.mobileconfig profile on macOS, registry policy on Windows, or a root-owned JSON file on Linux. This page documents every supported key. For the desktop release each key first appeared in, see the configuration changelog.
The easiest way to author a configuration is the in-app configuration window (Developer → Configure third-party inference), which validates values, shows per-provider requirements, and exports directly to .mobileconfig or .reg. Use this reference when you need to author policy by hand, audit an existing profile, or understand exactly what a key does.
How keys are read
| Platform | Managed (MDM) location | Local (user) location |
|---|---|---|
| macOS | /Library/Managed Preferences/<user>/com.anthropic.claudefordesktop.plist | ~/Library/Application Support/Claude-3p/configLibrary/ |
| Windows | HKLM\SOFTWARE\Policies\Claude (machine), HKCU\SOFTWARE\Policies\Claude (user) | %LOCALAPPDATA%\Claude-3p\configLibrary\ |
| Linux | /etc/claude-desktop/managed-settings.json | ~/.config/Claude-3p/configLibrary/ |
_meta.json records which saved configuration is applied, and each configuration is a <id>.json file alongside it. The in-app configuration window writes here.
When a managed source is present, it wins and locally written values are ignored. The exception is a managed source that sets only the update keys (disableAutoUpdates and autoUpdaterEnforcementHours): those two keys are enforced from the managed source, but the rest of the configuration stays local and user-editable. Configuration is read once at launch, so fully quit and reopen the app after any change. On Windows, the two policy hives are not merged: when machine policy is present under HKLM\SOFTWARE\Policies\Claude, the app ignores HKCU\SOFTWARE\Policies\Claude entirely; Deploy the configuration has the exact rule. See Deploy with MDM for the full precedence rules.
Value types
Write every value as a string in the OS preference store, even booleans and arrays.| Documented type | What to write | Example |
|---|---|---|
| string | Plain string | vertex |
| boolean | "true" or "false" (or 1 / 0) | "true" |
| integer | Decimal string | "3600" |
| string[] (JSON) | JSON array encoded as a string (not a native plist/registry array) | ["claude-sonnet-4","claude-opus-4"] |
| object (JSON) | JSON object mapping name to value, as a string | {"X-Org-Id":"team1"} |
| object[] (JSON) | JSON array of objects, as a string | see managedMcpServers |
REG_SZ, directly under the policy key rather than nested in a subkey (the app never reads subkeys). REG_DWORD is also accepted for boolean and integer keys and is read as its decimal value. Avoid REG_EXPAND_SZ: the app counts it toward machine policy being present but cannot read its contents. The app cannot see REG_QWORD, REG_MULTI_SZ, or REG_BINARY values at all.
Linux
The managed source on Linux is a single JSON file,/etc/claude-desktop/managed-settings.json, with keys at the top level exactly as named in the reference — no wrapper object, no nesting:
managed-settings.jsonmust be a regular file (not a symlink), owned by root, and not group- or world-writable./etc/claude-desktopitself must be a directory (not a symlink), owned by root, and not group- or world-writable.
main.log in the app’s logs directory — ~/.config/Claude/logs/ (or ~/.config/Claude-3p/logs/ once the app is running in 3P mode); search for managed-settings.json. The same log names any key that fails schema validation.
There is no per-user managed location on Linux; per-user configuration goes through the in-app configuration window, which writes to the local configLibrary directory above.
