Deploy the Brave Browser to macOS endpoints with built-in ad blocking, tracker filtering, and Shields enabled by default
This Automox Worklet™ deploys the Brave Browser to macOS endpoints from the Automox software cache. The evaluation script tests for /Applications/Brave Browser.app and exits 0 when the application bundle is already present. When the bundle is missing, the script exits 1 and Automox schedules the remediation script for the next agent check-in.
The remediation script calls /usr/local/bin/wdk ottopm download Brave to fetch the installer through the Automox Worklet Developer Kit, then pipes the JSON result through wdk ottoq json '.steps[].downloaded_file_path // empty' to read the DMG path. It mounts the DMG with hdiutil attach, runs rsync -av on "/Volumes/Brave Browser/Brave Browser.app" into /Applications, detaches /Volumes/Brave Browser, retries the detach once after a five-second sleep when the volume is busy, and re-checks /Applications/Brave Browser.app to confirm the install landed.
The package itself is pulled from Automox-managed storage rather than the public laptop-updates.brave.com CDN, so a single signed build is delivered to every macOS endpoint in the policy. The Worklet ships as FixNow-compatible, which lets you run an on-demand deployment from the Automox console against a single endpoint or an entire group without waiting on the standard policy cadence.
Mac browser inventory drifts when employees self-install Brave to cut advertising trackers, others stay on bundled Safari, and managed installers push stale Chromium builds. That drift leaves the browser that touches every SaaS console, identity provider, and internal admin portal on an unknown baseline. Pushing a single signed Brave build through Automox replaces the drift with a known version that ships with Brave Shields, HTTPS upgrades, fingerprint randomization, and third-party tracker blocking on by default.
Apply this Worklet to your macOS group on the Automox policy cadence. The [[ -d "/Applications/Brave Browser.app" ]] test exits in a single shell call, the wdk ottopm download flow only fires where the bundle is absent, and each install or skip writes to the Activity Log so the endpoint inventory view stays accurate.
Evaluation phase: The evaluation.sh script tests for the directory /Applications/Brave Browser.app. If the bundle is present, the script echoes a compliance message and exits 0. If the bundle is absent, the script echoes that remediation will be scheduled and exits 1, which marks the endpoint non-compliant in the Automox console.
Remediation phase: The remediation.sh script runs the install_brave function. It calls /usr/local/bin/wdk ottopm download Brave to pull the signed installer through the Automox software cache, extracts the downloaded_file_path from the JSON output, runs hdiutil attach against the DMG, then rsync -av "/Volumes/Brave Browser/Brave Browser.app" "/Applications/" to stage the bundle. The script attempts hdiutil detach on /Volumes/Brave Browser, retries once after five seconds if the first detach fails, and re-checks /Applications/Brave Browser.app before exiting 0 on a confirmed install or 1 on failure.
macOS 10.15 (Catalina) or later on an Intel or Apple Silicon Mac
Automox agent version 1.42.22 or later, which ships the /usr/local/bin/wdk Worklet Developer Kit used to fetch the installer
Outbound HTTPS access from the endpoint to the Automox software cache (the agent reaches api.automox.com on port 443 by default)
Approximately 400 MB of free disk space for the DMG download and the staged /Applications/Brave Browser.app bundle
Root context for the Automox agent so hdiutil can mount the DMG and rsync can write into /Applications (the default agent context already meets this)
No conflicting MDM payload that pins the macOS managed app set, restricts /Applications writes, or blocks unsigned DMG mounts
After a successful remediation run, /Applications/Brave Browser.app exists on the endpoint and the Automox activity log records a remediation exit code of 0 with the message that Brave Browser was successfully installed. The next evaluation cycle finds the bundle in place, exits 0 with the already-installed message, and the endpoint reports compliant on the policy. Brave Shields, HTTPS upgrades, and the default tracker and ad blocking lists run on first launch without further configuration.
Validate the deployment with ls -ld "/Applications/Brave Browser.app" to confirm the bundle, mdls -name kMDItemVersion "/Applications/Brave Browser.app" to read the installed version, and codesign -dv --verbose=2 "/Applications/Brave Browser.app" to confirm the bundle is signed by Brave Software, Inc. For end user verification, launch Brave and navigate to brave://settings/shields to confirm Shields are enabled, then visit brave://version to capture the version string for the audit log. The volume /Volumes/Brave Browser should not appear in diskutil list after the run; if it does, the second hdiutil detach failed and the next evaluation will retry the install.
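The validation steps above can be scripted so the signer check is a pass/fail result instead of output someone reads by eye. This is an added example, not part of the Automox Worklet; the function names are hypothetical, and EXAMPLETEAM in the constructed sample is a placeholder, not a real Team ID.

```shell
#!/bin/bash
# Added example (not Automox's script): post-install signature checks.
EXPECTED_SIGNER="Brave Software, Inc."   # signer name given on the page

# Constructed sample of `codesign -dv --verbose=2` output; EXAMPLETEAM is a
# placeholder, not Brave's real Team ID.
SAMPLE_OUTPUT='Executable=/Applications/Brave Browser.app/Contents/MacOS/Brave Browser
Authority=Developer ID Application: Brave Software, Inc. (EXAMPLETEAM)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=EXAMPLETEAM'

# Read codesign output on stdin and print the leaf signing authority.
# codesign prints the chain leaf first, so only the first Authority= line counts.
leaf_authority() {
    sed -n 's/^Authority=//p' | head -n 1
}

# Succeed only when the leaf is a Developer ID certificate issued to the
# expected signer. Ad-hoc signatures (no Authority lines) fail.
signer_matches() {
    leaf=$(printf '%s\n' "$1" | leaf_authority)
    case "$leaf" in
        "Developer ID Application: $EXPECTED_SIGNER ("*")") return 0 ;;
        *) return 1 ;;
    esac
}

verify_bundle() {
    app=$1
    [ -d "$app" ] || { echo "FAIL: $app is missing"; return 1; }
    # -dv only displays metadata; --verify checks the seal against the files.
    codesign --verify --deep --strict "$app" || { echo "FAIL: invalid signature"; return 1; }
    info=$(codesign -dv --verbose=2 "$app" 2>&1)
    signer_matches "$info" || { echo "FAIL: unexpected signer"; return 1; }
    # A leftover mount means both detach attempts failed.
    [ ! -d "/Volumes/Brave Browser" ] || echo "WARN: installer volume still mounted"
    echo "OK: $(printf '%s\n' "$info" | leaf_authority)"
}

# Run against a real bundle only when a path is passed as the first argument.
if [ "$#" -gt 0 ]; then
    verify_bundle "$1"
fi
```

Pinning the TeamIdentifier value your organization has recorded for Brave is a stricter check than matching the signer name.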


Consider Worklets your easy button
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
