Insert a Script to an Application Group
You can control scripts using the Script application type. System administrators can apply Application Rules to scripts, for example to allow standard users to install and manage development tools such as Homebrew.
Supported script types include:
- bash (.sh)
- ruby (.rb)
- python (.py - xattr)
Matching criteria are case sensitive.
- Select the Application Group you want to add the script control to.
- In the right pane, select Actions > Add Application > Script.
- Configure the matching criteria for the script. You can match on:
- File or Folder Name matches
- File Hash (SHA-1 Fingerprint)
- Command Line Arguments
- Parent Process matches
- Click OK. The script is added to the Application Group.
For more information, please see Application Definitions in Privilege Management for Mac.
The Homebrew installer is a shell script which users can download to their machine and run. This script internally uses sudo to create folders on the system and set their ownership/permissions to be accessible by the installing user, reducing the need for further privileged sudo operations when users want to install packages.
Allow Standard Users to Install Homebrew via Privilege Management for Mac
Prepare a Script
The current Homebrew installation script must be modified slightly to work with Privilege Management for Mac: its built-in have_sudo_access check prompts for an administrator password, which a standard user cannot supply.
To achieve this, create a script that contains the following:
#!/bin/bash
# Download the latest brew install script using curl
curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh -o install.sh
# The following command modifies the install.sh script, creating a backup of the original
# as install.sh.bak, and makes the following modifications:
# - replaces occurrences of "/usr/bin/sudo" with just "sudo" to allow customers using
#   the non-Apple sudo to continue
# - inserts a line "HAVE_SUDO_ACCESS=0" directly after "set -u", near the top of the file.
#   This bypasses the built-in have_sudo_access feature with the expectation that the PMFM
#   plugin policy is correctly configured to match this script
# - removes the trailing "unset HAVE_SUDO_ACCESS" so the bypass stays in effect
# (sed -i .bak is the macOS/BSD form of in-place editing; the $'...' quoting turns \\\n
# into the backslash-newline that sed needs to insert a new line in the replacement)
sed -i .bak -e 's^/usr/bin/sudo^sudo^g' \
    -e $'s^set -u^set -u\\\nHAVE_SUDO_ACCESS=0^' \
    -e '/unset HAVE_SUDO_ACCESS/d' install.sh
# install.sh is sourced rather than executed, so its sudo calls run inside this script's
# own bash process, which is the process the policy matches by hash
source install.sh
rm install.sh
rm install.sh.bak
Check the SHA-1 of the file you created to ensure no copy-and-paste irregularities have introduced differences. The policy matches this script by hash, so even a changed line ending or trailing whitespace produces a different fingerprint and the rule will not match.
To check the shasum of the script, run the following command in Terminal:
shasum -a 1 <name of script>
Add the Script to Policy
To create a rule to match this script in the Policy Editor:
- Create an Application Group to add the script control.
- Right-click and select Insert Application > Script.
- Enter * as the file or folder name, as you're matching explicitly on hash.
- Enter a description of User Homebrew Installation.
- Set the File Hash to value <insert shasum here>.
Ensure this file hash is the same as the script you prepared earlier, in case you made any custom modifications.
- Click Finish. The script is added to the Application Group.
Add a sudo Command for Homebrew to Policy
In the same Application Group:
- Right-click and select Insert Application > Sudo Command.
- Enter * to represent any sudo command.
- Enter a description or accept the default, and click Next.
- Configure the Parent Process Matches to be the Application Group you are editing, so the sudo allowance applies only when the parent is the hash-matched script.
This keeps the Homebrew configuration isolated within the policy and easier to navigate. Alternatively, you can separate the Script and Sudo application definitions into different groups. Note that the hash pins only the wrapper script: the installer it downloads at run time is what actually issues the sudo commands, and the * match allows any of them from that parent, so review what the installer does and re-check the hash whenever you change the wrapper.
- Click Finish. The sudo command is added to the Application Group.
Set Up an Application Rule for Homebrew
- Select the Workstyle that is appropriately filtered for users you want to allow to install Homebrew.
- Create an application assignment for the Application Group that contains the script and sudo command definitions, of type Allow Execution, with your messaging and auditing preferences.