Cowork on third-party (3P) is configured entirely through OS-native managed preferences: a .mobileconfig profile on macOS or registry policy on Windows. This page documents every supported key.
The easiest way to author a configuration is the in-app configuration window (Developer → Configure third-party inference), which validates values, shows per-provider requirements, and exports directly to .mobileconfig or .reg. Use this reference when you need to author policy by hand, audit an existing profile, or understand exactly what a key does.
How keys are read
| Platform | Managed (MDM) location | Local (user) location |
|---|---|---|
| macOS | /Library/Managed Preferences/<user>/com.anthropic.claudefordesktop.plist | ~/Library/Application Support/Claude-3p/claude_desktop_config.json (enterpriseConfig key) |
| Windows | HKLM\SOFTWARE\Policies\Claude (machine), HKCU\SOFTWARE\Policies\Claude (user) | %APPDATA%\Claude-3p\claude_desktop_config.json (enterpriseConfig key) |
When a managed source is present, it wins and locally written values are ignored. Configuration is read once at launch, so fully quit and reopen the app after any change. See Installation and setup for the full precedence rules.
Value types
All values are stored as strings in the OS preference store, even booleans and arrays.
| Documented type | What to write | Example |
|---|---|---|
| string | Plain string | vertex |
| boolean | "true" or "false" (or 1 / 0) | "true" |
| integer | Decimal string | "3600" |
| string[] (JSON) | JSON array encoded as a string (not a native plist/registry array) | ["claude-sonnet-4","claude-opus-4"] |
| object[] (JSON) | JSON array of objects, as a string | see managedMcpServers |
The most common configuration mistake is writing array-typed keys as native arrays. Keys like inferenceModels, disabledBuiltinTools, and coworkEgressAllowedHosts must be JSON strings. In a .mobileconfig, that means a single <string> element containing [...], not an <array>.
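An added example (not the product's own code): a Python audit of a managed preferences plist for the array-encoding mistake described above, plus the https:// requirement this page states for the base-URL keys. The function name audit_prefs and the sample plist are constructed for illustration.

```python
import json
import plistlib

# Keys this page documents as string[] (JSON) or object[] (JSON).
JSON_ARRAY_KEYS = {
    "inferenceModels", "inferenceVertexOAuthScopes", "inferenceGatewayHeaders",
    "disabledBuiltinTools", "allowedWorkspaceFolders",
    "coworkEgressAllowedHosts", "managedMcpServers",
}
# Keys this page says must be https://.
HTTPS_KEYS = {"inferenceVertexBaseUrl", "inferenceBedrockBaseUrl",
              "inferenceGatewayBaseUrl"}

def audit_prefs(plist_bytes):
    """Return sorted (key, problem) findings for one preferences plist."""
    findings = []
    for key, value in plistlib.loads(plist_bytes).items():
        if key in HTTPS_KEYS:
            if not (isinstance(value, str) and value.startswith("https://")):
                findings.append((key, "must be an https:// URL"))
        if key not in JSON_ARRAY_KEYS:
            continue
        if not isinstance(value, str):
            # e.g. an <array> in the profile instead of a single <string>
            kind = type(value).__name__
            findings.append((key, "native %s, expected a JSON string" % kind))
            continue
        try:
            parsed = json.loads(value)
        except ValueError:
            findings.append((key, "string is not valid JSON"))
            continue
        if not isinstance(parsed, list):
            findings.append((key, "JSON value is not an array"))
        elif key == "coworkEgressAllowedHosts" and "*" in parsed:
            findings.append((key, '"*" entry: sandbox egress filtering off'))
    return sorted(findings)

# Constructed sample, not a real deployment profile.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>inferenceProvider</key><string>gateway</string>
  <key>inferenceGatewayBaseUrl</key><string>http://llm.corp.example</string>
  <key>inferenceModels</key><array><string>claude-sonnet-4</string></array>
  <key>disabledBuiltinTools</key><string>["WebSearch","Bash"]</string>
  <key>coworkEgressAllowedHosts</key><string>["*"]</string>
  <key>allowedWorkspaceFolders</key><string>~/Documents/Claude</string>
</dict></plist>"""
```

Calling audit_prefs(SAMPLE) reports four keys: the native array, the unencoded path string, the wildcard egress entry, and the non-https base URL.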
The sections below match the sidebar of the in-app configuration window.
Connection
Activation
| Setting | Type | Description |
|---|---|---|
| Inference provider (inferenceProvider) | string | Selects the inference backend. One of gateway, vertex, bedrock, foundry. 3P mode activates only when this key is set and the required credential keys for the selected provider are present and valid; otherwise the app launches in standard mode. |
| Organization UUID (deploymentOrganizationUuid) | string | A UUID you generate to identify your deployment, in standard xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx format. Used to attribute telemetry to your organization. |
| Skip login-mode chooser (disableDeploymentModeChooser) | boolean | When true, skips the sign-in choice screen at first launch and boots directly into the mode implied by this configuration (third-party when inferenceProvider is set). Users won’t see the option to sign in to Anthropic instead, and any previously persisted choice is ignored. |
Generate and set deploymentOrganizationUuid before rollout. Anthropic uses this value to locate crash reports and telemetry from your fleet when you open a support case. If it’s unset, your telemetry is tagged with a shared placeholder UUID (00000000-0000-4000-8000-000000000001) that every unconfigured deployment also uses, and Anthropic cannot distinguish your organization’s events from anyone else’s.
Provider credentials
Each provider has its own required keys. Keys for providers other than the one selected in inferenceProvider are ignored. The providers are Vertex AI, Bedrock, Azure Foundry, and Gateway.
Vertex AI
| Setting | Required | Description |
|---|---|---|
| GCP project ID (inferenceVertexProjectId) | Yes | GCP project ID. |
| GCP region (inferenceVertexRegion) | Yes | GCP region (e.g. us-east5, europe-west4). On supported builds, global is also accepted. |
| GCP credentials file path (inferenceVertexCredentialsFile) | No | Absolute path to a service-account JSON or Application Default Credentials file. No ~ or environment-variable expansion. Required unless using OAuth (below) or a credential helper. |
| Vertex AI base URL (inferenceVertexBaseUrl) | No | Override the public regional endpoint, e.g. for Private Service Connect. Must be https://. |
| Vertex OAuth client ID (inferenceVertexOAuthClientId) | No | OAuth client ID for an interactive per-user Google sign-in, as an alternative to a shared service-account file. |
| Vertex OAuth client secret (inferenceVertexOAuthClientSecret) | No | OAuth client secret paired with the client ID above. |
| Vertex OAuth scopes (inferenceVertexOAuthScopes) | No | JSON string array of OAuth scopes to request. Defaults to the scope required for Vertex prediction. |
Bedrock
| Setting | Required | Description |
|---|---|---|
| AWS region (inferenceBedrockRegion) | Yes | AWS region (e.g. us-west-2, us-gov-west-1). |
| AWS bearer token (inferenceBedrockBearerToken) | One of token / profile | Bedrock API key from the Bedrock console or aws-bedrock-token-generator. If set, inferenceBedrockProfile is ignored. |
| AWS profile name (inferenceBedrockProfile) | One of token / profile | AWS named profile from ~/.aws/config. Use when credentials are managed by AWS CLI, SSO, or an enterprise credential process. |
| AWS config directory (inferenceBedrockAwsDir) | No | Absolute path to the directory containing AWS config/credentials files, if not the default ~/.aws. Copied into the sandbox so the named profile resolves there. |
| Bedrock base URL (inferenceBedrockBaseUrl) | No | Override the public regional endpoint, e.g. a PrivateLink VPC interface endpoint. Must be https://. |
The two auth methods require different IAM permissions. With inferenceBedrockBearerToken, the key’s underlying IAM principal must be allowed the bedrock:CallWithBearerToken action — without it, the key is created successfully but every inference request returns an authorization error. With inferenceBedrockProfile, the profile’s principal needs bedrock:InvokeModel and bedrock:InvokeModelWithResponseStream on the inference profiles and underlying foundation models you use.
Azure Foundry
| Setting | Required | Description |
|---|---|---|
| Azure AI Foundry resource name (inferenceFoundryResource) | Yes | Azure Foundry resource name (2–64 chars, lowercase alphanumeric and hyphens). |
| Azure AI Foundry API key (inferenceFoundryApiKey) | Yes | Foundry API key. |
Gateway
For LLM gateways (e.g. LiteLLM, Portkey, or an in-house proxy) that implement the Anthropic Messages API:
- POST /v1/messages with streaming and tool use is required.
- GET /v1/models is optional. If the gateway implements it, Cowork on 3P auto-discovers available models; if not, set inferenceModels explicitly.

| Setting | Required | Description |
|---|---|---|
| Gateway base URL (inferenceGatewayBaseUrl) | Yes | Gateway base URL. Must be https://. |
| Gateway API key (inferenceGatewayApiKey) | Yes | API key sent to the gateway. The field cannot be empty, so if your gateway authenticates by network identity and has no key, set a placeholder value. |
| Gateway auth scheme (inferenceGatewayAuthScheme) | No | How the credential is sent: auto (default; uses x-api-key when the key starts with sk-, otherwise Authorization: Bearer), x-api-key, or bearer. |
| Gateway extra headers (inferenceGatewayHeaders) | No | JSON string array of extra HTTP headers sent on every inference request, in "Name: Value" form (e.g. ["X-Org-Id: team1"]). |
Credential helper
For environments where static API keys aren’t permitted, Cowork on 3P can invoke an executable you provide to fetch a short-lived credential at runtime.
| Setting | Type | Description |
|---|---|---|
| Credential helper script (inferenceCredentialHelper) | string | Absolute path to an executable on the host. Its stdout is used as the inference credential, replacing the static API-key key for the chosen provider. |
| Credential helper TTL (inferenceCredentialHelperTtlSec) | integer | Cache the helper’s output for this many seconds before re-running it. Default 3600. |
The helper runs on the host (outside the sandbox) at session start and on cache expiry. Pair this with your organization’s SSO, secrets manager, or PKI tooling.
Models
| Setting | Type | Description |
|---|---|---|
| Model list (inferenceModels) | (string \| object)[] (JSON) | Models to expose in the picker. Use the provider’s exact model ID: Vertex publisher IDs (claude-sonnet-4@20250514), Bedrock inference-profile IDs (us.anthropic.claude-sonnet-4-...-v1:0), or Foundry deployment names. The first entry is the default. Required for Vertex, Bedrock, and Foundry; gateways auto-discover available models. Entries may be plain strings or objects of the form {"name": "<id>", "supports1m": true} (see below). |
Offering a 1M-token context variant
If your provider serves a model with the extended 1M-token context window, you can expose it as a separate picker entry by setting supports1m: true on that model’s entry:
```json
"inferenceModels": [
  { "name": "claude-opus-4", "supports1m": true },
  "claude-sonnet-4"
]
```
supports1m is a capability assertion you make about your deployment; Cowork doesn’t probe the provider to verify it. Only set it for models you’ve confirmed support the extended window; selecting a 1M variant on a model that doesn’t will fail mid-session once the conversation grows past the model’s actual limit.
Gateway: the name must be the exact ID your gateway’s /v1/models endpoint returns. If you set supports1m on an alias (sonnet) but discovery returns the full ID (claude-sonnet-4-6), the variant won’t appear.
Sandbox & workspace
| Setting | Type | Default | Description |
|---|---|---|---|
| Disabled built-in tools (disabledBuiltinTools) | string[] (JSON) | [] | Built-in tool names to remove from the agent entirely (e.g. ["WebSearch","Bash"]). Valid names: Bash, Read, Write, Edit, Glob, Grep, NotebookEdit, WebFetch, WebSearch, Task, TodoWrite, TaskCreate, TaskUpdate, TaskGet, TaskList, TaskStop, Skill, REPL, JavaScript, AskUserQuestion, ToolSearch, SendUserMessage. |
| Allowed workspace folders (allowedWorkspaceFolders) | string[] (JSON) | unrestricted | Absolute paths users may attach as workspace folders. Leading ~ expands to the user’s home. When set, any path outside this list is rejected. |
| Allowed egress hosts (coworkEgressAllowedHosts) | string[] (JSON) | inference endpoint only | Hostnames the Cowork sandbox may reach for web fetch, shell, and package installs. Supports *.example.com wildcards. ["*"] disables sandbox egress filtering. The configured inference endpoint is always allowed implicitly. |
| Allow Claude Code tab (isClaudeCodeForDesktopEnabled) | boolean | true | Show the Code tab. |
coworkEgressAllowedHosts governs the Cowork tab’s sandbox — web fetch, shell commands, and package installs run by the Cowork agent. It does not restrict the Code tab, which executes on the host with the user’s normal network access. To remove the Code tab, set isClaudeCodeForDesktopEnabled to false.
Connectors & extensions
| Setting | Type | Default | Description |
|---|---|---|---|
| Managed MCP servers (managedMcpServers) | object[] (JSON) | [] | Remote MCP servers deployed to all users. See schema. |
| Allow user-added MCP servers (isLocalDevMcpEnabled) | boolean | true | Allow users to add their own local MCP servers from Settings → Developer. End users cannot add remote MCP servers regardless of this setting. |
| Allow desktop extensions (isDesktopExtensionEnabled) | boolean | true | Allow installing local desktop extensions (.mcpb). |
| Show extension directory (isDesktopExtensionDirectoryEnabled) | boolean | true | Show the Anthropic extension directory in the Connectors UI. |
| Require signed extensions (isDesktopExtensionSignatureRequired) | boolean | false | Reject unsigned desktop extensions. |
See MCP, plugins, skills, and hooks for the org-plugins directory layout and the full managedMcpServers schema.
managedMcpServers
A JSON-stringified array of server objects:
| Field | Required | Description |
|---|---|---|
| name | Yes | Unique display name. |
| url | Yes | Server URL. Must be https://. |
| transport | — | "http" (default) or "sse". |
| headers | — | Static string→string header map. Mutually exclusive with oauth. |
| headersHelper | — | Absolute path to an executable that prints a JSON header object on stdout, for short-lived auth tokens. Mutually exclusive with oauth. |
| headersHelperTtlSec | — | Cache helper output for this many seconds. |
| oauth | — | true to use a dynamic-registration PKCE flow; tokens stored in the OS keychain. Mutually exclusive with headers / headersHelper. |
| toolPolicy | — | Map of tool name → "allow" / "ask" / "blocked". Locks the per-tool approval state for that server. |
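An added example (not the product's own validation logic): a Python pre-deployment check of a managedMcpServers value against the field table above, covering the https:// rule, transport values, the oauth exclusivity rule, the absolute-path rule for headersHelper, and toolPolicy states. The function name, hostnames, paths, and tool names are hypothetical.

```python
import json
from pathlib import PurePosixPath, PureWindowsPath

def _is_abs(path):
    # Accept either platform's absolute form; policy may target macOS or Windows.
    return PurePosixPath(path).is_absolute() or PureWindowsPath(path).is_absolute()

def validate_managed_mcp_servers(raw):
    """Check a managedMcpServers JSON string against the documented fields."""
    servers = json.loads(raw)
    if not isinstance(servers, list):
        return ["value is not a JSON array"]
    errors, seen = [], set()
    for i, srv in enumerate(servers):
        if not isinstance(srv, dict):
            errors.append("#%d: entry is not an object" % i)
            continue
        name = srv.get("name")
        label = name or "#%d" % i
        if not name:
            errors.append(label + ": name is required")
        elif name in seen:
            errors.append(label + ": name is not unique")
        seen.add(name)
        if not str(srv.get("url", "")).startswith("https://"):
            errors.append(label + ": url must be https://")
        if srv.get("transport", "http") not in ("http", "sse"):
            errors.append(label + ": transport must be http or sse")
        if srv.get("oauth") and ("headers" in srv or "headersHelper" in srv):
            errors.append(label + ": oauth excludes headers/headersHelper")
        if "headersHelper" in srv and not _is_abs(srv["headersHelper"]):
            errors.append(label + ": headersHelper must be an absolute path")
        for tool, state in srv.get("toolPolicy", {}).items():
            if state not in ("allow", "ask", "blocked"):
                errors.append("%s: toolPolicy[%s]=%r is invalid" % (label, tool, state))
    return errors

# Constructed sample; hostnames, paths and tool names are placeholders.
SAMPLE = json.dumps([
    {"name": "tickets", "url": "https://mcp.corp.example/tickets", "oauth": True,
     "toolPolicy": {"search": "allow", "delete_ticket": "blocked"}},
    {"name": "wiki", "url": "http://mcp.corp.example/wiki", "transport": "sse",
     "oauth": True, "headers": {"Authorization": "Bearer PLACEHOLDER"}},
    {"name": "wiki", "url": "https://mcp.corp.example/wiki2",
     "headersHelper": "bin/mcp-token", "toolPolicy": {"edit": "deny"}},
])
```

SAMPLE is already in the form the preference store expects: one JSON string, produced here with json.dumps.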
Telemetry & updates
See Telemetry and egress for what each category sends and the network paths involved.
Anthropic telemetry and updates
| Setting | Type | Default | Description |
|---|---|---|---|
| Block essential telemetry (disableEssentialTelemetry) | boolean | false | Block crash reports and error telemetry to Anthropic. Disabling this opts you into a manual support model in which your team collects and sends logs to Anthropic directly. |
| Block nonessential telemetry (disableNonessentialTelemetry) | boolean | false | Block product-usage analytics to Anthropic. |
| Block nonessential services (disableNonessentialServices) | boolean | false | Block non-critical third-party services: connector favicons and the artifact-preview iframe. |
| Block auto-updates (disableAutoUpdates) | boolean | false | Block update checks and downloads from Anthropic. Your IT team must redistribute new builds. |
| Auto-update enforcement window (autoUpdaterEnforcementHours) | integer | 72 | Force a pending update to install after this many hours (1–72). Ignored when auto-updates are disabled. |
OpenTelemetry export
Export full session activity to your own collector. See Monitoring for the event schema.
| Setting | Type | Description |
|---|---|---|
| OpenTelemetry collector endpoint (otlpEndpoint) | string | Base URL of your OTLP collector. When set, sessions export logs and metrics (prompts, tool calls, token counts). The endpoint host is automatically added to the sandbox network allowlist. |
| OpenTelemetry exporter protocol (otlpProtocol) | string | http/protobuf (default), http/json, or grpc. |
| OpenTelemetry exporter headers (otlpHeaders) | string | Comma-separated key=value pairs sent on every OTLP request (standard OTEL_EXPORTER_OTLP_HEADERS format). |
Usage limits
| Setting | Type | Description |
|---|---|---|
| Max tokens per window (inferenceMaxTokensPerWindow) | integer | Total input + output tokens permitted per device per window. When reached, the app refuses new messages until the window resets. Enforced locally; persists across restarts. |
| Token cap window (inferenceTokenWindowHours) | integer | Length of the tumbling window for the cap above, 1–720 hours. |
Plugins & skills
Plugins and skills have no configuration keys. They are distributed by placing plugin bundles in the org-plugins directory on each device, which the configuration window’s Plugins & skills section displays for reference.
Recommended security profiles
The profiles below are illustrative examples rather than built-in presets, and the labels are descriptive only. Use them as starting points and adjust for your environment. Layer the inference-provider keys for your cloud on top of whichever profile you choose.
The three profiles are Standard, Restricted, and Locked down.
Standard
Recommended for most enterprise deployments. Telemetry and auto-updates stay on so Anthropic can diagnose issues and ship fixes; users can extend Cowork with their own connectors.
| Key | Value |
|---|---|
| deploymentOrganizationUuid | <your-org-uuid> |
| autoUpdaterEnforcementHours | 24 |
| isDesktopExtensionSignatureRequired | true |
| otlpEndpoint | <your-collector> |
Restricted
For regulated environments that need to control what users can connect Cowork to, while keeping Anthropic supportability.
| Key | Value |
|---|---|
| deploymentOrganizationUuid | <your-org-uuid> |
| disableNonessentialTelemetry | true |
| disableNonessentialServices | true |
| isLocalDevMcpEnabled | false |
| isDesktopExtensionEnabled | false |
| isDesktopExtensionDirectoryEnabled | false |
| allowedWorkspaceFolders | ["~/Documents/Claude"] |
| coworkEgressAllowedHosts | ["*.your-org.com"] |
| otlpEndpoint | <your-collector> |
Locked down
For air-gapped or maximally restricted environments. The only traffic leaving the device goes to your inference endpoint and OTLP collector. With this profile, Anthropic has zero remote visibility, so your team owns log collection and update distribution.
| Key | Value |
|---|---|
| disableEssentialTelemetry | true |
| disableNonessentialTelemetry | true |
| disableNonessentialServices | true |
| disableAutoUpdates | true |
| isLocalDevMcpEnabled | false |
| isDesktopExtensionEnabled | false |
| isDesktopExtensionDirectoryEnabled | false |
| disabledBuiltinTools | ["WebSearch","WebFetch"] |
| coworkEgressAllowedHosts | [] |
| allowedWorkspaceFolders | ["~/Documents/Claude"] |
| otlpEndpoint | <your-collector> |