How do you brew?

k3vmo
Contributor II

Will be getting a large end user department who got approved for Macs to use NPM/Homebrew/Git, etc.

I know how to gather what's installed - but how do y'all patch that stuff?

Assuming you have a company policy that *any* install needs to be current - how would one approach that via Jamf?

Sure, there are exceptions where a dev needs a certain build but how does one accomplish patching those packs via Jamf?

5 REPLIES

jamf-42
Valued Contributor II

Early days and it's in beta.. but this may be what you're looking for: https://workbrew.com/

As it stands.. and as every dev is different.. they maintain their brew setup. We do provide the latest pkg in Self Service and sometimes update brew via policy if there is a security reason.

k3vmo
Contributor II

Thanks @jamf-42 - Unfortunately this won't work for us. I had a demo with John from the company and the problem is - a lot of their setup requires going through their proxy. My environment is enough of a nightmare - using a BlueCat web proxy with NTLM authentication. Adding yet another proxy setup isn't an option.

AJPinto
Esteemed Contributor

If you are referring to Homebrew, we don't allow it or any of the tools it installs. The vast majority of stuff you would get from Brew is available from GitHub or directly from vendors. The one-off tools that cannot be found anywhere either can be replaced with something that performs a similar function or should not really be used (like trying to update the build in Python or CURL).

Where it's not technically impossible to manage brew, it is a lot of lifting that usually does not have the business need to drive the effort required.

k3vmo
Contributor II

@AJPinto How'd you guys block it - if you don't allow it?

AJPinto
Esteemed Contributor

There are a few different checks.

  • On the network side, the brew hosts are blocked.
    • Forcepoint, Netskope, Zscaler, etc.
  • Our users don't have Admin access.
    • We don't use tools like Make Me Admin or anything; necessary privilege escalation is controlled by EPM tools (see next bullet).
  • We also have a Privilege Manager that blocks binary escalations unless specifically allowed.
    • CyberArk EPM, BeyondTrust EPM, Jamf Protect, etc.

It's even difficult for me as the Engineer for the environment with admin access over Jamf to install Brew without getting security involved.