Insert a Script

Use the Script application type to target a script that is trying to run privileged operations using sudo. System administrators can apply Application Rules on scripts to allow installation and management of development tools; for example, Homebrew.

Supported script types include:

  • bash (.sh)
  • ruby (.rb)
  • python (.py - xattr)

Matching criteria are case sensitive.

  1. Select the Application Group you want to add the script control to.
  2. Right-click and select Insert Application > Script.
  3. Enter a File or Folder Name.
  4. Enter a description or accept the default and click Next. You can leave the Description blank to match on all scripts.
  5. You must configure the matching criteria for the script. You can configure:
    • File or Folder Name matches
    • File Hash (SHA-1 Fingerprint)
    • File Hash (SHA-256) matches
    • Command Line Arguments
    • Parent Process matches
  6. Click Finish. The script is added to the Application Group.

Install Homebrew

The Homebrew installer is a shell script which users can download to their machine and run. This script internally uses sudo to create folders on the system and set their ownership/permissions to be accessible by the installing user, reducing the need for further privileged sudo operations when users want to install packages.

Allow Standard Users to Install Homebrew via Endpoint Privilege Management for Mac

Prepare a Script

The current installation script for Homebrew must be modified slightly to work with Endpoint Privilege Management for Mac.

To achieve this, create a script that contains the following:

#!/bin/bash

# Download the latest brew install script using curl
curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh -o install.sh

# The following command modifies install.sh in place, keeping a backup of the original
# as install.sh.bak (BSD sed on macOS takes the backup suffix as a separate argument),
# and makes these modifications:
#  - inserts the line "HAVE_SUDO_ACCESS=0" directly after "set -u" near the top of the
#    file, so the installer's built-in have_sudo_access check is satisfied without it
#    probing sudo itself
#  - deletes the "unset HAVE_SUDO_ACCESS" line, which would otherwise clear that value
#    again before have_sudo_access runs
# This bypass relies on the PMFM plugin policy being configured to match this script
# and to allow the sudo commands it runs.

sed -i .bak -e $'s^set -u^set -u\\\nHAVE_SUDO_ACCESS=0^' \
    -e '/unset HAVE_SUDO_ACCESS/d' install.sh

# Run the modified installer in this shell rather than as a child process, so its
# sudo calls are attributed to this script, which is what the policy matches on
source install.sh

rm install.sh
rm install.sh.bak

Check the shasum of the file you created to ensure no copy and paste irregularities have introduced differences. The policy matches on the hash of the file exactly as it exists on the endpoint, so any change, including different line endings or trailing whitespace, produces a different hash and the rule will silently stop matching.

To check the SHA-1 shasum of the script (the value for the File Hash (SHA-1 Fingerprint) field), run the following command in Terminal:

shasum -a 1 <name of script>

Use shasum -a 256 instead if you populate the File Hash (SHA-256) field.

Add the Script to Policy

To create a rule to match this script in the Policy Editor:

  1. Create an Application Group to add the script control.
  2. Right-click and select Insert Application > Script.
  3. Enter * as the file or folder name, as you're matching explicitly on hash.
  4. Enter a description of User Homebrew Installation.
  5. Set the File Hash to value <insert shasum here>.

    Ensure this file hash is the same as the script you prepared earlier, in case you made any custom modifications.

  6. Click Finish. The script is added to the Application Group.

Add a sudo Command for Homebrew to Policy

In the same Application Group:

  1. Right-click and select Insert Application > Sudo Command.
  2. Enter * to represent any sudo command.
  3. Enter a description or accept the default, and click Next.
  4. Configure the Parent Process Matches to be the group which you are editing.

    This keeps the Homebrew configuration isolated within the policy and easier to navigate. Alternatively, you can separate the Script and Sudo application definitions into different groups. Note that this rule allows any sudo command whose parent is the matched script; because the wrapper downloads install.sh at run time and sources it in the same process, the hash check covers only the wrapper, and the sudo commands actually allowed are whatever the downloaded installer runs.

  5. Click Finish. The sudo command is added to the Application Group.

Set Up an Application Rule for Homebrew

  1. Select the Workstyle that is appropriately filtered for users you want to allow to install Homebrew.
  2. Create an application assignment for the Application Group that contains the sudo command, of type Allow Execution, with your messaging and auditing preferences.