Claude Desktop on third-party (3P) is configured entirely through OS-native managed preferences: a .mobileconfig profile on macOS or registry policy on Windows. This page documents every supported key. For the desktop release each key first appeared in, see the configuration changelog. The easiest way to author a configuration is the in-app configuration window (Developer → Configure third-party inference), which validates values, shows per-provider requirements, and exports directly to .mobileconfig or .reg. Use this reference when you need to author policy by hand, audit an existing profile, or understand exactly what a key does.

How keys are read

| Platform | Managed (MDM) location | Local (user) location |
| --- | --- | --- |
| macOS | /Library/Managed Preferences/<user>/com.anthropic.claudefordesktop.plist | ~/Library/Application Support/Claude-3p/configLibrary/ |
| Windows | HKLM\SOFTWARE\Policies\Claude (machine), HKCU\SOFTWARE\Policies\Claude (user) | %LOCALAPPDATA%\Claude-3p\configLibrary\ |

The local location is a directory: _meta.json records which saved configuration is applied, and each configuration is a <id>.json file alongside it. The in-app configuration window writes here. When a managed source is present, it wins and locally written values are ignored. Configuration is read once at launch, so fully quit and reopen the app after any change. See Installation and setup for the full precedence rules.

Value types

All values are stored as strings in the OS preference store, even booleans and arrays.

| Documented type | What to write | Example |
| --- | --- | --- |
| string | Plain string | vertex |
| boolean | "true" or "false" (or 1 / 0) | "true" |
| integer | Decimal string | "3600" |
| string[] (JSON) | JSON array encoded as a string (not a native plist/registry array) | ["claude-sonnet-4","claude-opus-4"] |
| object (JSON) | JSON object mapping name to value, as a string | {"X-Org-Id":"team1"} |
| object[] (JSON) | JSON array of objects, as a string | see managedMcpServers |

The most common configuration mistake is writing array- or object-typed keys as native plist/registry structures. Keys like inferenceModels, inferenceGatewayOidc, managedMcpServers, coworkEgressAllowedHosts, and otlpHeaders must be JSON strings. In a .mobileconfig, that means a single <string> element containing [...] or {...} — not an <array>, not a <dict>, and not separate keys with dotted names like inferenceGatewayOidc.clientId.
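
An audit check for the mistake described above, as an added example (not Anthropic's code and not part of the original page): it parses a preference plist and flags JSON-typed keys written as native structures, as dotted sub-keys, or as strings that do not hold JSON of the expected shape. The sample plist is constructed, and the check assumes the keys sit at the top level of the parsed dictionary, as in the managed preferences plist.

```python
import json
import plistlib

# Keys this reference types as JSON arrays / JSON objects (from the tables on this page).
JSON_ARRAY_KEYS = {"inferenceModels", "managedMcpServers", "coworkEgressAllowedHosts",
                   "disabledBuiltinTools", "allowedWorkspaceFolders", "orgPluginSettings"}
JSON_OBJECT_KEYS = {"inferenceCustomHeaders", "inferenceGatewayOidc", "otlpHeaders",
                    "inferenceVertexWorkforceOidc", "builtinToolPolicy", "banner",
                    "otlpResourceAttributes", "bootstrapOidc"}

# Constructed sample: three deliberate mistakes and two correctly encoded keys.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>inferenceProvider</key><string>gateway</string>
  <key>coworkEgressAllowedHosts</key><array><string>example.internal</string></array>
  <key>inferenceGatewayOidc.clientId</key><string>placeholder-client-id</string>
  <key>managedMcpServers</key><string>{"name":"placeholder"}</string>
  <key>otlpHeaders</key><string>{"X-Org-Id":"team1"}</string>
  <key>inferenceModels</key><string>["claude-sonnet-4","claude-opus-4"]</string>
</dict></plist>"""


def lint_preferences(plist_bytes):
    """Return sorted (key, problem) pairs for JSON-typed keys that are mis-encoded."""
    findings = []
    for key, value in plistlib.loads(plist_bytes).items():
        base = key.split(".", 1)[0]
        if base in JSON_ARRAY_KEYS:
            expected, shape = list, "array"
        elif base in JSON_OBJECT_KEYS:
            expected, shape = dict, "object"
        else:
            continue  # plain string/boolean/integer/enum key: not checked here
        if key != base:
            findings.append((key, f"dotted sub-key; write one JSON {shape} string under {base}"))
        elif not isinstance(value, str):
            findings.append((key, f"native plist {type(value).__name__}; use one <string> of JSON"))
        else:
            try:
                parsed = json.loads(value)
            except ValueError:
                parsed = None
            if not isinstance(parsed, expected):
                findings.append((key, f"string does not hold a JSON {shape}"))
    return sorted(findings)


if __name__ == "__main__":
    for key, problem in lint_preferences(SAMPLE):
        print(f"{key}: {problem}")
```
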

Reference

The reference below is generated from the configuration schema and grouped to match the sidebar of the in-app configuration window. The Availability column shows whether a key can be set in an MDM profile, returned from a bootstrap server, or both.

Connection

| Key | Type | Availability | Default | Description |
| --- | --- | --- | --- | --- |
| inferenceCustomHeaders | object | MDM + Bootstrap |  | Extra HTTP headers sent on every inference request to the configured provider. For tenant routing, org IDs, Bedrock Guardrails, etc. Previously named inferenceGatewayHeaders. |
| inferenceSessionLifetimeSec | integer | MDM + Bootstrap |  | How long a sign-in stays valid under your IdP’s session policy. Shows a re-authenticate banner before it expires. |
| inferenceCredentialHelper | string | MDM only |  | Absolute path to an executable that prints the credential, optionally with per-request headers. |
| inferenceCredentialHelperTtlSec | integer | MDM only | 3600 | Helper output is cached for this many seconds. Re-runs at the next session start after expiry. Defaults to 3600. |
| inferenceCredentialHelperTimeoutSec | integer | MDM only | 60 | Maximum wait for the helper executable to finish. Raise this if the helper opens a browser for interactive sign-in. Defaults to 60. Range: 1–600. |
| inferenceCredentialHelperSilentRefreshEnabled | boolean | MDM only | true | When a session’s credential expires, re-run the helper with CLAUDE_HELPER_CONTEXT=mid-session-refresh to recover silently. Turn this off if your helper can’t run non-interactively. Defaults to true. |
| inferenceProvider | enum | MDM + Bootstrap |  | Selects the inference backend. Setting this key activates third-party mode. One of: gateway, anthropic, bedrock, mantle, vertex, foundry. |
| inferenceCredentialKind | enum | MDM + Bootstrap |  | Selects the credential source. When set, only that source is used (no fallback). One of: static, helper-script, interactive, vendor-profile, oauth, workforce. |

Anthropic

| Key | Type | Availability | Default | Description |
| --- | --- | --- | --- | --- |
| inferenceAnthropicApiKey | string | MDM + Bootstrap |  | Leave blank to fetch a key via browser sign-in, or to supply the key via a credential helper. |

Bedrock

| Key | Type | Availability | Default | Description |
| --- | --- | --- | --- | --- |
| inferenceBedrockRegion | string | MDM + Bootstrap |  | AWS region for the Bedrock runtime endpoint. |
| inferenceBedrockBaseUrl | string | MDM + Bootstrap |  | For VPC endpoints or gateway proxies. Host origin only. |
| inferenceBedrockServiceTier | enum | MDM + Bootstrap |  | Sent as the X-Amzn-Bedrock-Service-Tier header. Leave unset for on-demand. One of: flex, priority. |
| inferenceBedrockBearerToken | string | MDM + Bootstrap |  |  |
| inferenceBedrockSsoStartUrl | string | MDM + Bootstrap |  | Enables in-app AWS sign-in (no AWS CLI needed). Set with the three SSO fields below. |
| inferenceBedrockSsoRegion | string | MDM + Bootstrap |  | IAM Identity Center home region. |
| inferenceBedrockSsoAccountId | string | MDM + Bootstrap |  | 12-digit AWS account ID assigned to users in IAM Identity Center. |
| inferenceBedrockSsoRoleName | string | MDM + Bootstrap |  | IAM Identity Center permission-set name granting bedrock:InvokeModel* on the account above. |
| inferenceBedrockProfile | string | MDM only |  |  |
| inferenceBedrockAwsDir | string | MDM only |  | Folder with AWS config/credentials. Defaults to ~/.aws when no bearer token is set. |
| inferenceBedrockAwsCliPath | string | MDM only |  | Absolute path to the aws executable. Leave unset to find it on PATH. |

Foundry

| Key | Type | Availability | Default | Description |
| --- | --- | --- | --- | --- |
| inferenceFoundryResource | string | MDM + Bootstrap |  | Azure AI Foundry resource name used to construct the endpoint URL. |
| inferenceFoundryApiKey | string | MDM + Bootstrap |  |  |
| inferenceFoundryTenantId | string | MDM only |  | Directory (tenant) ID of the Entra ID app registration that has the Cognitive Services scope. |
| inferenceFoundryClientId | string | MDM only |  | Application (client) ID of the Entra ID app registration. The app must allow public client flows for device code. |

Gateway

| Key | Type | Availability | Default | Description |
| --- | --- | --- | --- | --- |
| inferenceGatewayBaseUrl | string | MDM + Bootstrap |  | Full URL of the inference gateway endpoint. |
| inferenceGatewayApiKey | string | MDM + Bootstrap |  |  |
| inferenceGatewayAuthScheme | enum | MDM + Bootstrap | bearer | How the gateway credential is sent on the wire (Authorization: Bearer vs x-api-key header). One of: bearer, x-api-key. Defaults to bearer. |
| inferenceGatewayOidc | object | MDM + Bootstrap |  | External IdP for gateway sign-in. The user authenticates against this issuer; the resulting token (ID token by default) is sent to the gateway as the Bearer credential. Leave unset only if the gateway is its own OAuth authorization server. |

Models

| Key | Type | Availability | Default | Description |
| --- | --- | --- | --- | --- |
| modelDiscoveryEnabled | boolean | MDM + Bootstrap |  | Auto-populate the model picker from the provider at launch. |
| inferenceModels | object[] | MDM + Bootstrap |  | Override the auto-discovered model list. First entry is the default. |

Vertex

| Key | Type | Availability | Default | Description |
| --- | --- | --- | --- | --- |
| inferenceVertexProjectId | string | MDM + Bootstrap |  |  |
| inferenceVertexRegion | string | MDM + Bootstrap |  | GCP region where your Vertex AI Claude models are deployed. |
| inferenceVertexBaseUrl | string | MDM + Bootstrap |  | PSC endpoint, if using one. |
| inferenceVertexOAuthClientId | string | MDM + Bootstrap |  | Desktop-app OAuth client ID. Enables Sign in with Google instead of a credentials file. |
| inferenceVertexOAuthClientSecret | string | MDM + Bootstrap |  | Secret for the Desktop-app OAuth client above. |
| inferenceVertexOAuthScopes | string | MDM + Bootstrap |  | Override the Google OAuth scopes (space-separated). Leave blank for the default. |
| inferenceVertexOAuthLoginHint | string | MDM + Bootstrap |  | Pre-fill Google’s account chooser and forward to your federated IdP. {username} expands to the OS login name. |
| inferenceVertexWorkforceAudience | string | MDM + Bootstrap |  | Workforce-pool provider audience. When set, sign-in uses your own IdP plus a GCP STS exchange instead of a Google identity. |
| inferenceVertexWorkforceUserProject | string | MDM + Bootstrap |  | GCP project for STS billing and quota. Defaults to the Vertex project ID above. |
| inferenceVertexWorkforceOidc | object | MDM + Bootstrap |  | Your organization’s OIDC IdP. The app runs an authorization-code-with-PKCE flow against this issuer and exchanges the returned ID token at GCP STS. |
| inferenceVertexCredentialsFile | string | MDM only |  | Absolute path to service-account JSON. Leave blank to fall back to ADC. |

Workspace restrictions

Authentication

| Key | Type | Availability | Default | Description |
| --- | --- | --- | --- | --- |
| disableDeploymentModeChooser | boolean | MDM only | false | Users see only this provider at the login screen. The option to sign in to Claude.ai is hidden. Defaults to false. |
| disableDeepLinkRegistration | boolean | MDM only | false | Stop external apps and websites from opening Cowork via claude:// links. Defaults to false. |

Chat Surface

| Key | Type | Availability | Default | Description |
| --- | --- | --- | --- | --- |
| chatTabEnabled | boolean | MDM + Bootstrap · Beta |  | Enable the Chat tab. Quick questions and drafting. |
| chatAdvancedFileAnalysisEnabled | boolean | MDM + Bootstrap · Beta |  | Allow Claude to run code in a local sandbox to analyze attached files it can’t read natively — like Excel and PowerPoint — and perform inline data analysis. The sandbox can only read files attached to the conversation and has no network access. Off by default. |

Code Surface

| Key | Type | Availability | Default | Description |
| --- | --- | --- | --- | --- |
| isClaudeCodeForDesktopEnabled | boolean | MDM + Bootstrap | true | Enable the Code tab. Claude writes and runs code. Defaults to true. |

Cowork Surface

| Key | Type | Availability | Default | Description |
| --- | --- | --- | --- | --- |
| coworkTabEnabled | boolean | MDM + Bootstrap | true | Enable the Cowork tab. Claude works on longer tasks like research, analysis, and documents. Defaults to true. |

Workspace

| Key | Type | Availability | Default | Description |
| --- | --- | --- | --- | --- |
| disabledBuiltinTools | string[] | MDM + Bootstrap |  | Built-in tools removed from Cowork. |
| builtinToolPolicy | object | MDM + Bootstrap |  | Per-tool approval policy. “ask” requires user approval before each call; “allow” is the default. Use Disabled built-in tools to remove a tool entirely. |
| autoModeEnabled | boolean | MDM + Bootstrap | false | Offer Auto mode in the Cowork and Code permission selectors. Claude decides which actions need approval. Defaults to false. |
| allowedWorkspaceFolders | object[] | MDM + Bootstrap |  | Folders users may attach as a workspace. Leave unset for unrestricted access. Supports ~ and a fixed set of environment variables. |
| coworkEgressAllowedHosts | string[] | MDM + Bootstrap |  | Hostnames the agent’s tools may reach from the Cowork and Code tabs. Also surfaced under Egress Requirements. |
| requireCoworkFullVmSandbox | boolean | MDM + Bootstrap · Deprecated | false | Runs tools inside an isolated VM instead of the host. Stronger isolation; slower file access and no host-process tools. Defaults to false. |

Connectors & extensions

Extensions

| Key | Type | Availability | Default | Description |
| --- | --- | --- | --- | --- |
| isDesktopExtensionEnabled | boolean | MDM + Bootstrap | true | .dxt and .mcpb installs. Defaults to true. Previously named isDxtEnabled. |
| isDesktopExtensionSignatureRequired | boolean | MDM + Bootstrap | false | Reject desktop extensions that are not signed by a trusted publisher. Defaults to false. Previously named isDxtSignatureRequired. |

Mcp

| Key | Type | Availability | Default | Description |
| --- | --- | --- | --- | --- |
| managedMcpServers | object[] | MDM + Bootstrap |  | Org-pushed MCP servers: remote (HTTP/SSE) or local (stdio command). May embed bearer tokens. |
| isLocalDevMcpEnabled | boolean | MDM + Bootstrap | true | Local stdio servers added via the Developer settings. Remote servers come from the managed list above, or plugins mounted to a user’s computer by an organization admin. Defaults to true. |

Telemetry & updates

| Key | Type | Availability | Default | Description |
| --- | --- | --- | --- | --- |
| deploymentOrganizationUuid | string | MDM + Bootstrap |  | A UUID you generate. Tags telemetry so Anthropic support can locate your fleet’s events. If unset, a shared placeholder UUID is sent and your events can’t be distinguished from other unconfigured deployments. Not used for auth. |
| disableEssentialTelemetry | boolean | MDM only | false | Crash and performance reports to Anthropic. Defaults to false. |
| disableNonessentialTelemetry | boolean | MDM + Bootstrap | false | Product-usage analytics and diagnostic-report uploads. No message content. Defaults to false. |
| disableNonessentialServices | boolean | MDM + Bootstrap | false | Favicon fetch and the artifact-preview iframe origin. Artifacts will not render. Defaults to false. |

Auto Update

| Key | Type | Availability | Default | Description |
| --- | --- | --- | --- | --- |
| disableAutoUpdates | boolean | MDM + Bootstrap | false | Stop Cowork from fetching updates. You’ll need to push new versions yourself. Defaults to false. |
| autoUpdaterEnforcementHours | integer | MDM + Bootstrap |  | Hours before a downloaded update force-installs. Blank = 72-hour default. Range: 1–72. |

Otlp

| Key | Type | Availability | Default | Description |
| --- | --- | --- | --- | --- |
| otlpEndpoint | string | MDM + Bootstrap |  | Where Cowork sends OpenTelemetry logs and metrics. Leave blank to disable. |
| otlpProtocol | enum | MDM + Bootstrap | http/protobuf | grpc or http/protobuf. One of: http/protobuf, http/json, grpc. Defaults to http/protobuf. |
| otlpHeaders | object | MDM + Bootstrap |  | Optional auth headers for the collector. |
| otlpResourceAttributes | object | MDM + Bootstrap |  | Extra resource attributes to attach to every span/metric. |
| otlpDesktopLogLevel | enum | MDM + Bootstrap | error | Controls the Claude Desktop application’s events, separate from Cowork and Code sessions. One of: off, error, warn, info, debug. Defaults to error. |

Usage limits

Token Limits

| Key | Type | Availability | Default | Description |
| --- | --- | --- | --- | --- |
| inferenceMaxTokensPerWindow | integer | MDM + Bootstrap |  | Per-user soft cap, counted client-side over the duration below. Not a server-enforced quota. |
| inferenceTokenWindowHours | integer | MDM + Bootstrap |  | Tumbling window length for the token cap. Max 720 hours (30 days). Range: 1–720. |

Appearance

| Key | Type | Availability | Default | Description |
| --- | --- | --- | --- | --- |
| banner | object | MDM + Bootstrap |  | A persistent banner across the top of the app window after sign-in. |

Plugins & skills

| Key | Type | Availability | Default | Description |
| --- | --- | --- | --- | --- |
| organizationPluginsUrl | string | MDM + Bootstrap |  | Typically supplied by your bootstrap server. Ignored when bootstrap is disabled. |
| orgPluginSettings | object[] | MDM + Bootstrap |  | Admin policy applied to plugin-delivered MCP servers. |

Source

| Key | Type | Availability | Default | Description |
| --- | --- | --- | --- | --- |
| claudeAiImport | object | Bootstrap only |  |  |

Bootstrap

| Key | Type | Availability | Default | Description |
| --- | --- | --- | --- | --- |
| bootstrapEnabled | boolean | MDM only | true | Fetch and apply the URL above at launch. Turn off to keep the URL saved but skip the fetch. Defaults to true. |
| bootstrapUrl | string | MDM only |  | HTTPS endpoint that returns a per-user JSON config overlay. Values from the response override local settings and become read-only. |
| bootstrapOidc | object | MDM only |  | When set, the bootstrap request sends a Bearer token from a browser sign-in (authorization-code-with-PKCE). |

Guides

The profiles below are illustrative examples rather than built-in presets, and the labels are descriptive only. Use them as starting points and adjust for your environment. Layer the inference-provider keys for your cloud on top of whichever profile you choose.
Recommended for most enterprise deployments. Telemetry and auto-updates stay on so Anthropic can diagnose issues and ship fixes; users can extend Claude Desktop with their own connectors.