macOS Homebrew Installer Support

If you are using Homebrew to manage command line utilities and applications, you need to add the user to the admin group with a JIT group action and use a policy with additional advanced settings as described below.

With a policy in place, a standard (non-admin) user is able to run the Homebrew installer by entering the command line found on the Homebrew home page (https://brew.sh) at a Terminal window prompt. After that the installer proceeds and completes successfully, resulting in a Homebrew installation under /usr/local (or /opt/homebrew on Apple Silicon machines) owned by the user (not root).

Refer to this video demonstration.

Not supported on endpoints running the KEXT agent.

Copying any example text below and pasting it into filters, actions, or policies being set up on a server, might introduce special characters in pasted text, which can cause policies to fail.

Creating the Filters Needed

Create a Bash File Specification Filter

This filter will specify the applications targeted.

  1. Navigate to Admin | Filters.

  2. Click Create Filter.

  3. From the Platform drop-down, select macOS.

  4. From the Type drop-down, select File Specification Filter.

  5. Name the filter and provide a description to reflect the purpose, for example Bash Homebrew File Specification Filter.

  6. Click Create.

  7. Under Settings | File Names, enter bash.

  8. For Path, enter /bin.

  9. Click Save Changes.

Create a Homebrew Installer Commandline Filter

This filter will be added as an inclusion filter.

  1. Navigate to Admin | Filters.

  2. Click Create Filter.

  3. From the Platform drop-down, select macOS.

  4. From the Type drop-down, select Commandline Filter.

  5. Name the filter and provide a description to reflect the purpose, for example Homebrew Installer Commandline Filter.

  6. Click Create.

  7. Under Settings | Match Type, select Partial Match.

  8. For Command Line, enter https://github.com/Homebrew/brew.

  9. Click Save Changes.

Creating the Homebrew Admin Group Membership Action

This action will be added under Actions section of the policy.

  1. Navigate to Admin | Actions.

  2. Click Create Action.

  3. From the Platform drop-down, select macOS.

  4. From the Type drop-down, select Just-in-Time Group Membership Action.

  5. Name the Action and provide a description to reflect the purpose, for example Homebrew Admin Group Membership Action.

  6. Click Create.

  7. Under Settings | Group Name, enter admin.

  8. For Duration keep the default 5 min setting.

  9. For Suppress password prompts from sudo while a member of the group set the checkmark to change to yes.

  10. Click Save Changes.

Creating the Homebrew Installation Policy

  1. Navigate to your macOS computer group and select Application Policies.

  2. Click Create Policies.

  3. Select Skip the wizard, take me to a blank policy option.

  4. Name the policy, for example Homebrew Installation Policy.

  5. Click Create Policy.

  6. Under Conditions | Applications Targeted, click Add Application Targeted.

  7. Search for and add the Bash Homebrew File Specification Filter previously created.

  8. Click Update.

  9. Click Inclusions.

  10. Search for and add the Homebrew Installer Commandline Filter previously created.

  11. Click Update.

  12. Under Actions, click Add Actions.

  13. Search for and add the Homebrew Admin Group Membership Action previously created.

  14. Click Update.

  15. Click Save Changes.