which lists groups the requesting device _already belongs to_. Choose one of these to grant the requester access via a group they’re already in.
    
*   Other groups, which lists every other device group in the workspace. Choose one of these to allow the app for a different group that does not include the requesting device.
    

#### After a decision

*   Approvals add the app to the allowlist at the chosen scope, and the requester can `brew install` the app immediately. There is no extra work for the developer after approval.
    
*   Denials require a reason. Denied requests are visible in the Denied view and include the decision reason. Users may submit a new request if circumstances change.
    
*   The Console records a full history in the [Activity Log](https://workbrew.com/blog/workbrew-1-7#activity-log), so admins can see who approved what, when, and why.
    

To enable Package Requests for your team today, reach out to your Workbrew account team for setup and best practices.

_Package Requests require Cask Allowlist and are now available on the_ [_Enterprise plan_](https://workbrew.com/pricing) _only._
]]></description>
            <link>https://workbrew.com/blog/package-requests</link>
            <guid isPermaLink="false">https://workbrew.com/blog/package-requests</guid>
            <dc:creator><![CDATA[Luke Hefson]]></dc:creator>
            <pubDate>Tue, 17 Mar 2026 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/6746f2d321f8adf522ae334c_taming-it-sprawl-1.avif" length="0" type="image/avif"/>
        </item>
        <item>
            <title><![CDATA[Why Homebrew Remains in the Shadow (And What to Do About It)]]></title>
            <description><![CDATA[Homebrew shows up in enterprise macOS with Bose headphones under a pulled-up hoodie. It’s the missing package manager for macOS, the open source darling built on radical self-reliance and decentralized governance. Nobody can stop it from walking in. Everyone knows it's here to get work done. Yet, it operates in the shadows just outside the purview of your MDM. 

If you're reading this, you've had the conversation. Engineering needs it to ship code without being slowed down. Security wants to review it, scan it or ban it. Compliance needs a complete inventory with documented approvals. In the end, IT is caught in the middle, building custom scripts to get some visibility to herd the cats and keep the guard dogs at bay.

If you're evaluating how to establish policy around Homebrew without breaking it, then you're solving the right problem. You're acknowledging that Homebrew is valuable and worth preserving while also recognizing that your organization needs to level up the game. 

So let’s explore the best way forward for all concerned.

### Homebrew Was Built by Developers for Developers

Homebrew prioritizes speed, local control, and autonomy. It assumes one person, one machine, and the freedom to decide what's "safe enough" in context. That's a beautiful model when it works, and in the open-source community, it works remarkably well. Trust through the ability to verify, build, and understand the code yourself.

The tension appears when Homebrew enters a regulated enterprise, because Homebrew's assumptions are fundamentally different from yours. You're thinking multi-team, compliance, auditability, and continuity. Homebrew is thinking: _Can the developer get what they need now?_ Both are valid. They're just at odds unless you find a workable compromise.

### Why macOS Makes Visibility So Hard (It's Not Just Homebrew)

Homebrew typically runs in user space, not through a centralized system repository. It doesn't register with the OS the way App Store apps or signed system packages do. Most MDM tools report what they _install_, or what the OS exposes through standard APIs. They're excellent at tracking applications, profiles, and extensions.

But a Homebrew package? From the operating system's perspective, it's just files in directories. So you end up in a situation many of you know well:

*   **Homebrew knows what's installed.** (Because Homebrew installed it.)
    
*   **The developer's machine knows what's installed.** (They can run `brew list` anytime.)
    
*   **IT may or may not know what's installed.** (Because it never registered anywhere your tools look.)
    

This is a consequence of how macOS and developer tooling evolved over time. And if you want to understand why Homebrew became this way, check out Workbrew's article "[Understanding Homebrew's History](https://workbrew.com/blog/understanding-homebrews-history)." It walks through the evolution from package managers built for Linux distributions (designed for teams and systems) to Homebrew (designed for individual developers on macOS).  

### What Homebrew Actually Is (And Isn't)

Have you ever noticed how Homebrew feels designed for the developer, and not for an IT team? 

Think about Homebrew as a single-player game where the developer decides what's safe, what they need, and how fast to move. It's a beautiful model when you're working alone or in small groups where everyone trusts everyone else. But when you’re a space program or a bank or health technology, the regulators are calling the shots. You're in a multi-player game with a single-player tool. Suddenly the governance questions appear:

*   What software packages are being used across the fleet?
    
*   Who approved this tool and this version?
    
*   Is it still acceptable under our current risk profile?
    
*   Are all packages updated for the latest CVEs?
    
*   Why are two engineers on the same team running different versions?
    

These are multi-player systems questions that matter in environments where software decisions are inherited, audited, and sometimes regulated. But Homebrew was never designed for the enterprise.

### Why can't Homebrew just add policy features for the enterprise?

Homebrew is a volunteer-driven open-source project. The maintainers (mostly unpaid contributors working on code they find useful) make decisions through community contribution and consensus. They're focused on a clear mission: making package installation simple, reliable and (reasonably) safe for individual users.

A built-in policy layer would have to answer questions that change from company to company:

*   Which taps are allowed?
    
*   Which versions meet your internal standards?
    
*   Do different teams operate under different rules?
    
*   What happens when someone deviates?
    

Those decisions belong to _your_ organization based on your regulatory needs and risk appetite, not to an open-source project trying to serve developers worldwide.

If Homebrew added enterprise policy features, it wouldn't be Homebrew anymore. It would be something else (something more complex, slower, more opinionated). The thing that makes Homebrew valuable to your developers is precisely what makes it incompatible with enterprise governance.

The maintainers understand this. They're protecting Homebrew’s integrity by staying in their lane.

### What Governance Actually Requires

So what _can_ you do?

Governance, in a Homebrew environment, is about defining expectations clearly and checking whether reality matches them. Sometimes security teams approach this with strict allow-lists and command blockers. That works, technically. But it also breaks the thing that made Homebrew valuable in the first place.

A better approach starts with different questions:

*   Which taps do we consider acceptable?
    
*   What does "approved" mean for our organization today?
    
*   Do different teams operate under different rules?
    
*   When reality diverges from those expectations, how do we detect it? How do we respond?
    

Homebrew installs what developers request. Most device management tools report what's already installed. Both are useful. But neither defines what you _expect_ or continuously compares behavior to it.

What's missing is a layer that can express organizational policy alongside Homebrew (modeling allowed sources, tracking versions across your fleet, detecting drift from your declared expectations, and producing audit records) while preserving the developer experience that made Homebrew valuable in the first place.

This is _our_ mission.

### Where Workbrew Fits

Workbrew was built around the need for Homebrew to work in regulated environments.

It doesn't replace Homebrew or repackage it. Instead, we added an organizational layer _around_ it. You define which taps are acceptable, model team-level rules, detect when reality drifts from your expectations, and generate the audit records compliance requires. 

All while developers continue using the familiar brew workflow they love.

For your developers, it's still just Homebrew. The workflow feels the same.

For IT and security, it's the visibility and control you've been missing. Integration with your MDM tools. Zero-touch deployment with real-time audit trails of every brew command, every install, every CVE and every fix. We complete your MDM by offering fleet-wide insights into what's installed, where, and why. 

The goal is to maintain development velocity and even go faster, because you can meet your security and compliance requirements without turning it into a manual exercise.

### The Actual Problem You're Solving

If you're evaluating how to establish policy around Homebrew without breaking it, then you're solving the right problem. You're acknowledging that Homebrew is doing something valuable (something worth preserving) while also recognizing that your organization needs something it was never designed to provide.

Homebrew and Workbrew are complementary layers solving two different problems. Homebrew gives developers the speed and autonomy they need to use open source tools. Workbrew gives you the governance and visibility you need.

Both working together is how you stop having that conversation. The one where you're wondering why your fleet is invisible, and developers are wondering why you keep asking them to use something worse.

Workbrew lets Homebrew do what it does best, with the management controls that let you do your best.]]></description>
            <link>https://workbrew.com/blog/homebrew-shadow-it</link>
            <guid isPermaLink="false">https://workbrew.com/blog/homebrew-shadow-it</guid>
            <dc:creator><![CDATA[Billy McGee]]></dc:creator>
            <pubDate>Mon, 09 Mar 2026 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/68b81fec3ae5b2c1a865db5e_Frame%2011.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Women in Tech: career advice from the Mac Admins community]]></title>
            <description><![CDATA[In any technology job across industries there’s an evident gender gap. As a young professional I was fortunate enough to find role models who shared their tips on claiming a seat at the table, which helped me overcome imposter syndrome. When I think about “[men’s overrepresentation](https://www.forbes.com/sites/kimelsesser/2025/01/06/too-many-men-or-too-few-women-why-framing-the-gender-gap-matters/)” in technology, I’m always reminded that community and networking is one of the most powerful tools to make your mark. 

To celebrate International Women's Day, I connected with leaders I admire in the Mac Admins space about the moments which defined their career, the advice that spurred them on to pursue their dreams, and the big wins defining their career so far.

### [Kim Trojanowski](https://www.linkedin.com/in/ktrojanowski/)

_Systems Administrator II -_ [_School District of Waukesha_](https://sdw.waukesha.k12.wi.us) _& Admin -_ [_Women in Tech Apple Admins Jamf Group_](https://community.jamf.com/groups/women-in-tech-apple-admins-175) 

**The “oh no” moment:** It was my first day at a new job and I was shadowing my new co-worker. He stepped out of the room and a monitor that wasn’t placed on a desk properly slid off and fell onto the floor. I was on the other side of the room when it happened and thought that’s it I’m getting fired on my first day. A few minutes later, he came back into the room, I kept my composure, explained what happened, and he said “My fault, I shouldn’t have set the monitor there.” I was so relieved that I wasn’t getting fired, but also that I didn’t have to defend myself for something that wasn’t my fault. 

**Advice you wish you’d gotten sooner:** You don’t have to be perfect. 

**The mic-drop moment:** This happened when my boss at the time announced his retirement and I was asked by multiple people if I was going to apply for the job. It was then that I realized if colleagues thought I was qualified to be a CIO then I must be acing my current job.

### [Rebecca Latimer](https://www.linkedin.com/in/rebecca-latimer-446259b6/)

_Senior IT Systems Engineer,_ [_Thumbtack_](https://www.thumbtack.com/) _& Board Secretary,_ [_Mac Admins Foundation_](https://www.macadmins.org/about-the-mac-admins-foundation)

**The “oh no” moment:** Believe it or not, starting to work with Apple products. I went to school for networking and was very much on the CCNA/Sysadmin/Linux career track, or so I thought. I got a job right after graduation with the local school district and everything was Apple. I had no clue what I was doing. I didn’t even know how to turn on an iPad...which was a problem because my first task was using Configurator to set up 2000 iPads. I had to learn everything really quickly.

**Advice you wish you’d gotten sooner:** The world can benefit from you sharing your knowledge, no matter where you are in life! I guarantee that even if you are a beginner, there is someone out there even more beginner than you.

**The mic-drop moment:** The first time I was asked to be on the Mac Admins podcast. Not because I had all the answers, but because my perspective mattered. In a few years, I went from googling “how does Configurator work” to being someone the community wanted to hear from. That moment changed how I saw myself in the field.

### [Selina Ali](https://www.linkedin.com/in/selina-ali-604b645b/)

_Senior Product Manager,_ [_Addigy_](https://addigy.com/) _&_ _Host,_ [_Mac Admins Podcast_](https://podcast.macadmins.org/)

**The “oh no” moment:** Early in my career as a tier-1 support agent at Jamf, I got a call from someone in California who was frantic. A wildfire was cresting over the hill near their server room. The fire department was yelling for them to evacuate, but they wanted to grab a database backup first so they wouldn’t lose everything. My first instinct was “none of this matters, leave and save your life.” But there wasn’t time for that conversation. So we moved fast: check the USB drive, confirm login, run a single backup command. The database was small, and we got it copied just in time and I said ok now go please! You can rebuild a tech stack, you can’t rebuild a life.

**Advice you wish you’d gotten sooner:** You’re not supposed to know everything. 

Most people are figuring it out as they go, even the ones who seem like they have it all handled. Ask questions, write things down, and build your own trail of notes and resources. The small tidbits you capture today often become the answer to someone else’s impossible question later.

**The mic-drop moment:** I’m not sure there’s a moment where everything suddenly feels handled. What changed was getting comfortable being uncomfortable. I’m often not the smartest person in the room, but I’m curious. When something escalates, I step back and ask the basic questions, sometimes the “dumb” ones, until the real goal becomes clear. Once you focus on the outcome instead of the noise around the problem, that’s when things start to click. 

Also honor your experience from before your life in tech because it is totally relevant - no matter how different it is! I was an archaeologist and commercial diver and somehow I still find a LOT of cross overs in my role in tech. 

### Ask. Connect. Grow.

My takeaway - there is power in having a community that _just gets it_. Don’t be afraid to send an intro message and ask for advice. Chances are, the problem you’re facing has already been faced and solved. Remember these three things:

*   You’re not supposed to know everything
    
*   You don’t have to be perfect
    
*   Your knowledge is worth sharing
    

### Resources

*   [#macwomen](https://macadmins.slack.com/archives/C063D6PT5) in [Mac Admins Foundation Slack](https://www.macadmins.org/about-the-mac-admins-foundation)
    
*   [Women in Tech Apple Admins Jamf Group](https://community.jamf.com/groups/women-in-tech-apple-admins-175)]]></description>
            <link>https://workbrew.com/blog/women-in-tech-2026</link>
            <guid isPermaLink="false">https://workbrew.com/blog/women-in-tech-2026</guid>
            <dc:creator><![CDATA[Kitty Shephard]]></dc:creator>
            <pubDate>Sun, 08 Mar 2026 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/67bf4464d17b7ee4b452ef3e_Frame%2022.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Workbrew 1.7 release notes]]></title>
            <description><![CDATA[Workbrew 1.7 improves how the Console understands and attributes activity across your workspace.

This release introduces catalog syncing for Private Taps, clearer ownership and structure for Brew Commands, an Activity Log, and local timezone support for timestamps. Together, these changes make internal tooling easier to manage and administrative actions easier to audit.

## Activity Log

![](/content/blog/1.7-release-notes/activity-log.gif)

The Activity Log provides a structured record of changes across your workspace.

Workbrew now tracks create, update, and destroy events for key resources including:

- workspace membership, 
- devices, 
- Brew Commands, 
- Default Packages (Brewfiles), 
- Policies, 
- installed packages, 
- vulnerability changes.

Each event includes the actor, the affected resource, and the relevant change details. Filtering and export options make it easy to review activity over time, share audit data with stakeholders, or send events to your SIEM via the Workbrew API.

**For Admins**:

- Audit membership changes, role updates, and access grants or revocations.
- Track device lifecycle events.
- Monitor Brew Command, Default Packages, and Policies changes.
- Review vulnerability detection and remediation events.
- Export activity data for reporting or compliance.

**For Your Team**:

- Greater transparency into operational changes.
- Clearer accountability around administrative actions.

**Activity Log** is now available on Enterprise plans.

## Private Taps catalog

![](/content/blog/1.7-release-notes/brew-command-ownership-improvements.png)

Private Taps have long been supported in Workbrew. In 1.7, we’ve improved how the Console understands them.

Workbrew now catalogs the formulae and casks from your enabled Private Taps. Packages from those taps are indexed and visible inside the Console, so they can be referenced in policies, Default Packages, and other remote management workflows.

Previously, the Console only had visibility into packages from public Homebrew taps; Private Taps could be installed, but not selected in Console-driven workflows. With 1.7, internal packages are included in the same catalog used across Workbrew.

**For Admins**:

- View formulae and casks from enabled Private Taps in the Console.
- Add private packages to Policies, including [Cask Allowlists](https://workbrew.com/blog/casks-allowlist).
- Include internal tools in Default Packages for “Day One” bootstrapping.
- Manage internal and public packages through the same interface.

**For Your Team**:

- Internal CLI tools and apps can be rolled out consistently.
- Private casks can be approved and distributed like any other managed package.
- Less friction when standardizing on internal tooling.

**Private Taps catalog** is now available on Enterprise plans.

## Brew Command ownership improvements

![](/content/blog/1.7-release-notes/brew-command-ownership-improvements.png)

We’ve simplified how Brew Commands are created and understood.

Commands are no longer required to have unique arguments across a workspace. Each time an admin writes and targets a command, it’s treated as a separate action with its own record and history. Re-running the same command no longer requires editing a previous one.

You can now also filter commands by creator, and the Console clearly distinguishes between on-demand, admin-initiated, and commands that were auto-generated by a policy.

Together, these changes make the Brew Commands list easier to reason about, audit, and manage.

**For Admins**:

- Create the same command multiple times without editing older entries.
- Filter Brew Commands by creator.
- See whether a command was created by a user or by the system.
- Clearer auditing and attribution for remote management commands.

**For Your Team**:

- Better visibility into who initiated changes.
- More predictable behavior when commands are re-run.

**Brew Command ownership improvements** are now available on Pro and Enterprise plans.

## Console polish and usability improvements

Workbrew 1.7 also includes a number of UI refinements across the Console.

Tables are more consistent, with unnecessary “card” UI removed, and readability and overall navigation have been improved. These changes reduce friction in day-to-day use and make common workflows feel more direct. 

**For Admins**:

- Faster navigation and clearer data presentation.
- More consistent table and filtering behavior.

**For Your Team**:

- A more responsive and intuitive Console experience.

All Workbrew users will benefit from these improvements.

## Show timestamps in your local time

Timestamps in the Console are now displayed in your local time zone.

Previously, times were shown in fixed UTC, which could create confusion when scheduling commands or reviewing activity across teams in different regions. Timestamps now automatically reflect the viewer’s local time, making audits and investigations easier to interpret. 

**For Admins**:

- View activity, commands, and events in your own local time.
- Reduce confusion when reviewing logs across regions.

**For Your Team**:

- Clearer understanding of when actions occurred.
- Fewer timezone-related misunderstandings.

**Local timestamps** are now available on all plans.

Workbrew 1.7. Focused on clarity.

Comments or feedback? [Reach out](https://workbrew.com/contact).]]></description>
            <link>https://workbrew.com/blog/workbrew-1-7</link>
            <guid isPermaLink="false">https://workbrew.com/blog/workbrew-1-7</guid>
            <dc:creator><![CDATA[Luke Hefson]]></dc:creator>
            <pubDate>Thu, 05 Mar 2026 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/67c0c01a53bac8d22583a92d_Frame%2012.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[3 Lessons for a High-Impact Off-Site]]></title>
            <description><![CDATA[Even as asynchronous pros, we make a point of getting together once a year to connect in-person. After doubling our team size in 2025, our off-site looked a lot different this year. I was tasked with designing, planning and delivering this week and learnt a lot along the way. 

Here are my 3 lessons to deliver an impactful off-site: 

## **1\. Balance Results with Relationships**

When imagining everyone in one room the impulse is to think of discussing roadblocks, moving projects along, and solving remote, async hurdles. My biggest lesson here is to leave room to breathe: it’s easy to overplan, and a great offsite lies in balancing the agenda between core sessions and activities. 

The magic happens in the gaps: the simple conversations, the “hallway track.” It’s vital to leave space and time for these moments. Snippets I overheard were more about building human connections, understanding how we work and also demystifying tricks of the trade we assume others know. 

Balance extends beyond the agenda into allowing teammates to take what they need. In the wise words of our COO Vanessa, “Make good choices”. Transitioning from remote to in-person can be exhausting, especially with travel added on top. Help the team make the right choices to protect their energy levels and their ability to show up tomorrow in the best spirit, and let them know that they can communicate their needs to the event lead. No questions asked, just permission to be your authentic self. 

## **2\. New experiences = new connections**

Beyond being together, memories are important. In a remote world you miss the birthday celebrations, trying the new restaurant down the street, or even conversation when getting coffee. 

This off-site was all about creating memories in 2 ways: activities and, of course, swag. Finding activities which were relaxed, and that let the team step up or take a back seat on what they needed, was really important. Building off our 2025 highlight, the VR room, we prioritized visiting the Basílica de la Sagrada Família and unwinding with a paella cooking class. Letting an external party take the reins and guide us through an experience helped foster camaraderie, and allowed our small team to gel further. 

![](/content/blog/images/5F7F8F62-CC5F-42C9-B4E3-4056AFBC668A_1_102_o.jpeg)

My 2 personal highlights show the value in leaving room to breathe. The first night, I planned a casual, opt-in dinner. As the bar filled up, a pub quiz kicked off, and who knew our crew loves a quiz? Bo knows so much about sport and Luke takes it very seriously. That unplanned shift turned a simple dinner into a highlight of the trip - the best memories often come from what you don’t script.

Another highlight came from a running list we kept throughout the year: _things we wish we could do_. Small ideas surfaced over 2025: sharing birthday cake, trying each other’s favorite snacks. On the final day, instead of standard hotel coffee break food, we hosted an international buffet tasting: Scottish shortbread, Philippine dried mango, sorrel from Barbados, Þristur from Iceland, and the winning stroopwafels from the Netherlands.

Both of these memories were simple, low-cost, and unexpectedly powerful. 

Of course, swag helps build identity and team belonging. High quality, useful products go a long way. Being the swag santa of the event was a role I was honoured to take on. Finding a theme which gets your team excited is crucial. Last note here is making sure everyone is included - even attendees who couldn’t attend got their swag pack to ensure they feel recognized and part of the team. 

![](/content/blog/images/704C2A9C-F51D-4B15-A3D1-A04E490980CE_1_105_c%202.jpeg)

Memories - they last a lifetime. 

## **3\. Turn Offsite Energy Into Real Momentum**

Discovery of new projects, solutions to roadblocks, or newly formed friendships: this momentum can make a huge difference to our year ahead, but it’s hard to capture. We love using [Granola](https://www.granola.ai) to capture insights from conversations, even from all the tangents and sidetracked thoughts. Sharing these recordings and notes after that week helps us keep momentum, tune into our north star, and also share knowledge across the team. 

Our watercooler channel, brewtunes radio and monthly meet-ups bring our culture into our day-to-day lives. But off-sites cement our camaraderie, build momentum on the year ahead, and also make us unified in our understanding of what we’re doing and where we are going. 

I can’t wait for our 2027 off-site, to apply these lessons, and see how we’ve grown a year from now. 

If you’re interested in working at Workbrew, [subscribe](https://workbrew.com/about#careers) to stay up to date on our job openings.]]></description>
            <link>https://workbrew.com/blog/remote-offsite-culture</link>
            <guid isPermaLink="false">https://workbrew.com/blog/remote-offsite-culture</guid>
            <dc:creator><![CDATA[Kitty Shephard]]></dc:creator>
            <pubDate>Mon, 23 Feb 2026 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/68b81a4219f8eba708cb734b_Frame%2030.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Workbrew’s FOSDEM highlights]]></title>
            <description><![CDATA[
[FOSDEM](https://fosdem.org/2026/) is an annual gathering of the free and open source development community in Brussels, Belgium. It attracts developers and projects from around the world for two days of talks, loosely organised around themed “devrooms”. Content ranges from status updates from existing projects to announcements and releases of new ones, along with perspectives from maintainers and users. Many of the talks get published online, but with so many, where do you even start? Allow us to offer our favourites from FOSDEM 2026.

## Package management

A FOSDEM devroom very close to our hearts is the [Package Management](https://fosdem.org/2026/schedule/track/package-management/) room, a space for developers and maintainers of various package managers across ecosystems to share their progress and discuss the challenges of building this vital class of software infrastructure. Here are our top picks from the Package Management room:

### [Package management learnings from Homebrew](https://fosdem.org/2026/schedule/event/FGBYKV-package_management_learnings_from_homebrew/)

Homebrew project lead, [Mike McQuaid](https://fosdem.org/2026/schedule/speaker/mike_mcquaid/), dives into his learnings from Homebrew. A large part of the presentation is about the surprising impact of performance, how sensitive end-users can be to any slowdowns, and as a result, how powerful marketing around speed is for newer package managers. We found that last point especially interesting, as Mike explored a lot of the factors, such as backwards compatibility and legacy support, that tenured projects like Homebrew care about, which newer projects may not be grappling with yet.

### [The Terrible Economics of Package Registries](https://fosdem.org/2026/schedule/event/8WJKEH-package-registry-economics/)

Package managers are vital to a lot of ecosystems, between programming languages, scientific runtimes, and operating systems. But it’s easy for them to become “invisible infrastructure”: end users don’t often think of the actual cost of services rendered when hitting that brew install. [Michael Winser](https://fosdem.org/2026/schedule/speaker/michael_winser/) delivers a fantastic talk on the economics of operating package registries, covering the costs of not just data and bandwidth, but also the cost of maintaining security, fighting abuse, etc. 

### [Package managers à la carte](https://fosdem.org/2026/schedule/event/3SANYS-package-managers-a-la-carte/)

If you spend enough time around computer science academics, you’ll see a lot of things being served _à la carte_: it’s a popular title for papers dealing with modularity, particularly amongst the functional programming enthusiasts. So when I opened this talk and saw [Ryan Gibb](https://fosdem.org/2026/schedule/speaker/ryan_gibb/) presenting a calculus for packages, I was over the moon. Ryan’s Package Calculus is a formal model for dependency resolution with the goal of being able to model the real-world functionality of package managers. This allows the behaviour of existing package managers to be formally defined and communicated, but further than that, Ryan is working on projects that provide for cross-ecosystem dependency resolution.

### [Trusted by design](https://fosdem.org/2026/schedule/event/VPJH8F-trusted-by-design/)

A special mention is this talk from the [Open Research](https://fosdem.org/2026/schedule/track/open-research/) room by [Niko Sirmpilatze](https://fosdem.org/2026/schedule/speaker/niko_sirmpilatze/), which deals with how to set up a new software package for successful community adoption. Whilst presented from the lens of the scientific software community, as a company that deals with _trust_ (or the lack thereof) in software packages, we thought that there was something in Niko’s guidance that every would-be package creator could learn from.

## Open source

Workbrew is a company and product built upon the incredible foundations of Homebrew, and so naturally we are very interested in models of collaboration and governance between FOSS projects and organisations. Here’s two talks on this theme that caught our eyes:

### [Downstream mindset vs upstream communities](https://fosdem.org/2026/schedule/event/UTAMGU-downstream_mindset_vs_upstream_communities/)

In this talk, [Ildiko Vancsa](https://fosdem.org/2026/schedule/speaker/ildiko_vancsa/) addresses the tensions between _downstream consumers_ of open source software, and the _upstream communities_ that produce that software. In particular, she deals with how downstream players like companies may have opposing or competing contribution cultures to their upstream communities, and explores a variety of scenarios and how to navigate them. 

### [Companies vs. Foundations: Who Should Steer Your Open Source Project?](https://fosdem.org/2026/schedule/event/TNAAGZ-companies_vs_foundations_who_should_steer_your_open_source_project/)

Speakers [Ray Paik](https://fosdem.org/2026/schedule/speaker/ray_paik/) and [Fatih Degirmenci](https://fosdem.org/2026/schedule/speaker/fatih_degirmenci/) take a look at the behaviour of open source projects under corporate governance, issues such as license changes, and the resulting rise in the foundation governance model. Crucially, whilst foundations have become very popular, and it seems every open source project is forming one, they discuss how foundations don’t offer the solution to all problems of sustainability and longevity for open source projects.

## Bonus: To sudo or not to sudo…

Privilege management, how and when a device user gets elevated privileges, is an evergreen topic for us and our customers. This last talk gives a great overview of some recent work in the area:

### [Reduce attack surface or keep compatibility: lessons of sudo-rs and run0 transition plans](https://fosdem.org/2026/schedule/event/SEU99F-reduce_attack_surface_or_keep_compatibility_lessons_of_sudo-rs_and_run0_transiti/)

We’re all used to hearing “rewrite it in Rust” at this point, but what happens when you do? [Alexander Bokovoy](https://fosdem.org/2026/schedule/speaker/alexander_bokovoy/) and [Alejandro Lopez](https://fosdem.org/2026/schedule/speaker/alejandro_lopez/) explore recent efforts to reduce the attack surface of privilege management, through an effort to rewrite sudo in Rust, and a sudo alternative, run0. Whilst these two efforts are promising and have potential upsides, Alexander and Alejandro reveal that they’re not yet ready for system management at scale, lacking vital features for central management and auditability.

## What were your favorite talks?

Did you attend or watch any of FOSDEM? What talks did you find valuable? Let us know over in the [#workbrew](https://macadmins.slack.com/archives/C06DQLY28TG) channel on the [MacAdmins Slack](https://www.macadmins.org).
]]></description>
            <link>https://workbrew.com/blog/fosdem-2026</link>
            <guid isPermaLink="false">https://workbrew.com/blog/fosdem-2026</guid>
            <dc:creator><![CDATA[Joe Nash]]></dc:creator>
            <pubDate>Tue, 17 Feb 2026 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/6746f1dd8e0743f1f5183b68_workbrew-public-beta-1.avif" length="0" type="image/avif"/>
        </item>
        <item>
            <title><![CDATA[Brew better together]]></title>
            <description><![CDATA[
Workbrew’s Default Packages let you deliver software to target devices, ready to go on Day 0. Brewfile Syncing adds the ability to collaborate with device users using GitOps, providing a package request and approval workflow, letting you turn security and compliance into developer productivity. In this post we’ll dig into the motivation behind Brewfile Syncing, how it works, and how you can use it in your fleet.

## Security with a side of developer productivity

Maintaining a secure and compliant fleet is easier when everyone is bought in. Friction between device users trying to do their jobs, and GRC teams trying to keep the company safe, is unfortunately all too common. Developers want the tools to get the job done, and IT admins need to know that what’s installed on machines doesn’t pose a risk. That tension is what gave birth to Workbrew: we knew that Homebrew was massively popular with macOS devs, but posed a challenge to admins of Mac fleets. Resolving that tension is key to fleet security, but doing so means not only giving admins the tools to monitor and manage Homebrew usage, but also ensuring developers are bought in, that their developer experience is not impacted, and they feel they can be productive.

That’s where Default Packages come in. Default Packages enables admins to specify a set of packages to be installed on a device when added to Workbrew or a device group, specified via Brewfile. Admins can use Default Packages to install necessary software such as password managers and VPN clients, but they’re also great for developer productivity. Developers no longer have to spend Day 0 getting their development environment set up: it’s all ready to go as soon as they open their machines. Whilst Workbrew makes admins' lives easier, this also makes Workbrew a win for developers, contributing to a more open and collaborative culture around device management.

## Packages à la carte

Default Packages are powered by Brewfiles, a declarative file format used by Homebrew to install multiple packages. Developers use them to back up or track their favourite packages so that they can install them on new machines, often automatically as part of dotfiles. Brewfiles can install Homebrew Formulae and Casks, and also packages from other ecosystems, [including Go modules, VSCode extensions, and Linux Flatpaks](https://docs.brew.sh/Brew-Bundle-and-Brewfile#types). But most importantly, they are a simple, plain text interface for describing a set of packages. When you set up Default Packages in the Workbrew Console, you create a Brewfile in our interface.

![](/content/blog/image2.png)

Because Brewfiles are just plain text, with one package per line, they’re perfect for a GitOps workflow. In GitOps, the Git version control system is used to manage infrastructure, with configuration files for services or applications being kept in a Git repository, for example on GitHub. When managed on GitHub, collaborators can work on these files in the same way that developers work on code: pull requests can be used to suggest changes, and reviewers can comment on the proposals, until consensus is reached. GitOps has proved to be very popular for management of cloud resources, but increasingly, these workflows are making their way to other machines. Now, we’re bringing them to your fleet.

## Get in Sync

Brewfile Syncing lets you leverage GitOps to manage and collaborate on Default Packages. In contrast to creating Brewfiles directly in the Workbrew Console, hosting Brewfiles in a GitHub repository enables collaborative workflows with device users and non-admins. For example, engineering team leaders can request a new package be added to their team’s machines, through a familiar, scalable process. Managing Brewfiles in this way also increases trust throughout the organization through transparency, as device users can see what software is being delivered to their machines in one place.

![](/content/blog/2026-02-brewfile-syncing/image1.png)

![](/content/blog/2026-02-brewfile-syncing/image3.png)

![](/content/blog/2026-02-brewfile-syncing/image4.png)

<p style="text-align: center"><em>A Brewfile specifying the target Device Group and packages to install is pushed to the GitHub Repository, triggering the GitHub Action to sync the Brewfile to Workbrew.</em></p>

To get started with Brewfile Syncing, create a GitHub repository with a `brewfiles` directory, and grab the example workflow for [our GitHub Action](https://github.com/marketplace/actions/sync-brewfiles-to-workbrew). Then configure the repository secrets: you will need to set WORKBREW\_WORKSPACE\_NAME and WORKBREW\_API\_TOKEN, both of which you can find in your [Workbrew settings](https://console.workbrew.com/settings). Note that for improved security, you may wish to use a dedicated Workbrew user with minimal permissions for this purpose, a so-called “service account”.

The workflow will run every time Brewfiles are pushed, uploading changes to Workbrew via the [API](https://workbrew.com/docs/workbrew-api). Create or edit Brewfiles via a new branch or fork, [so that a pull request can be opened](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request), enabling collaborators to add comments and suggest changes. Once the pull request is merged, the GitHub Action will be run, and the changes will make their way to Workbrew, and then your fleet. The GitHub Action is [open source](https://github.com/Workbrew/sync-brewfiles-action), and built entirely using the [same API that Workbrew users already have access to](https://workbrew.com/blog/create-custom-api-workflows).
]]></description>
            <link>https://workbrew.com/blog/brewfile-syncing</link>
            <guid isPermaLink="false">https://workbrew.com/blog/brewfile-syncing</guid>
            <dc:creator><![CDATA[Joe Nash & Anup Narkhede]]></dc:creator>
            <pubDate>Fri, 30 Jan 2026 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/Frame%2030.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Our favorite Homebrew Packages]]></title>
            <description><![CDATA[
It’s the start of a new year, why not treat yourself to some new tools? We asked the Workbrew crew what their favourite Homebrew packages are, whether a vital component in their daily workflows, a tool for special problems, or just something novel and fun. Here’s 8 packages to refresh your terminal in 2026. What’s your favorite package? [Let us know](https://www.linkedin.com/feed/update/urn:li:activity:7417512852581806081)!

## Get detailed display info from the command line

We’ve often wondered how our CEO, [John](https://www.linkedin.com/in/johndbritton/), keeps on top of it all…the answer is apparently a complicated display setup. Why else would John’s favourite package be `displayplacer`, a utility for fetching and configuring multiple display configurations from your CLI. More than just a way to set up a second (or third, or fourth) monitor, John values that it gives him a programmatic ability to save and configure complex monitor configurations. John uses [Hammerspoon](https://www.hammerspoon.org/) to run a script at boot that checks which office he’s working from, and uses `displayplacer` to set the monitors up correctly. You can find the script in [John’s dotfiles](https://github.com/johndbritton/dotfiles/blob/main/files/bin/office).

![](/content/image4.png)

<p style="text-align: center"><a href="https://formulae.brew.sh/formula/displayplacer">displayplacer</a><em> helps tame a complex monitor configuration, whether you have lots of monitors, weird aspect ratios, or both.</em></p>

## Code search faster than you can say “Ack”

[Danish](https://www.linkedin.com/in/danishpkhan/)’s favourite, `the_silver_searcher`, is a code search tool that started off with a simple goal: being a faster `Ack`. With its last commit being almost 8 years ago, it’s also a great example that many of us, especially in the open source world, can aspire to: sometimes a piece of software is actually just finished! It just works and is lightning fast, still today. But the best bit: the command itself is `ag`, the symbol for silver on the Periodic Table.

![](/content/image6.png)

<p style="text-align: center"><a href="https://formulae.brew.sh/formula/the_silver_searcher">the_silver_searcher</a><em> - a fraction of a second to find a term amongst the over 170,000 lines of Ruby code in Homebrew-core.</em></p>

## Hardware specs at your fingertips

A must-have for the tinkerers’ toolbox, `fastfetch` gives a fast, elegant way to print all of your system specs quickly, and in one easily shareable screen. Much like the previous listing, `fastfetch` is inspired by an earlier tool, `neofetch`. `fastfetch` is the favourite of [Kristján](https://github.com/koddsson), who uses it to share specs with his friends when discussing hardware, and to get system info faster than clicking through macOS’s native menus.

![](/content/image11.png)

<p style="text-align: center"><a href="https://formulae.brew.sh/formula/fastfetch#default">fastfetch</a><em> is also included out of the box in Bluefin, a Homebrew-loving Linux, </em><a href="https://workbrew.com/webinars/brewing-on-linux"><em><u>check out our webinar</u></em></a><em>.</em></p>

## History always repeats itself, especially if you search for it

Shell history can be invaluable for working through complex, repetitive processes, or finding that magic one-liner that saved your life 3 months ago. [Joe’s](https://www.linkedin.com/in/joednash/) submission, `atuin`, replaces the humble `.bash_history` file with an SQLite database, straps on a search UI, and allows for encrypted syncing of the database between your machines. Joe uses the sync to pick up context easily when moving between machines, and to make it easier to manage a few too many Raspberry Pis. A very handy feature is the ability to set filters on the history that is kept, preventing, for example, commands that include authorization tokens from being saved.

![](/content/image1.png)

<p style="text-align: center"><em>You can take the results of this query as a bonus list of packages to check out. Thanks </em><a href="https://formulae.brew.sh/formula/atuin#default">atuin</a><em>!</em></p>

## Keep on (b)top of your resources

We’re not sure if Homebrew maintainers are allowed to keep favourites, but [Carlo’s](https://github.com/carlocab) is `btop`, a themable monitor of all your system resources, including CPU, GPU, RAM, disk storage, and network usage. This is a tool that takes terminal UI seriously, with a full-featured, video game inspired menu, and support for both keyboard and mouse to navigate around. If you’ve been scraping by with the default `top`, `btop` is a real upgrade, and will look great hanging out on your second display.

![](/content/image10.png)

<p style="text-align: center"><em>More terminal applications need to use gradients like </em><a href="https://formulae.brew.sh/formula/btop#default">btop</a><em>, if you ask us.</em></p>

## Search that will leave you feeling warm and _fuzzy_

We can’t blame you for thinking Workbrew’ers have trouble finding things at this point in the list. But you’ll be sure to find whatever you’re looking for with [Petros’](https://github.com/petros) entry, `fzf`, an interactive command line fuzzy finder. `fzf` will devour anything vaguely list-shaped, be that files, processes, or git commits, and let you search it with fuzzy matching. Its interactive interface is themable and lets you search whilst it continues to index, but it can also be used non-interactively, for example as a step to feed results to other commands.

![](/content/image9.png)

<p style="text-align: center"><a href="https://formulae.brew.sh/formula/fzf#default"><em>fzf</em></a><em> displays results in order of how close a match for your search term they are.</em></p>

## Mix and match Markdown flavors with Apex

Markdown is a great format for structured docs, but its rise has been organic, and not a straight line. Which syntax and features are available differs between products, and why should you have to choose between having GitHub-flavored tables or Pandoc fenced divs? Have them all, says [David](https://github.com/djstarr), with his suggestion, the Apex unified markdown processor. Once Apex has ingested your multi-flavored Markdown monstrosity, it can output HTML in a variety of formats, making it a great part of a static blog or documentation pipeline. Apex is currently installed from a third-party tap, and not `homebrew-core`.

![](/content/image8.png)

![](/content/image3.png)

![](/content/image2.png)

<p style="text-align: center"><em>From markdown to print-ready-HTML, David is using </em><a href="https://github.com/ApexMarkdown/apex"><em>Apex</em></a><em> to speed up our production of print materials for customer events and trainings.</em><br></p>

## Git status at a glance

`gitstatus` puts the status of your git repo right in your terminal prompt. Aside from saving you some keystrokes, [Brandon](http://brandonvalentine.com/) thinks `gitstatus` is invaluable in large codebases, where the full `git status` output can become unwieldy. This entry might be familiar to users of `zsh`, where it’s included in several popular `oh-my-zsh` themes. If you’re into `zsh`, a theme may be a good way to try it out, as like Apex above, `gitstatus` is distributed via a third-party tap.

![](/content/image7.png)

<p style="text-align: center"><em>Brandon’s </em><a href="https://github.com/romkatv/gitstatus">gitstatus</a><em> prompt shows the current branch, whether it is ahead of or behind the remote, how many changes are staged or unstaged, and how many untracked files exist.</em></p>

## What’s your favourite package?

With over 15,000 packages, Homebrew is an enormous ecosystem, and there’s always something else to discover. We’d love to hear what packages you’re enjoying.

Join us in [#workbrew](https://macadmins.slack.com/archives/C06DQLY28TG) on the [MacAdmins community](https://www.macadmins.org/), or let us know on [LinkedIn](https://www.linkedin.com/feed/update/urn:li:activity:7417512852581806081) or on your social media platform of choice and tag us.
]]></description>
            <link>https://workbrew.com/blog/favorite-homebrew-packages-2026</link>
            <guid isPermaLink="false">https://workbrew.com/blog/favorite-homebrew-packages-2026</guid>
            <dc:creator><![CDATA[Joe Nash]]></dc:creator>
            <pubDate>Thu, 15 Jan 2026 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/6746f2d321f8adf522ae334c_taming-it-sprawl-1.avif" length="0" type="image/avif"/>
        </item>
        <item>
            <title><![CDATA[Workbrew 1.6 release notes]]></title>
            <description><![CDATA[This release focuses on clarity. Better reporting, easier navigation, and more control over how you manage Homebrew across your fleet. Workbrew 1.6 also introduces a new private beta for secure configuration management and expands support for private taps.

## Understand the History of Fixes with Vulnerability Change Reporting

![](/content/blog/images/vuln-history.gif)

The new Vulnerability Changes page gives you a clearer view of how issues evolve across your fleet. You can search for a formula, then toggle between Detected and Fixed to see when a vulnerability first appeared and when it was resolved. It’s a faster way to trace impact and confirm fixes without digging through raw data.

**For Admins**:

*   Quickly audit remediation across devices.
    
*   Export filtered reports that show only unresolved or already fixed vulnerabilities.
    

**For Your Team**:

*   Use exported change history to inform internal policies.

**Vulnerability Change Reporting** is now available on [Enterprise plans](https://workbrew.com/pricing).

## Track Vulnerability Remediation at a Glance

![](/content/blog/images/fleet-security-widget.gif)

Vulnerability Change Reporting shows you what’s changed. The new Fleet Security Status dashboard widget gives you an instantly accessible overview of fleet health.

At a glance, you can see how many vulnerable packages still need fixing and how many issues have already been resolved. This makes it easy to understand both current risk and remediation progress without leaving the dashboard.

When you need more detail, you can still drill into the full vulnerability report from the widget.

**The Fleet Security Status Dashboard Widget** is now available on the [Pro and Enterprise plans](https://workbrew.com/pricing).

## GitLab.com Support for Private Taps

![](/content/blog/images/gitlab-private-taps.png)

Workbrew now supports [GitLab.com](http://GitLab.com) for managing and distributing private taps. Connect your GitLab account, select the taps you want to deploy, and Workbrew handles device-user authentication, installation and updates across your fleet.

This change enables support for arbitrary Git hosts, and in the near future, we’ll bring support for GitLab Self-Managed, GitHub Enterprise, and any other Git host for Private Taps. If you’re interested in beta access — [let us know](https://workbrew.com/contact).

**For Admins**:

*   Host your private taps where your code lives.

**For Your Team**:

*   Keep internal tooling distributed and up to date across all devices.

**The** [**GitLab.com**](http://GitLab.com) **Integration for Private Taps** is now available on the Enterprise plan.

## Private Beta: Secret Brew Configurations

![](/content/blog/images/secret-brew-configs.gif)

Secret Brew Configurations let admins provision tokens and credentials for agent-run brew operations without persisting them to disk or exposing them to local brew runs.

Kept only in the Workbrew Agent’s runtime memory and injected at execution time, these secrets remain invisible to users and the file system, letting security teams eliminate plaintext credentials from devices and achieve high compliance for sensitive resources such as private registries.

If you’d like access, [reach out](mailto:help@workbrew.com) and we’ll enable the beta for your workspace.

**Secret Brew Configurations** are available in private beta.

## Accessibility Updates

1.6 includes a series of accessibility-focused improvements, such as updated aria labels and expanded automated checks & scanning, in order to keep the Workbrew Console highly accessible.

Updated for all plans.

## Additional User Experience Improvements

We love to hear feedback from customers on how Workbrew can improve. Here’s a handful of improvements sourced from customer requests.

### A Cleaner, More Focused Console

This update includes some information architecture updates to the UI that make everyday navigation smoother.

*   The top bar is gone, giving you more room to work.
    
*   Related sections in the sidebar are now grouped more logically for easier navigation.
    

Updated for all plans.

### Device Group IDs at Your Fingertips

Device Group IDs now surface directly in the Console. This helps when integrating with the Workbrew API and our [Sync Brewfiles GitHub Action](https://github.com/Workbrew/sync-brewfiles-action) — when you want to target specific groups for managing with Infrastructure as Code (IaC).

Available on [Pro and Enterprise plans.](https://workbrew.com/pricing)

### Stay Ahead of Device Limits

Enterprise customers with device limits enabled will now see warnings as your workspace approaches its limit. This helps avoid enrollment surprises and gives you time to plan upgrades if needed.

Available on [Enterprise plans.](https://workbrew.com/pricing)

* * *

That’s Workbrew 1.6. Got any feedback? [Give us a shout](https://workbrew.com/contact).]]></description>
            <link>https://workbrew.com/blog/workbrew-1-6</link>
            <guid isPermaLink="false">https://workbrew.com/blog/workbrew-1-6</guid>
            <dc:creator><![CDATA[Luke Hefson]]></dc:creator>
            <pubDate>Wed, 17 Dec 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/67c0c01a53bac8d22583a92d_Frame%2012.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[What Homebrew 5.0.0 means for your Mac fleet]]></title>
            <description><![CDATA[
### The highlights

There are a lot of changes in [Homebrew 5.0.0](https://brew.sh/2025/11/12/homebrew-5.0.0/), but there are a couple that are really important for administrators of Mac fleets. This major upgrade puts the spotlight on the security of [Casks](https://formulae.brew.sh/formula/cask), binary packages and Homebrew’s solution to deploy desktop apps. Casks are helpful for distributing and updating common app bundles like Slack or the Chrome browser, but present their own unique security and compliance challenges. These changes provide more security by default to Homebrew-using fleets and are good news for administrators.

Firstly, Casks without codesigning and notarization are now deprecated, and will be removed from the official Tap, meaning they will no longer be installable using `brew install`, by September 2026. Casks distributed via Homebrew must meet the same security requirements as Mac software distributed outside the App Store. Developers of apps who wish to distribute them via Homebrew Casks must now ensure their apps are signed and notarized.

Secondly, the `--no-quarantine` and `--quarantine` flags are being deprecated. The `--no-quarantine` flag was commonly used to ignore macOS warnings that are displayed on all applications downloaded from the internet. Whilst it is still possible for an end-user to bypass these requirements and run unsigned software, Homebrew no longer facilitates these actions, and aligns with Apple’s approach to application security.

<p style="text-align: center"><img src="/content/blog/images/691dcc7a3a2db5c7da727002_d23880eb.png"></p>

Keep reading to learn more about each of these in detail, as well as updates to Homebrew’s [supported devices and operating system versions](https://docs.brew.sh/Support-Tiers), changes to acceptable content policy in official Homebrew repositories, and finally, a new environment variable to help control Cask installations.

### Much ado about codesigning

The big ticket items with Homebrew 5.0.0 both relate to codesigning and notarization requirements on macOS.

In a nutshell, [codesigning](https://developer.apple.com/documentation/security/code-signing-services) is performed by the developer of an application using their [Apple Developer ID](https://developer.apple.com/support/developer-id/) certificate, and provides two guarantees:

*   The application has been signed by the identified individual
    
*   The application has not been modified since it was signed
    

These are important guarantees in supply chain security that let you know that the application source code was developed by the expected party, and that no one else has tampered with it along the distribution chain.

[Notarization](https://developer.apple.com/documentation/security/notarizing-macos-software-before-distribution) is an additional process where the source code for an application is uploaded to Apple to check for known malware via an automated scan. Apps found to be free from known malware are provided a ticket which informs macOS that the application has been notarized. In the event that an application is later found to contain malware, Apple can revoke tickets to block the launch of malicious applications or opening of malicious files.

Both codesigning and notarization have existed a long time, but Apple has been progressively tightening the constraints, making it so more applications must follow these processes, and that device-users have fewer easy workarounds. As of macOS 15 (Sequoia), the easiest way for users to bypass macOS’s security warning about unsigned applications, Control-clicking the application in Finder, has been removed. [The Eclectic Light Company has a great breakdown of the history of codesigning on Macs and the different forms and implications.](https://eclecticlight.co/2025/04/26/a-brief-history-of-code-signing-on-macs/)

### Codesigning in the Homebrew ecosystem

Homebrew’s audit process for Casks now checks that Casks have been codesigned and notarized, and Casks that fail this audit will be removed by September 2026, giving developers in the Homebrew ecosystem plenty of time to adopt codesigning. This change effectively aligns Homebrew with Apple’s stance on application security: device-users will no longer be able to receive applications without signing guarantees or Apple’s automated malware checks via the official Homebrew taps, which should give administrators some peace of mind. Device-users may also benefit from an improved user experience, as all applications they install via Casks should work without having to jump through any macOS security hoops.

The removal of the `--no-quarantine` flag is a further indication of Homebrew’s commitment to Apple’s application security model. This flag provides the ability to skip macOS’s security checks for applications downloaded from outside the App Store, enabling device-users to run unsigned applications without having to manually add a Privacy & Security exception. As Apple continues to enhance their security protections and removes easy workarounds from the OS, Homebrew also “does not wish to easily provide circumvention to macOS security features”. In the past, developers of unsigned Casks may have included the `--no-quarantine` flag in their install instructions, which could cause device-users to install software without understanding the security implications. As with the deprecation of unsigned Casks as a whole, administrators should find this change rounds another potentially sharp edge off of Homebrew usage within their fleets.

### Hello Tahoe, goodbye Intel

It’s been five years since the release of the first Apple Silicon Macs, and support for Intel Macs is coming to an end. The latest macOS 26 (Tahoe) is the last version of macOS to support Intel, and security updates for supported macOS versions will end in late 2028. Homebrew is following this timeline as well, with Intel Macs dropping to Tier 3 support in September 2026, and Homebrew ceasing to work at all in September 2027. Whilst it’s easy to assume Homebrew is merely walking in step with Apple, these timelines are influenced by how Homebrew works, and how it keeps the ecosystem safe and functioning. Homebrew relies on Continuous Integration (CI) to run its automated checks on packages, and as support for Intel Macs fades, the project will lose access to CI runners that can test packages for Intel Macs and older macOS versions. As with the codesigning changes above, following Apple’s schedule helps keep the Homebrew ecosystem secure. You can learn what is and isn’t supported by Homebrew in their [documentation about Support Tiers](https://docs.brew.sh/Support-Tiers).

### Adult content

Homebrew has updated their policy on packages containing adult content, in essence deciding that it is allowed. However, URLs and documentation pages must be “safe for work”, meaning no one is exposed to adult content merely through Homebrew interfaces, before installing and using any packages. It’s important to mention that this isn’t a change in policy per se, but is instead an explicit clarification of Homebrew’s stance, and administrators shouldn’t expect anything to change. Homebrew also note that they reserve the right to apply ad hoc exceptions based on how packages behave and how they affect the wider Homebrew ecosystem, so if a piece of adult content on Homebrew gets out of hand, it can be removed.

### More controls for Cask installations

Homebrew 5.0.0 adds a new environment variable, `HOMEBREW_FORBIDDEN_CASK_ARTIFACTS`, that allows blocking of Cask install methods. Lots of different types of software can be installed via Cask; for example, fonts can be installed via a Cask. The new environment variable accepts a list of artifact types and will prevent Casks of that type being installed. So administrators who really don’t want device-users installing new screensavers or keyboard layouts via Casks can now disable those artifact types. The available options can be viewed in the [Homebrew environment documentation](https://docs.brew.sh/Manpage#environment).

[Workbrew Pro](https://workbrew.com/pricing) workspaces can already use this new environment variable across their fleets with Workbrew’s Brew Configurations, which allows setting of the hundreds of Homebrew environment variables by device group. You can learn more about Brew Configurations in [How Workbrew works.](https://workbrew.com/blog/how-workbrew-works)
]]></description>
            <link>https://workbrew.com/blog/homebrew-5-0-0</link>
            <guid isPermaLink="false">https://workbrew.com/blog/homebrew-5-0-0</guid>
            <dc:creator><![CDATA[Joe Nash]]></dc:creator>
            <pubDate>Tue, 18 Nov 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/67d1d9100e967c4cddc4a3fd_Frame%204.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Workbrew Free: Real Homebrew Visibility, Zero Developer Disruption]]></title>
            <description><![CDATA[
Homebrew is widely used inside organizations, often before IT or security teams even realize it. Developers install it immediately because it gives them fast access to the tools they need. Over time, it becomes a de-facto part of your engineering environment that influences productivity, security, onboarding, and compliance.

Yet despite its importance, most organizations lack even the most basic visibility into it. They don’t know where Homebrew is installed, what packages have been deployed, which dependencies are present, or whether vulnerabilities exist. They have no standardized method for installation, no consistent baseline for new devices, and no reliable way to govern how Brew is used.

The challenge is simple but significant: You can’t manage what you can’t see.

[Workbrew Free](https://workbrew.com/free) solves this immediately. It provides structured deployment, accurate visibility, and essential governance for Homebrew - without slowing developers down, adding operational friction, or adding cost.

No credit card. No user limits. No device limits. No expiration.

### **The Organizational Problem Homebrew Creates**

Homebrew was designed for individual developers, not teams and enterprises. That design assumption creates predictable gaps once Homebrew starts spreading inside a company:

*   Homebrew usage becomes difficult to identify across devices.
    
*   Package inventories remain isolated on each machine instead of centralized.
    
*   Dependencies lack context, making it unclear why they were installed.
    
*   Outdated or vulnerable packages can sit unnoticed for long periods.
    
*   Onboarding and provisioning are inconsistent from one device to the next.
    
*   Standard user environments often break down because Homebrew expects admin rights.
    

These gaps introduce risk and inconsistency at scale. They also force organizations into undesirable patterns: ignoring Homebrew and hoping nothing breaks, relying on unenforceable documentation, or attempting to build internal tooling that is costly to maintain.

### **What Workbrew Free Delivers**

Workbrew Free is built to give organizations the visibility and control they need, while preserving the simplicity and flexibility developers expect from Homebrew.

##### **Standardized Deployment Across the Fleet**

Workbrew introduces a predictable installation method for Homebrew. Teams can deploy via:

*   A simple PKG installer for individual devices
    
*   Any major MDM, including [Jamf](https://workbrew.com/works-with/jamf), [Iru](https://workbrew.com/works-with/iru), [Intune](https://workbrew.com/works-with/microsoft-intune), SimpleMDM, and [Fleet](https://workbrew.com/works-with/fleet)
    

After installation, devices automatically enroll into Workbrew, creating a consistent foundation for every Mac in the organization.

##### **Clear, Actionable Visibility**

Once devices are connected, [Workbrew Free](https://workbrew.com/free) provides immediate insight into your Homebrew environment:

*   All devices with Homebrew usage
    
*   Every package installed across the fleet
    
*   Package versions, history, and install sources
    
*   Dependency chains and the reason each package exists
    
*   High-level vulnerability counts per device
    

This transforms Brew usage from a blind spot into a defined, observable part of your environment.

##### **Consistent, Maintainable Onboarding**

With [Workbrew Free](https://workbrew.com/free), teams can define a standard Brewfile - either through the UI or via version control - to specify the baseline packages new devices should receive. As devices check in, Workbrew installs these packages automatically.

This ensures every Mac starts with the same approved toolkit, eliminating the drift and guesswork that normally accompanies Homebrew-based setups.

##### **Zero Disruption to Developers**

Developers continue using Brew exactly as they always have:

`brew install`

`brew update`

`brew upgrade`

`brew tap`

Workbrew preserves the expected Homebrew interface while layering in secure management under the hood. Existing installations remain intact, custom workflows continue to operate, and developers retain the speed and flexibility Brew provides.

If Workbrew is removed, the underlying Homebrew setup continues functioning normally. There is no lock-in, no proprietary format, and no required workflow change.

### **Why Free Matters**

[Workbrew Free](https://workbrew.com/free) is intentionally designed to meet the foundational needs of organizations without forcing a purchasing decision. It gives every team a responsible way to manage Homebrew at scale:

*   No cost barriers
    
*   No seat limitations
    
*   No per-device pricing
    
*   No trial period or expiration
    

For teams that later need advanced capabilities - remote commands, detailed vulnerability data, guardrails, policy enforcement, or deeper integrations - those are available in [paid tiers](https://workbrew.com/pricing). But the essential deployment and visibility layer is fully available at no charge.

### **See Your Homebrew Environment Clearly - Starting Today**

Homebrew is already powering your engineering organization. The question is whether you have a clear, accurate understanding of how it is being used.

[Workbrew Free](https://workbrew.com/free) turns that uncertainty into visibility and control, while preserving the developer experience that makes Brew so valuable in the first place.

Trying [Workbrew Free](https://workbrew.com/free) is simple: install it on a single device, even a virtual machine, and see Homebrew activity in the Workbrew Console right away. For a deeper look into how organizations are using Workbrew Free, check out our webinar recording [here.](https://workbrew.com/webinars/workbrew-free)
]]></description>
            <link>https://workbrew.com/blog/workbrew-free-plan</link>
            <guid isPermaLink="false">https://workbrew.com/blog/workbrew-free-plan</guid>
            <dc:creator><![CDATA[John Britton]]></dc:creator>
            <pubDate>Fri, 14 Nov 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/691743dee3e994d5590a6078_public%20beta.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[JNUC 2025: Jamf Acquisition, Automation, and the Future of Mac Admin Roles]]></title>
            <description><![CDATA[
**Seven shifts shaping the “Apple-at-work” landscape**

Four days. Hundreds of sessions. Dozens of hallway chats, and a few very good Happy Hours. If there was one shared sentiment echoing through the halls at [JNUC](https://www.jamf.com/events/jamf-nation-user-conference/) this year, it was this:

“Everything’s changing — and no one has enough time.”

The Mac admin world has evolved from a tidy collection of tools and policies into a sprawling ecosystem of code, identity, and automation. The question isn’t _if_ teams will modernize - it’s how fast they can do it _safely_.

Three weeks after JNUC, [Jamf’s $2.2 B acquisition by Francisco Partners](https://www.jamf.com/resources/press-releases/jamf-enters-into-definitive-agreement-to-be-acquired-by-francisco-partners-in-2-2-billion-transaction/) made those hallway conversations about identity+device convergence, declarative management, and automation even more timely. If Jamf’s new owners invest in these areas, and retain the company’s long term commitment to the partner ecosystem, the future of Apple-at-work will remain bright. Let’s hope they are here to help move the community and the ecosystem forward.

We left JNUC with 7 clear themes, from automation and identity to security and developer–IT alignment, which are shaping the future of the Mac Admin role.

Note: Throughout the post, we link to sessions from the JNUC 2025 catalog. These entries have full session recordings, but are only available to logged-in users. Creating an account is free.

### **1\. “Developer Empowerment” Meets “IT Control”**

Developer workflows were everywhere. Sessions like [_Mac Admin Apps: The Greatest Hits Vol. 1_](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1742590964836001dlXS) and our very own John Britton in [_Workbrew: How to Unite Developers, IT Administrators, and Security Professionals_](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1756283995002001QfPB) highlighted the rise of “developer-first IT”: environments where Homebrew, GitHub Actions, and open-source utilities are part of sanctioned workflows rather than tolerated exceptions.

Admins are no longer saying “no” to developer tools. They’re saying “yes — but safely.”

**Related sessions:**

*   [Mac Admins vs. Shadow IT](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1742308625330001po7m)
    
*   [One Year On: Evolving the Self Service+ Experience on Mac](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1744714780331001JLaP)
    
*   [Workbrew: How to Unite Developers, IT Administrators, and Security Professionals](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1756283995002001QfPB)
    

### **2\. Migrating to Standard users: An ongoing trend**

![](/content/blog/images/6903bd20949e9cd9f7ccea7c_2929d6b0.jpeg)

[_John Britton_](https://www.linkedin.com/in/johndbritton/)_, presenting_ [_Workbrew: How to Unite Developers, IT Administrators, and Security Professionals_](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1756283995002001QfPB)

A big theme in our conversations this year was the move from admin to standard user accounts. Practically every org we spoke to was in the middle of trying to make this shift, especially in highly-regulated industries such as finance, healthcare and government.

It’s a tough one. Everyone is aware of the importance of least privilege, but developers still want to install the apps they need to get things done. This is why so many people lit up when we showed them [Cask Allowlists](https://workbrew.com/blog/casks-allowlist). It solves the classic “I need sudo to install this desktop app” headache by letting our agent handle all that securely for the device user.

### **3\. Automation & “Infrastructure-as-Code” Go Mainstream**

Sessions from [_Infrastructure as Code with Jamf_](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1743101994075001oK2x) to [_Automating Apple Endpoint Management (Git, CI/CD, Terraform)_](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1744962492146001SJxI) made it clear that Apple device management is moving from “set up a profile manually” to automated, code-driven workflows - versioned, reviewable, and repeatable.

Teams are version-controlling policies, testing in CI, and deploying declaratively. In [_Getting the Hook of Webhooks_](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1744993753222001H6Lr), [Elmo Kuisma](https://www.linkedin.com/in/elmothemacguy/) showcased event-driven workflows that tied into identity and logging systems. It’s a cultural shift as much as a technical one, prioritizing workflows which are repeatable, auditable, and fast.

**Related sessions:**

*   [Infrastructure as Code with Jamf](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1743101994075001oK2x)
    
*   [Automating the Mac Lifecycle (Jamf + Okta + GitHub Actions)](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1742909879454001g8rd)
    
*   [Getting the Hook of Webhooks](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1744993753222001H6Lr)
    
*   [MDM and DDM 101](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1742228699765001rHmj)
    

![](/content/blog/images/6903b46a1ef5f7513de5b8e3_IMG_9369.jpeg)

_Connecting with our friends at_ [_Risotto_](https://www.tryrisotto.com) _\-_ [_Alex Confer_](https://www.linkedin.com/in/aconfer/) _and_ [_Aron Solberg_](https://www.linkedin.com/in/aronsolberg/)_._

### **4\. Security, Compliance & Device Trust Deepen**

If last year was about identity, this year was about trust. Talks like [_Device Compliance & Platform SSO with Microsoft and Jamf_](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1743531021354001BMBH) and [_Soaring with Jamf Protect_](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1744747168968001cNRr) brought security to the center of every Apple conversation. Compliance isn’t a checkbox anymore - it’s continuous.

[_Compliance Benchmarks in Jamf Pro: From Complex Scripts to Simple Clicks_](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1744985880589001Sh3R) demonstrated how frameworks like CIS are being embedded directly into management tools. The direction is clear: device trust, software integrity, and identity assurance are converging.

Admins are expected to prove — not just assume — that endpoints are compliant. That shift will ripple through how teams select, deploy, and monitor every layer of the stack.

**Related sessions:**

*   [Device Compliance & Platform SSO with Microsoft and Jamf](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1743531021354001BMBH)
    
*   [Soaring with Jamf Protect](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1744747168968001cNRr)
    
*   [Compliance Benchmarks in Jamf Pro: From Complex Scripts to Simple Clicks](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1744985880589001Sh3R)
    
*   [Threat Modeling: Practical Mac Security](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1744820747290001SbLb)
    

### **5\. Platform Integration & Identity-Centric Management**

Identity took center stage. From [_Platform SSO | The Next Frontier_](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1756403365773001Rhgb) to [_Jamf & Okta – Passwordless_](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1744665254538001HUJZ) and [_Super Friends (S.U.P.E.R.M.A.N.)_](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1744907542370001Y9Uh), the message was consistent: **users are the new policy anchor.**

Identity-driven management means onboarding triggers provisioning and offboarding revokes access automatically. Standards like SSF and CAEP signal a future where MDM, IdP, and security tools cooperate instead of compete.

**Related sessions:**

*   [Platform SSO | The Next Frontier](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1756403365773001Rhgb)
    
*   [Jamf & Okta – Passwordless Authentication](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1744665254538001HUJZ)
    
*   [Enterprise Standards with SSF/CAEP](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1744844200118001rWlz)
    
*   [Device Compliance & Platform SSO with Microsoft](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1743531021354001BMBH)
    

### **6\. IT and developers aren’t in opposition, they’re allies with a tooling problem**

One of my favourite conversations was a [Braindate](https://www.braindate.com/) with an Admin who manages thousands of developer Macs. He said something that stuck with me:

> I want my devs to be as productive as possible, I just need them to be compliant while doing so.

That sentiment echoed across dozens of the chats we had with attendees. IT doesn’t want to slow developers down and developers understand the need for compliance. Everyone just wants tools that make both sides happy, productive and secure. It’s not a zero-sum game.

So this is the world we're creating at [Workbrew](https://workbrew.com/software-delivery/features): Productive Developers and happy IT & security teams.

![](/content/blog/images/6903c6e47e4e520c76cac792_506528600-47d1e769-7773-4b59-94ae-b7817e5bd091.jpeg)

_In good company with the_ [_Mac Admin Foundation_](https://www.macadmins.org/)_, leading the way in strengthening the Apple admin community._

### **7\. Shadow IT, Open-Source Risk & Supply-Chain Visibility**

“Shadow IT” used to mean rebellion; now it means signal. The standout session that I attended was from [Todd Clark](https://www.linkedin.com/in/todd-d-clark/), Manager of IT Operations at [Get Well](http://www.getwellnetwork.com/). As he put it:

> “If your users are going rogue, it’s probably because the official path is too slow.”

He highlighted how "shadow IT" is pushing the boundaries of traditional IT admin. He pointed out that Homebrew is often a blind spot for IT teams — not because it’s bad, but because it’s often invisible and therefore risks evading compliance.

It was cool to see how he tackles shadow IT in his own org using a blend of Jamf tooling, a few well-chosen third-party tools, and a refreshingly practical approach to change management.

**Related sessions:**

*   [Mac Admins vs. Shadow IT](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1742308625330001po7m)
    
*   [Unified Defense: How Security Analysts, Developers and Data Scientists Collaborate on ML-Powered Phishing Detection](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1744893220614001i3R0)
    
*   [What’s New with Extension Attributes](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1745010983774001teJL)
    
*   [Soaring with Jamf Protect](https://reg.jnuc.jamf.com/flow/jamf/jnuc2025/home25/page/sessioncatalogphase2/session/1744747168968001cNRr)
    

### **Where the Mac Admin Story Goes from Here**

JNUC 2025 showed a community in motion. Mac admins are balancing speed with safety, automation with oversight, and developer freedom with compliance. The role has outgrown its old borders. Admins are now architects, collaborators, and security partners shaping how Apple gets managed at scale. Across every hallway and session, the goals sounded the same: faster, safer, more connected Apple management.

The work ahead isn’t just technical - it’s cultural. The admins who thrive will be the ones who share knowledge, automate responsibly, and learn from each other.

[Workbrew](https://workbrew.com/pricing)’s proud to be part of that story - helping connect the dots between developer velocity, IT governance, and software trust.

![](/content/blog/images/6903b491e1f590d535c51f64_IMG_9323.jpeg)

[_Japan Jamf Macadmin User Group_](https://www.linkedin.com/company/jmug-jp/posts/?feedView=all) _leaders visiting us at the booth._
]]></description>
            <link>https://workbrew.com/blog/jnuc-2025</link>
            <guid isPermaLink="false">https://workbrew.com/blog/jnuc-2025</guid>
            <dc:creator><![CDATA[John Britton & Luke Hefson]]></dc:creator>
            <pubDate>Fri, 31 Oct 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/6903b609c82b9ee559724459_Frame%2028.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Homebrew Xcode License Error Fix: Managing macOS Fleets Efficiently]]></title>
            <description><![CDATA[
[Xcode](https://developer.apple.com/xcode/) is Apple’s IDE for building apps on macOS, iOS, and other Apple platforms. So if you’re not managing devices for app developers, you might be wondering… why are `brew` commands failing because of Xcode? Why are users seeing errors about agreeing to the Xcode license?

![](/content/blog/images/68ff6d2c482fc30df3fb1422_Screenshot%202025-10-27%20at%2013.00.37.png)

In this post, we’ll get to the bottom of the sometimes tricky relationship between Xcode and other development environments on macOS. We’ll investigate what causes sudden Xcode issues for your fleet, and finally, provide some tips to help you avoid unexpected blockers.

Are you a Mac Admin trying to resolve recurring Xcode license issues on your fleet? Check out our script for keeping Xcode in check at the bottom of the post.

### More than an IDE

Xcode is not just the graphical app that you use to build Apple apps, it also includes many key development tools such as git and language compilers which don’t come installed in base macOS. Fortunately, Apple realized that not every developer who needs these tools is developing for their platforms, and so created the Xcode command-line tools. This is a slimmed down distribution that includes only the CLI developer tools mentioned above, without the full graphical development environment.

Homebrew usage can depend on several of these tools, depending on how you’re `brew`’ing. For example, Homebrew needs git for updates, as both Homebrew itself and package definitions are hosted on GitHub. When installing formulae, if you’re building from source, it’s possible that process will require tools that ship with Xcode. Finally, Xcode includes the code signing tools that, as of the transition to Apple Silicon, are required for access to more system functionality.

### License to `brew`

As a key dependency, the Homebrew install script prompts the user to install Xcode command-line tools if they’re not already installed, or if the full Xcode distribution is not installed from the App Store. The problem arises around the license acceptance flow, as the Xcode license must be accepted by the user for both the full Xcode distribution, and the command-line tools. For the command-line tools, a user can accept the license by running the command `sudo xcodebuild -license`, however, you’ve probably already seen the catch: users must have `sudo` access to accept the license under both versions of Xcode. Users without `sudo` will require administrative intervention to accept the license before `brew` commands are able to be run on their devices, including remote commands executed through Workbrew.

To complicate matters further, accepting the license is not a one-off operation, as the license must be re-accepted every time there’s a new Xcode major version. Users with sudo access can run the license acceptance command again and get back to running brew commands, but restricted users will once again have to escalate to an administrator.

## How to accept the Xcode license automatically on every update

The following script will check whether Xcode is waiting for the license to be accepted, and if so, accept it. It also completes the Xcode installation by performing a first launch, which in rare cases, can also cause issues.

```
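#!/bin/sh
# Run with admin privileges (for example, from your MDM).
# Only act if an Xcode or command-line tools installation provides xcodebuild.
if /usr/bin/xcrun -find xcodebuild >/dev/null 2>&1; then
 # Accept the license only when the check reports it is not yet accepted.
 if ! /usr/bin/xcodebuild -license check >/dev/null 2>&1; then
   /usr/bin/xcodebuild -license accept
 fi
 # Complete the first-launch setup if it is still pending.
 if ! /usr/bin/xcodebuild -checkFirstLaunchStatus >/dev/null 2>&1; then
   /usr/bin/xcodebuild -runFirstLaunch
 fi
fi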
```

Deploy this script via your MDM of choice, ensuring it’s run with admin privileges, to check for Xcode license issues and catch them before they halt `brew` operations. Remember that Xcode updates can come at any time, so set this script to run regularly or as part of your ongoing maintenance scripts. The script only takes action when needed, and so is safe to run repeatedly and frequently.

Whilst you’re at it, why not check out Workbrew? Workbrew integrates with your favorite MDM to give you zero-touch provisioning, automatic inventory syncing, and oversight of `brew` usage throughout your fleet. Using Workbrew with your MDM is free, and [our integration guides](https://workbrew.com/works-with) help you get set up quickly.
]]></description>
            <link>https://workbrew.com/blog/homebrew-xcode-license-management</link>
            <guid isPermaLink="false">https://workbrew.com/blog/homebrew-xcode-license-management</guid>
            <dc:creator><![CDATA[Bo Anderson]]></dc:creator>
            <pubDate>Tue, 28 Oct 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/68fa38dfe4ee34955b72fc57_Frame%2033.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Workbrew 1.5 release notes]]></title>
            <description><![CDATA[We’re back with another release packed with new features, refinements, and quality-of-life improvements. The headline in this release is [**Cask Allowlists**](https://workbrew.com/blog/casks-allowlist) - enabling admins to build a curated app catalog for optional desktop app installs. Alongside that, we’ve added more flexible policy management, richer device visibility, and fine-grained ways to integrate Workbrew into your workflows.

### **Cask Allowlists**

Recently, we introduced [**Cask Allowlists**](https://workbrew.com/blog/casks-allowlist), giving IT and security teams the ability to explicitly define which desktop applications developers are permitted to install with Homebrew.

This unlocks the ability to build your own “Software Center” for desktop apps. Required packages can still be rolled out automatically with our Default Packages feature, while optional apps can be offered via the allowlist for self-service installs — balancing compliance with developer flexibility.

For developers on Standard accounts, this is a big shift: Previously, cask installs were blocked entirely, but with allowlists, admins can safely open up access to commonly needed tools without elevating privileges. That means fewer tickets for IT and more autonomy for developers.

If you missed it, you can read the dedicated announcement with all the juicy details in our [blog post](https://workbrew.com/blog/casks-allowlist).

**For Admins**:

*   Curate an app catalog of approved software.
    
*   Maintain tight compliance while offering optional installs.
    

**For Your Team**:

*   Install approved apps on-demand, without overhead.
    
*   Reduce confusion around what’s allowed.
    

**Cask Allowlists** are now available on Enterprise plans.

### **Build Your Policies Faster with List Support**

![](/content/blog/images/68e50d38204bc72e5fb3ef31_paste-csv.gif)

Adding large lists of apps or packages to policies is now frictionless. You can paste comma separated values directly into the Console, and Workbrew will parse them automatically.

This makes it simple to take existing spreadsheets or CSVs of approved software and turn them into a ready-to-use app catalog or policy in seconds.

**For Admins**:

*   Copy and paste large package lists directly from existing spreadsheets or docs.
    
*   Save time setting up or updating policies.
    

**For Your Team**:

*   Faster rollout of allowlists means quicker access to tools.

**Available now on all plans**.

### **Brew Command Runs for Each Device**

![](/content/blog/images/68e50d464629de7b09f152d3_device-runs.gif)

Ever wondered what brew commands were last run on a specific device? Device pages now include a **Brew Command Runs** tab, giving you instant visibility into command history and execution status.

This makes it easier to debug issues, audit behavior, or confirm that a remote action completed successfully.

**For Admins**:

*   See the history of Brew Commands executed on any device.
    
*   Debug issues and confirm remote actions at a glance.
    

**For Your Team**:

*   Easier troubleshooting when something goes wrong.

**Brew Command Runs for Each Device** are available now on Pro and Enterprise plans.

### **Fine-Grained Notifications for Slack & Webhooks**

![](/content/blog/images/68e3791b6393cda20849b74d_657c2cda.png)

![](/content/blog/images/68e3791b6393cda20849b74a_16ad3963.png)

Following on from the improvements in [Workbrew 1.4](https://workbrew.com/blog/workbrew-1-4), we’ve added more flexibility in how notifications are delivered.

You can now subscribe to exactly the types of events you care about — from vulnerabilities, to device changes, to command runs — without adding extra noise.

Some example workflows for you to try:

*   Pipe vulnerability alerts into a dedicated Slack channel for your security team.
    
*   Send Brew Command activity events via webhook into Datadog or another observability platform.
    
*   Tailor alerts to different teams instead of flooding everyone with the same feed.
    

**For Admins**:

*   Subscribe to exactly the types of events you care about.
    
*   Reduce noise while keeping your workflows connected.
    

**For Your Team**:

*   Receive only the notifications that are relevant to your work.
    
*   Stay focused and avoid alert fatigue.
    

**Fine-Grained Notifications for Slack** are available on Pro and Enterprise plans. **Fine-Grained Notifications for webhooks** are available on Enterprise plans only.

### **Human-Readable Cask Names**

![](/content/blog/images/68e3791b6393cda20849b753_663b2b30.png)

Not everyone speaks fluent Homebrew. To reduce confusion, the Casks list in the Console now shows the familiar application name (from the cask’s `name` stanza) alongside the technical token used in `brew install --cask`. For example:

*   github → GitHub Desktop
    
*   adobe-acrobat → Adobe Acrobat Reader
    

This small change makes audits and exports easier to read and more accessible to non-technical stakeholders.

**For Admins**:

*   Understand which apps are installed without needing Homebrew jargon.
    
*   Reduce confusion between tokens and app names.
    

**Available now on all plans**.

### **Quality of Life Improvements**

Alongside the bigger ships, our team has put a lot of focus over the last few weeks into polishing up the Console experience to make things smoother day to day. You should notice performance and quality improvements across the app. Some particular highlights include:

*   A more streamlined onboarding flow for new Workspaces.
    
*   Improved autocomplete ranking of packages across search fields.
    
*   A smoother experience for Free plan users, with unnecessary UI and upgrade banners removed.
    

That’s Workbrew 1.5. We’d love your feedback - [let us know](https://workbrew.com/contact) what you think.]]></description>
            <link>https://workbrew.com/blog/workbrew-1-5</link>
            <guid isPermaLink="false">https://workbrew.com/blog/workbrew-1-5</guid>
            <dc:creator><![CDATA[Luke Hefson]]></dc:creator>
            <pubDate>Mon, 06 Oct 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/67c0c01a53bac8d22583a92d_Frame%2012.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Software’s month of supply chain chaos]]></title>
            <description><![CDATA[
_September 2025 was a busy month for software supply chain security._

Here at Workbrew, we spend a lot of time talking to administrators and security professionals about their concerns with keeping a grip on their organization’s software ecosystem. In September 2025, a lot of nightmares came true, with a spree of supply chain attacks and governance fumbles impacting multiple language ecosystems. You may have heard of one or two of them, but since the chaos has been so distributed, we wanted to round up the happenings in one place.

### Should I be concerned about these supply chain attacks?

Let’s get to the burning question: are these attacks likely to affect your org? To answer that, we have to look at what the supply chain is in this context. Most of the issues we are tracking in this post concern the package managers for particular programming languages. These are package managers used to distribute packages written in the target language, and intended for use in other software written in that language as dependencies. In use, these package managers download and install arbitrary code, including that of their own dependencies. Unfortunately, knowing whether your organization is at risk is not as simple as asking “do our developers use this language?”, as dependencies within a programming language ecosystem may rely on components written in other languages.

This is especially true of two of the languages we are talking about today. JavaScript/Node.js and Python are very popular and almost certainly in your supply chain, especially if you work within the domains in which they are widely used, such as web applications, data science, or AI/ML. Many developer tools, even for other languages, are also written in Node.js and Python and are often distributed via package managers, increasing exposure to attacks that seek to compromise packages.

### The worm eating JavaScript

_Bless the maker and his packages_

npm, the Microsoft-owned package manager for the Node.js ecosystem, has been beset by a self-replicating worm, appropriately named _Shai-Hulud_, the name given in reverence to the giant worms of [_Dune_](https://en.wikipedia.org/wiki/Dune_\(novel\)) by the Fremen. Naming your own worm after fiction’s biggest and baddest shows grand ambitions, and rightly so, as Shai-Hulud has reportedly compromised over 500 packages, including some popular packages with regular downloads in the millions.

The ultimate goal of Shai-Hulud appears to be credential harvesting: once a compromised package is installed on a system, it uses a variety of tricks, including open source credential scanner [trufflehog](https://github.com/trufflesecurity/trufflehog), to find and exfiltrate cloud keys and access tokens for popular cloud platforms. In the process, it spreads itself, looking for npm and GitHub tokens that it can use to compromise more packages.

As of the time of writing, the attack is ongoing, and npm users should exercise caution in installing and updating packages. StepSecurity have an excellent write-up of how the worm functions, and how to monitor for compromise: [https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised](https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised)

### PyPI package takeover foiled

Whilst Shai-Hulud ploughs through the JavaScript ecosystem, a similar attempt to compromise the Python Package Index (PyPI) was discovered and prevented. This attack featured malicious code injected into GitHub Actions in an attempt to exfiltrate PyPI publishing tokens, which would allow attackers to take over the packages. Fortunately, the malicious code was noticed, and the PyPI team revoked the tokens for the affected packages before any harm could be done. You can read more about the attack on the PyPI blog: [https://blog.pypi.org/posts/2025-09-16-github-actions-token-exfiltration/](https://blog.pypi.org/posts/2025-09-16-github-actions-token-exfiltration/)

### (GitHub) Actions have consequences

GitHub Actions is a critical component in both the npm and PyPI attacks, being used to run malicious code to exfiltrate information, as well as push compromised packages to the package managers. The ubiquity of GitHub Actions is in part because of its ease of use and availability, right there on GitHub alongside the source code, but that is also what makes it such a tempting target for these attacks. As Actions workflow files are contained in the repository alongside the source code, every GitHub account with write access is a potential vector for shipping malicious code. Phishing operations target developers, gain access to GitHub Actions workflow files, and can immediately begin running arbitrary code, with access to any secrets stored in the Actions environment, such as package manager publishing tokens.

There are some basic steps every GitHub Actions user should take to mitigate these risks, particularly those who are using it to push to cloud environments or publish packages. Review access to your repositories with the [Principle of Least Privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege) in mind, to ensure that the surface area for phishing attacks is minimized. GitHub features such as [CODEOWNERS](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners) and [branch protection rules](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule) can make it harder to add malicious code to workflow files, by requiring that changes be made via a reviewed pull request. But remember, a compromised account can also approve a pull request, so requiring multiple reviewers for workflow files may provide better protection.

Tokens are a prime target in these attacks: once exfiltrated, they allow an attacker to make changes and continue the attack outside of the GitHub Action, making it harder to observe and remediate an attack. [OIDC trusted publishing](https://docs.github.com/en/actions/concepts/security/openid-connect) is a new alternative to long-lived tokens that provides some protection in these cases, as it ties publishing to that particular service, preventing the exfiltration of publishing rights. It is increasingly supported, including by both [npm](https://docs.npmjs.com/trusted-publishers) and [PyPI](https://docs.pypi.org/trusted-publishers/).

### Don’t lose your head: RubyGems governance

These attacks, highlighting the importance of supply chain vulnerabilities in package managers, caused a [governance dispute](https://thenewstack.io/open-source-turmoil-rubygems-maintainers-kicked-off-github/) in the Ruby ecosystem. Ruby Central, stewards of the RubyGems package management service, removed the access of several long-term maintainers from the RubyGems and Bundler source code, leading to resignations and community turmoil. The exact sequence of events that led to this action, and whether they had the right to do so, is still being debated in the blog posts on either side ([Freedom Dumlao](https://apiguy.substack.com/p/a-board-members-perspective-of-the), [Joel Drapper](https://joel.drapper.me/p/rubygems-takeover/)), but what any maintainer of an active open source project can tell you is that trust and community are tenuous things, and once lost, can be hard to rebuild. And when it comes to where you get your software dependencies, trust is very important. When exercising security best practices such as the Principle of Least Privilege, it’s important to also consider the sociocultural implications of people’s access rights, and how they might reflect the scale and history of their contributions, as Homebrew Fellow Mike McQuaid [explores on his blog](https://mikemcquaid.com/rubygems-contribution-data-with-homebrews-tooling/).

### Fake download pages for LastPass

After all of the package manager drama, let’s reset with a reminder of why these trusted software repositories can be fantastic resources for a secure organization. Downloading your favourite software from the internet can be a minefield in its own right, as highlighted by a campaign targeting Mac users of LastPass, which has seen a large number of fake LastPass websites propagating via GitHub Pages, attempting to lure users into downloading and running malicious code. The websites use SEO techniques to appear at the top of search results for queries such as “LastPass GitHub MacOS”, and result in the installation of credential-stealing malware on the victim’s system. Homebrew itself has been the target of a similar attack [in the past](https://www.bitdefender.com/en-us/blog/hotforsecurity/criminals-use-fake-mac-homebrew-google-ads-in-new-malicious-campaign), with attackers using Google Ads to prominently position a fake Homebrew download in search results. Check out the [LastPass blog](https://blog.lastpass.com/posts/attack-targeting-macs-via-github-pages) for more details and how they’re tackling the campaign.

### Ctrl-f Homebrew

Reading all this news, you would be right to have questions about Homebrew security. Packages added to Homebrew’s official taps are human vetted and subject to ongoing automated audits. Homebrew works with [security partners to perform audits](https://brew.sh/2024/07/30/homebrew-security-audit/) and shares the results publicly. You can learn more about Homebrew security in our post about the [Homebrew contribution model](https://workbrew.com/blog/security-and-the-homebrew-contribution-model).

When installing Homebrew via Workbrew, you benefit from the additional security of the [Workbrew Agent](https://workbrew.com/software-delivery/how-it-works), which wraps Homebrew in a secure layer. The Workbrew Console allows you to see installed packages and their versions, track relevant CVEs, and block specific packages. Should the worst happen, such as a Shai-Hulud-like attack on Homebrew, these features give you the power to remediate the situation and prevent compromised package installs. Take a look for yourself: Workbrew’s free plan includes access to package observability in the Console, and support for unlimited devices. [Sign up for the free plan](https://console.workbrew.com/?signup_plan=free) today.
]]></description>
            <link>https://workbrew.com/blog/supply-chain-security-september-2025</link>
            <guid isPermaLink="false">https://workbrew.com/blog/supply-chain-security-september-2025</guid>
            <dc:creator><![CDATA[Joe Nash]]></dc:creator>
            <pubDate>Tue, 30 Sep 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/68dba55d61116778c1a51fde_supplychain.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Simplify App Distribution with Casks Allowlists]]></title>
            <description><![CDATA[
Casks are Homebrew packages that install binaries, often graphical apps, such as Slack, Zoom, or Chrome. Expanding the reach of brew beyond CLI tools, Casks are incredibly powerful not only for developers who are already comfortable with Homebrew, but also for admins looking to serve more diverse teams and software needs. This post introduces a new feature to Workbrew that streamlines Cask administration, making it easier to maintain a list of allowed Casks, whilst minimizing the impact to endpoint users.

### The Cask permissions challenge

👋 _**NOTE: Workbrew Access Modes have been replaced by a more intuitive workspace setting for granting `brew` CLI access — which works even better with Cask Allowlists. Learn more [here](https://workbrew.com/docs/managed-brew-access)**._

With Workbrew, admins can manage policies around Homebrew usage with Access Modes: Sudo, Standard, and Restricted. Standard is the usual choice for users who shouldn’t have admin access, but it also blocks user installation of Casks, as without sudo, apps can’t be installed into /Applications. This is a useful security and compliance stopgap preventing the installation of unapproved packages, but it requires end-users to seek admin intervention for key apps in their everyday workflows.

Previously, admins may have dealt with this by using another Workbrew feature such as Default Packages to push the desired Cask-distributed apps to a group. But this can cause apps to be pushed to users who didn’t need those apps, and who may be surprised to find them on their machine. That means extra device storage usage and another application to keep up to date, for a user who won’t use the app, just to work around a permissions issue.

### Introducing Casks Allowlist

We heard from admins that many end-users are used to a self-service model. If you’ve seen an MDM “app catalog,” you know the experience: there’s a set of approved software, and you pick what you want, when you want it. No unwanted packages. No clutter. Just choice within secure boundaries.

That’s the rationale behind Casks Allowlist. Casks Allowlist lets admins specify allowed Casks, and when a non-admin user attempts to install one of those Casks, the installation is delegated to the Workbrew daemon and will install successfully.

![](/content/blog/images/68d3e1b24db67e594e16e5a2_1.4cask-allowlists.gif)

The daemon handles the elevated install, and the output streams back to your terminal. It feels like Homebrew always did, but with the right safeguards in place. If there’s no allowlist, nothing changes and all installs remain blocked.

This change keeps control where it belongs, with the admins, while giving end-users the freedom to install what’s useful to them. No surprises with unwanted software. No storage wasted on apps that never get opened. Just a simpler, more predictable way to manage casks in Standard mode.

_Cask Allowlists are now available on the_ [_Enterprise plan_](https://workbrew.com/pricing) _only_
]]></description>
            <link>https://workbrew.com/blog/casks-allowlist</link>
            <guid isPermaLink="false">https://workbrew.com/blog/casks-allowlist</guid>
            <dc:creator><![CDATA[Anup Narkhede]]></dc:creator>
            <pubDate>Thu, 04 Sep 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/68b81fec3ae5b2c1a865db5e_Frame%2011.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[MacAdmins PSU 2025: Ice Cream, Innovation, and a Record-Breaking Crowd]]></title>
            <description><![CDATA[
It’s been a month since [**MacAdmins PSU 2025**](https://macadmins.psu.edu/) wrapped up, and we’re still talking about it. This year wasn’t just busy - it was record‑breaking. Attendees came from 41 states and five countries across four continents, the widest reach MacAdmins PSU has ever seen. This new milestone shows just how global the world of Apple IT has become. With so much happening, from must-watch talks to the kind of insightful hallway conversations you can’t find on the schedule, we couldn’t resist recapping some of the highlights.

![](/content/blog/images/68a44e84141c2e7966720edb_AD_4nXdBBt9qPeXGf68BzKDH44lANA5Qa2oi74OIathqvgOwULEKyIG3Xv_B6xlP3bTtIEga_Fjcqx-H_1hdtoqVYO0WT9jtOIHbYRci6L0TQDm0D0k3LDJaopqVqdWmmWQMMsvk_DCD.png)

[@osuterrycat - #psumac - Mac Admins Foundation Slack](https://macadmins.slack.com/archives/C066MCBT2/p1752676236131299?thread_ts=1752666300.455939&cid=C066MCBT2)

Last summer, Workbrew were the new folks, pitching big ideas to some curious admins. Coming back for our second year, the difference was huge: packed sessions, familiar faces everywhere, and conversation after conversation about what’s next for Apple device management. Going from strangers to swapping stories with people we now know by name is proof of just how quickly this community welcomes and supports you.

### **Ice Cream, Big Conversations, and Why PSU Feels Different**

There are plenty of tech events out there, but [MacAdmins PSU](https://macadmins.psu.edu/) feels like it's in its own league. Credit goes to the [PSU organizers](https://macadmins.psu.edu/conference/team/), who have built a welcoming, open, and collaborative environment.

It’s one of the rare places where you can hear from leading voices in the community and truly connect with attendees from every corner of the Apple IT world. Conversations here feel open, inclusive, and genuinely useful - the kind that spark new ideas long after the event ends.

This year, we teamed up with [Risotto](https://tryrisotto.com/) to hand out the famous [Penn State Berkey Creamery](https://creamery.psu.edu/) ice cream in the sponsor hall, giving attendees a chance to cool down and enjoy a treat while exploring what the community had to offer.

![](/content/blog/images/68a44f018182b6c4ea6b9ac3_AD_4nXd4nwD41v8lkK_2vQMZlcb9SdiQOzw1vMeBYEgceVTm7rSEEldFfZFHu836zEa6F7OPupscDagFMQqpYgk_aHzNJBdGUaNucDvQ3Mcrc7_dUGQXaWCr6XTVMqRhrd6YQcmDQfv_yQ.jpeg)

[Aron Solberg](https://www.linkedin.com/in/aronsolberg/) ([Risotto](https://tryrisotto.com/)) & [John Britton](https://www.linkedin.com/in/johndbritton/) ([Workbrew](https://workbrew.com/))

### **Homebrew in the Spotlight**

Beyond catching up with the community, we had the chance to take the stage for two sessions this year, diving into how teams can better manage Homebrew and bring dev, IT, and security together.

*   [Workbrew: How to Say Yes to Homebrew _\- Full recording_](https://www.youtube.com/watch?v=IeUUV5xwJeU&list=PLRUboZUQxbyWkCvacoCRerV2qY1ZpL-x0&index=59)
    
    Developers love Homebrew, but security teams ask tough questions. This session explored how Workbrew can provide the controls and visibility IT and security need so developers can keep moving fast without sacrificing safety.
    
*   [Homebrew: How to Unite Developers, IT Administrators, and Security Professionals _\- Full recording_](https://www.youtube.com/watch?v=szQWuJbOQow&list=PLRUboZUQxbyWkCvacoCRerV2qY1ZpL-x0&index=15)
    
    See how Homebrew can be a bridge, not a wedge, between teams, showing how shared tooling can spark collaboration instead of friction.

We were thrilled to see packed rooms, great questions, and plenty of hallway follow-ups from folks who wanted to dive further.

### **Apple’s New Device Management: The Hot Topic (Even with the Ice Cream)**

One theme stood out this year: [Apple’s newest device management features](https://developer.apple.com/videos/play/wwdc2025/258/). From the **Managed App Framework** to **Device Management Service Migration**, these were the hot topics in sessions and in the hallways.

First impressions ranged from excitement over the new flexibility to healthy skepticism about how these tools will impact existing workflows. Some admins are already piloting the features; others are waiting to see how Apple evolves the frameworks before jumping in. Either way, these conversations gave everyone a chance to compare notes, swap early lessons, and debate what “modern” Apple management will really look like over the next year.

### **Sessions Worth a Rewatch**

PSU 2025 brought an impressive lineup of sessions - the kind where you wish you could be in two rooms at once. The caliber of talks this year was especially high, with deep dives, practical workflows, and forward-looking insights that are already shaping how teams approach Apple management.

A few standouts:

**Leveling Up – Managing Admin Rights in the Enterprise** **–** [**Rich Trouton**](https://www.linkedin.com/in/rtrouton/)**,** [**Jamf**](https://www.linkedin.com/company/jamf-software/)

[https://www.youtube.com/watch?v=XfHiPFY2VXA](https://www.youtube.com/watch?v=XfHiPFY2VXA)

*   This session discusses Apple's management of standard user and administrator user account privileges and how Mac admins can manage those account privileges for the users they support.
    

**AutoAutoPkg - Manage your AutoPkg with GitHub Actions** **\-** [**Adam Anklewicz**](https://www.linkedin.com/in/ankle?originalSubdomain=ca)**,** [**Thumbtack**](https://www.linkedin.com/company/thumbtack-inc./)

[https://www.youtube.com/watch?v=y8geZGyJMXc](https://www.youtube.com/watch?v=y8geZGyJMXc)

*   Walks through replacing a persistent Mac server with ephemeral GitHub runners to automate Munki repo updates, S3 syncs, and promotions, reducing maintenance while leveraging cloud-based GitOps workflows.
    

**Automate all the things - fully automated OS and App patching** **\-** [**Jacob Burley**](https://www.linkedin.com/in/jc0b/)**,** [**Mollie**](https://www.linkedin.com/company/molliepayments?originalSubdomain=nl)

[https://www.youtube.com/watch?v=rsK\_uZqRBcg&list=PLRUboZUQxbyWkCvacoCRerV2qY1ZpL-x0&index=18](https://www.youtube.com/watch?v=rsK_uZqRBcg&list=PLRUboZUQxbyWkCvacoCRerV2qY1ZpL-x0&index=18)

*   Showcases how open-source tools and Git workflows power fully automated, compliant app and OS updates, cutting toil and boosting security.
    

**Create AutoPkg recipes for Mac/Win/Linux from scratch** **–** [**James Stewart**](https://www.linkedin.com/in/jgstew/)**,** [**BigFix Inc.**](https://www.linkedin.com/company/hclbigfix/)

[https://www.youtube.com/watch?v=CyDfeT0-y2Q](https://www.youtube.com/watch?v=CyDfeT0-y2Q)

*   Shows how to create and automate Mac, Windows, and Linux packaging workflows with AutoPkg, enabling faster software deployment, easier maintenance, and scalable CI/CD integration.
    

**The State of Identity on Apple Devices** **–** [**Matt Vlasach**](https://www.linkedin.com/in/mattvlasach/)**,** [**Jamf**](https://www.linkedin.com/company/jamf-software/)

[https://www.youtube.com/watch?v=LsAI\_hIqt1E&list=PLRUboZUQxbyWkCvacoCRerV2qY1ZpL-x0&index=55](https://www.youtube.com/watch?v=LsAI_hIqt1E&list=PLRUboZUQxbyWkCvacoCRerV2qY1ZpL-x0&index=55)

*   Explores Apple’s built-in identity and device trust features that enable passwordless, phishing-resistant authentication and seamless zero-trust access.
    

**Dynamically Scaling macOS: How, When, and Why** **–** [**Dave Siederer**](https://www.linkedin.com/in/siederer/)**,** [**AWS**](https://www.linkedin.com/company/amazon-web-services/?originalSubdomain=uk)

[https://www.youtube.com/watch?v=WIvqVHF46fo](https://www.youtube.com/watch?v=WIvqVHF46fo)

*   Learn how to access Macs anywhere—physical, virtual, or cloud. Discover management with Jamf, Kandji, or Addigy, remote access via HP Anyware or Citrix VDA, and automation strategies to scale fleets and streamline app development.
    

**Let’s Build Something with swiftDialog** **–** [**Casey Scruggs**](https://www.linkedin.com/in/casey-scruggs-467147245/)**,** [**Western Kentucky University**](https://www.linkedin.com/school/western-kentucky-university/)

[https://www.youtube.com/watch?v=aUiGLl\_gbtU](https://www.youtube.com/watch?v=aUiGLl_gbtU)

*   For folks who are new to Mac management and/or haven’t added swiftDialog to their toolbox. In real time, we’ll build a message to appear to end users with AirDrop enabled for “Everyone”, learning many of the configuration options for swiftDialog along the way.
    

Recordings of these (and plenty more) are available on the [MacAdmins YouTube channel](https://www.youtube.com/@MacAdmins) - well worth a watch if you missed them live or just want to revisit the details.

### **Looking Ahead**

The beauty of PSU is that it doesn’t just end when the last session wraps. Thanks to the [Mac Admins Foundation](https://www.macadmins.org/about-the-mac-admins-foundation), this community stays connected year‑round through the [#psumac channel](https://macadmins.slack.com/archives/C066MCBT2), where conversations and collaborations keep going long after the conference.

Planning for next summer’s PSU is already in motion, and there are plenty of ways to get involved - whether it’s speaking, sponsoring or simply attending. You can find the interest form on the [Mac Admins site](https://www.macadmins.org/about-the-mac-admins-foundation).

Until then, we’ll be rewatching talks, picking up those hallway conversations we didn’t finish, and dreaming about that PSU ice cream.
]]></description>
            <link>https://workbrew.com/blog/macadmins-psu-2025</link>
            <guid isPermaLink="false">https://workbrew.com/blog/macadmins-psu-2025</guid>
            <dc:creator><![CDATA[John Britton]]></dc:creator>
            <pubDate>Tue, 19 Aug 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/6903b609c82b9ee559724459_Frame%2028.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Workbrew 1.4 release notes]]></title>
            <description><![CDATA[Workbrew 1.4 is here.

Here’s what’s fresh in this release:

*   **MDM Integrations now included in the Free plan** – yep, we’re generous like that
    
*   **GitOps approval flow for Default Packages** – request new packages via pull request
    
*   **Package Dependency Insights** – look before you remove a package
    
*   **Fine-grained email alerts** – be notified _just enough_
    
*   **Run logging improvements** – find and understand failed runs faster
    
*   **Email domain controls** – block sign-ins from outside domains
    

This release makes it easier to shape how software is installed across your organization, while reducing friction for everyone involved.

### MDM Connections now Free

![](/content/blog/images/689c6b655770f759b1dfd1c5_AD_4nXc1vYSOa1CVoUU1orgOuhWNeYKn1mR8zwhH15Bt2rAsuq6Jo2w2KmnW8fy6lz3XLoHMoOw4pWHYzs18p7h-t4xOZ8okomawl78jcyZaU32Sk1ka_nGBaZsIoL0fcO0Xbf6CrpzMPA.png)

You can now connect your MDM to Workbrew at no cost, making it simpler to manage Workbrew across your entire fleet.

View device data, stay in sync, and cross-reference with your MDM for complete fleet-level control.

For step-by-step instructions on connecting your MDM to Workbrew and enabling zero-touch enrollment, see [our handy guides for all major MDMs](https://workbrew.com/works-with).

**MDM Connections** are now available on all plans.

### Review and Approve Default Packages via GitHub

![](/content/blog/images/689c6b655770f759b1dfd1d0_AD_4nXfq2jHGkIUURzzT5Zi5Tz0rPLuHaWmmSNfG9qC_UqDWs74XznWBtv_MQNWVhRs6FyewMX_1u8L2WkUlwlBgwGBBTezB26QZr6lstuE6bAbMgWQs5Z-qqA_tEtYeaVZkwp2EAUMmZQ.png)

You can now manage fleet-wide package updates through GitHub in a way that fits your team’s workflow.

Instead of one central gatekeeper, you can choose the level of control that works for you: self-serve installation, peer review, manager review, multi-layer approval, or fully centralized review. Using familiar GitHub pull requests, developers propose changes to your Brewfile, get the right level of review, and merge when ready. Workbrew then syncs those changes automatically.

This approach combines visibility, history, and collaboration. Every change is tracked in Git, one person’s improvements benefit the whole team, and newcomers automatically get the same setup as everyone else.

Powered by [our new GitHub Action](https://github.com/marketplace/actions/sync-brewfiles-to-workbrew), this keeps your Brewfiles in sync with the Workbrew Console and reduces manual updates while making package management part of your normal developer workflow.

Need help setting it up? [Contact us](https://workbrew.com/contact).

**For Admins**:  

*   Decide how much control to delegate  
    
*   Maintain full visibility into package changes
    

**For Your Team**:  

*   Propose and review new tools in GitHub  
    
*   Share improvements across the whole team automatically
    

**GitHub-based Default Package Management** is now available on Pro and Enterprise plans.

### Package Dependency Insights

![](/content/blog/images/689c6b655770f759b1dfd1cd_AD_4nXdkJTNHHW4DdJFTDtdPkv1rvl2lt1QEX_fta1KjP3FU0Hi_6sFEgWvKfu8x9LW-aibmMcS4qc-Ex71Oo6xFDmoDV7_NPtxD1PzYA_exrjCH82NAGIrHVhUg5WKD3RqCJy70_ZUOwA.gif)

You can now see package details even for tools that aren’t installed on your fleet. The Console now shows dependencies and dependents on package detail pages, so you can understand how packages relate before making changes.

This means you can quickly spot when removing or forbidding a package might affect others, even if you’ve never installed it in your environment.

**For Admins**:

*   See full dependency chains before making policy changes  
    
*   Prevent downstream issues by understanding how packages connect
    

**For Teams**:

*   Understand what powers the tools you use every day  
    
*   Discover shared dependencies between apps
    

**Package dependency insights** are now available on all plans.

### Custom Alerts: Right-Sized Notifications

![](/content/blog/images/689c6b655770f759b1dfd1d8_AD_4nXdO_l3oxBljpTrq4HAyDFb3lWjRyOQyayvXimwymHCQD6pRDFmNiu5573zjvmj5pO9k3q4WxY8mQij_7IJNHiYD01SAUYYEymukChLYdRe842M93tftKLNed5TDsVkbIzSUq2mY.gif)

User notification emails now support fine-grained alerts.

Set rules for which notification types you are most interested in and be updated when there is a change.

For example, you might only want to know:

*   Are there new vulnerabilities?
    
*   Have any policies been violated?
    
*   Have any remote command runs failed?
    

…without having to follow all other notification types. Stay informed without the noise.

**For Admins**:  

*   Set alert rules that match your workflows  
    
*   Avoid alert fatigue by targeting what matters
    

**And coming soon!**

*   Custom alerts for Slack notifications and Webhooks.

**Custom Alert Subscriptions** for user notification emails are now available on Pro and Enterprise plans.

### Find Failed Runs Faster with Run Improvements

Warnings and errors are now separated from general command output, so issues are easier to scan and debug.

![](/content/blog/images/689c6b695770f759b1dfd4e6_AD_4nXdEnmd9iq2ARkMNtCxAOxllOTT_kkbYrpX0TLBLITUEQ9tFY76mAbKQEdE_EADN85Lv6Rse2DoqAixAZNUe47YMxgM16Lr4WWOvji20Bt_Ih-i2JN4q-1U6Q0BTk-WIl211A1CP_w.gif)

The Brew Commands list now shows run status at a glance. Quickly identify failed executions and dive into logs for more detail.

![](/content/blog/images/689c6b655770f759b1dfd1d5_AD_4nXf9i5YTqVKSLjNv1rhpl9CYl1bU9-AMn1UTCl8slMIRWwna9176EkPZxGTd15I9bl7NRjwtRUtKTJ6ai7LVlvmRaU4azkT1tgLv6m1wpDSSgwZvXsNMW4ScFWjWBQC2ny22uP2LOQ.gif)

Run results can be exported manually or accessed via the API. Export for dashboards, audits, or that one spreadsheet-loving stakeholder.

**Brew Run Improvements** are now available on Pro and Enterprise plans.

### Allowed Domains: Lightweight Access Control

![](/content/blog/images/689c6b655770f759b1dfd1c8_AD_4nXefxDid01itrV8iZ8iv5Jv29sw3_GaEQHycKD_722F5OyivYelAvIM-7Uc3mJ3blWFEPD2PPOMw9JH1Hr7hFreYtkGNoLgZk02BAnX08L-Mh-Tk98eY0Vv0eCyAJJSIbzDYjEJCWA.gif)

You can now restrict sign-ins to specific email domains from your workspace settings. This helps ensure only people from your organization can join, reducing the risk of unauthorised access and keeping your workspace membership clean.

Gain simple but effective control without the complexity of full SSO.

**For Admins**:  

*   Keep your workspace limited to known users  
    
*   Add an extra layer of security with minimal setup
    

**Allowed Domains** are now available on Pro and Enterprise plans.

### That’s what’s new in Workbrew 1.4

Want help making use of any of these features, or need advice on structuring your workspace? [Reach out to us](https://workbrew.com/contact). We’re always happy to help.]]></description>
            <link>https://workbrew.com/blog/workbrew-1-4</link>
            <guid isPermaLink="false">https://workbrew.com/blog/workbrew-1-4</guid>
            <dc:creator><![CDATA[Luke Hefson]]></dc:creator>
            <pubDate>Thu, 14 Aug 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/67c0c01a53bac8d22583a92d_Frame%2012.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Understanding Homebrew Dependencies]]></title>
            <description><![CDATA[
Have you ever run `brew upgrade` and wondered why seemingly unrelated packages got pulled in during the upgrade process?

When installing a package, Homebrew might need to fetch additional software or libraries used to build the package, so-called “dependencies”. These dependencies might themselves have dependencies, meaning that installing or upgrading a single package could result in a cascade of package installations: installing [Node.js](http://node.js/), a popular JavaScript runtime, leads to 58 other packages being installed!

These changes can sometimes move in unexpected directions. For example, installing a package that depends on a newer version of a dependency you already have installed will cause that dependency to be updated, which may then lead to other packages that depend on it being updated, as explored in “[Unraveling Homebrew Dependencies: A Handy Guide](https://doriankarter.com/unraveling-homebrew-dependencies-a-handy-guide/)” by Dorian Karter.

This can be a nightmare for keeping your fleet compliant. Imagine you want to install `curl`, a popular CLI tool, but your organisation forbids installing anything with the [0BSD](https://opensource.org/license/0bsd) license. Installing `curl` will also install `xz`, which has that license and so would be out-of-policy. But `xz` isn’t listed as a dependency of `curl`; it’s a dependency of `zstd`, another `curl` dependency.

Understanding the “blast radius” of a new package entering your fleet can be difficult, but in this post we’ll dig into some ways you can tackle your own personal [dependency hell](https://en.wikipedia.org/wiki/Dependency_hell).

## Visualising the dependency graph

Workbrew engineer Kristján created a visualisation of the Homebrew dependency graph which shows how interconnected most of the ecosystem is. A halo of packages without dependencies surrounds a dense knot of packages, with clusters around language runtimes such as `go`, `node`, `python`, and `openjdk`, as well as important components of web infrastructure such as `openssl`. These clusters are circled in the screenshot below:

![](/content/blog/images/68837bfa49f4764ad5fa4f38_AD_4nXf7xVPYwbFcAXhRAD5nIzpvuW6-5oy6UTvuY_d7IcvTYyi4JhYhAUJx-mC-5fLRboIXr_ejwtdPpJB6cRl7Ko5smnCgj1-NPTRzoU4Qu1L1aIUVOfKw4U1NGdbXPEMaLiHEdQlrpw.png)

The graph is built with D3; go ahead and explore it at [https://koddsson.github.io/dependency-graph-component/](https://koddsson.github.io/dependency-graph-component/).

You can visualise dependencies for packages right from your command line using `brew`. Brew’s [deps command](https://docs.brew.sh/Manpage#deps-options-formulacask-) shows dependencies for formulae, and using the `--graph` flag will generate and open a directed graph of the dependencies in your browser.

![](/content/blog/images/68837bfa49f4764ad5fa4f3f_AD_4nXecP84Zyf6oNps1d-gnRw7eIR-fFSPvCSzWZnPsCW3h9LQpN_oWZszp1E-TeNLU7anm3y-7iOJ9RPWzJT-n2SHelPHiCL6yDPZR5KHzu8apxCvWB97iVUWjpHAPZnMlM2xOqYuZ.png)

This graph gives you a visual way to trace the chain of dependencies and what might be installed or updated as a result of changing a single package.
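
The `curl` license scenario above can also be checked programmatically. The following Python sketch is an added example, not Workbrew's or Homebrew's own code: it walks the transitive dependencies of a requested package and reports the chain leading to any forbidden license. The package data is a constructed sample that assumes the `name`, `license` and `dependencies` fields of `brew info --json=v2` output; the license values are illustrative.

```python
import json
import re
from collections import deque

# Constructed sample shaped like the "formulae" array of `brew info --json=v2`.
# Only name, license and dependencies are used; license values are illustrative.
SAMPLE = json.loads("""
{"formulae": [
  {"name": "curl", "license": "curl", "dependencies": ["openssl@3", "zstd"]},
  {"name": "zstd", "license": "BSD-3-Clause OR GPL-2.0-only",
   "dependencies": ["lz4", "xz"]},
  {"name": "xz", "license": "0BSD AND GPL-2.0-or-later", "dependencies": []},
  {"name": "lz4", "license": "BSD-2-Clause", "dependencies": []},
  {"name": "openssl@3", "license": "Apache-2.0",
   "dependencies": ["ca-certificates"]},
  {"name": "ca-certificates", "license": "MPL-2.0", "dependencies": []},
  {"name": "jq", "license": "MIT", "dependencies": ["oniguruma"]},
  {"name": "oniguruma", "license": null, "dependencies": []}
]}
""")

INDEX = {formula["name"]: formula for formula in SAMPLE["formulae"]}
SPDX_OPERATORS = {"AND", "OR", "WITH"}


def license_ids(expression):
    """Return the SPDX identifiers named in an expression (empty set if unknown)."""
    if not expression:
        return set()
    tokens = re.findall(r"[A-Za-z0-9.+-]+", expression)
    return {t for t in tokens if t.upper() not in SPDX_OPERATORS}


def chain(parent, name):
    """Rebuild the install chain from the requested package down to `name`."""
    path = []
    while name is not None:
        path.append(name)
        name = parent[name]
    return path[::-1]


def audit(index, root, forbidden):
    """Breadth-first walk of everything `root` pulls in.

    Returns the transitive closure, every package naming a forbidden license
    (with the shortest chain that pulls it in), and packages whose license
    cannot be evaluated. Any identifier in an OR expression is flagged, which
    is the conservative reading of a "forbid this license" policy.
    """
    forbidden_upper = {f.upper() for f in forbidden}
    parent = {root: None}  # doubles as the visited set, so shared deps are walked once
    queue = deque([root])
    violations, unknown = [], []
    while queue:
        name = queue.popleft()
        record = index.get(name)
        if record is None:  # dependency missing from the inventory
            unknown.append(name)
            continue
        ids = license_ids(record.get("license"))
        if not ids:  # no license metadata: needs manual review
            unknown.append(name)
        hits = sorted(i for i in ids if i.upper() in forbidden_upper)
        if hits:
            violations.append(
                {"package": name, "licenses": hits, "path": chain(parent, name)}
            )
        for dep in record.get("dependencies", []):
            if dep not in parent:
                parent[dep] = name
                queue.append(dep)
    closure = sorted(n for n in parent if n != root)
    return {"closure": closure, "violations": violations, "unknown": sorted(unknown)}


if __name__ == "__main__":
    report = audit(INDEX, "curl", {"0BSD"})
    print("pulled in:", ", ".join(report["closure"]))
    for v in report["violations"]:
        print("forbidden", v["licenses"], "via", " -> ".join(v["path"]))
```

Packages listed under `unknown` have no license metadata or are missing from the inventory, so they need a manual decision rather than a silent pass.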

## New tools in Workbrew for managing dependencies

Kristján’s graph visualisation came about as a result of experimenting with new features recently added to Workbrew. To give system administrators better visual insights into their fleet, and help make sure forbidden packages aren’t installed as part of a bigger dependency chain, Workbrew indexes dependencies and dependents of packages and exposes them visually within the Console.

Whilst it’s important to understand what dependencies will be pulled in by an installation or upgrade, you also need to understand which packages were actually requested and are in use, rather than being incidental dependencies. As of version 1.3, Workbrew’s “Formula” view only shows explicitly-installed packages, or “leaves”, hiding dependencies for a cleaner and more actionable view. A new tab, “Formula with Dependencies”, exposes _every_ package installed across the fleet, and indicates whether a package is installed as a dependency. You can learn more about this change in the [Release Notes for 1.3](https://workbrew.com/blog/workbrew-1-3).

![](/content/blog/images/68837bfa49f4764ad5fa4f35_AD_4nXeFJ1yB_ftnRsrhkDk2ld9vEPCPcjF0lV2UMMh9LmJZWexinVAv859bPxV0xxmqrdzitTiActNsbZLV0VoRxJq-otdWQ3GP8KFDoOSBM2f15NqTZr78rJbQXG_0oYR6C93rEorIew.png)

When viewing a Formula in the Console, its dependencies and dependents are now listed, allowing you to discover more about the relationship between formulae and their dependencies. You can click through on listed items to view their dependents and dependencies in turn.

![](/content/blog/images/68837bfa49f4764ad5fa4f3c_AD_4nXf7nS8tAI3qAKOC0rKL-9yydwLrm1oyVItNvyHZnVP-UNqCxc-ZMY96qK2sSVRK59WzyQdk7zymypwvfhZSg3_hjIglaqt1h-lGpAHVggX9iePKY_2hCOf9fWQanw2Rcxt-34a9IQ.png)

At Workbrew, we believe visibility into your toolchain — not just Homebrew Formulae — is key to confident system management. [**Try our free plan**](https://workbrew.com/pricing) to map your own dependency surface.
]]></description>
            <link>https://workbrew.com/blog/homebrew-dependency-map</link>
            <guid isPermaLink="false">https://workbrew.com/blog/homebrew-dependency-map</guid>
            <dc:creator><![CDATA[Kristján Oddsson]]></dc:creator>
            <pubDate>Mon, 28 Jul 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/67bf4464d17b7ee4b452ef3e_Frame%2022.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Workbrew: Fully SOC 2 Compliant]]></title>
            <description><![CDATA[
From day one, we’ve designed Workbrew with IT leaders in mind—offering clear visibility, admin controls, and intuitive security features.

Workbrew has successfully completed its **SOC 2 Type II audit** for the period March 3 to June 3, 2025, with **no exceptions noted** throughout the engagement.

SOC 2 Type II compliance isn’t just a checkbox—it’s proof that a company has implemented robust, continuously monitored controls around security, availability, and confidentiality.

Our commitment to security has led to customers choosing Workbrew to protect their organizations, including [Remote.com](http://Remote.com), [GSR Markets](https://www.gsr.io/), [DRW Holdings](https://www.drw.com/), [Vespa.ai](http://Vespa.ai), and [Emburse](https://www.emburse.com/).

From growing fleets, to supporting remote teams, to regulated industries, IT Admins can trust Workbrew.

##### Trustworthy and Verified

For IT and Security teams managing vendor risk, this means you now have third-party verified assurance that:

*   Access controls are strictly enforced and audited quarterly (CA-59)
    
*   Encryption is in place for data both at rest and in transit (CA-41, CA-66)
    
*   Vulnerability scans and pen tests are performed regularly and issues remediated promptly (CA-16, CA-33)
    
*   Incident response and disaster recovery protocols are fully documented, tested, and operational (CA-22, CA-32, CA-77)
    
*   Production access is tightly restricted and backed by MFA and SSH key enforcement (CA-49, CA-51, CA-55)
    

We’re excited to keep serving you—with even more security, transparency, and momentum.

You can find out more about Workbrew’s ongoing commitments to security by visiting our [Trust Center](https://trust.workbrew.com/) or [Security Page](https://workbrew.com/security).
]]></description>
            <link>https://workbrew.com/blog/soc2-type2</link>
            <guid isPermaLink="false">https://workbrew.com/blog/soc2-type2</guid>
            <dc:creator><![CDATA[Vanessa Gennarelli]]></dc:creator>
            <pubDate>Thu, 10 Jul 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/67b37121f199a003d24634f0_blog%20black.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA["Turning It Up to 11" at MacDevOpsYVR 2025]]></title>
            <description><![CDATA[
[MacDevOpsYVR 2025](https://mdoyvr.com/) blew me away – I walked away inspired, informed, and more connected with the brilliant folks in the IT community. In its eleventh year, the event continues to set a high bar for community-driven conferences. In case you missed it, or if you’ve been curious about attending, here are my takeaways and learnings. Can’t wait for [MacDevOpsYVR](https://mdoyvr.com/) 2026.

#### Excellent Conference Architecture

Organized by [Mat X](https://mastodon.social/deck/@matx@infosec.exchange) and his amazing team, [MacDevOpsYVR](https://mdoyvr.com/) creates a space where participation is truly encouraged. One of my favorite parts of the event is the “quicktalks” - short, off-the-cuff sessions open to everyone in the room. It’s a reminder that everyone has something valuable to share.

This year featured a strong mix of new voices and seasoned speakers. It was a great opportunity to hear how other admins solve problems, see people who I’ve been chatting with on Slack for the past year, and meet a few other startups trying to help in this space.

![](/content/blog/images/6862898144d92c8aa8d47905_AD_4nXcbEGrckoQWwCc9BPNgIVQ8s62DOr4FUr7vIdgROitAslBpfrdz1R3pWIkfTI9JqMGc6DEl51D8XqTyLiGRWagmYz4s5XcFncLM_fwd5jN1peThgj4XhjvD__AWMKgZMslnnYPY.jpeg)

[Maya Kaczorowski](https://www.linkedin.com/in/mayakaczorowski/) ([Oblique](https://oblique.security/)), [Pete Markowsky](https://www.linkedin.com/in/petemarkowsky/) ([North Pole Security](https://northpole.security/)), [John Britton](https://www.linkedin.com/in/johndbritton/) ([Workbrew](https://workbrew.com/)), and [Michael Malone](https://www.linkedin.com/in/mmalone/) ([Smallstep](https://smallstep.com/))

I presented a workshop, _“Supercharge Homebrew with Workbrew,”_ which seemed to resonate, judging by the scale of curiosity that followed. The questions were precise and use-case driven. Each conversation unearthed some real pain when trying to get the best out of Homebrew.

[Watch the full recording.](https://www.youtube.com/watch?v=VBq9aXiwZrs)

The sessions underscored a shift toward a more automated and security-focused future for MacAdmins. Thanks to the single-track format, everyone shared the same journey through each talk, building a collective narrative throughout the event. Generous breaks fueled the hallway track, sparking spontaneous conversations and real connections between attendees.

#### Themes and Highlights

This year's edition featured an agenda packed with insightful talks on everything from system architecture to end-user behavior. The conference opened with a stellar keynote from [**Zach Wasserman**](https://www.linkedin.com/in/zacharywasserman/?originalSubdomain=ca), Co-Founder of [Fleet](https://fleetdm.com/) and longtime supporter of [MacDevOpsYVR](https://mdoyvr.com/). A veteran in this space with a wealth of domain knowledge, Zach reflected on how the community has evolved alongside the tools we now rely on.

**A few themes emerged consistently across the sessions:**

[**Apple Announcements**](https://developer.apple.com/wwdc25/sessions-and-labs/): The recent [Device Management Migration](https://developer.apple.com/videos/play/wwdc2025/258/?time=419) and [Managed App Framework](https://developer.apple.com/videos/play/wwdc2025/203/) announcements were top of mind for attendees, with speakers exploring how these updates will reshape tooling.

**GitOps for IT**: There was a strong emphasis on treating device and software management as code, with reproducibility, auditing, and automation driving best practices.

**Software Installation & Management**: Speakers shared a range of approaches to installing, patching, and managing software using tools like [Munki](https://www.munki.org/munki/), [Installomator](https://github.com/Installomator/Installomator), and [MDMs](https://workbrew.com/works-with). [Homebrew](https://brew.sh/) and [Workbrew](https://workbrew.com/) were mentioned in several talks, with Workbrew gaining recognition as a developer-oriented solution.

**AI in IT**: From AI-powered patch monitoring to local agents like [Goose](https://goose.ai/), it's clear that large language models and automation are becoming part of the admin toolkit.

**Security Everywhere**: Security was an ever-present theme throughout the conference—from SIP bypasses and ACME device attestation to privilege management and zero-trust [MDM enrollment](https://workbrew.com/docs/deployment-guide). Speakers shared real-world vulnerabilities, system architectures, and practical tools for defending fleets at scale.

#### FOMO: The Future of IT?

One of the most unique talk topics was from [**Katie Due**](https://www.linkedin.com/in/katiedue/), Manager of IT Platforms at [Snap](https://www.snap.com/). Instead of using punitive enforcement to keep devices updated, Snap leaned into gamification and FOMO. By rewarding users with exclusive, limited-edition wallpapers for patching promptly, they created a fun, positive reinforcement loop that improved compliance and morale.

![](/content/blog/images/68639beecdaf63a4937ad875_AD_4nXck5Vsczxdj4U5S41PXLX6EnL89KfwbkGiZSMhVd_tZ1DdLn13bh05MZjBrvRoZ25nyp8xeAwFGD-FTYCdgABdk5iEZWcgdyMtOEpk7sgJmRBwNP3wyj6qlYZlqdBdb2jZ-vb0jZw.jpeg)

[**Katie Due**](https://www.linkedin.com/in/katiedue/) ([Snap](https://www.snap.com/)) with exclusive wallpapers.

### MacDevOpsYVR 2025 - Session Recordings

Here's a look at all the sessions that made this year's event so memorable.

_Note: YouTube recordings are still being uploaded—links will be added as they go live. You can find all the_ [_MacDevOpsYVR_](https://mdoyvr.com/) _videos from previous years on their_ [_YouTube channel._](https://www.youtube.com/@MDOYVR)

![](/content/blog/images/6863b19479772d5062c200f4_AD_4nXc0zuL7jAoot2SkTZKOZNrfU5ybHq0PEWqz2mDsz0Og16rE5H8bV19HxhPzWTAqLbkV4h-8a0LAI0_vML-uECGq-uVjO_L9Xj8FtP5IKi3BNFUIP81cSp4qyUUsGAtt7DlvErBf.jpeg)

#### 🧠 Automation & GitOps in IT

Focus on using Git, pipelines, and automation to scale and secure IT operations.

_Exploring, Understanding and Monitoring macOS Activity with osquery_ - [**Zach Wasserman**](https://www.linkedin.com/in/zacharywasserman/?originalSubdomain=ca) **(**[**Fleet**](https://fleetdm.com/)**):** Reflects on open-source tooling and declares 2025 the "Year of GitOps in IT."

[https://www.youtube.com/watch?v=\_xkdcM-y3-A](https://www.youtube.com/watch?v=_xkdcM-y3-A)

_Munki DevOps with Git and CI/CD Pipelines_ - [**Rod Christiansen**](https://www.linkedin.com/in/rodchristiansen/) **(**[**Emily Carr**](https://about.me/rodc)**):** Full DevOps pipeline for Munki using Git and Azure.

[https://www.youtube.com/watch?v=ayQqGT9S\_cM](https://www.youtube.com/watch?v=ayQqGT9S_cM)

_Introducing GitOps into IT Operations_ - [**Carmil Thelemarque**](https://www.linkedin.com/in/carmilthelemarque/) **(**[**Drata**](https://drata.com/)**):** Using Git as a source of truth for managing IT infrastructure.

[https://www.youtube.com/watch?v=-XweLReHJPY](https://www.youtube.com/watch?v=-XweLReHJPY)

_Living Off the Pipeline: GitOps for Real Security_ - [**Guillaume Ross**](https://www.linkedin.com/in/guillaumeross/?originalSubdomain=ca) **(**[**Caffeine Security**](https://caffeinesecurity.com/)**):** Emphasizes verifying artifacts in GitOps workflows, not just trusting pipelines.

[https://www.youtube.com/watch?v=UlrFDHJyLGQ](https://www.youtube.com/watch?v=UlrFDHJyLGQ)

![](/content/blog/images/6863b3faf923ca86cc54191c_AD_4nXeMmMC1Q7fVaMICLjsro5WqJwP8qETR4Bky7kiqYzTFl7w7-g0dR--iQbQmW5o75Fu1Cssh-9P2m4OxPB-cH2adiOHzwTb9-kvu1OlTCtPkU2Use1iviR4TmSlk2Qct-XvYMTkJMg.jpeg)

#### 🛡 macOS Security & MDM

These talks explore macOS fleet security, MDM enrollment, and vulnerability mitigation.

_MDM Hygiene – How Safe is Your Mac Fleet?_ - [**Mykola Grymalyuk**](https://www.linkedin.com/in/mykola-grymalyuk/) **(**[**RIPEDA**](https://ripeda.com/)**):** Highlights real MDM misconfigurations and vulnerabilities.

[https://www.youtube.com/watch?v=Rv5pvvae34I&list=PLOpBG-mD9ZjEFEzMWHSVEhK2NCZ0IOSa4&index=5](https://www.youtube.com/watch?v=Rv5pvvae34I&list=PLOpBG-mD9ZjEFEzMWHSVEhK2NCZ0IOSa4&index=5)

_Securing macOS MDM Enrollments_ - [**Kory Prince**](https://www.linkedin.com/in/korylprince/) **&** [**Victor De Souza**](https://www.linkedin.com/in/victor-de-souza/) **(**[**Airbnb**](https://www.airbnb.co.uk/?_set_bev_on_new_domain=1751365266_EAZTI5NjBiOGJmNj)**):** Uses attestation and contextual signals for secure onboarding.

[https://www.youtube.com/watch?v=hZ8CuLamCEw&list=PLOpBG-mD9ZjEFEzMWHSVEhK2NCZ0IOSa4&index=3](https://www.youtube.com/watch?v=hZ8CuLamCEw&list=PLOpBG-mD9ZjEFEzMWHSVEhK2NCZ0IOSa4&index=3)

_AI-Powered Monitoring for Fleet Enrollments_ - [**Mike Meyer**](https://www.linkedin.com/in/mike-meyer-a5a21910/) **(**[**Foursquare**](https://foursquare.com/)**):** Uses AI to monitor real-time enrollment status in Fleet.

[https://www.youtube.com/watch?v=TJEyEKI1fnw&list=PLOpBG-mD9ZjEFEzMWHSVEhK2NCZ0IOSa4&index=4](https://www.youtube.com/watch?v=TJEyEKI1fnw&list=PLOpBG-mD9ZjEFEzMWHSVEhK2NCZ0IOSa4&index=4)

_Finding Vulnerabilities in Apple Packages at Scale_ - [**Csaba Fitzl**](https://www.linkedin.com/in/csaba-fitzl-5634472a/) **(**[**Kandji**](https://www.kandji.io/)**):** AI + automation to find new SIP bypasses in 10,000+ packages.

[https://www.youtube.com/watch?v=NbFZJs62bd8](https://www.youtube.com/watch?v=NbFZJs62bd8)

_M365 Conditional Access for macOS_ - [**Teg Bains**](https://www.linkedin.com/in/tegbains/?originalSubdomain=ca) **(**[**TBITS**](https://www.tbitspecialists.com/)**):** Combines Addigy and Microsoft 365 to enforce security compliance.

[https://www.youtube.com/watch?v=pLn0DKM88gE&list=PLOpBG-mD9ZjEFEzMWHSVEhK2NCZ0IOSa4&index=13](https://www.youtube.com/watch?v=pLn0DKM88gE&list=PLOpBG-mD9ZjEFEzMWHSVEhK2NCZ0IOSa4&index=13)

![](/content/blog/images/6863b765f20df9aa2e468a81_AD_4nXcMa6W6SMidChkcjm0fK0cS30k4DGyxCeTPxTr53J_Ctl7k1N5kll3zx5WatDif_NJVFbCeiE13ta3HHx6xsMh5mdi-XOedDo8h_43Kidupd4OOBFNguQlFbXuK0QfUIrkBBWwYnA.jpeg)

#### 💻 Device Management & User Empowerment

Talks that help IT teams manage endpoints while empowering or nudging users.

_Cyprus – The Friendly macOS Self-Remediation Tool_ - [**Nindi Gill**](https://www.linkedin.com/in/nindigill/?originalSubdomain=au) **(**[**Block**](https://block.xyz/)**):** Menu bar tool for users to fix their own Mac issues.

[https://www.youtube.com/watch?v=3nQQRpquAQE&list=PLOpBG-mD9ZjEFEzMWHSVEhK2NCZ0IOSa4&index=16](https://www.youtube.com/watch?v=3nQQRpquAQE&list=PLOpBG-mD9ZjEFEzMWHSVEhK2NCZ0IOSa4&index=16)

_Reining in Applications_ - **Nayt Brookes** **(**[**Ro Health**](https://www.linkedin.com/company/ro-health/)**):** Combats software sprawl by guiding users through app removal.

_Tips for Avoiding Munki Install Loops_ - [**Alan Siu**](https://www.linkedin.com/in/alanysiu/) **(**[**Snap**](https://www.snap.com/)**):** Practical fixes for common Munki issues.

[https://www.youtube.com/watch?v=mcvpiSww1n8&list=PLOpBG-mD9ZjEFEzMWHSVEhK2NCZ0IOSa4&index=15](https://www.youtube.com/watch?v=mcvpiSww1n8&list=PLOpBG-mD9ZjEFEzMWHSVEhK2NCZ0IOSa4&index=15)

_Encouraging Patch Behavior with Exclusive Wallpapers_ - [**Katie Due**](https://www.linkedin.com/in/katiedue/) **(**[**Snap**](https://www.snap.com/)**):** Turns compliance into a reward system with collectible wallpapers.

[https://www.youtube.com/watch?v=JzWRXMiULWc&list=PLOpBG-mD9ZjEFEzMWHSVEhK2NCZ0IOSa4&index=2](https://www.youtube.com/watch?v=JzWRXMiULWc&list=PLOpBG-mD9ZjEFEzMWHSVEhK2NCZ0IOSa4&index=2)

![](/content/blog/images/6863b77cc8970140d2a6b7b3_AD_4nXdmCZrnx3nPoYVzvxwgQb8nTrndJSjzDBKz-_Z7tx0ZJu7RYMoInAPA1IbKa6iWliAttS459khC0RR-II8Kd6pponFvdEjS40mGRTAiDwvF6diocd-m7ZdBIvXgCmnXv6VDpuXmmg.jpeg)

#### 🧰 Open Source Tools & Infrastructure Evolution

Discussions around evolving or scaling key open-source tools in the Apple admin ecosystem.

_Santa in the Summer_ - [**Russell Hancox**](https://www.linkedin.com/in/russellhancox/) **(**[**North Pole Security**](https://northpole.security/)**):** Shares Santa’s open-source roadmap and SaaS evolution.

[https://www.youtube.com/watch?v=AN6jixPHevI&list=PLOpBG-mD9ZjEFEzMWHSVEhK2NCZ0IOSa4&index=9](https://www.youtube.com/watch?v=AN6jixPHevI&list=PLOpBG-mD9ZjEFEzMWHSVEhK2NCZ0IOSa4&index=9)

_Modernizing Munki with Go_ - [**Brandon Friess**](https://www.linkedin.com/in/ericfriess/) **(**[**Stripe**](https://stripe.com/gb)**):** A secure, scalable infrastructure using mTLS and CloudFront.

[https://www.youtube.com/watch?v=Plo6v21v0ck&list=PLOpBG-mD9ZjEFEzMWHSVEhK2NCZ0IOSa4&index=12](https://www.youtube.com/watch?v=Plo6v21v0ck&list=PLOpBG-mD9ZjEFEzMWHSVEhK2NCZ0IOSa4&index=12)

_Santa’s Little Helper: Manage Mac Security w/ osquery_ - [**Harrison Ravazzolo**](https://www.linkedin.com/in/harrison-ravazzolo/) **(**[**Fleet**](https://fleetdm.com/)**):** Uses osquery to manage Santa without a sync server.

[https://www.youtube.com/watch?v=iHJwtPzwYgA&list=PLOpBG-mD9ZjEFEzMWHSVEhK2NCZ0IOSa4&index=11](https://www.youtube.com/watch?v=iHJwtPzwYgA&list=PLOpBG-mD9ZjEFEzMWHSVEhK2NCZ0IOSa4&index=11)

![](/content/blog/images/6863b829969ca47cf76a6fc8_AD_4nXc3bbjOe0lsvuLhX1nR27mxO06L2Ard4G5SfQptXy2DmKxUvIEwyySIBzE5Om3Bi-ueKj2hVfHtK1CK08itDAGCk8_3Z1d7n6TJDGf9a4tLmrau--vrHpDZBMoM2WZWxcbzYmAy.jpeg)

#### 🤖 AI & the Future of IT

Insights into how AI and LLMs are already reshaping workflows and support for IT teams.

_Wasting Some Time with LLMs in 2025_ - [**Sam Keeley**](https://www.linkedin.com/in/keeleysam/) **(**[**DoorDash**](https://careersatdoordash.com/)**):** A playful, practical look at LLMs solving (and creating) IT challenges.

[https://www.youtube.com/watch?v=RXO25Ecdxv8&list=PLOpBG-mD9ZjEFEzMWHSVEhK2NCZ0IOSa4&index=17](https://www.youtube.com/watch?v=RXO25Ecdxv8&list=PLOpBG-mD9ZjEFEzMWHSVEhK2NCZ0IOSa4&index=17)

_A Not So Secret Agent_ - [**Wesley Whetstone**](https://www.linkedin.com/in/jckwhet/) **(**[**Stripe**](https://stripe.com/gb)**):** Introduces Goose, an autonomous AI support agent powered by models like Cursor.

[https://www.youtube.com/watch?v=XD5pYFuLxo8&list=PLOpBG-mD9ZjEFEzMWHSVEhK2NCZ0IOSa4&index=7](https://www.youtube.com/watch?v=XD5pYFuLxo8&list=PLOpBG-mD9ZjEFEzMWHSVEhK2NCZ0IOSa4&index=7)

### See You Next Time

[MacDevOpsYVR](https://mdoyvr.com/) 2025 truly “turned it up to 11.” I’m already looking forward to next year’s event. If you're a MacAdmin, DevSecOps engineer, or just someone who cares about managing Apple devices at scale, put this conference on your radar.
]]></description>
            <link>https://workbrew.com/blog/macdevopsyvr-2025</link>
            <guid isPermaLink="false">https://workbrew.com/blog/macdevopsyvr-2025</guid>
            <dc:creator><![CDATA[John Britton]]></dc:creator>
            <pubDate>Mon, 30 Jun 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/6903b609c82b9ee559724459_Frame%2028.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Workbrew 1.3 release notes]]></title>
            <description><![CDATA[Workbrew 1.3 brings precision and visibility to IT teams at scale. This release strengthens device access controls, improves default software rollout, enhances policy notifications, and streamlines the Console experience.

### **Enforce Access Modes with Confidence**

👋 _**NOTE: Workbrew Access Modes have been replaced by a more intuitive workspace setting for granting `brew` CLI access. Learn more [here](https://workbrew.com/docs/managed-brew-access)**._

Workbrew 1.3 enforces access mode boundaries precisely, alerting admins when devices no longer meet standards.

#### Protect against self-installs on Standard devices

With this fix, devices in Standard mode cannot self-install casks. In 1.3, users can no longer install GUI apps via `brew install --cask [app_name]` without admin involvement.

#### Alerts for access mode violations

![](/content/blog/images/68541ac3420f165a6ff98a42_AD_4nXfkaIRlum4tccO5vgRn1l7UmVhxWw9Ut3I8Lz6kOzSIIp1eCv3ggCWW_K39BfrUQIOmk22GohoRq5KMXJgmYBJy6_ljFSY8z3lb6Z9w9ot3pDuvmagsTmJ5VKsSG8Xc1fQC2vJOOQ.png)

Workbrew flags devices whose actual permissions don’t match the expected access mode. If a device is behaving like it’s in Sudo mode when it shouldn’t be, you’ll be alerted to access mode violations in the dashboard and in weekly email reports.

#### Access modes per device group

![](/content/blog/images/68541ac3420f165a6ff98a87_AD_4nXc7c3spSAC3qGP7EjKrcERIxT_IAe6gQo4AYWwxaXv-YIKUaK2ZNl_3hZ7btY7CYs2NA38gkSTgtK9OJeNgQWo_1XJIyxBYU6LVMryvj0kzh1M04Nomz8sAee0C9C17_-ZrGUF2.png)

Workbrew enables admins to assign access modes (Sudo, Standard, and Restricted) to different device groups. For example, your DevOps team might need Sudo access while all other developers remain restricted.

If a device in your fleet exhibits behavior that deviates from policy, this new feature will alert admins in the console.

**For Admins**:

*   Configure fleet-wide or group-specific access mode expectations.
    
*   Get alerted when enforcement doesn’t match reality.
    

**For Your Team**:

*   Developers stay within approved boundaries but can still use brew where permitted.

**Console Access Modes and Alerting** is now available on [all plans](https://workbrew.com/pricing).

### **Dynamically-Targeted Policies**

If teams within your company have different needs, Workbrew now enables multiple policies that apply to specific device groups or individual devices.

#### Targeted enforcement

![](/content/blog/images/68541ac3420f165a6ff98a45_AD_4nXdFRKz2gfylvnL9KACCiAa9Ny-4O3gNbQxOdwkuZkAEcmezWysjusLhBzOnxZSE5El1YS2ZpcnlSXaPwzyjkwP44PeqnMo_Qp059Uz0LbQiPrBnOARbtFC-c_deb1DqlHRrUPZLbA.png)

Whether you’re managing a small set of machines for internal tooling, or enforcing strict controls on production systems, you can now tailor policies to your exact use case.

**For Admins**:

*   Apply different rules to different teams, roles, or device types.
    
*   Use tighter controls where needed without affecting the rest of your fleet.
    

**For Your Team**:

*   Developers get the freedom they need within appropriate boundaries.

**Dynamically-Targeted Policies** are now available on [Pro and Enterprise plans](https://workbrew.com/pricing).

### **Streamlined Control for Default Packages**

New features for Default Packages in the Workbrew Console eliminate duplication of effort and boost efficiency for admins and users.

#### “Brew Adopt” for existing apps

If a device already has an app installed and it matches a Default Package, Workbrew converts it into a managed cask automatically. No duplicate installs, no disruption.

**Brew Adopt** is now available on [all plans](https://workbrew.com/pricing).

### **Scannable and Actionable Policy Management**

These new features provide easy-to-parse information for admins in real-time.

#### Daily policy violation digests

![](/content/blog/images/68541ac3420f165a6ff98a3f_AD_4nXdzRZnwOZtBRcd4D_OpnS3bnGcfrC8-0z4WRwXYGsDJj2R7Ru9tAbjZVQHu76E53GeMkfhw9lmkaMnk0IYD5SCJZ4bRAHqpKR2dAaR_GkO865fpd1rnMqyvC0qSRgDIATXaHQJg.png)

Receive a daily summary of policy violations for forbidden packages. Each alert includes links to affected devices, contextual information on the package, and quick actions to resolve issues.

#### Alerts with emoji tagging

![](/content/blog/images/68541ac3420f165a6ff98a37_AD_4nXcOPvSRnz06f0oafVUEFIKsG1R1gajIDwcpHr29Itd3u8R2xOsCP_evkoWVvKSB-f46wrE20rJo_uECxZVKrugeD3FbkSY7bm_2p1FdOsyZRj8AG26e-rjs7PF_GFW9GJp2VN_k.png)

Notifications now use a clear noun + verb emoji pattern in email subject lines and Slack/webhook notifications (like ‘🏃⛔’ for a run failure) to help you triage at a glance. Use them to configure notification filters wherever you receive those.

#### Multi-destination notifications

You can now set multiple user emails or webhook destinations for alerts.

![](/content/blog/images/68541ac3420f165a6ff98a48_AD_4nXfQ9FsD8mY1h_JvtQ7PKg9d6S943z3mfw8RBGindZRsX25Weo5cJqu_hFeI7FJgdl-zFL4wBxvXkfIZk_WC_MlvWZzplioVtf5EH5687JZ7ov9QywDJRICBUs4XftCSHHeoV8xd.png)

#### Actionable CVE Alerts: Smarter, Faster, Safer

In the 1.3 release, CVE alerts include links to affected devices, public CVE records, package details, and one-click upgrade actions.

**For Admins**:

*   Get more useful alerts with better filtering and clearer actions.
    
*   Route notifications to the right people, not just a shared inbox.
    

**For Your Team**:

*   Less noise, more clarity, and faster security response when it counts.

**Policy Violation Digests and More Actionable CVE alerts** are now available on [Pro and Enterprise plans](https://workbrew.com/pricing).

**Multi-destination Notifications and Emoji Notifications** are available on [all plans](https://workbrew.com/pricing).

### **A Sleek, Speedy Workbrew Console**

The Workbrew Console gets a glow-up in 1.3, engineered for speed, clarity, and confidence.

#### Visual Brewfile editor

![](/content/blog/images/68541ac3420f165a6ff98a84_AD_4nXcCsZBYNMf2t3SEoLFl8IhZJRSxT3qBwnUVMJ27lNo58GmJO8uCGx9Feby2EbdkHgUZikn84seZxx1gE3yWW_KbmrllcckORJD-hxS-Z3NCrk9W5WqVcSbe1my4hFCRpDfffNYm.gif)

*   Edit default packages effortlessly with a **drag-and-drop interface**
    
*   Use **autocomplete for formulae, casks, and taps** to eliminate guesswork
    
*   No deep brew expertise required: **just point, click, and customize**
    

#### Quickly add multiple packages to any list

![](/content/blog/images/68541ac3420f165a6ff98a67_AD_4nXe-MkMhW4hYEtJ9svlFf-67zmPpX2DrKtIzQx9m9bM6EvOzf0PXpoNyUAF4xEnDcpveW-tBQfYv3A8Fv3yiDOaVPXGyKbKlsJyMzrhRP-lTa9uNloQqCtpoVVfZZW1aYCuN38LYjg.gif)

Search for a category of packages and add all matching results to a policy or default packages list with one click.

It’s especially helpful when setting policies by type. For example, you could forbid all VPN tools in one go, rather than selecting each one manually.

#### Table filters and search

![](/content/blog/images/68541ac3420f165a6ff98a4e_AD_4nXdWqFPuKxystj2JYYRq4XuUbRSEY5ZCgb1sbOSWHX3B4IMGtzMvsZ3zB5vV9bC8tbyTZb5JG2HlA8M0lcPS_-usG0TiyVOyDFhQT_-GZxWauKee4Jwf1T3kCcptdEMfQ6aFJUzZ.gif)

Tailored Reporting, simplified. Pages for Packages, Taps, Licenses, Vulnerabilities, and Device Groups now support sorting and filtering across columns.

Quickly explore your data to answer questions like:

*   _Which packages are the least used across my fleet?_
    
*   _How many critical vulnerabilities are active?_
    
*   _Which device groups have elevated privileges like Sudo?_
    

Apply filters, sort by what matters, and **export exactly what you see**, perfect for generating focused, custom reports without extra cleanup.

#### Tools for large fleets: Only show ‘[leaf](https://docs.brew.sh/Manpage#leaves)
]]></description>
            <link>https://workbrew.com/blog/workbrew-1-3</link>
            <guid isPermaLink="false">https://workbrew.com/blog/workbrew-1-3</guid>
            <dc:creator><![CDATA[Luke Hefson]]></dc:creator>
            <pubDate>Mon, 23 Jun 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/67c0c01a53bac8d22583a92d_Frame%2012.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[MacAD.UK 2025: Connecting Endpoints and Admins]]></title>
            <description><![CDATA[
We knew MacAdmins could hang. We did not know there would be a giant inflatable iMac. Here’s what else we learned from attending [MacAD.UK](http://MacAD.UK) for the first time.

1.  Brighton rules. It’s been home to the [MacAD.UK](http://MacAD.UK) conference for a while, and we can see why – the views are amazing, and it’s centrally-located to bring together Apple enthusiasts from across the EU.
    
2.  Ducks are big. We learned the conference also goes by the name “Mac-a-duck” which folks embrace wholeheartedly. We’d never seen a “DUK-IT-BUCKIT” before - since it was our first time attending, we followed suit:
    
3.  IT Admins have questions. We weren’t sure what to expect, but so many folks had specific implementation queries. Others were curious about what Workbrew is up to. It was a non-stop flow of awesome conversations, and we ran out of Homebrew Cheat Sheets and Implementation Guides.
    
4.  The wonderful MacAdmins Foundation offers grants for folks who want to attend but aren’t in a position to fund the trip. For those looking to attend MacAdmins PSU, their applications are open.
    

A big thank you to the [MacAD.UK](http://MacAD.UK) team, and we’re excited to be back next year. If you missed it, check out my talk on Balancing the Needs of IT, Security, & Engineering Teams at Scale:

[https://www.youtube.com/watch?v=fETNODCU9WM](https://www.youtube.com/watch?v=fETNODCU9WM)
]]></description>
            <link>https://workbrew.com/blog/macaduk-2025</link>
            <guid isPermaLink="false">https://workbrew.com/blog/macaduk-2025</guid>
            <dc:creator><![CDATA[Brandon Valentine]]></dc:creator>
            <pubDate>Tue, 10 Jun 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/6903b609c82b9ee559724459_Frame%2028.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Stop Worshipping the Cloud: Local Development Provides Security at Speed]]></title>
            <description><![CDATA[
While Cloud IDEs and containerized environments have contributed key innovations, some forward-thinking teams are quietly realizing a hard truth: **developers do their best work locally**—and sometimes the cloud is a costly distraction.

In my recent talk hosted by LocalStack, I suggest that “secure” doesn’t mean “centralized,” and speed doesn’t require Kubernetes.

### Cloud-Native Isn’t the Future—It’s the Bottleneck

Virtualization and cloud-based dev environments may look good on paper, but in practice:

*   They require a PhD in DevOps just to set up.
    
*   They slow down dev cycles with performance overhead and fragile abstractions.
    
*   They quietly rack up cloud bills while your team wrestles with YAML files.
    

Worse, they take developers out of their native environments—killing focus, wasting battery life, and introducing fragile dependencies you’ll pay for later.

### “Works on my machine” isn’t the problem—it’s the goal.

If every machine is consistently configured, local-first development becomes the most reliable, ergonomic, and secure option. Local-first development offers critical advantages:

*   Onboards devs in hours, not days.
    
*   Eliminates the constant “can I get access to…” requests.
    
*   Slashes cloud spend and boosts performance.
    
*   Strengthens security by minimizing third-party exposure and reducing credentials.
    

Check out the full talk here:

[https://www.youtube.com/watch?v=U90yACw64Hk](https://www.youtube.com/watch?v=U90yACw64Hk)

### Workbrew: Security Without the Cloud Chains

Workbrew manages secure Homebrew environments at scale—without containers, without VMs, and without compromise.

From full-package visibility to instant patching, it brings fleet-wide control to what was once a Wild West of local setups.

[Try Workbrew](https://workbrew.com/pricing)
]]></description>
            <link>https://workbrew.com/blog/security-at-speed</link>
            <guid isPermaLink="false">https://workbrew.com/blog/security-at-speed</guid>
            <dc:creator><![CDATA[Vanessa Gennarelli]]></dc:creator>
            <pubDate>Thu, 05 Jun 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/67b37121f199a003d24634f0_blog%20black.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Workbrew in Japan: Connecting with the Jamf Community in Tokyo]]></title>
            <description><![CDATA[
In May, we had the opportunity to join the [Jamf Macadmin User Group (JMUG)](https://community.jamf.com/t5/jmug-japan/bd-p/JMUG-Japanforum-board) for their meetup in Tokyo. It was a strong turnout that speaks to the energy and engagement of the Macadmin community in Japan.

![](/content/blog/images/682c80ad7b79a58e408d04aa_Screenshot%202025-05-20%20at%2015.16.16.png)

Events like these offer valuable opportunities to grow not just as professionals, but as part of a larger community. They create space to connect with peers, discuss challenges and explore lessons learned from others who have found solutions.

Discussions with attendees highlighted how Workbrew was helping them manage and secure fleets of all sizes. Fresh off our [1.2 release](https://workbrew.com/blog/workbrew-1-2), it was great to hear how default packages being available on the [free plan](https://workbrew.com/pricing) was helping teams get new developers started with a consistent toolset. Attendees highlighted how the policies and vulnerability features helped them gain visibility into what was happening across teams and set guardrails to ensure compliance in regulated industries. Being able to connect with the community and hear how Workbrew is addressing real-world requirements with flexibility and ease of use is invaluable.

Our live product demo sparked a lively Q&A session, with detailed questions covering:

*   Free plan capabilities
    
*   SSO and multi-user support
    
*   Permission mode structure
    
*   Per-user policies
    
*   Device group configurations
    

This kind of exchange is exactly why we show up. Listening closely to our community helps shape how we grow and deliver more value where it matters most.

Thanks again to [JMUG](https://community.jamf.com/t5/jmug-japan/bd-p/JMUG-Japanforum-board) for the invite. We’re already looking forward to next year.

You can connect with [JMUG](https://www.jmug.jp/) and register for future events [here.](https://www.jmug.jp/)

![](/content/blog/JMUG-2.jpeg)
]]></description>
            <link>https://workbrew.com/blog/jmug-japan-meetup-at-jamf-tokyo</link>
            <guid isPermaLink="false">https://workbrew.com/blog/jmug-japan-meetup-at-jamf-tokyo</guid>
            <dc:creator><![CDATA[John Britton]]></dc:creator>
            <pubDate>Mon, 02 Jun 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/6903b609c82b9ee559724459_Frame%2028.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Creative Ways to Extend `brew` with the Workbrew API]]></title>
            <description><![CDATA[
Finding ways to connect internal systems, gain visibility across your fleet, and orchestrate complex workflows can be challenging — but Workbrew’s API offers building blocks to make it easier.

In a recent internal hackathon, we asked ourselves to show how the API can create meaningful, practical solutions for Workbrew users. The goal? To imagine new ways customers can extend, integrate, and enhance their Workbrew experience.

Operationally, our product engineering team uses the [**Shape Up**](https://basecamp.com/shapeup) methodology, which means product work happens in 6-week cycles with 2-week cooldowns. After shipping [**Workbrew 1.2**](https://workbrew.com/blog/workbrew-1-2), we used the cooldown period to run a “Hack Day” — giving team members a blank slate and 24 hours to experiment.

The projects they delivered showcased just how powerful the Workbrew API can be — and offer a glimpse of what you can build with it.

### **Project 1: Instant API Client Integration**

#### Problem
Workbrew lacked ready-to-use Postman collections, making it harder for users to quickly integrate and experiment with the API. Leading platforms like Twilio and Stripe provide these assets, setting a clear customer expectation.
![](/content/blog/images/681b12cba53ece25d5c0cf92_AD_4nXd5LYUwpmTLpluGuDLWAISpwQ7Gjg66Or78nX9CsiBPMOj5Rlnjc9kM8fc96PwULCmfa-CK1o-vgzoZRDBZoOi25PQ2FCuqlKdur5eAosCGb3WDZuB9qXPnWXzENL25dITeAQ99rQ.png)

**Process**
* Imported our Swagger spec into Postman, Bruno, and Hoppscotch.
* Adjusted variables to support workspace names and default authentication.
* Explored CLI generation but identified limitations in OpenAPI 3.0 tooling.
    
#### User Impact
Workbrew users can now start experimenting with the API instantly through graphical clients like Postman — with no code, no CLI setup, and minimal configuration. Collections also unlock advanced workflows such as scheduled API tasks, lowering the barrier to adoption and increasing API accessibility.

### **Project 2: Natural Language Access to Workspace Health**

#### Problem
Interacting with API endpoints can be technical and complex. We explored building a natural language interface for the Workbrew API to make data insights more accessible.

[https://www.youtube.com/watch?v=g1ZXdvXxxhU](https://www.youtube.com/watch?v=g1ZXdvXxxhU)

**Process**
*   Created a Custom GPT that interacts with Workbrew API endpoints.
    
*   Enabled basic querying of cached workspace data through natural language prompts.
    

#### User Impact  
This prototype demonstrates how AI can simplify Workbrew data access, offering a future where users interact with their workspace health in everyday language — not complex queries. It's an early step toward making our platform even more intuitive.

### **Project 3: Improving API Documentation**

#### Problem  
Some API endpoints lacked clear examples, particularly around POST body formats for creating Brew Commands.

![](/content/blog/images/681b13c8544e0eccd264cd3a_AD_4nXc1uXraBAxNXgSIEAPgu2C-N-xrKJG0woYSAY-rxmT-nfQoT_5wAbYqhcFMDMkYiGxQCIZ2PmLj8U8RUeA-uiLhlujXtCT0tkfE5i7KrlJ2EINSgwm-1lsLl7MP2y6HNY9Rb83iKA.png)

**Process**

*   Identified documentation gaps during internal review.
    
*   Collaborated across teams to validate and update API documentation.
    

#### User Impact  
Clearer API documentation accelerates developer onboarding, reduces friction in integration, and strengthens user confidence when building on top of Workbrew.

### **What Can You Build with the Workbrew API?**

Whether you’re an IT admin scaling systems, a developer automating workflows, or a security/ops team looking to connect Workbrew to the broader stack — the possibilities are endless.

The hackathon projects highlighted the true power of the API and how it can help your team:

*   What workflow can you make more efficient?
    
*   How can you integrate your tools to improve data flows?
    
*   What repetitive task can you eliminate?
    

The Workbrew API isn’t just a tool — it’s an invitation to create.

### **What’s Next**

Many of the experiments from the hackathon are evolving into longer-term projects, with a focus on streamlining usability, expanding documentation, and delivering more intuitive customer experiences.

If you’re ready to explore what’s possible, watch CEO and Co-founder John Britton present [**Custom Integrations and Workflows with the Workbrew API.**](https://workbrew.com/webinars/custom-api-workflows)

See the API in action and learn how it can help you build smarter, tailored solutions for your team in our [**Custom Integrations and Workflows with the Workbrew API**](https://workbrew.com/webinars/custom-api-workflows) webinar.

[**Watch on-demand.**](https://workbrew.com/webinars/custom-api-workflows)

As we build on the momentum from this hackathon, we remain focused on delivering even more powerful, intuitive, and accessible experiences for every Workbrew user.
]]></description>
            <link>https://workbrew.com/blog/create-custom-api-workflows</link>
            <guid isPermaLink="false">https://workbrew.com/blog/create-custom-api-workflows</guid>
            <dc:creator><![CDATA[Vanessa Gennarelli]]></dc:creator>
            <pubDate>Wed, 07 May 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/67bf4b1ae32ebe7b6d721017_Frame%205.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Get Free, Fleet-Wide Visibility on Homebrew Installations]]></title>
            <description><![CDATA[
IT admins often face the challenge of managing what they can’t see. Without knowing which company-owned devices already have Homebrew installed, it’s difficult to assess what’s happening, set clear policies, manage compliance, or plan migrations effectively. Worse, without visibility, you risk creating gaps in your software management strategy — gaps that can leave you exposed.

Imagine having complete visibility into your device fleet — knowing exactly which machines are running Homebrew. With that insight, you can confidently shape a strategy, apply management policies, and ensure no device is left unmanaged. Importantly, you can do this without taking away the tools your developers love.

We make this possible with a free script you can run across all your machines using your [MDM](https://workbrew.com/works-with) (like [Kandji](https://workbrew.com/works-with/kandji) or [Jamf](https://workbrew.com/works-with/jamf)) which quickly generates a report on which devices have Homebrew.

Check out the script below:

```bash
#!/bin/bash
# Check for Homebrew in supported installation paths:
# Apple Silicon macOS, Intel macOS, and Linux (Linuxbrew).
if [[ -x "/opt/homebrew/bin/brew" ]] ||
   [[ -x "/usr/local/bin/brew" ]] ||
   [[ -x "/home/linuxbrew/.linuxbrew/bin/brew" ]]
then
  echo "Homebrew is installed."
  exit 0
else
  # A non-zero exit status marks the device as not having Homebrew.
  echo "Homebrew is not installed."
  exit 1
fi
```

With this insight, you can start shaping a smart management strategy. Workbrew’s [Free Plan](https://workbrew.com/pricing) helps you move from discovery to action: applying policies, improving compliance, and securing your Homebrew-using devices efficiently.

[**Book a demo**](https://workbrew.com/demo), share your use case, and discover how we can support your needs.

### Start Free Today

Start using brew at work with our [**Free Plan**](https://workbrew.com/pricing). Deploy to unlimited devices via our hassle-free installer, seamlessly [integrated with your MDM](https://workbrew.com/works-with) for zero-touch setup. [Workbrew’s Secure CLI](https://workbrew.com/blog/how-workbrew-works#workbrew-installer) preserves the familiar brew experience for developers, while giving IT total visibility into packages and versions across your fleet.
]]></description>
            <link>https://workbrew.com/blog/detect-homebrew-in-your-fleet</link>
            <guid isPermaLink="false">https://workbrew.com/blog/detect-homebrew-in-your-fleet</guid>
            <dc:creator><![CDATA[Luke Hefson]]></dc:creator>
            <pubDate>Wed, 07 May 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/67d1d9100e967c4cddc4a3fd_Frame%204.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Building Culture at Workbrew: Hackathons in a Remote-First Company]]></title>
            <description><![CDATA[
As anyone who has worked remotely before knows, it’s tough to build a shared sense of culture across 10 time zones.

Operationally, our product engineering team uses the [Shape Up](https://basecamp.com/shapeup) methodology, which means that product work is focused into 6-week “cycles” with 2-week “cool-downs.”

So during our last cooldown period, after shipping [Workbrew 1.2](https://workbrew.com/blog/workbrew-1-2), we tried an experimental “[Hack Day](https://workbrew.com/blog/create-custom-api-workflows).” Our goals were to prompt cross-team collaboration and produce artifacts from the Workbrew API that our customers could potentially use. But at Workbrew, these events are about more than what we build — they’re about how we build it together.

### **Remote work takes work**

As a remote-first, globally distributed company, collaboration isn’t left to chance — it's something we actively design and invest in.

Our team brings deep experience from companies like GitHub, 37signals, and Cloudflare, where remote work isn't just an adjustment — it's a craft. That shared experience set the foundation — but it was the hackathon that sparked something even deeper.

"The hackathon gave us something rare — a little more camaraderie, and a little more room for ideas to grow without the pressure to be perfect," one engineer shared.

During the hackathon, that mindset meant deeper focus, stronger collaboration, and the freedom for ideas to emerge naturally. Trust and autonomy weren’t obstacles — they were accelerators.

While our Shape Up cycles drive focused product development every eight weeks, we saw the cooldown period as an opportunity to do something different:

*   **Cross-team collaboration** beyond daily roles
    
*   **Customer-first exploration** based on direct feedback
    
*   **Creative freedom** without the pressure of long-term maintenance
    

By intentionally creating space to work differently, we unlocked fresh thinking — and strengthened the connections that make remote collaboration thrive.

The results stretched far beyond the projects delivered:

*   **Camaraderie**: Celebrating unfinished experiments and small creative wins.
    
*   **Creative risk-taking**: Turning small sparks into ideas with real customer potential.
    
*   **Role-stretching**: Engineers stepping into product, design, and customer advocacy roles.
    
*   **User empathy**: Experiencing the API firsthand revealed actionable ways to reduce friction and drive value for customers.
    

As one participant put it:

"Seeing small ideas come to life, and realizing how quickly we could help customers in meaningful ways, was inspiring."

### **Iterating to Improve**

Our [first hackathon](https://workbrew.com/blog/create-custom-api-workflows) in this format exceeded expectations. Moving forward, we’ll be integrating hack days into our [Shape Up](https://basecamp.com/shapeup) cycle to build a stronger, more creative, and more connected company.

By making space to experiment together — across oceans and time zones — we’re not just extending what Workbrew can do.

We’re extending what Workbrew can be.
]]></description>
            <link>https://workbrew.com/blog/workbrew-hackathon-culture</link>
            <guid isPermaLink="false">https://workbrew.com/blog/workbrew-hackathon-culture</guid>
            <dc:creator><![CDATA[Vanessa Gennarelli]]></dc:creator>
            <pubDate>Wed, 07 May 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/6746f1dd8e0743f1f5183b68_workbrew-public-beta-1.avif" length="0" type="image/avif"/>
        </item>
        <item>
            <title><![CDATA[Workbrew 1.2 release notes]]></title>
            <description><![CDATA[Workbrew 1.2 is here.

This release expands the Workbrew policies system, delivers powerful new automation tools, supports device management at scale, and enriches the admin experience to provide deeper insights into the software running across their fleet.

1.2’s features and improvements **tighten security**, **streamline administration**, and **improve visibility** – helping MacAdmins, IT teams, and security professionals better manage Homebrew at scale while keeping developers moving fast.

Let’s dive in.

### Default Packages Now Available On The [Free Plan](https://workbrew.com/pricing)

Free plan users now have access to **Default Packages**, making it easier than ever to get new developers started with a consistent toolset.

Define a set of core packages your team needs – and have them automatically installed on enrolled devices. Whether you’re managing a small team or just getting started with Workbrew, you can now ensure faster onboarding, fewer setup issues, and more productive environments from day one.

It’s a powerful way to bring order to developer machines – now available at no cost.

### Avert Compliance Violations and Fortify your Stack with New Policy Features

Define and enforce which software enters your stack with Workbrew’s policies.

Make your mission-critical tools available effortlessly, while preventing risk from unauthorized software. To support this goal, this release introduces **three powerful new policy types**, and new features to flag violations in your dashboard.

### Allowed Taps Policy: Enable Private and Trusted Taps

![](/content/blog/images/680899d91220b0f29599aebc_AD_4nXeY1QKd_kyic2HPxvRcqhah3aK9nToSS4a6OS0PUQA9_MATq1Ct7JM3qFDNMXnfHj3uHiHpwdW6yDbUD_5AZv0O34kpV5NnFuT3G0YJ_XdU15u3ba9n3w8O8-Md3M8c_Efx0qS7eg.png)

Prevent installations from unauthorised or untrusted sources by setting a clear policy on which Homebrew taps are allowed.

**For Admins:**

*   Automatically allow official Homebrew taps and any private taps connected to your Workbrew workspace.
    
*   Block package installs from unknown, risky, or shadow taps – strengthening your software supply chain security – by only allowing trusted third-party taps.
    

**For Your Team:**

*   Install packages confidently from approved taps without worrying about unknown risks.

**Allowed Taps Policy** is available on [Pro and Enterprise plans](https://workbrew.com/pricing).

### Forbidden Licenses Policy: Support OSS, but Prevent IP Risk

![](/content/blog/images/680899d9bf8a0b5742e4cbe9_AD_4nXfmAsGTPXhceRqLk802CrmwGOjc0UzSJHMIPmREtLOxVa5lQ2jSspAEG35P0055FtZU9fxpQOrHn-tPqOMpqbZn5Z0rOzW_sQrq2PyeXRBVr04dBNKDyZjV6itd6Ieh1mKMrRA7aQ.png)

Encourage open source usage to empower engineers and accelerate development, while avoiding legal or compliance exposure.

**For Admins:**

*   _Proactively_ block high-risk open-source licenses, such as strong copyleft licenses (e.g., AGPL, GPL), that might conflict with your organisation’s compliance requirements.
    
*   Simplify open-source license management across your fleet.
    

**For Your Team:**

*   Build a “win/win” collaboration between engineering and security.
    
*   Feel confident that any open-source projects you incorporate won’t put your company’s IP at risk.
    

**Forbidden Licenses Policy** is available on [Pro and Enterprise plans](https://workbrew.com/pricing).

### Automatic Upgrades and Uninstalls Policy: Keep your Fleet Up-to-Date, Globally

![](/content/blog/images/680899d906ff7882cdf70f6b_AD_4nXcdJ4pTcvv3hQHgCfhBny7qUH8UiWlEAwvoJK_1J545oEUpUPlcfX7kv49DyHT8cHPUyXmbAn66BWnvpxbVPktEJ6b7Ivdj8P8-_eHjZ9w9FtU-Zex_hXKhf63hzY9iZq-qxTzcjw.png)

Programmatically ensure your fleet is secure and up-to-date, removing the manual back-and-forth of chasing each team member to run brew.

**For Admins:**

*   Patch brew formulae when vulnerabilities are detected, without human intervention.
    
*   Upgrade outdated packages (formulae or casks) on a regular cadence to minimise team disruption.
    
*   Retroactively uninstall forbidden packages that pre-date the policy.
    

**For Your Team:**

*   Ongoing maintenance and regular updates with minimal disruption for your developer teams.

**Automatic Upgrades and Uninstalls Policy** is available on [Enterprise plans](https://workbrew.com/pricing) only.

### Flag Policy Violations with New Dashboard UX

![](/content/blog/images/680899d91b4e6eb964e9cfb4_AD_4nXcaTN4pTfMstw5uMyx-nPPtrWJlgjJmFUGZHc9I0XrdWI1KjsWnjEZIeQwZ9klpIK21z4Rqoc8hMRTOTCodbKUqSgn9k6nkUDJXIyXTiG4frnjRmyekUMD6JKNVtKAm27Gd_GlYKQ.png)

No more digging through lists or cross-referencing device data. Identify non-compliant devices at a glance — including which policies are being broken, and which packages are responsible. Updated **weekly email reports** provide a summary of all policy violations across your fleet. Admins now have consistent insight into compliance status — even while away from the console.

**Flagged Policy Violations** are available on [Pro and Enterprise plans](https://workbrew.com/pricing).

### Device Group Management for Growing and Changing Teams

“Device groups” allow you to easily manage installs and updates based on project, role, or team.

Whether you are rolling out devices to larger fleets, or realigning projects to fit new business goals, Workbrew offers new features to seamlessly manage groups.

### Rich Default Packages for New Devices

![](/content/blog/images/680899d91a6b12a6d547904f_AD_4nXf7gNsmIHEdxutZrtyDlLt6yUCN53XlFTbJ07Cz02uj-zB2qTp-oDNkBj9Zwfj1pGNXswd1run_eZ75twg0SCyZohv9-5CGrj0ykGu9BB2CpNZAZ88MPG2lsyFTXzzM5fj7UcoH5g.png)

New devices added to a device group now automatically inherit the group’s assigned default packages, policies and commands – without needing any manual retargeting.

**For Admins:**

*   Save time and eliminate missed configurations as your team scales or changes.

**For Your Team:**

*   Newly onboarded devices are ready to go from day one.

### Sync Device Groups Directly from Your MDM

![](/content/blog/images/680899d9563b6663823c6282_AD_4nXcaL-ULrilUT86qkOVCUEUpa4nqqpQNm088o06qX_GUaV3sxTE_Sqf5hNCRp3auCzIWSJhvpWOZGFP828VJqR5jGMnQScI4USy0Dge6eTip5SMe5DE9mSNXf478F1CiWz_qVDWDMA.png)

Workbrew now supports read-only syncing of device groups from your MDM (Jamf, Kandji, Intune, JumpCloud, Fleet and SimpleMDM).

**For Admins:**

*   As devices join MDM groups, Workbrew automatically updates their software and policies – no extra steps needed.
    
*   Keep your source of truth clean: edits to device groups stay within your MDM.
    

**For Your Team:**

*   Consistent device experience without manual updates or missed policies.

**Dynamic Targeting and MDM Device Group Sync** is now available on [Pro and Enterprise plans](https://workbrew.com/pricing).

### Triage Unknown Software Faster with Insights from Package Metadata

![](/content/blog/images/680899d90f31b0cb0e122762_AD_4nXdDW61tRaMidVaJ5rX6Pg2ka-vyaNRUuXvztF4_z9QowFGcjvkmSJy5yTpeLOJjTlc_U7hwR4E10NqmIdqZ9sf0NZzNqAijQrSHypmHBqntyzDfzT4zAJwrJfBU-VuLoAaneDZvSw.png)

As Admins come across unknown or unvetted packages, Workbrew’s console surfaces key information: package descriptions, versions, licensing information, and more.

From the Packages tab, click on any package listed to view detailed information.

**For Admins:**

*   Make informed decisions about unknown or unvetted packages from within the Workbrew console.

**For Your Team:**

*   Faster software approvals mean quicker access to the tools your developers need.

**In-Console Package Metadata** is available on [all plans](https://workbrew.com/pricing).

### Quickly Locate, Target, and Troubleshoot Devices Across Your Fleet

![](/content/blog/images/680899d98fa4e967f6b936c0_AD_4nXeS7uOJy7EnprxQX1zldMydf1b1ZX-WzFOu2drien_-BPPJjzKl5QpDAFyK1XmFdTU3NQkI1D7YtN9z7svxYeSCrlKBhKmyw2VYpisIgwAbyOEn16HqmgyF3WDcKJmIWzqmdDJS.png)

Workbrew now prioritises displaying device names (from your MDM or the device’s hostname) over serial numbers.

**For Admins:**

*   Plain-language naming conventions offer clarity when Admins need to access devices quickly.
    
*   No more hunting through spreadsheets or other sources of device identification.
    

**For Your Team:**

*   Resolutions happen faster when devices need attention.

**Device Identification** is available on [all plans](https://workbrew.com/pricing).

### UX Upgrades for Intuitive Management

This release also includes a series of updates that improve visibility, searchability, and everyday usability inside the Workbrew Console – especially for larger teams managing complex fleets.

### Console UI Refresh

The Workbrew Console has received a makeover to make it faster and easier to use.

*   **Improved tables**: Cleaned-up tabular layouts make package, device, and policy data easier to scan and act on.
    
*   **Simplified navigation**: We’ve reorganized navigation to help you find what you need faster.
    
*   **Updated visual design**: Subtle visual tweaks bring clarity and polish across the entire Workbrew console.
    

### Search for Formulae and Casks on the Packages Page

![](/content/blog/images/680899d9c29b6f5044d18420_AD_4nXe77qnRI8RoO5Pa9fDxWURbSJwADEdG95o03S7-D62t9qURqHVq3oqtQ43JUTZwrGErJ6jfXFObdMnfu8HSfyr1ZrRPIhrF1nY8IZujptrQzRPNFXWZix3ehxcBZi_VIC8jTHgwMA.gif)

The **Packages** page now supports full search functionality across all formulae and casks in your fleet.

Quickly filter down to a specific tool, investigate a suspicious package, or locate items that might need to be added to a policy – without scrolling through massive lists.

### Filter Brew Commands by Creator

Need to track down commands created by a specific workspace administrator?

You can now filter the **Brew Commands** page by command creator, making it easy to understand who ran what and when – especially in workspaces with multiple admins managing remote software delivery. Useful when troubleshooting, doing an audit, or just coordinating with other admins.

**The Improved Console UI and Searching for Formulae and Casks on the Packages Page** are available on [all plans](https://workbrew.com/pricing).

**Filtering Brew Commands by Creator** is only available on [Pro and Enterprise plans](https://workbrew.com/pricing).

## Workbrew 1.2: Stronger Policies, Smarter Automation, Better Insights and Better UX

To round up, Workbrew 1.2 brings major improvements to security, automation, and device management:

*   **Expand your policies** to cover taps and licenses, not just packages.
    
*   **Keep devices patched and secure** automatically – without user disruption.
    
*   **Manage growing fleets easily** with smarter group targeting and MDM syncing.
    
*   **Make faster decisions** with detailed in-console package data and improved discovery tools.
    
*   **Navigate your fleet faster** with better device naming.
    

We’re proud to keep building Workbrew based on your feedback – and we’re excited for what’s next.

Have questions or feature ideas? [**Reach out to us**](https://workbrew.com/contact) – we’d love to hear from you.]]></description>
            <link>https://workbrew.com/blog/workbrew-1-2</link>
            <guid isPermaLink="false">https://workbrew.com/blog/workbrew-1-2</guid>
            <dc:creator><![CDATA[Luke Hefson]]></dc:creator>
            <pubDate>Wed, 23 Apr 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/67c0c01a53bac8d22583a92d_Frame%2012.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Deploy Workbrew with Iru]]></title>
            <description><![CDATA[
To help our customers get started with Iru, a popular Apple MDM solution, we’ve created a tailored deployment guide. The guide walks Iru administrators through:

*   Available options for deploying Workbrew with Iru
    
*   How to integrate the two systems, and configure Library Items
    
*   Assignment Maps to get Workbrew onto their devices.
    

Speaking about how the Workbrew integration has helped his customers, Iru Sr. Solutions Engineer [Danny Hanes](https://www.linkedin.com/in/dannyhanes/) said:

> _"Every time an Iru customer mentions they use Homebrew, I always tell them to check out Workbrew. It's a fantastic tool for allowing developers to perform their job, without compromising security."_

After following the guide and integrating Workbrew and Iru, your organisation will be able to leverage the incredible package ecosystem of Homebrew, whilst maintaining security, compliance, and management priorities.

Administrators can now keep their fingers on the pulse of what packages developers find indispensable, without losing sight of potential vulnerabilities and open source licensing considerations.

Every developer has started a new job with a tedious day of installing developer tools: with Iru and Workbrew, new devices can be ready to go on Day 1, with your organization’s stack rolled out automatically with `brew` commands and configurations.

> "This deployment guide is all about speed, security, and simplicity. Our partnership with Iru brings together the best of Mac device management and developer productivity—giving teams a seamless, secure way to get up and running with the tools they need."

— [Vanessa Gennarelli](https://www.linkedin.com/in/vanessa-gennarelli/), COO at Workbrew

**Get Started Today**

[Workbrew + Iru Deployment Guide](https://workbrew.com/docs/deployment-guides/workbrew-deployment-guide-kandji)

[Get the Workbrew + Iru integration](https://www.kandji.io/integrations/)
]]></description>
            <link>https://workbrew.com/blog/deploy-workbrew-with-iru</link>
            <guid isPermaLink="false">https://workbrew.com/blog/deploy-workbrew-with-iru</guid>
            <dc:creator><![CDATA[John Britton]]></dc:creator>
            <pubDate>Mon, 14 Apr 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/6903b609c82b9ee559724459_Frame%2028.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Security Audits 101: Insights & Best Practices from Trail of Bits]]></title>
            <description><![CDATA[
**Cybersecurity isn't just a checkbox—it's a journey.** In a [recent session](https://workbrew.com/webinars/security-audits) hosted by Vanessa, COO and co-founder at Workbrew, experts from the elite security firm [**Trail of Bits**](http://trailofbits.com/) shared deep insights into how organizations can approach, structure, and benefit from security audits. The conversation was packed with practical advice and real-world examples.

### Meet the Experts

*   **Lindsay Rakowski** – Sales Manager at Trail of Bits, with a background in education, passionate about helping organizations understand cybersecurity.
    
*   **Chris Dahlheimer** – Leader of the Sales Engineering team at Trail of Bits, former Department of Defense specialist, focused on proactive network defense and threat intelligence.
    

### Why Security Audits Matter

Security audits go beyond bug hunting. They're about improving the **overall architecture, design, infrastructure, and security posture** of a system. Firms like Trail of Bits help organizations:

*   Identify weaknesses early
    
*   Strengthen system architecture
    
*   Guide long-term security strategies
    

Their holistic approach integrates security into every phase of the development lifecycle.

### Types of Security Assessments

Trail of Bits offers a range of services, each tailored to where a company is in its security journey:

*   **Design Reviews** – Ensure architectural soundness before coding begins
    
*   **Threat Modeling** – Identify and prioritize potential threats
    
*   **Infrastructure & Cloud Security Reviews** – Analyze configuration and environment risks
    
*   **Integrated Security Reviews** – Combine static and dynamic analysis
    
*   **Rapid Risk Assessments** – Run early for a quick look at your security posture, or as a post-incident evaluation to prevent recurrence
    
*   **Code Reviews** – In-depth assessments of mature codebases
    

### When to Start: Timing Is Everything

**Start early. Stay continuous.**

Waiting until the end of a product cycle can be costly. Instead:

1.  Start with a **design review**
    
2.  Follow with **threat modeling**
    
3.  Conduct **infrastructure reviews**
    
4.  Wrap with **code reviews** before launch
    

Engaging security partners early builds institutional knowledge, reduces rework, and maximizes effectiveness.

### How to Prepare for a Security Audit

Maximize the value of your audit with smart preparation:

*   **Set clear goals**
    
*   **Fix low-hanging bugs** before the audit
    
*   **Provide comprehensive documentation**
    
*   **Include unit and integration tests**
    
*   **Share previous reports and known issues**
    

Well-prepared teams get more impactful, strategic insights from their audits.

### Choosing the Right Security Partner

When selecting a vendor:

*   **Check credentials and reputation**
    
*   **Review past public reports**
    
*   **Look for research contributions and open-source work**
    
*   **Evaluate communication and collaboration style**
    
*   **Ensure actionable, long-term recommendations**
    

Trail of Bits emphasizes transparency, deep expertise, and a consultative approach.

### Turning Audit Results Into a Competitive Advantage

Audit results aren't just for internal use—they can be a **strategic asset**:

*   **Demonstrate maturity** to customers, partners, and investors
    
*   **Improve product stability** and development processes
    
*   **Signal security leadership** in your industry
    
*   **Prioritize future investments** based on real data
    

Publishing updated audit results after remediation builds trust and confidence.

### In-House vs. Third-Party: The Right Balance

Trail of Bits recommends a hybrid approach:

*   Build **internal security teams** for day-to-day needs
    
*   Use **third-party experts** for niche or advanced issues
    

External partners bring a fresh, unbiased perspective and help level up your internal capabilities over time.

### Final Takeaway

Security isn’t a one-time task—it’s a continuous, strategic process. Engaging with experienced firms like Trail of Bits early and often ensures you’re building secure, resilient, and trusted systems from the ground up.

**Start early. Stay secure. Think long-term.**

_Interested in a security audit or just want to learn more? Visit_ [_Trail of Bits_](https://www.trailofbits.com/) _or reach out to their team to start the conversation._

_Check out_ [_Workbrew's Trust Center_](https://trust.workbrew.com/) _to access our report from Trail of Bits, or_ [_try Workbrew for free_](https://workbrew.com/pricing)_._
]]></description>
            <link>https://workbrew.com/blog/security-audits-trail-of-bits</link>
            <guid isPermaLink="false">https://workbrew.com/blog/security-audits-trail-of-bits</guid>
            <dc:creator><![CDATA[Vanessa Gennarelli]]></dc:creator>
            <pubDate>Thu, 27 Mar 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/67d1d9100e967c4cddc4a3fd_Frame%204.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Workbrew + Jamf Pro: Secure, Automated Software Management for Enterprises]]></title>
            <description><![CDATA[
Developers rely on powerful package managers like Homebrew for quick installations. IT teams must have **visibility** into deployments and may need to enforce restrictions to ensure **security** and **compliance**. Managing software at scale for developer-centric environments is challenging.

The Workbrew + Jamf Pro integration lets IT admins enforce enterprise-grade security and control, while ensuring developers have the tools they need.

##### **What is Workbrew?**

**Workbrew** simplifies Homebrew management for enterprises, ensuring software management is secure, automated, and compliant. With Workbrew, you can install Homebrew across large fleets of macOS devices, gaining access to the most popular package manager for macOS and over 15,000 packages, with the peace of mind given by centralized management and real-time monitoring of all software installed with Homebrew.

Workbrew **bridges the gap** between developer flexibility and IT control, keeping software **up-to-date and secure**.

## The Power of Jamf Pro + Workbrew

Jamf Pro is a popular Apple device management (MDM) solution, providing IT teams the ability to remotely manage devices, set security policies, and deploy software.

Integrating Jamf Pro with Workbrew gives your organization the best of both worlds: existing Jamf users keep peace of mind while empowering their developers with best-in-class package management, and existing Workbrew users gain zero-touch deployment and automated device inventory syncing.

Workbrew + Jamf Pro provides a powerful combination that equips IT teams with:  

1.  **Automated software management**
    
2.  **Complete visibility into Homebrew package usage**
    
3.  **Enforced security and compliance policies**
    

This integration enables centralized IT management of Homebrew, whilst ensuring a seamless experience for developers.

## Key Benefits of Workbrew + Jamf Pro Integration

1.  **Seamless Deployment and Management of Developer Tools:** IT teams can leverage Jamf Pro’s device management capabilities to deploy Workbrew across all macOS devices in their environment without manual intervention. Once deployed, Workbrew makes it quick and easy for administrators to onboard new devices with their org’s stack, roll out new software, and set policies around which packages can be installed.
    
2.  **Enhanced Security and Compliance Monitoring:** Workbrew helps IT administrators ensure that all installed open-source software packages are secure and comply with organizational policies. Get full visibility into all software installations, including tracking package versions, managing updates, and staying in compliance with security standards. Workbrew tracks package vulnerabilities and provides an overview of potential issues, allowing administrators to audit their fleet at a glance.
    
3.  **Reduced IT Workload and Increased Efficiency:** Automate repetitive tasks like software deployment, updating, and compliance reporting, freeing your IT team up to focus on the important issues. Workbrew’s analytics and monitoring tools provide IT administrators with real-time insights into the health and security of their software deployments, making it easier to troubleshoot and address issues proactively.
    
4.  **Simplified Mac Management for Developers:** Keep developers focused on writing code and solving problems, rather than wrestling with manual software installation or configuration. Workbrew + Jamf Pro helps administrators keep developers’ devices equipped with the latest developer tools and libraries, eliminating the risk of outdated or incompatible versions slowing down their work.
    
5.  **Visibility and Management for IT Teams:** Gain complete visibility into what packages are being installed across your organization, letting your IT team stay ahead of the curve and proactively support the needs of their colleagues. See which versions of a package are installed on which device, and when they were last updated. Get to know the software your teams are using, with information like software licenses for every installed package.
    

Whether you're managing a small team of developers or overseeing the software needs of a large organization, Workbrew and Jamf Pro help ensure that both developers and IT teams are working with the right tools in the right environment—secure, compliant, and efficient.

## **Get Started Today**

[Get the Workbrew + Jamf Pro integration](https://marketplace.jamf.com/details/workbrew)

[Workbrew + Jamf Pro Deployment Guide](http://workbrew.com/guides/workbrew-deployment-guide-jamf-pro)

[Learn more about Jamf](http://workbrew.com/docs-guides/workbrew-deployment-guide-jamf-pro)
]]></description>
            <link>https://workbrew.com/blog/deploy-workbrew-with-jamf-pro</link>
            <guid isPermaLink="false">https://workbrew.com/blog/deploy-workbrew-with-jamf-pro</guid>
            <dc:creator><![CDATA[John Britton]]></dc:creator>
            <pubDate>Tue, 25 Mar 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/6903b609c82b9ee559724459_Frame%2028.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Stay ahead of Security Events with Workbrew’s Automation Tools]]></title>
            <description><![CDATA[
## Data Export Simplifies Auditing and Integrations

Managing software across multiple devices generates vast amounts of data. Workbrew simplifies data management by providing an easy-to-use export function wherever tabular data is presented.

For example, in the Packages View, you can access a comprehensive list of every installed package across all devices, complete with metadata, including:

*   Impacted devices
    
*   License details
    
*   Installed versions
    
*   Latest versions
    
*   Known vulnerabilities
    

Let me walk you through the process in the Workbrew Console:

[https://youtu.be/Zajmf3RUnT4](https://youtu.be/Zajmf3RUnT4)

To meet auditing requirements or integrate with third-party tools, users can export this data in JSON or CSV formats with a simple click. Whether you’re performing custom analysis or integrating with another system, Workbrew gives you the flexibility to work with your data in a way that best suits your needs.

## Monitor Your Fleet in Real-Time with Notifications & Webhooks

Proactive monitoring is key to maintaining a secure environment. Workbrew offers a variety of notification options to keep you informed about critical events, such as newly detected vulnerabilities, command executions, and failures.

### Slack and Email Alerts

*   Slack Notifications: Connect Workbrew to a Slack channel, and our bot will instantly notify you when significant events occur. Alerts include actionable links, enabling teams to respond quickly.
    
*   Email Notifications: Configure Workbrew to send email alerts for teams that rely on email-based workflows or integrate with tools that support email ingestion.
    

### Webhooks for Automation

For advanced automation, Workbrew supports webhooks, allowing you to trigger actions based on system events. Let me show you how:

[https://youtu.be/Gg8zhFxkOVk](https://youtu.be/Gg8zhFxkOVk)

The webhook makes an HTTP request to send event data from Workbrew to an external system, enabling dynamic responses such as:

*   Quarantining a vulnerable device automatically
    
*   Updating security dashboards
    
*   Initiating patch management workflows
    

For example, a customer with a high-security environment uses webhooks to quarantine devices upon detecting high-severity vulnerabilities. When an event is triggered, their system:

1.  Receives webhook data from Workbrew.
    
2.  Fetches additional details via the API.
    
3.  Automates actions like blocking VPN access or isolating the device.
    

With webhooks, Workbrew enables organizations to react in real-time, reducing manual intervention and enhancing security.

## Introducing the Workbrew API: Full Automation and Custom Integrations

For teams that require deep integration and control, the Workbrew API provides an extensive set of capabilities. Every action available in the Workbrew console can also be performed via the API, allowing for programmatic control over fleet management and security operations. Let me walk you through the documentation within the console:

[https://youtu.be/PvK7Kwk3QrU](https://youtu.be/PvK7Kwk3QrU)

With the Workbrew API, you can:

*   Export Data Programmatically: Automate data extraction to JSON or CSV for seamless integration into SIEM (Security Information and Event Management) systems like Splunk.
    
*   Automate Security Responses: Use API calls to monitor and mitigate vulnerabilities in real time.
    
*   Custom Integrations: Connect Workbrew with existing IT tools to streamline workflows.
    

Workbrew’s API-first approach ensures that teams can scale automation, integrate with other platforms, and build custom workflows tailored to their needs.

## Role-Based Access Control: Secure and Manage Permissions

Ensuring the right level of access for different users is essential for security and operational efficiency. Workbrew now includes Role-Based Access Control (RBAC), allowing administrators to assign specific permissions based on job roles:

*   Read-Only Access: Ideal for teams that need to view reports and data without making changes.
    
*   Write Access: Suitable for IT and security teams responsible for managing fleet operations.
    
*   Admin Access: Grants full control, including user management and system-wide configurations.
    

By implementing RBAC, Workbrew enhances security and ensures that only authorized users can modify critical settings, reducing the risk of misconfigurations.

From data exports for auditing, to real-time alerts and webhooks for automation, and a powerful API for seamless integrations, Workbrew ensures you stay ahead of potential security threats while maintaining operational efficiency.

Ready to optimize your IT and security workflows?
]]></description>
            <link>https://workbrew.com/blog/insights-alerts-and-integrations</link>
            <guid isPermaLink="false">https://workbrew.com/blog/insights-alerts-and-integrations</guid>
            <dc:creator><![CDATA[John Britton]]></dc:creator>
            <pubDate>Mon, 17 Mar 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/67bf80a517fccb45643dd837_Frame%2015.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Workbrew’s 2024 Security Audit with Trail of Bits]]></title>
            <description><![CDATA[
In the fall of 2024, Workbrew commissioned a Security Audit from reputable cybersecurity firm [Trail of Bits](http://trailofbits.com/). 

The scope of the audit consisted of: 

*   The Workbrew console (Rails-based application)
    
*   The Workbrew endpoint agent (Go-based, with integrations into brew)
    
*   The Workbrew installer (macOS installer with associated shell scripts)
    

The audit focused on reviewing the Workbrew update mechanisms, remote `brew` command execution, filesystem access controls preventing unauthorized access (by a non-root user), as well as checking for exposure of sensitive system secrets.

![](/content/blog/images/67cb33a9d2d5ab3215eb528b_test2.gif)

*   Items found - 9
    
*   Items resolved - 7
    
*   Items in progress/partially resolved - 2
    

Findings by severity: 

*   Informational: 3
    
*   Low: 4
    
*   Medium: 1
    
*   Undetermined: 1
    

Additionally, Homebrew underwent an [in-depth security audit](https://brew.sh/2024/07/30/homebrew-security-audit/) in 2023, and interested parties can read that report from Trail of Bits [here](https://blog.trailofbits.com/2024/07/30/our-audit-of-homebrew/).

To access the full Workbrew report, please visit our [Security page](https://workbrew.com/security).

Trail of Bits will be joining Workbrew for an [upcoming webinar about security audits](http://workbrew.com/webinars/security-audits) on March 25, and we'd love to see you there.
]]></description>
            <link>https://workbrew.com/blog/security-audit</link>
            <guid isPermaLink="false">https://workbrew.com/blog/security-audit</guid>
            <dc:creator><![CDATA[Vanessa Gennarelli]]></dc:creator>
            <pubDate>Thu, 13 Mar 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/67d1d9100e967c4cddc4a3fd_Frame%204.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Deploy Workbrew with Microsoft Intune & JumpCloud]]></title>
            <description><![CDATA[
If your enterprise uses Microsoft [Intune](https://www.microsoft.com/en-us/security/business/microsoft-intune) as part of your Microsoft 365 stack, or your company is among the 250,000 who use [JumpCloud](https://jumpcloud.com/), Workbrew has new integrations that offer device inventory syncing. This feature makes it easier to deploy, especially for large fleets.

[**Start for free**](https://workbrew.com/pricing)

## Microsoft Intune

Maintain the security posture you need and roll out the hardware your teams want. The integration allows admins to sync device inventory across systems, and easily track and manage enrolled devices.

[**Find out more**](https://workbrew.com/works-with/microsoft-intune)

## JumpCloud

IT admins who use JumpCloud for “Cross-OS” device management can build upon their toolset to sync device inventory and ownership data across systems, and quickly navigate between Workbrew and JumpCloud.

[**Learn more**](https://workbrew.com/works-with/jumpcloud)

## Works With Workbrew

Workbrew continues to grow [our list of integrations](https://workbrew.com/blog/works-with-workbrew), based upon requests from customers. If you don’t see your MDM tool listed here, we’d love to hear from you, whether you’re a customer looking for support or an integrator interested in building a connection with Workbrew.

[**Contact us**](https://workbrew.com/demo)
]]></description>
            <link>https://workbrew.com/blog/microsoft-intune-and-jumpcloud</link>
            <guid isPermaLink="false">https://workbrew.com/blog/microsoft-intune-and-jumpcloud</guid>
            <dc:creator><![CDATA[John Britton]]></dc:creator>
            <pubDate>Wed, 12 Mar 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/6903b609c82b9ee559724459_Frame%2028.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Automate your Fleet with Declarative Policies ]]></title>
            <description><![CDATA[
If you’re familiar with the declarative vs. imperative approach, you know that instead of managing tasks step by step, you define the desired state and let automation handle the rest.

Workbrew brings this philosophy to fleet automation, offering powerful features like MDM Integration with Inventory Sync, Device Group Management, and Customizable Default Packages. Let’s dive into how these functionalities simplify IT operations.

## Sync your fleet with new MDM integrations

Workbrew seamlessly integrates with leading MDM platforms, including Jamf, Kandji, Fleet, SimpleMDM, JumpCloud, and Microsoft Intune. This integration allows IT teams to sync device inventory automatically, ensuring accurate and up-to-date records. Here's a brief demo from my recent webinar:

[https://www.youtube.com/watch?v=rsegL8tkP0E](https://www.youtube.com/watch?v=rsegL8tkP0E)

This streamlined inventory sync eliminates manual tracking, making it easier to manage thousands of devices across an organization.

## Deploy OS updates, patches, and security fixes to device groups

Organizing devices into groups simplifies software deployment, policy enforcement, and tracking. Workbrew allows IT admins to manually create device groups and assign devices accordingly. Once a group is set up, administrators can:

*   Run commands targeting specific groups.
    
*   Apply configurations to ensure consistency across devices.
    

Here's a brief demo of device groups in action:

[https://www.youtube.com/watch?v=bP0IwAXq48A](https://www.youtube.com/watch?v=bP0IwAXq48A)

Using device groups, IT teams can push fixes to different groups based on priority or risk level. We’re also working on automating device group membership syncing from various sources, an enhancement that will further reduce manual effort.

## Automate your fleet’s configuration with default packages

Standardizing developer environments is crucial for operational efficiency. Workbrew leverages Homebrew’s `brew bundle` functionality to automate software installations across fleets.

Default packages allow administrators to:

*   Define a set of essential tools and applications per team (e.g., engineers, data scientists, sales teams).
    
*   Automatically install these applications when a device is first set up.
    
*   Eliminate the need for manual software setup, reducing onboarding time.
    
*   Schedule default packages to run once, daily, weekly, or monthly.
    

Here's how you set them up:

[https://www.youtube.com/watch?v=K\_TpilRzQv8](https://www.youtube.com/watch?v=K_TpilRzQv8)

New engineers can receive a fully configured machine the moment they log in—without the hassle of manually installing dependencies.

By embracing fleet automation with Workbrew, IT teams can spend less time on repetitive tasks and more time on growing their business. Ready to streamline your operations? [Try Workbrew today](https://workbrew.com/pricing) and experience the future of automated device management.
]]></description>
            <link>https://workbrew.com/blog/automate-your-fleet</link>
            <guid isPermaLink="false">https://workbrew.com/blog/automate-your-fleet</guid>
            <dc:creator><![CDATA[John Britton]]></dc:creator>
            <pubDate>Mon, 03 Mar 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/67bf4464d17b7ee4b452ef3e_Frame%2022.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Automate your Operations with Recurring Commands, Private Taps, and Vulnerability Patching]]></title>
            <description><![CDATA[
Managing software updates and distribution across multiple devices can be a daunting task. Between running routine commands, ensuring software consistency across teams, and patching vulnerabilities, IT teams and developers often spend significant time on manual tasks. 

In this post, we'll explore how you can streamline day-to-day operations using three new Workbrew features.

## Recurring Brew Commands: Automate Routine Software Updates

One of the most common pain points for teams managing software updates is keeping packages up to date without disrupting workflows. With Workbrew, you can schedule recurring commands to run automatically on a daily, weekly, or monthly basis. This ensures that your most critical packages are always current without requiring manual intervention.

In the demo below, I walk through an example of keeping Git up-to-date using Recurring Brew Commands. You can set up a recurring command targeting a specific group of devices to execute:

[https://youtu.be/iB6wLfGUIuo](https://youtu.be/iB6wLfGUIuo)

This automation prevents outdated software from becoming a bottleneck while minimizing disruption.

Even more critically, you might want to ensure that security-sensitive software—such as OpenSSL—is always on the latest version. By setting an automated update schedule, you can ensure that your security-critical dependencies stay patched against the latest threats.

## Standardized Internal Software Distribution with Private Taps

If your organization builds internal software tools, distributing them efficiently across all developer devices can be a challenge. Private taps provide a way to manage and distribute internal packages just as easily as public ones.

Homebrew organizes package definitions into repositories called _taps_. While the default taps include widely used open-source packages, organizations can create their own private taps to distribute proprietary software.

Traditionally, managing authentication for private taps required _manual_ setup on _every device_. However, by integrating private taps through Workbrew’s centralized management console, you can automate authentication and package distribution. Let me show you how:

[https://www.youtube.com/watch?v=ezM2A2hWG7E](https://www.youtube.com/watch?v=ezM2A2hWG7E)

This ensures that every developer or employee has seamless access to the right internal tools without jumping through configuration hoops.

## Automated Vulnerability Patching: Stay Secure Effortlessly

Security vulnerabilities are an ongoing concern, and patching them manually can be time-consuming. Traditionally, IT teams would receive an alert about a vulnerability and then manually trigger updates across affected systems, which is not only onerous but potentially a gap in the organization’s security posture.

With automated vulnerability patching, you can define policies that enforce updates whenever a security issue is detected. For example, if a new version of OpenSSL is released to fix a critical vulnerability, your system can automatically update it. Instead of waiting for users to upgrade, essential security patches are deployed immediately. You can also configure rules that give users control over most software versions but enforce automatic upgrades when security risks are detected.

This approach ensures that critical security updates happen promptly, reducing the risk of exposure to exploits.

With automation in place, your team can focus on building and innovating rather than spending valuable time on routine maintenance. If you haven’t yet explored these Workbrew features, now is the perfect time to start automating your workflows and improving efficiency.
]]></description>
            <link>https://workbrew.com/blog/automate-your-ops</link>
            <guid isPermaLink="false">https://workbrew.com/blog/automate-your-ops</guid>
            <dc:creator><![CDATA[John Britton]]></dc:creator>
            <pubDate>Mon, 03 Mar 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/67bf4b1ae32ebe7b6d721017_Frame%205.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Workbrew 1.1 release notes]]></title>
            <description><![CDATA[We’ve shipped a whole bunch of new features and capabilities since [1.0](https://workbrew.com/blog/workbrew-1-0) in only a few months!

Here’s a roundup of the powerful new features that help MacAdmins, IT professionals, and security teams better manage their Homebrew environments at scale.

From **role-based access control** to **automated remote management**, this update is designed to **streamline workflows, enhance security, and improve collaboration across your teams**.

### Policies: Keep Your Fleet Secure and Compliant

Workbrew now enables a dedicated **device policy enforcement view**, ensuring your team stays within security and compliance guidelines.

![](/content/blog/images/67c0c5fd51dbb8ebb634d894_policies-v1.gif)

##### For Admins:

*   Prevent unauthorized or non-compliant Homebrew packages from being installed.
    
*   Reduce security risks by blocking restricted software across all devices.
    

##### For Your Team:

*   Get real-time feedback when blocked by viewing the Admin contact information directly from Homebrew in your Terminal, so you know who to reach out to for help.

##### And coming soon!

*   **Automated package updates** to keep your fleet secure by upgrading outdated or vulnerable software.
    
*   **Allow list for Taps** to restrict which sources of Homebrew packages employees can install from.
    
*   **Deny list for software licenses** to help enforce open-source compliance and avoid legal risks.
    

**Policies** are now available on [Pro and Enterprise plans](https://workbrew.com/pricing).

### Multiple Default Packages: Target the Right Software to the Right Devices

Workbrew now supports **multiple lists of Default Packages**, allowing admins to create any number of custom [Brewfiles](https://github.com/Homebrew/homebrew-bundle?tab=readme-ov-file#usage) which can then be targeted at either a team of people’s devices (via Device Groups), an individual device or your entire fleet.

![](/content/blog/images/67c0c62a8c65ec0f8d1d99e3_multiple-default-packages.png)

##### For Admins:

*   Assign software packages dynamically – apply a default set of packages to:
    
    *   Specific teams or departments (e.g. Engineering, Security, Machine Learning).
        
    *   The entire company for core applications.
        
    *   Individual devices that require custom setups.
        
*   Ensure consistency across teams without manual intervention.
    
*   Reduce onboarding time by automatically installing the right tools for new employees.
    

##### For Your Team:

*   Start working immediately with a pre-configured environment which is optimised for your organisation or team – no need to find and install all the default tools manually.

**Multiple Default Packages** are now available on [Pro and Enterprise plans](https://workbrew.com/pricing).

### Automated Remote Management: Reduce Manual Work

Automate device provisioning and software management with **scheduled and on-demand tasks** to help you manage software across your fleet without logging into each device manually.

![](/content/blog/images/67c0c6652c27e60a20810bcf_automated-commands.png)

##### For Admins:

*   Auto-run commands on newly provisioned devices.
    
*   Schedule brew commands to ensure consistency.
    

##### For Your Team:

*   Devices are always up to date with the latest approved software—no manual updates needed.

**Automated Remote Management** capabilities are now available on [Pro and Enterprise plans](https://workbrew.com/pricing).

### Role-Based Access Controls (RBAC) for your workspace

Admins now have fine-grained control over **who can access what** within their Workbrew workspace.

![](/content/blog/images/67c0c68b3823d6ef5e084a63_RBAC.png)

##### For Admins:

*   Manage who has permission to make changes in Workbrew.

##### For Your Team:

*   Reduce accidental misconfigurations by limiting access based on user roles.

##### New Roles & Permissions:

*   Read – Can view data but cannot make changes or invite new users.
    
*   Write – Can read and write data but cannot manage users.
    
*   Administrator – Full access, including user management and invites.
    

**Role Based Access Controls (RBAC)** is now available on [Enterprise plans](https://workbrew.com/pricing) only.

### Easily Manage and Distribute Internal Tools

Simplify how your team accesses private taps and internal tools – no more token management juggling or need for unnecessary GitHub access. Just connect a private tap to your Workbrew workspace and **all of your enrolled devices now have instant access to the internal software they need to be productive at work**.

![](/content/blog/images/67c0c6a43ce61a2aeddfe70c_private-taps.png)

##### For Admins:

*   Simplified authentication – no more managing personal GitHub tokens.
    
*   Centralized software management – track who has access and who is using what internal tools.
    

##### For Your Team:

*   Installing private software is now as easy as: `brew install internal-tool`

**Workspace Private Tap Support** for one Tap connection is now available on [Pro plans](https://workbrew.com/pricing). [Enterprise plans](https://workbrew.com/pricing) can connect unlimited Taps.

### Export Just the Table Data You Need to JSON/CSV

Need to analyze different types of Workbrew data across your fleet? Workbrew now supports exporting any page’s table data to JSON or CSV – so that you can **gain instant access to critical data for reporting & compliance checks**.

![](/content/blog/images/67c0c6d337a00a410317e6fc_export-tables.png)

**Page-by-Page Table Data Exports** are now available on [Enterprise only](https://workbrew.com/pricing).

### REST API for Exporting Data & Remote Management

Take full control of Workbrew from your existing DevOps workflows.

*   Send monitoring data to Splunk, Datadog, or other analytics tools.
    
*   Automate package upgrades and other common brew commands programmatically – no need to log into the Workbrew Console.
    

[Check out our REST API documentation](https://console.workbrew.com/documentation/api), which includes example commands that dynamically handle your API key to help you get started more quickly.

**Read-only REST APIs** are now available on [all plans](https://workbrew.com/pricing). The **REST API for Creating Brew Commands** is for [Pro and Enterprise plans](https://workbrew.com/pricing) only.

### Notifications: New Event Types for Real-Time Alerts

We’ve expanded the **Workbrew notifications system** with **new event types** to help you stay informed about critical events as they happen. You can continue to choose email, Slack, or webhooks (or any combination) to deliver alerts for:

*   New Vulnerabilities – Take action quickly when potential security risks are identified.
    
*   Brew Command Failures on Specific Devices – Catch errors early and troubleshoot before they escalate.
    
*   Billing Failures – Stay on top of payment issues to keep your Workbrew subscription running smoothly.
    

**Email and Slack notifications** are available on [all plans](https://workbrew.com/pricing). **Webhooks** are an [Enterprise only](https://workbrew.com/pricing) feature.

### Login: Expanded Microsoft Account Support

We’ve enhanced the **Workbrew login** process to support **Microsoft corporate/business accounts**, in addition to personal Microsoft logins. This update makes it easier for teams in enterprise environments to **seamlessly access Workbrew** using their existing organizational credentials.

**Microsoft Business Account Login** is available on [all plans](https://workbrew.com/pricing).

### New Integrations for Popular MDMs: JumpCloud & Microsoft Intune

Workbrew now integrates seamlessly with two important enterprise MDM solutions, making the connection between `brew` and your MDM even easier.

*   Sync device inventory and ownership data across systems.
    
*   Quickly navigate between Workbrew and your MDM platform.
    
*   Easily track and manage enrolled devices.
    

**JumpCloud and Microsoft Intune MDM Integrations** are now available on [Pro and Enterprise plans](https://workbrew.com/pricing).

### Security and Compliance

In case you missed it, [Workbrew has achieved SOC 2 compliance](https://workbrew.com/blog/workbrew-achieves-soc-2-compliance-offering-secure-and-compliant-brew) and recently completed a security audit by leading cybersecurity firm Trail of Bits. We’re committed to maintaining enterprise-grade security and trust for our users. You can find both reports in [Workbrew’s Trust Center](https://trust.workbrew.com/resources) for detailed insights into our security posture and processes.

## What’s Next?

Workbrew is continuing to evolve based on your feedback. Let us know what features would make it even better for your team!

Got questions? Reach out to us or [check out the documentation](https://console.workbrew.com/documentation) for detailed guides on all our features.]]></description>
            <link>https://workbrew.com/blog/workbrew-1-1</link>
            <guid isPermaLink="false">https://workbrew.com/blog/workbrew-1-1</guid>
            <dc:creator><![CDATA[Luke Hefson]]></dc:creator>
            <pubDate>Fri, 28 Feb 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/67c0c01a53bac8d22583a92d_Frame%2012.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Workbrew Achieves SOC 2 Compliance, Offering Secure & Compliant `brew`]]></title>
            <description><![CDATA[
We're happy to share that Workbrew has achieved SOC 2 compliance.

Customers in regulated environments can use Workbrew with the confidence of The American Institute of Certified Public Accountants (AICPA) Service Organization Controls “SOC 2” security standards. 

This milestone reinforces our commitment to security and compliance, providing third-party validation of the measures we take to protect customer data and build trust.

A big thank you to Vanta and Advantage Partners for their support and guidance throughout the process.

You can find out more about Workbrew’s ongoing commitments to security by visiting our new [Security page](https://workbrew.com/security).

![](/content/blog/images/67b370dfa75ae1e691dd782d_SOC2Brew.png)
]]></description>
            <link>https://workbrew.com/blog/workbrew-achieves-soc-2-compliance-offering-secure-and-compliant-brew</link>
            <guid isPermaLink="false">https://workbrew.com/blog/workbrew-achieves-soc-2-compliance-offering-secure-and-compliant-brew</guid>
            <dc:creator><![CDATA[Vanessa Gennarelli]]></dc:creator>
            <pubDate>Wed, 19 Feb 2025 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/67b37121f199a003d24634f0_blog%20black.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Security and the Homebrew contribution model ]]></title>
            <description><![CDATA[
If your developers use Macs, Homebrew is almost certainly used throughout your fleet, and acts as a critical component of engineering’s workflow.

Is Homebrew secure? Does it meet requirements for enterprise-grade software, specifically in regulated industries? Does using a package manager compromise your company’s security posture?

Our answer to these questions, at a high level, is yes: Homebrew is more secure than you might think.

### Misconceptions about Homebrew

Let’s first dispel some myths about Homebrew:

*   Anyone can self-publish a package to Homebrew (not true!)
    
*   Changes or updates in Homebrew do not require human review (false!)
    
*   As a result of the above: Homebrew is as vulnerable to "supply-chain security attacks" as most language package managers (nope!)
    

While some package managers do not require human review for all newly-created or updated packages, that’s not the case with Homebrew. There’s rigor in the vetting process, which has a robust system of both automated and human-dependent processes.

### The contribution model: built with security in mind

Homebrew has two main repositories, known as “taps,” for package contributions: Homebrew/homebrew-core and Homebrew/homebrew-cask. Each has slightly different processes for testing, security, code review, and maintenance.

### Homebrew/homebrew-core

The Homebrew/homebrew-core tap only accepts open source packages, which will build from source on Homebrew’s testing infrastructure. Homebrew then generates a binary package called a bottle, which is what all users in a supported configuration will end up installing on their machines.

To create a package for Homebrew/core, there is a `brew create` command that will generate a template for a new package definition called a formula, which specifies the source code URL, name and homepage URL for the software. See [Homebrew/core’s Acceptable Formulae documentation](https://docs.brew.sh/Acceptable-Formulae#requirements-for-homebrewcore) for requirements to submit a formula.

##### Check 1: Local tests on the formula

If you’re submitting the formula for inclusion in Homebrew/core, you’ll need to add a test to your formula to verify that Homebrew has built and installed the software correctly. Next, you'll build the formula from source on your local machine, and, as long as that build is ok, open a pull request to the [Homebrew/homebrew-core repository on GitHub](https://github.com/Homebrew/homebrew-core).

##### Check 2: Automated audits from Homebrew project

Homebrew’s GitHub Actions will run a series of automatic audits and style checks on the formula. These tests have been developed by the Homebrew maintainers to check not just style, but also that the license is acceptable, and to ensure the software is appropriate for Homebrew/core.

##### Check 3: Human review from maintainers

Usually within a day, at least one human will review the pull request, and depending on the submission, may request updates to be made. Once the pull request is merged, 50 minutes later any Homebrew user can type `brew install <formula>` and install that software.

##### Check 4: Ongoing maintenance

From then onwards, a Homebrew maintainer, contributor, or GitHub Action will generally keep that formula up-to-date by monitoring for new versions and creating pull requests for those. Users who have that software installed can keep their installation up-to-date by running `brew upgrade`.

If “upstream”, the original author of the software, gets compromised, the Homebrew project will respond accordingly by relying on a combination of Apple security features, CVE reports, and the Homebrew maintainers and security team.

### Homebrew/homebrew-cask

The Homebrew/homebrew-cask tap accepts pre-compiled binaries, and it’s most commonly used for installing desktop applications. Casks are not compiled on Homebrew infrastructure. Because of how they are packaged, some casks may be changed on the upstream’s server at any time, so they cannot be checksummed as formulae can.

Casks can also be created via `brew create` but the code that’s generated for a cask looks a bit different. Instead of Homebrew compiling source code, it's downloading an application or binary off the internet and installing it on your machine.

The process for submitting a cask is different from a formula: casks don’t have a test block, but there are still GitHub Actions tests to ensure the cask behaves properly. Casks can also auto update themselves. For the guidelines on submitting a cask, [see Homebrew’s Acceptable Casks documentation](https://docs.brew.sh/Acceptable-Casks#finding-a-home-for-your-cask).

##### For end-users: Casks and security

When an end-user installs a graphical application, that application needs to be signed by Apple, which provides their own security review process (i.e. Quarantine, Gatekeeper).

### Homebrew’s Security Team

Among the core maintainers are security experts who advise and protect the project, most recently:

*   [William Woodruff](https://yossarian.net/). As Engineering Director for security firm [Trail of Bits](https://www.trailofbits.com/), William also directs their Open Source Ecosystem Security group.
    
*   [Patrick Linnane](https://www.linkedin.com/in/patrick916). Patrick, in addition to his role as Senior Director, Information Security Operations at Emburse, is a licensed CISSP and CCSP professional.
    

In addition to [remediating incidents](https://brew.sh/2021/04/21/security-incident-disclosure/), the Security Team has led [security audits](https://brew.sh/2022/05/17/homebrew-security-audit/) and ensures Homebrew stays in line with security best practices.

### If you want 100% peace of mind, try Workbrew

*   **Security trust model.** The security trust model of Homebrew is optimized for a single Mac `admin` user with complete control of their machine, which has made it among the most popular developer tools on the internet. By contrast, the security trust model of Workbrew provides separation between the `workbrew` user who owns and runs Homebrew, and the user (who does not have to be an admin) who can run Homebrew commands on the machine. You can think about it as a sort of two-way suspicion, insulating both parties.
    
*   **Fleet-wide security configuration**. Homebrew operates on a single machine whereas Workbrew controls entire fleets of machines. This allows Workbrew customers to forbid formulae, casks, formula licenses or taps from their fleet or only allow installation from specific taps.
    
*   **Upgrade and monitor everywhere**. When software in Homebrew has been updated to resolve a CVE, every user must run `brew upgrade` in order for the fleet to be secured. With Workbrew, this can be done with a single command, and you can also monitor which software versions are installed.
]]></description>
            <link>https://workbrew.com/blog/security-and-the-homebrew-contribution-model</link>
            <guid isPermaLink="false">https://workbrew.com/blog/security-and-the-homebrew-contribution-model</guid>
            <dc:creator><![CDATA[John Britton]]></dc:creator>
            <pubDate>Tue, 03 Dec 2024 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/68fa38dfe4ee34955b72fc57_Frame%2033.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Workbrew "Works With" SimpleMDM, Jamf, Iru & Fleet]]></title>
            <description><![CDATA[
Managing devices at scale is no small feat. Whether you’re enabling a Bring Your Own Device (BYOD) program, meeting compliance standards, or securing a fleet of devices, mobile device management (MDM) is your cornerstone. At Workbrew, we’re making device management even easier with [robust integrations for leading MDM platforms](https://workbrew.com/works-with) like SimpleMDM, Jamf, Kandji, and Fleet.

### **The Power of MDM and Workbrew**

MDM solutions are essential tools for modern organizations, offering:

*   **Regulatory requirements** to meet industry-specific compliance standards.
    
*   **BYOD enablement**, ensuring employees can use personal devices securely.
    
*   **Fleet security**, protecting devices and data at scale.
    

With Workbrew, deploying your devices through any MDM tool is seamless. Our platform integrates with the tools you already trust, without disrupting the workflow of your employees.

## **Deploy Workbrew with Your MDM Tool of Choice**

While IT teams can deploy Workbrew via any MDM tool, we’ve taken it a step further by offering tailored integrations with some of the best in the industry. Here’s how we’re simplifying device management with **SimpleMDM**, **Jamf**, **Kandji**, and **Fleet**:

### **Jamf: Robust Apple Device Management**

Jamf secures 76,000+ businesses, schools and hospitals, and is known for its comprehensive deployment and security features. Workbrew’s Jamf integration enables:

*   Seamless syncing of device inventory data.
    
*   Elimination of manual configuration tasks.
    
*   Enhanced workflow efficiency.
    

Explore the benefits of our Jamf integration [here](https://workbrew.com/works-with/jamf).

### **Iru: Perfect for Highly-Regulated Industries**

Iru is an advanced MDM solution designed for Apple device security and compliance, making it ideal for organizations in regulated industries. With Workbrew’s integration, you can:

*   Effortlessly sync device inventory data.
    
*   Streamline device identification and management.
    
*   Ensure compliance without added manual effort.
    

Learn more about the Iru integration [here](https://workbrew.com/works-with/kandji).

### **Fleet: Real-Time Endpoint Management**

Fleet is an open-source endpoint management tool designed for real-time device monitoring and security. Integrating Fleet with Workbrew allows you to:

*   Sync device inventory data efficiently.
    
*   Gain real-time insights into your device ecosystem.
    
*   Simplify the management of large fleets.
    

Discover how Fleet and Workbrew work together [here](https://workbrew.com/works-with/fleet).

### **SimpleMDM: Lightweight and Intuitive**

SimpleMDM is a user-friendly platform that simplifies Apple device management for organizations of all sizes. When paired with Workbrew, you can:

*   Sync device data quickly and accurately.
    
*   Accelerate device identification and setup.
    
*   Manage Apple devices effortlessly.
    

Find out more about our SimpleMDM integration [here](https://workbrew.com/works-with/simplemdm).

### **Ready to Streamline Your Device Management?**

Whether you use one of our featured integrations, or another MDM tool, [deploying Workbrew is effortless](https://workbrew.com/blog/zero-touch-provisioning-with-mdm).

*   [**Book a demo**](https://workbrew.com/demo) to see Workbrew in action.
    
*   [**Try for free**](https://workbrew.com/pricing) and explore how we can simplify your workflows.
]]></description>
            <link>https://workbrew.com/blog/works-with-workbrew</link>
            <guid isPermaLink="false">https://workbrew.com/blog/works-with-workbrew</guid>
            <dc:creator><![CDATA[Vanessa Gennarelli]]></dc:creator>
            <pubDate>Tue, 26 Nov 2024 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/6903b609c82b9ee559724459_Frame%2028.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Workbrew 1.0 and $5M in Funding for Secure Software Delivery]]></title>
            <description><![CDATA[
[Workbrew](https://workbrew.com/) is the secure software delivery platform for workplaces of all sizes, from small teams to large enterprises. Its foundation is [Homebrew](https://brew.sh/) (Read their [announcement and FAQ](https://brew.sh/2024/11/19/homebrew-and-workbrew/)), the ubiquitous and Open Source package manager for macOS (and Linux).

![](/content/blog/images/6782735dc36756f3a6c7bffd_6753001a41910f51b21fae61_6746f3ff179eba53bc52c6fa_WzegrtoAqMEiw0PbM85s4qppvBE.png)

## Secure software delivery for teams

Today, Workbrew is graduating from beta to 1.0 and is generally available, including a [Free](https://workbrew.com/pricing) plan with support for unlimited users and devices. With this milestone, there’s finally a way to deploy, manage, and secure `brew` at scale. Increased developer productivity no longer comes at the expense of a weakened security posture for organizations.

With Workbrew, developers get the tools they need to do their jobs, while IT and security teams gain peace of mind from a software delivery platform with zero-touch deployment, analytics, observability, remote management, policies, and vulnerability detection baked-in.

## Building the software delivery platform for everyone

[Developer tools are our passion](https://workbrew.com/about), and we’ve worked on some of the best around – Twilio, GitHub, Scratch, and of course, Homebrew:

*   **John Britton**, Workbrew’s CEO, has been a Homebrew user since 2009 and a project contributor since 2014.
    
*   **Vanessa Gennarelli**, Workbrew’s COO, serves on the Homebrew Project Leadership Committee.
    
*   **Mike McQuaid**, Workbrew’s CTO, is the Homebrew Project Leader and its longest-serving maintainer with 15 years of service to the project.
    

We’ve seen how top engineering teams deliver a competitive edge through superior tools, workflows, and developer experience. We want to bring that level of quality, insight, and flow to every team, everywhere. We’re on a mission to unlock the freedom of tool choice at scale by making all the world’s software discoverable and instantly available to everyone.

The first step is to build the essential tools teams need to unlock the full potential of `brew`. Supported by $5 million in funding (led by the developer-focused VC fund, [Heavybit](https://www.heavybit.com/press/heavybit-welcomes-workbrew), with participation from [Operator Collective](http://www.operatorcollective.com/blog-posts/homebrew-at-enterprise-scale-workbrew-brings-developer-favorite-brew-to-work) and [Essence VC](https://essencevc.fund/)), we’ve begun delivering on our mission.

![](/content/blog/images/6782735dc36756f3a6c7c000_6753001a41910f51b21fae64_6746f3ffb9f021ae95d60ec8_oXgbnJGkmRqkyq4joZyeP6p03s.png)

Workbrew is also backed by an incredible group of industry leaders, including Tom Preston-Werner (Founder and former CEO of GitHub), Nate Smith (Founder of Lever and Visiting Group Partner at Y Combinator), Zach Holman (GitHub’s second developer), Zach Lloyd (Founder and CEO of Warp), and Till Pieper (Founder of CoScreen and Director of Product Management at Datadog), among others.

## The `brew` you know, now with more power

For developers, it’s second nature to install software via the CLI command `brew install`. It’s a fast, efficient workflow that unlocks access to an up-to-date library of 14,000 software packages.

![](/content/blog/images/6782735ec36756f3a6c7c04b_675301620680178905c09ff5_675301509a5da269c53a4313_STGOkXeKdFo9VaOHm5vqCovGKO4.webp)

Workbrew supercharges `brew`, enhancing it with tools for teams and enterprises:

*   **Streamlined developer experience:** Get your team up and running faster than ever with an easy way to set, share, and roll out developer environments to the whole fleet.
    
*   **Standard user support:** Non-admin users get the full `brew` experience without requiring elevated privileges, making it ideal for companies in regulated industries like finance and healthcare.
    
*   **Vetted commands:** Workspace admins can configure and run security and compliance checks whenever `brew` is executed.
    
*   **Flexible access control:** With its isolated `brew` installation, Workbrew lets you set various policies and choose the access control model ([restricted, managed, or guided](https://workbrew.com/blog/how-workbrew-works#:~:text=three%20access%20control%20models)) that suits your needs.
    

## Gain real-time insights from your fleet

IT and Security professionals need clear, real-time visibility into the systems they manage. Workbrew delivers comprehensive insights into the use of `brew` within your organization, offering a centralized view of your software supply chain. It’s easy to track installed packages, versions, third-party sources, software licenses, and potential vulnerabilities — all in one place.

![](/content/blog/images/6746f3ff68c51e7ae12c4cfa_pb35jZnqXJUfxy63T7Bc002cX10.gif)

*   **Package visibility:** track all packages and versions across your fleet, including third-party sources.
    
*   **License tracking:** ensure compliance and reduce legal risks with software license visibility.
    
*   **Command analytics:** analyze `brew` usage to streamline workflows and boost productivity.
    
*   **Vulnerability alerts:** identify and respond to vulnerabilities in installed packages.
    

## Remote management: simplified across your organization

Workbrew centralizes remote management of `brew` across all your devices, letting you easily run commands and configure defaults — whether for the entire fleet, specific groups, or individual machines. It’s a streamlined way to oversee and optimize `brew` usage organization-wide.

![](/content/blog/images/6746f3ff9f13703937c9d417_3w3xTiOA0qpXkElcOOtU1hYfg.gif)

*   **Fleet-wide commands:** execute any `brew` command (`install`, `uninstall`, `upgrade`, `pin`, etc.) with a single action.
    
*   **Configure defaults:** ensure a standardized environment by setting default packages and configuration options.
    
*   **Device grouping:** easily organize devices into groups for efficient, targeted management and configuration.
    
*   **One-click actions:** streamline fleet management with one-click resolutions for known vulnerabilities and outdated packages.
    

## Protect your software supply chain with policies

Blocking access to `brew` isn’t a practical solution — leaders and developers alike understand the need for the freedom to use the right tools to stay productive. Workbrew allows you to support this flexibility while putting essential policies in place, so teams can work efficiently without security risks or compliance gaps.

![](/content/blog/images/6782735ec36756f3a6c7c026_67530156eaf5f13ccae6050f_675300d60680178905c018d6_YFIz9ONNHSUd2R89zQdGTMSsH2Y.webp)

*   **Compliance guardrails:** define policies to restrict specific licenses, packages, and third-party sources (“Taps” in Homebrew’s terminology) in line with organizational requirements, ensuring compliance and reducing risk.
    
*   **Configuration management:** standardize and enforce settings across your fleet, creating a consistent and secure environment.
    
*   **Policy checks:** verify devices against compliance policies and surface deviations so issues can be resolved proactively.
    
*   **Flexible targeting:** apply policies to individual devices, specific device groups, or across the entire fleet, allowing precise control over configurations and compliance settings.
    

## Zero-touch deployment with your preferred MDM

Workbrew is the fastest and easiest way to deploy `brew` for teams. Simply deploy the package with your existing mobile device management (MDM) tool. As new devices connect to your MDM, Workbrew is installed automatically. For existing devices already using Homebrew in production, Workbrew provides a smooth upgrade that maintains installed packages, and does not interrupt developer workflows.

For teams who don’t use an MDM tool, Workbrew Bootstrap provides an alternative install method that’s just a single command.

## Inventory sync from Jamf, Kandji, Fleet, and SimpleMDM

While you can deploy Workbrew with any MDM, we’ve enabled a deeper integration with several of the most popular MDM tools: [Jamf](https://workbrew.com/works-with/jamf), [Kandji](https://workbrew.com/works-with/kandji), [Fleet](https://workbrew.com/works-with/fleet), and [SimpleMDM](https://workbrew.com/works-with/simplemdm). By connecting with your MDM provider, your device inventory and ownership data will be automatically populated in Workbrew, making it simple to identify all of the devices in your fleet.

![](/content/blog/images/6782735ec36756f3a6c7c00b_6753001a41910f51b21fae67_6746f400a5c3dbf3bc7ddb81_r1ABoANYgVU7HbjBmeDtyJdpuLA.png)

Discover tools and products that [work with Workbrew](https://workbrew.com/works-with).

## Get started with Workbrew today, for free

Workbrew is available today. Teams from startups to enterprises now have a simple and secure way to deploy `brew` at scale, standardize developer environments, and gain visibility into their software supply chain.

![](/content/blog/images/6782735ec36756f3a6c7c00e_6753001a41910f51b21fae5e_6746f3ff64acbdbf374e4cf6_7w8OmFHRCZQiFpgGdwaQVVpz7zw.png)

*   [**Workbrew Free**](https://workbrew.com/pricing) simplifies installing brew with zero-touch deployment, and gives IT and security teams full visibility into the packages and versions being used across your organization.
    
*   [**Workbrew Pro**](https://workbrew.com/pricing) brings remote management capabilities, custom configurations, and access controls to improve your endpoint security posture.
    
*   [**Workbrew Enterprise**](https://workbrew.com/pricing) is built for organizations with sophisticated security and compliance requirements, especially companies in regulated industries like finance, healthcare, insurance, and government.
    

## Looking to the future

Workbrew 1.0 marks a key milestone in secure, scalable software delivery for teams of all sizes. Built on the foundation of Homebrew, Workbrew empowers organizations by combining the productivity of `brew` with robust security features. IT and security teams can support developers without sacrificing peace of mind.

[Deploy Workbrew today to unlimited users and devices, for free.](https://workbrew.com/pricing)
]]></description>
            <link>https://workbrew.com/blog/workbrew-1-0</link>
            <guid isPermaLink="false">https://workbrew.com/blog/workbrew-1-0</guid>
            <dc:creator><![CDATA[John Britton, Vanessa Gennarelli & Mike McQuaid]]></dc:creator>
            <pubDate>Tue, 19 Nov 2024 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/6746f1dd8e0743f1f5183b68_workbrew-public-beta-1.avif" length="0" type="image/avif"/>
        </item>
        <item>
            <title><![CDATA[Zero-touch provisioning with MDM]]></title>
            <description><![CDATA[
Homebrew is designed to be installed and managed by a single, admin end user. The default install process for Homebrew is to:

*   download a script with `curl`
    
*   run it with `bash`
    

The install script has a few assumptions built in, including that the user account exists already and that you’re using one device per user.

These prerequisites present challenges for deploying via mobile device management (MDM) systems like Jamf or Kandji:

*   You have to have a preexisting user account with admin access
    
*   There's one user account per device, which is frequently true, but not in all cases.
    
*   Users must run Homebrew directly, or the MDM-run script must figure out the name of the user on the system to drop privileges to, as MDM scripts are run as `root` and Homebrew refuses to be run as `root`.
    

Take, for example, educational use cases where lots of Mac users have many different accounts logging into the same machine. Homebrew assumes that it's one device to one admin user.

## Tools to solve MDM + Homebrew challenges

### Homebrew’s PKG installer

The [Homebrew PKG Installer](https://docs.brew.sh/Installation) allows you to install Homebrew with your MDM tool.

This package installs Homebrew just like you usually would, from the script, but it still needs to be run after account creation. So you’d need to provision the machines, create the user accounts, and push the PKG out to the endpoints only _after_ the user has logged in for the first time once their account is set up.

It also requires an internet connection after installation to complete successfully.

These tools assist an IT Administrator with their fleet of Macs, but none of them are “zero-touch”: each of them has a trade-off with either manual intervention, or needing to produce some custom glue code.

### Strap

[Strap](https://strap.mikemcquaid.com/), built by Workbrew co-founder Mike McQuaid, is an open source project that bootstraps a new machine, and installs Homebrew. It can’t be done in a fully unattended way, but if you’re using Homebrew to onboard new `admin` developers getting company-owned machines they control, it’s pretty easy to use. It’s been extended and improved by Workbrew’s “Bootstrap” feature.

## Workbrew’s approach to “Zero-touch provisioning”

One of the reasons we started Workbrew was to help enterprises use Homebrew at scale, especially with this use case.

Inside your MDM system, it’s possible to provision machines individually, or automatically every time a new machine is onboarded before a user has even been created. It’s also possible to have non-admin users use Homebrew and this can be decided on a user-by-user basis.

When a machine is provisioned with the Workbrew Installer using the Workbrew-provided MDM script Workbrew Bootstrap feature, it will show up in the Workbrew Console as a Device and update status periodically.

If you need zero-touch provisioning of Homebrew today, [try Workbrew for free today](https://workbrew.com/pricing).
]]></description>
            <link>https://workbrew.com/blog/zero-touch-provisioning-with-mdm</link>
            <guid isPermaLink="false">https://workbrew.com/blog/zero-touch-provisioning-with-mdm</guid>
            <dc:creator><![CDATA[John Britton]]></dc:creator>
            <pubDate>Tue, 17 Sep 2024 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/6746f2d321f8adf522ae334c_taming-it-sprawl-1.avif" length="0" type="image/avif"/>
        </item>
        <item>
            <title><![CDATA[Taming IT Sprawl: Common practices for using Homebrew in the enterprise]]></title>
            <description><![CDATA[
Homebrew is ubiquitous among developer teams on macOS. With 13,000 packages, a large number of 3rd-party package repositories (“taps”), and tens of millions of users, it’s almost certain that your team depends on it every day.

In our discussions with IT managers and MacAdmins, and as contributors to Homebrew ourselves, we’ve noticed a number of strategies companies use with regard to Homebrew. The most common use cases are:

*   Software developers running macOS
    
*   Continuous integration on macOS and Linux
    
*   Privately distributing internal tools
    

When it comes to managing Homebrew across organizations, we’ve noticed three core patterns, each with their own benefits and drawbacks.

## 1: Do nothing

Whether it’s due to overtaxed IT teams, budget constraints, or simply a lack of internal knowledge about Homebrew, this strategy is a bit “Wild West” where anyone who has a Mac can install Homebrew, and use it however they like.

This self-service approach gives developers total freedom to use the tools they want to, but it’s not formally supported by IT. Developers might come to the IT department with a ticket related to Homebrew, but that developer has to figure it out for themselves.

This strategy goes horribly wrong when there’s a major vulnerability like Heartbleed for OpenSSL that requires the entire fleet of devices to be updated to a non-vulnerable version quickly.

###### Pros:

*   Total developer freedom
    
*   No upfront cost / effort
    

###### Cons:

*   Zero visibility
    
*   No way to remediate security issues
    
*   Gets unwieldy as you grow, no consistency across the team
    

## 2: Informed trust

The second strategy we’ve seen IT teams with Homebrew in their fleet take is a kind of “Informed Trust” strategy, where there may be some unenforced rules prohibiting certain packages, or recommendations about vetting packages before you install them. Perhaps the IT team will help you set up Homebrew for the first time, but if something goes wrong, there isn’t necessarily a standard operating procedure to support you.

###### Pros:

*   Relatively simple to implement
    
*   Lots of freedom for end users
    
*   Low upfront cost
    

###### Cons:

*   Low visibility: Unable to ensure policies are followed
    
*   Not compliant with regulated industries - finance, healthcare and others can’t do this because of regulation
    
*   If something goes wrong, it could go undetected (and be very significant)
    

## 3: Roll your own

This is the most sophisticated strategy we’ve observed. We’ve seen companies use tools like Installomator or scripts from GitHub that help manage deployment, or get some basic observability about which packages are installed on specific machines. Generally this approach involves some level of “glue code” that IT teams have to create and maintain, and that is difficult to manage. Most MDM tools run scripts as `root` and, as Homebrew refuses to be run as `root`, this adds complexity to any scripts created.

###### Pros:

*   Bespoke solution
    
*   Integration with other custom / internal tooling
    
*   Roadmap ownership
    

###### Cons:

*   Costly in terms of time, money, and expertise
    
*   Ongoing maintenance, siloed tech knowledge
    
*   Not a core competency, so it will never be complete with all the features you want (or need)
    

## 4: Use Workbrew

Workbrew provides the best parts of all 3 options above. We provide a managed tool that reduces load for IT, gives developers unfettered access to Homebrew with only the enforcements your organization requires, enforces rules fleet-wide, and lets you quickly respond to security vulnerabilities by updating the entire fleet in hours, not days.

###### Pros:

*   Provides control over developer systems to IT teams
    
*   Provides improved Homebrew security
    
*   Provides an identical Homebrew experience for developers
    

[Workbrew Free](https://console.workbrew.com/?signup_plan=free) simplifies installing `brew` with zero-touch deployment, and gives IT and security teams full visibility into the packages and versions being used across your organization.

[Workbrew Pro](https://console.workbrew.com/?signup_plan=pro) brings remote management capabilities, custom configurations, and access controls to improve your endpoint security posture.

[Workbrew Enterprise](https://console.workbrew.com/?signup_plan=enterprise) is built for organizations with sophisticated security and compliance requirements, especially companies in [regulated industries](https://workbrew.com/webinars/regulated-industries) like finance, healthcare, insurance, and government.
]]></description>
            <link>https://workbrew.com/blog/taming-it-sprawl-common-practices-for-using-homebrew-in-the-enterprise</link>
            <guid isPermaLink="false">https://workbrew.com/blog/taming-it-sprawl-common-practices-for-using-homebrew-in-the-enterprise</guid>
            <dc:creator><![CDATA[John Britton]]></dc:creator>
            <pubDate>Tue, 10 Sep 2024 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/6746f2d321f8adf522ae334c_taming-it-sprawl-1.avif" length="0" type="image/avif"/>
        </item>
        <item>
            <title><![CDATA[Workbrew is in Public Beta]]></title>
            <description><![CDATA[
### It's time to take `brew` to work

Workbrew is the secure software delivery platform for your company. Supercharge [Homebrew](https://brew.sh/) to increase developer productivity, reduce IT workload, and improve your security posture.

With the newly-available Free, Pro, and Enterprise plans, there's something for everyone.

##### Simplify deployment and understand how `brew` is used at your company

[Workbrew Free](https://workbrew.com/pricing) simplifies installing `brew` with zero-touch deployment, and gives IT and security teams full visibility into the packages and versions being used across your organization.

##### Improve security posture, remotely manage `brew`, and enforce policies.

[Workbrew Pro](https://workbrew.com/pricing) brings remote management capabilities, custom configurations, and access controls to improve your endpoint security posture.

##### Meet and exceed security and compliance standards.

[Workbrew Enterprise](https://workbrew.com/pricing) is built for organizations with sophisticated security and compliance requirements, especially companies in [regulated industries](https://workbrew.com/webinars/regulated-industries) like finance, healthcare, insurance, and government.

Check out these posts to learn more about Workbrew:

*   [What is Homebrew](https://workbrew.com/blog/what-is-homebrew)
    
*   [Understanding Homebrew's History](https://workbrew.com/blog/understanding-homebrews-history)
    
*   [How Workbrew Works](https://workbrew.com/blog/how-workbrew-works)
    
*   [Why We Are Building Workbrew](https://workbrew.com/blog/why-we-are-building-workbrew)
    

#### Meet The Workbrew Crew

As tenured GitHub alumni, [Workbrew](https://workbrew.com/) Founders John Britton, Mike McQuaid, and Vanessa Gennarelli all share a deep knowledge of the importance of developer tools.

##### John Britton: Co-Founder & CEO - Homebrew Contributor & Member

With 20 years of experience in system administration, networking, and software development, John is on a mission to improve how software is deployed and managed within organizations. His expertise in open-source and developer-tools go-to-market strategies has made him an industry leader. As employee 13 at Twilio, he made waves with his now-legendary live coding at the New York Tech Meetup, which was dubbed “perfect” by VC veteran Fred Wilson and “the best demo we’ve ever seen” by Business Insider. Later, John joined GitHub, where he created GitHub Education and launched successful products like the Student Developer Pack and GitHub Classroom, impacting millions of users. His technical expertise has been featured in major publications like Wired, TechCrunch, and VentureBeat, and he has contributed to several open-source projects, including Homebrew. 

##### Mike McQuaid: Co-Founder & CTO - Homebrew Project Leader

As the CTO and Co-Founder of Workbrew, Mike McQuaid is the technical powerhouse behind the company’s innovative technology. With a deep background in building software at extreme scales, Mike has been a key player in the tech industry since 2007. His journey with Homebrew, where he’s been a maintainer since 2009, and his role as an early employee at GitHub (#232), Mendeley (#1) and AllTrails (#8) have equipped him with the skills and insights needed to lead Workbrew’s product and engineering teams. He is also the author of Git in Practice and an engineering expert, having delivered over 45 talks at international conferences. 

##### Vanessa Gennarelli: Co-Founder & COO - Homebrew Project Leadership Committee

Vanessa is a leader with a proven track record of managing cross-functional teams in rapidly-growing organizations. In 2023, A Book Apart published her book Surviving Change at Work, which garnered attention from Fast Company, Built In, and Design Better. She earned her master’s degree in Technology, Innovation, and Education from Harvard, and is a graduate of the LEAD Program at Stanford Business School. She is also actively involved in the tech community, serving on the leadership team of Out In Tech's Philadelphia chapter, and the Project Leadership Committee for the Homebrew open-source project.

We're [building Workbrew](https://workbrew.com/blog/why-we-are-building-workbrew) because we’re committed to improving the future of software.
]]></description>
            <link>https://workbrew.com/blog/workbrew-public-beta</link>
            <guid isPermaLink="false">https://workbrew.com/blog/workbrew-public-beta</guid>
            <dc:creator><![CDATA[Vanessa Gennarelli, John Britton & Mike McQuaid]]></dc:creator>
            <pubDate>Wed, 21 Aug 2024 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/6746f1dd8e0743f1f5183b68_workbrew-public-beta-1.avif" length="0" type="image/avif"/>
        </item>
        <item>
            <title><![CDATA[How Workbrew Works]]></title>
            <description><![CDATA[
## What is Workbrew?

Workbrew is a secure software delivery platform — a control center for all of the software packages installed on the endpoints at your organization. It’s also the best way for teams familiar with Homebrew to deploy, manage, and secure `brew` at scale.

#### How It Works

Workbrew has four main components:

*   Homebrew
    
*   Workbrew Installer
    
*   Workbrew Agent
    
*   Workbrew Console
    

### Homebrew

Workbrew sits on top of [Homebrew](https://brew.sh/), so to understand Workbrew you need to first [understand Homebrew](https://workbrew.com/blog/what-is-homebrew).

Homebrew is an open-source package manager with an extensive library of official packages. It’s installed on tens of millions of devices and it’s nearly ubiquitous on macOS. Homebrew is also supported on Linux and Windows Subsystem for Linux (WSL), although these users are less common. For our purposes, it’s useful to focus on two primary components:

1.  `brew`, the command-line interface (CLI) for managing packages.
    
2.  Taps, the repositories where packages are defined.
    

### `brew`

The `brew` CLI provides the underlying infrastructure for installing packages onto the target system. It has a variety of useful subcommands and configuration options; you can read more about how to use `brew` in the [official documentation](https://docs.brew.sh/Manpage).

**Taps**

Taps provide the underlying definitions and instructions for installing specific software packages onto the system. Homebrew has two official Taps: [homebrew/homebrew-core](https://github.com/Homebrew/homebrew-core) and [homebrew/homebrew-cask](https://github.com/Homebrew/homebrew-cask). In addition to the official Taps, it’s possible to use unofficial third-party Taps and even to create your own.

Read more in our post “[What is Homebrew](https://workbrew.com/blog/what-is-homebrew)”.

## Workbrew Installer

Workbrew is distributed for installation as a signed PKG file. It can be installed interactively or via an MDM tool. This allows Workbrew to deliver a zero-touch installation experience.

Whenever you buy a new device from Apple, Workbrew will be installed by default as part of the device MDM enrollment experience with no further intervention from your IT team.

Workbrew’s secure CLI is a wrapper around the standard `brew` CLI that allows Workbrew to run security and compliance checks on every command before it is executed.

Our CLI looks and behaves identically to the standard `brew` CLI interface, so even though it adds an extra layer of security and compliance, there is no difference for end users, preserving the experience they are already accustomed to.

For users with an existing Homebrew installation, Workbrew completes the same installation and enrollment processes without any disruption. All existing packages stay in place and the user is seamlessly upgraded to Workbrew.

**Isolated** `brew` **installation**

Another key benefit of the Workbrew Installer is how it makes the secure `brew` CLI available. Workbrew is installed in an isolated and tamper-resistant environment.

## Workbrew Access Modes

👋 _**NOTE: Workbrew Access Modes have been replaced by a more intuitive workspace setting for granting `brew` CLI access. Learn more [here](https://workbrew.com/docs/managed-brew-access)**._

With this isolated `brew` installation, it’s possible to set and enforce various policies according to Workbrew's Access Modes: `Sudo`, Standard, and Restricted.

##### `Sudo`

`Sudo` is the default access mode for anyone who is a member of the `admin` group, and accordingly enables extra security privileges.

Users in this access mode will still be subject to Workbrew’s policies, but because of their membership in the `admin` group, these users do have the ability to override the configured policies.

### Standard

Users with a standard user account in macOS have access to the Workbrew secure CLI.

As long as their commands are compliant with the configured policies, these users can run commands in `brew`.

However, the Standard mode blocks all self-installs of casks.

To assign a user to the managed access model, all you need to do is add them to the `workbrew_users` group.

### Restricted

Under this model, administrators manage all software installation. Even though `brew` is installed, the end user has no access to it.

An end user can use software installed with `brew`, but cannot install their own or interact with the secure `brew` CLI.

### Enforcing Access Modes

Workbrew flags devices whose actual permissions don’t match the expected access mode. If a device is behaving like it’s in `Sudo` mode when it shouldn’t be, `admin` users will be alerted of access mode violations in the dashboard, in addition to weekly email reports.

Access modes can also be set per device group. For example, your DevOps team might need `Sudo` access while all other developers remain Restricted. Only the devices in Restricted will trigger alerts.

## Workbrew Agent

The Workbrew Agent is a lightweight background process that is the conduit for communication between your devices and the Workbrew Console. It runs on a schedule to perform these routine tasks:

*   Retrieve metadata about the state of the device and send it to the Workbrew Console, where Workspace administrators can review and analyze the data.
    
*   Receive Brew Configurations from the Workbrew Console and set those settings on the affected device.
    
*   Receive Brew Commands from the Workbrew Console and ensure they are successfully executed on the device while reporting logs and results.
    

In addition, the Workbrew Agent handles local `brew` commands received through the secure CLI. Most policy checks are performed directly on the device. To ensure consistent operation, Workbrew uses a single code path for `brew` locally and from the Console.

## Workbrew Console

The Workbrew Console is a cloud-based web application designed for IT managers and security professionals. It provides a unified platform for managing `brew` across your organization, offering features such as analytics and observability, remote management, and robust security and compliance tools.

The top-level organizational unit in Workbrew is a Workspace. This is where you control your team’s access, configure your MDM tool, and manage your account settings, including billing.

As you install Workbrew on your devices, they will automatically appear in your Workspace, and if you configure your MDM integration, it will match your device inventory and link devices to your company directory.

Within the Workbrew Console there is a wealth of valuable information. It’s easy to drill down on individual devices for troubleshooting and incident response. It’s also straightforward to look at aggregate information from across your organization like popular packages and versions. The Console also exposes reports on software licenses and third-party tap (Homebrew package repository) usage.

The Workbrew Console provides a comprehensive report of known security vulnerabilities impacting your fleet. Workbrew cross-references the inventory of installed packages and versions with several distinct vulnerability databases, giving you a straightforward way to understand any known vulnerabilities and a single-click path to remediation. It is possible to configure automated notifications when new vulnerabilities are discovered.

There are two types of remote management action you can take in the Console: setting configurations or running commands.

In addition to the visibility afforded by the Workbrew Console, it serves as the gateway to two fundamental remote management features: Brew Configurations and Brew Commands.

## Brew Configurations

Homebrew has nearly [one hundred different configuration options](https://docs.brew.sh/Manpage#environment). It’s quick and easy to set and enforce these options across your entire fleet from the Workbrew Console using Brew Configurations.

An example policy that many of our customers choose to set and enforce using Brew Configurations is to limit the installation of packages to those that are included in the official Homebrew Taps ([homebrew/homebrew-core](https://github.com/homebrew/homebrew-core) and [homebrew/homebrew-cask](https://github.com/homebrew/homebrew-cask)):

```
# Allow official Homebrew Taps only
HOMEBREW_ALLOWED_TAPS=homebrew/homebrew-core homebrew/homebrew-cask
```

Some other commonly used Brew Configurations are as follows:

```
# Ensure all artifacts are downloaded from the specified domain
# Airgap brew ensuring packages are not downloaded from the internet 
HOMEBREW_ARTIFACT_DOMAIN=artifacts.example.com
HOMEBREW_ARTIFACT_DOMAIN_NO_FALLBACK=1
```

```
# Verify cryptographic attestations of build provenance
# for bottles from homebrew-core
HOMEBREW_VERIFY_ATTESTATIONS=1
```

```
# Block specified Casks, Formulae, Licenses, and Taps
HOMEBREW_FORBIDDEN_CASKS=[cask]
HOMEBREW_FORBIDDEN_FORMULAE=[formula]
HOMEBREW_FORBIDDEN_LICENSES=[license]
HOMEBREW_FORBIDDEN_TAPS=[tap]
```

```
# Provide users an escalation path
# Used when an action is forbidden by policy
HOMEBREW_FORBIDDEN_OWNER=Corporate IT
HOMEBREW_FORBIDDEN_OWNER_CONTACT=https://helpdesk.example.com
```

### Brew Commands

Brew Commands are an extremely powerful and fundamental component of Workbrew. The more familiar you are with Homebrew, the more useful they will be.

With Brew Commands, you can do anything `brew` can do with a package: `install`, `uninstall`, `upgrade`, `pin`, or `unpin` on a specific device or across your entire fleet. Brew Commands aren’t limited to package operations; you can also take other actions like `tap`, `untap`, `update`, and `cleanup`.

The power is in the flexibility: you can use Brew Commands to install standard tools for your developers like `brew install --cask vscode` or to apply a critical security patch like `brew upgrade xz`.

Each command is mapped to the targeted devices through a number of Runs. A Run is a specific instance of a Command that was executed on a particular Device at the specified time. Workbrew automatically tracks the exit status of Runs and makes logs available in a central location.

### Who Is Workbrew For?

This all adds up to a secure software delivery platform that:

*   Has zero-touch installation and enrollment, which allows you to remotely set up all of your organization's devices to a standard profile.
    
*   Enables your developers with the tools that they know and love, while maintaining security and compliance.
    
*   Eliminates the learning curve. Your developers already know it, and nobody else ever needs to touch it.
    

So then, Workbrew is for any business or organization that wants to:

*   bulk manage their fleet’s software use, or
    
*   let their developers use `brew` while remaining secure and compliant, or
    
*   automate remote device setup, even on brand new fresh-from-Apple devices, or
    
*   any combination of the three.
    

Within an organization, Workbrew adds value for everyone.

For developers, Workbrew drives productivity. They don’t need to learn a new tool and they don’t need to spend time working around corporate security measures.

For IT professionals, Workbrew reduces workload. Workbrew automates a large portion of device setup, and drastically reduces touchpoints for the remainder.

For security professionals, Workbrew is peace of mind. With Workbrew’s ability to remotely manage policies on their entire fleet, they can easily do preventative maintenance and are able to quickly respond to situations.

For everyone else, Workbrew is seamless and invisible. It automates maintenance for software, security, and compliance. They can just keep on doing their thing while Workbrew works its magic to keep their software secure and up to date.
]]></description>
            <link>https://workbrew.com/blog/how-workbrew-works</link>
            <guid isPermaLink="false">https://workbrew.com/blog/how-workbrew-works</guid>
            <dc:creator><![CDATA[John Britton]]></dc:creator>
            <pubDate>Tue, 20 Aug 2024 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/6746ec6270a1422d0ac6c527_how-workbrew-works-1.avif" length="0" type="image/avif"/>
        </item>
        <item>
            <title><![CDATA[Understanding Homebrew's History]]></title>
            <description><![CDATA[
Have you ever noticed how using Homebrew on a Mac feels a bit like working on a Linux system? Or wondered why Homebrew, despite being available on Linux, is especially beloved by Mac users? As a long-time developer and Homebrew enthusiast, I’d like to take you on a journey through the evolution of package managers, highlighting why Homebrew has become such an essential tool for Mac users today.

#### Discovering Package Managers on Linux

My first encounter with package managers was on Linux, specifically with Gentoo, a distribution that made it incredibly easy to build and install software from source. All I had to do was type `emerge [package]` and the package manager took care of the rest—fetching, compiling, and installing the software. It was a revelation.

When Apple introduced macOS, a Unix-based operating system, it seemed like a dream come true. Here was a system that could combine the power and flexibility of Unix with the sleek, user-friendly design of a Mac. However, there was a catch — there was no easy way to install software outside of what Apple provided. The App Store wouldn’t arrive until 2008, and even then, it was primarily focused on consumer desktop applications.

#### The Unix Foundation of macOS

Apple’s decision to base macOS on a Unix foundation was significant. macOS was built on the POSIX-compliant Berkeley Software Distribution (BSD) and included a custom kernel called Darwin. This meant that macOS could run many of the same tools and utilities that Linux and other Unix-based systems could run, making it particularly attractive to developers who were already familiar with these environments.

However, while macOS was powerful, it lacked a native package management system like those available on Linux distributions. This was a gap that needed to be filled.

#### The Early Days: Fink and MacPorts

Recognizing this gap, the open-source community quickly stepped in. The first major attempt to bring package management to macOS was Fink, released in 2000. Fink was based on Debian’s `apt-get`, which was already a trusted and reliable package manager on Linux.

In 2002, another option emerged — MacPorts. Inspired by the BSD Ports system, MacPorts offered a way to install Unix-based software on macOS. Both Fink and MacPorts were significant steps forward, but they had their limitations.

#### Enter Homebrew: A New Era for Mac Users

Homebrew launched in 2009, and it quickly gained popularity by addressing the pain points of earlier package managers. Instead of relying on complex setups, Homebrew made it easy for users to install, update, and manage software with just a few `brew` commands.

One of Homebrew’s most significant innovations was its integration with GitHub. All of Homebrew’s packages are stored in a version-controlled GitHub repository. This means that when a package needs to be updated, maintainers can simply update the repository, and the changes are immediately available to everyone. This approach also made it easier for contributors to add new packages or improve existing ones, fostering a vibrant community around Homebrew.

Later, Homebrew began to distribute pre-compiled binaries ("bottles"), which made installations faster and more reliable. The combination of ease of use, speed, and a strong community made Homebrew the go-to package manager for Mac users.

#### The Homebrew Community and Its Impact

One of the key strengths of Homebrew is its community. The curated list of packages, maintained by a passionate group of contributors, ensures that the software available through Homebrew is reliable and up-to-date. This community-driven approach not only improves the quality of the software but also ensures that updates are rolled out efficiently.

#### Scaling Up: Workbrew for Teams

As Homebrew became more popular, it became clear that there was a need for a solution that could work across teams and organizations. Enter Workbrew — a tool designed to manage package installations, upgrades, and uninstalls not just on individual machines, but across entire teams or companies. Workbrew extends the power of Homebrew, making it easier to keep everyone on the same page when it comes to software management.

Homebrew has evolved into more than just a package manager — it's a vital tool for developers who use macOS. Its success lies in its ability to seamlessly integrate the best aspects of Linux package management with the unique needs of Mac users. Whether you’re a solo developer or part of a larger team, Homebrew and Workbrew offer powerful solutions that make managing software on macOS both simple and efficient.
]]></description>
            <link>https://workbrew.com/blog/understanding-homebrews-history</link>
            <guid isPermaLink="false">https://workbrew.com/blog/understanding-homebrews-history</guid>
            <dc:creator><![CDATA[John Britton]]></dc:creator>
            <pubDate>Tue, 20 Aug 2024 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/6746ec28ea5f13631003838c_understanding-homebrews-history-1.avif" length="0" type="image/avif"/>
        </item>
        <item>
            <title><![CDATA[What is Homebrew]]></title>
            <description><![CDATA[
[**Homebrew**](https://brew.sh/) is a popular open-source package manager, primarily used on macOS (but also on Linux).

Here we will spell out the basics of package managers and share details about Homebrew in particular. 

### **What is a package manager?**

A package is software that you can install, remove, and upgrade on your system.

Package managers, broadly speaking, fall into two categories:

1.  The first is a system package manager that installs software into a specific location on your OS, e.g. Homebrew on macOS, Apt on Ubuntu, DNF on Fedora
    
2.  The second is a language-specific package manager that provides dependencies or applications for or written in a particular programming language e.g. RubyGems for Ruby, NPM for NodeJS, or pip for Python
    

### **What is Homebrew?**

Homebrew is a system package manager for macOS. This means it's a tool that you can use to install all of the software that you need on your Mac, whether that's command line tools (e.g. `curl`, `wget`), desktop applications (e.g. Google Chrome, 1Password), or developer dependencies (e.g. the PostgreSQL or MySQL databases). 

#### **Glossary of Homebrew**

*   Homebrew - the open-source package manager which fetches, installs, upgrades and uninstalls packages (formulae or casks) on your machine.
    
*   `brew` - the executable used to run Homebrew (or Workbrew).
    
*   Formula - build instructions for packages installed by Homebrew that are built from the source code.
    
*   Cask - packages in Homebrew that install binaries from elsewhere (i.e. not open-source software built by Homebrew). These are most commonly used for installing desktop applications. You can use it to install things like 1Password, Google Chrome or Visual Studio Code, or many other Mac desktop apps. 
    
*   Taps - collections of formulae, casks or commands run by Homebrew or third parties.
    
*   Homebrew/homebrew-core - the official formulae tap with bottles for Homebrew. Only includes open-source software.
    
*   Homebrew/homebrew-cask - the official cask tap for Homebrew.
    

#### **Key benefits of Homebrew**

##### Standardization

Homebrew’s formulae allow many users to install the same software in a standardized way. Homebrew/homebrew-core (and some other taps) provide “bottles”, pre-compiled binaries, which means users don’t have to wait for a potentially lengthy build from source code on their machine.

##### Curation

One key benefit of Homebrew is its curation. To be included or updated in Homebrew’s official package Taps (Homebrew/homebrew-core or Homebrew/homebrew-cask) there is a minimum standard and a human review process. This is similar to the approach used by Ubuntu’s main repositories or the Apple App Store. In contrast, package managers like NPM allow anyone to publish or update a package without any human review.

##### Up-to-date

Homebrew is a “rolling release package manager”, which means that the Homebrew maintainers keep all packages in official repositories as up-to-date as possible at all times. This is in contrast to other package managers that maintain a specific version of a package and support it for longer periods of time. When you run `brew upgrade`, Homebrew will replace the older version on your machine with the newer version.

##### Manages dependencies

Some packages have no “dependencies”, meaning you can install one package and you’re done. Other packages will have dependencies. For example, CMake is freestanding, but many, many packages depend on it. If you install a package that requires CMake, Homebrew will automatically install it for you first. 

When a new version of the package is released, you can run `brew upgrade` and it will replace the version on your machine with the newer version. If you want to get rid of something, you're going to run `brew uninstall`, and it will remove the package from your system, whether it's a cask or a formula. 

If you want to install, upgrade, uninstall and view the packages installed not just on your machine but on all the machines in your team, organization or company: [**try Workbrew today**](https://workbrew.com/pricing), the best way to use Homebrew at work.
]]></description>
            <link>https://workbrew.com/blog/what-is-homebrew</link>
            <guid isPermaLink="false">https://workbrew.com/blog/what-is-homebrew</guid>
            <dc:creator><![CDATA[Mike McQuaid]]></dc:creator>
            <pubDate>Tue, 20 Aug 2024 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/6746eaa8db0283c961cc6f96_what-is-homebrew-1.avif" length="0" type="image/avif"/>
        </item>
        <item>
            <title><![CDATA[Why We Are Building Workbrew]]></title>
            <description><![CDATA[
### A New Era for Secure Package Management

For over 15 years, Homebrew has been the go-to solution for developers seeking an efficient, open-source package management tool on macOS. Over time, it became clear that while Homebrew perfectly suited individual developers, it didn’t directly cater to the requirements of teams and enterprises. This gap has been a growing concern, particularly for IT admins and organizations that rely on Homebrew for managing their software infrastructure.

### The Challenge with Homebrew in the Enterprise World

As a successful open source project built by volunteers, Homebrew consciously chose to invest their effort serving the needs of the individual developer. This focus meant that features that are essential for enterprise environments, such as indefinitely pinning older versions, managing multiple users, or sharing formulae for developer onboarding, were outside its scope. As a result, many companies have had to adapt Homebrew in ways that may not be ideal.

In chatting with dozens of companies, we’ve noticed that they generally fall into one of three camps when it comes to managing Homebrew internally:

1.  **Do Nothing**: Some companies just accept that Homebrew is being used, even though it's officially not allowed. IT managers often look the other way because blocking it isn’t really an option without harming developer productivity. This situation clearly shows there’s a need for a more seamless solution that fits better with existing systems.
    
2.  **Informed Trust**: Other organizations put some structure around Homebrew by creating guidelines and documentation. But this method relies a lot on trust and manual checks. Enforcing policies and making sure everyone sticks to them can be tricky, leading to gaps in security and management.
    
3.  **Roll Your Own**: Then there are those who build custom solutions by tweaking Homebrew with scripts and custom glue code. While this can offer some tailored benefits, it also adds a layer of complexity and technical debt. As new updates and operating systems come out, these custom setups can become a hassle, needing constant tweaks and maintenance.
    

Even if your business has made do so far, there will always be challenges that you don’t have the expertise, time, or money to solve. While Homebrew does an excellent job staying up to date with the latest operating system versions, your internal code may be brittle and require ongoing maintenance with every new operating system and Homebrew release. Something will eventually stop working, and you’ll need to scramble to make a fix and unblock your teams.

### Introducing Workbrew: The Secure Software Delivery Platform

Recognizing these challenges, we’re excited to help companies streamline their software delivery with Workbrew. We believe in providing developers with a top-notch experience where access to their preferred tools is in harmony with keeping the organization secure and compliant.

With Workbrew, organizations can enjoy the following benefits:

*   **Developer Experience:** Developers thrive when they have access to their preferred tools.
    
*   **Analytics & Observability:** Gain comprehensive insights into software usage across your teams.
    
*   **Remote Management:** Centrally manage software across your entire organization.
    
*   **Security & Compliance:** Set and enforce policies, gain visibility into vulnerabilities and quickly respond.
    

Workbrew lets developers use their favorite tools while keeping the company secure and compliant. It makes managing software way easier and cuts down on the hassles and technical debt that come with DIY solutions.

### Take the Next Step

If your business has been struggling to address IT sprawl and compliance concerns, Workbrew is here to help. To learn more about how Workbrew can transform your software management experience, check out these resources:

*   [What is Homebrew](https://workbrew.com/blog/what-is-homebrew)
    
*   [How Workbrew Works](https://workbrew.com/blog/how-workbrew-works)
    
*   [Understanding Homebrew’s History](https://workbrew.com/blog/understanding-homebrews-history)
    

Ready to experience the benefits of Workbrew firsthand? Try Workbrew for free and see how it can simplify your package management and boost your enterprise’s efficiency.

Embrace a future where software management is seamless, secure, and tailored to your needs with Workbrew.

[Try Workbrew for Free](https://workbrew.com/pricing)
]]></description>
            <link>https://workbrew.com/blog/why-we-are-building-workbrew</link>
            <guid isPermaLink="false">https://workbrew.com/blog/why-we-are-building-workbrew</guid>
            <dc:creator><![CDATA[Vanessa Gennarelli]]></dc:creator>
            <pubDate>Tue, 20 Aug 2024 00:00:00 GMT</pubDate>
            <enclosure url="https://workbrew.com/content/blog/blog-covers/6746f18246ae976a5e1138aa_why-we-are-building-workbrew-1.avif" length="0" type="image/avif"/>
        </item>
    </channel>
</rss>