Reference
The reference below is generated from the configuration schema and grouped to match the sidebar of the in-app configuration window. The Availability column shows whether a key can be set in an MDM profile, returned from a bootstrap server, or both.Connection
| Setting | Type | Availability | Default | Description |
|---|---|---|---|---|
Custom inference headersinferenceCustomHeaders | object | MDM + Bootstrap | — | Extra HTTP headers sent on every inference request to the configured provider. For tenant routing, org IDs, Bedrock Guardrails, etc. Previously named inferenceGatewayHeaders. |
Sign-in session lifetimeinferenceSessionLifetimeSec | integer | MDM + Bootstrap | — | How long a sign-in stays valid under your IdP’s session policy. Shows a re-authenticate banner before it expires. |
Helper scriptinferenceCredentialHelper | string | MDM only | — | Absolute path to an executable that prints the credential, optionally with per-request headers. |
Helper script TTLinferenceCredentialHelperTtlSec | integer | MDM only | 3600 | Helper output is cached for this many seconds. Re-runs at the next session start after expiry. Defaults to 3600. |
Credential helper timeoutinferenceCredentialHelperTimeoutSec | integer | MDM only | 60 | Maximum wait for the helper executable to finish. Raise this if the helper opens a browser for interactive sign-in. Defaults to 60. Range: 1–600. |
Re-run helper for silent refreshinferenceCredentialHelperSilentRefreshEnabled | boolean | MDM only | true | When a session’s credential expires, re-run the helper with CLAUDE_HELPER_CONTEXT=mid-session-refresh to recover silently. Turn this off if your helper can’t run non-interactively. Defaults to true. |
Inference providerinferenceProvider | enum | MDM + Bootstrap | — | Selects the inference backend. Setting this key activates third-party mode. One of: gateway, anthropic, bedrock, mantle, vertex, foundry. |
Credential kindinferenceCredentialKind | enum | MDM + Bootstrap | — | Selects the credential source. When set, only that source is used (no fallback). One of: static, helper-script, interactive, vendor-profile, oauth, workforce. |
inferenceCustomHeaders details
inferenceCustomHeaders details
ANTHROPIC_CUSTOM_HEADERS).Use this for fleet-wide constants. For per-user or per-session values, have the credential helper script emit JSON with a headers field; those are merged over these static entries (helper wins on conflict).inferenceCredentialHelper details
inferenceCredentialHelper details
0; any output on stderr is logged but ignored. Stdout must contain only one of the formats below (no banners, prompts, or log lines).Output format is either:- a single bare token (the API key / bearer token), or
- a JSON object
{"token": "...", "headers": {"Name": "Value", ...}}when per-request headers are needed (merged over Custom inference headers, helper wins on conflict)
security find-generic-password -s anthropic-api -wIf this field is set, static credential fields (API key, bearer token) are ignored. The helper always wins.inferenceProvider details
inferenceProvider details
Anthropic
| Setting | Type | Availability | Default | Description |
|---|---|---|---|---|
Claude API keyinferenceAnthropicApiKey | string | MDM + Bootstrap | — | Leave blank to fetch a key via browser sign-in, or to supply the key via a credential helper. |
Bedrock
| Setting | Type | Availability | Default | Description |
|---|---|---|---|---|
AWS regioninferenceBedrockRegion | string | MDM + Bootstrap | — | AWS region for the Bedrock runtime endpoint. |
Bedrock base URLinferenceBedrockBaseUrl | string | MDM + Bootstrap | — | For VPC endpoints or gateway proxies. Host origin only. |
Bedrock service tierinferenceBedrockServiceTier | enum | MDM + Bootstrap | — | Sent as the X-Amzn-Bedrock-Service-Tier header. Leave unset for on-demand. One of: flex, priority. |
AWS bearer tokeninferenceBedrockBearerToken | string | MDM + Bootstrap | — | Static bearer token for inference. For providers that support profile or helper-script credentials, prefer those. |
AWS SSO start URLinferenceBedrockSsoStartUrl | string | MDM + Bootstrap | — | Enables in-app AWS sign-in (no AWS CLI needed). Set with the three SSO fields below. |
AWS SSO regioninferenceBedrockSsoRegion | string | MDM + Bootstrap | — | IAM Identity Center home region. |
AWS SSO account IDinferenceBedrockSsoAccountId | string | MDM + Bootstrap | — | 12-digit AWS account ID assigned to users in IAM Identity Center. |
AWS SSO role nameinferenceBedrockSsoRoleName | string | MDM + Bootstrap | — | IAM Identity Center permission-set name granting bedrock:InvokeModel* on the account above. |
AWS profile nameinferenceBedrockProfile | string | MDM only | — | AWS named profile to use for Bedrock inference credentials. |
