Managing Brew with Jamf Pro

Background

A lot of developers like to code on a Mac, so plenty of Apple admins will have a group of developers to support. Homebrew (or “brew”) is a “package manager” that makes it a lot easier to install and update open-source command line tools on a Mac. It’s the second thing a developer will probably want to install, right after Xcode.

In most cases, Apple admins don’t install or manage any of these things for their developers — the developers prefer to set up their dev environment for themselves. But recent supply chain hacks on some pretty prominent software companies may cause some to reconsider. It’s a trade-off. If your org decides they’d rather trust the IT admins than the developers, then the admins had better have a good security background and be really careful about what they’re doing.

Installing brew

From the command line:

$ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

Basically, that says, “Download this URL, fail silently, don’t show progress, show errors, and redo the request if the location has moved. Then take that thing you downloaded and run it as a bash script.”

You could just take that command and stick it in a Jamf Pro script as-is, or you could download the actual installer script from GitHub, carefully review it, and then put that into a Jamf Pro script. The advantage of the former is that you won’t have to do anything to keep your policy up to date with the latest version — the curl is always going to bring down the current version. The disadvantage is that you have to trust the repo.

Automating Installation:

You could run the install and capture it with Jamf Composer. Don’t do it unless every machine you’ve got is identical. There’s a bunch of OS version and CPU-specific stuff in there. Also, it’s a waste of time. Use their installation script instead.

There’s a bit of a catch that makes Brew installs different from most other apps. Did you notice that there’s no sudo on the installation command? The authors don’t want you to give their tool permanent admin permissions — they’ll ask for them whenever they’re needed. When we run a typical policy with the Jamf Pro Framework, it runs as root by default, which is good 90% of the time because that’s what most Mac installers want, but not Brew. If you try to install Homebrew as root, tons of permissions will be messed up and it won’t work. No problem… we just need to tweak our brew install so it runs as the currently logged-in user instead.

Here is a nice writeup on how to run Self Service actions as the currently logged in user if you want to understand the available techniques… https://scriptingosx.com/2020/08/running-a-command-as-another-user/ — thanks Armin.

Here are two projects which complete the Brew solution:

https://www.jamf.com/jamf-nation/discussions/24803/deploy-homebrew
https://github.com/kennyb-222/AutoBrew
