Homebrew

The canonical install path for managed fleets and individual users on macOS / Linux.

Install

brew install pointfiveinc/tap/tokenshift

This produces a properly pinned build — ingest URL and public key are compiled in, so telemetry can ship as soon as an enrollment manifest is present. See Enrollment for the next step.

Auth requirement

The tap is private. Homebrew resolves the GitHub token at install time via gh auth token, so you need:

gh auth login        # log in against the pointfiveinc org
brew tap pointfiveinc/tap   # implicit when you install

The formula runs inside Homebrew’s sandbox, which strips most of $PATH and excludes /opt/homebrew/bin. Token resolution uses an absolute path to gh to work around that — you do not need to touch anything yourself, but be aware if you’re auditing the formula.

MDM rollout

Tip

For fleet rollouts, push gh to the machine first and either run gh auth login on first user setup, or pre-seed HOMEBREW_GITHUB_API_TOKEN via your MDM’s secret store before the TokenShift install step runs. The formula can’t prompt during an unattended install.

Cross-link: MDM rollout patterns covers Jamf, JumpCloud, Intune, and Ansible patterns for both the binary and the enrollment manifest.

Verify

tokenshift version
tokenshift doctor

doctor reports pinning, manifest, telemetry, and hook state.

Upgrade

brew upgrade pointfiveinc/tap/tokenshift

Uninstall

brew uninstall tokenshift

To also remove the agent hooks and local cache, run tokenshift uninstall before brew uninstall, then delete ~/.tokenshift/ and ~/.config/tokenshift/.

Next

• Enrollment — bind the binary to your tenant.
• Quickstart — the canonical first-run flow.