AWS config directoryinferenceBedrockAwsDir | string | MDM only | — | Folder with AWS config/credentials. Defaults to ~/.aws when no bearer token is set. |
AWS CLI pathinferenceBedrockAwsCliPath | string | MDM only | — | Absolute path to the aws executable. Leave unset to find it on PATH. |
inferenceBedrockServiceTier details
inferenceBedrockServiceTier details
Foundry
| Setting | Type | Availability | Default | Description |
|---|---|---|---|---|
Azure AI Foundry resource nameinferenceFoundryResource | string | MDM + Bootstrap | — | Azure AI Foundry resource name used to construct the endpoint URL. |
Azure AI Foundry API keyinferenceFoundryApiKey | string | MDM + Bootstrap | — | API key for Azure AI Foundry inference. |
Entra ID tenant IDinferenceFoundryTenantId | string | MDM only | — | Directory (tenant) ID of the Entra ID app registration that has the Cognitive Services scope. |
Entra ID client IDinferenceFoundryClientId | string | MDM only | — | Application (client) ID of the Entra ID app registration. Device-code sign-in requires the app to allow public client flows. |
Entra ID sign-in flowinferenceFoundryAuthFlow | enum | MDM + Bootstrap | — | How interactive Entra ID sign-in runs: device-code (default) shows a code to enter at microsoft.com/devicelogin; browser opens the system browser for an authorization-code (PKCE) sign-in. One of: device-code, browser. |
inferenceFoundryAuthFlow details
inferenceFoundryAuthFlow details
Gateway
| Setting | Type | Availability | Default | Description |
|---|---|---|---|---|
Gateway base URLinferenceGatewayBaseUrl | string | MDM + Bootstrap | — | Full URL of the inference gateway endpoint. |
Gateway API keyinferenceGatewayApiKey | string | MDM + Bootstrap | — | API key for the configured inference gateway. |
Gateway auth schemeinferenceGatewayAuthScheme | enum | MDM + Bootstrap | bearer | How the gateway credential is sent on the wire (Authorization: Bearer vs x-api-key header). One of: bearer, x-api-key. Defaults to bearer. |
Gateway SSO IdP (OIDC)inferenceGatewayOidc | object | MDM + Bootstrap | — | External IdP for gateway sign-in. The user authenticates against this issuer; the resulting token (ID token by default) is sent to the gateway as the Bearer credential. Leave unset only if the gateway is its own OAuth authorization server. |
inferenceGatewayOidc details
inferenceGatewayOidc details
<issuer>/.well-known/openid-configuration, runs an OIDC authorization-code-with-PKCE flow in the system browser with clientId, and sends the resulting token as Authorization: Bearer on every inference request — see Bearer token type below for how the gateway validates it.Bearer token type. id_token (the default) sends the OIDC ID token — the gateway validates signature + iss + aud, where aud is the clientId configured here. access_token sends the OAuth access token — the gateway validates as an OAuth resource server against the audience/scope the IdP issued the token for; set scopes to the gateway’s registered API scope (required in this mode). Use access_token for gateways that expect a resource-server token (Portkey, Kong, Envoy JWT filter, AWS API Gateway authorizers).The gateway MUST validate iss AND aud, not just the signature. Signature + issuer alone accepts any token from the same tenant, including tokens issued to unrelated apps. In id_token mode the audience is the clientId:http://127.0.0.1:<port>/callback (RFC 8252 §7.3). Register 127.0.0.1; most IdPs do not treat localhost and 127.0.0.1 as interchangeable. Entra: register a public-client app, add a Mobile and desktop applications redirect URI of http://127.0.0.1/callback. (Microsoft’s docs say the path is wildcarded for loopback; in practice it is not: http://127.0.0.1 without /callback fails with AADSTS50011. The port IS wildcarded.) Grant openid profile email offline_access (delegated, no admin consent); in access_token mode also add the gateway API’s delegated permission under API permissions (and ensure the gateway’s own app registration exposes that scope via Expose an API) — without it Entra rejects the sign-in with AADSTS65001. Okta: register a Native app with the exact redirect URI http://127.0.0.1:<port>/callback and set redirectPort here to that port (Okta requires an exact match).Refresh: offline_access returns a refresh token; the app refreshes the bearer silently before expiry. When refresh fails (revoked, idle past the IdP’s window), the user re-authenticates in the browser. Google Workspace caveat (id_token mode only): Google never returns id_token on a refresh-token grant, so a Google-backed gateway in id_token mode will prompt a browser sign-in roughly once per ID-token TTL (~1h). Entra and Okta return a fresh id_token and are unaffected; access_token mode is unaffected on all IdPs.Leave this unset for a gateway that hosts its own RFC 8414 metadata at <baseUrl>/.well-known/oauth-authorization-server (the original gateway-as-AS path).| Field | Type | Default | Description |
|---|---|---|---|
clientId | string | — | |
issuer | string | — | |
authorizationUrl | string | — | |
tokenUrl | string | — | |
bearerTokenType | enum | id_token | Which token to send as the gateway bearer. Use access token for gateways that validate as an OAuth resource server. One of: id_token, access_token. |
scopes | string | — | |
appendOfflineAccess | boolean | true | Automatically append offline_access to scopes so the IdP returns a refresh token for silent refresh. Turn off only if your authorization server rejects offline_access as an unknown scope; include the server’s own refresh-token scope in Scopes instead. |
redirectPort | integer | — | |
additionalRedirectReferrerHosts | string | — | Space-separated hostnames also accepted as the referrer of the sign-in callback. Only needed when the IdP completes sign-in from a host other than the authorization URL’s; the rejected host is named in the app log. |
Models
| Setting | Type | Availability | Default | Description |
|---|---|---|---|---|
Model discoverymodelDiscoveryEnabled | boolean | MDM + Bootstrap | — | Auto-populate the model picker from the provider at launch. |
Model listinferenceModels | object[] | MDM + Bootstrap | — | Override the auto-discovered model list. First entry is the default. |
modelDiscoveryEnabled details
modelDiscoveryEnabled details
inferenceModels details
inferenceModels details
claude-sonnet-4@20250514), Bedrock inference-profile IDs (us.anthropic.claude-sonnet-4-...-v1:0), or Foundry deployment names. The first entry is the default. Entries may be plain ID strings or objects.Gateway: the name must be the exact ID your gateway’s /v1/models endpoint returns. If you set supports1m on an alias (sonnet) but discovery returns the full ID, the variant won’t appear.Extended context (supports1m) is a capability assertion you make about your deployment; only set it for models you’ve confirmed support the 1M-token window:labelOverride) is for IDs the picker can’t derive a friendly name from (Bedrock ARNs, gateway routing aliases). Display-only; name is still what the app sends:anthropicFamilyTier) tells the app which Claude tier (haiku/sonnet/opus/fable/mythos) an entry stands in for, so bare tier aliases (e.g. in the Code tab) resolve to your model. isFamilyDefault: true picks the winner when several entries share a tier:| Field | Type | Default | Description |
|---|---|---|---|
name | string | — | |
labelOverride | string | — | Shown in the model picker. Leave blank to auto-format from the ID. |
supports1m | boolean | — | |
anthropicFamilyTier | enum | — | Which Claude tier this model stands in for. Pins the bare alias (e.g. ‘opus’) and, for opus/fable, the refusal fallback. One of: sonnet, opus, haiku, fable, mythos. |
isFamilyDefault | boolean | — |
Vertex
| Setting | Type | Availability | Default | Description |
|---|---|---|---|---|
GCP project IDinferenceVertexProjectId | string | MDM + Bootstrap | — | Google Cloud project ID for Vertex AI inference. |
GCP regioninferenceVertexRegion | string | MDM + Bootstrap | — | GCP region where your Vertex AI Claude models are deployed. |
Vertex AI base URLinferenceVertexBaseUrl | string | MDM + Bootstrap | — | PSC endpoint, if using one. |
Vertex OAuth client IDinferenceVertexOAuthClientId | string | MDM + Bootstrap | — | Desktop-app OAuth client ID. Enables Sign in with Google instead of a credentials file. |
Vertex OAuth client secretinferenceVertexOAuthClientSecret | string | MDM + Bootstrap | — | Secret for the Desktop-app OAuth client above. |
Vertex OAuth scopesinferenceVertexOAuthScopes | string | MDM + Bootstrap | — | Override the Google OAuth scopes (space-separated). Leave blank for the default. |
Vertex OAuth login hintinferenceVertexOAuthLoginHint | string | MDM + Bootstrap | — | Pre-fill Google’s account chooser and forward to your federated IdP. {username} expands to the OS login name. |
Workforce Identity audienceinferenceVertexWorkforceAudience | string | MDM + Bootstrap | — | Workforce-pool provider audience. When set, sign-in uses your own IdP plus a GCP STS exchange instead of a Google identity. |
Workforce Identity billing projectinferenceVertexWorkforceUserProject | string | MDM + Bootstrap | — | GCP project for STS billing and quota. Defaults to the Vertex project ID above. |
Workforce Identity IdP (OIDC)inferenceVertexWorkforceOidc | object | MDM + Bootstrap | — | Your organization’s OIDC IdP. The app runs an authorization-code-with-PKCE flow against this issuer and exchanges the returned ID token at GCP STS. |
GCP credentials file pathinferenceVertexCredentialsFile | string | MDM only | — | Absolute path to service-account JSON. Leave blank to fall back to ADC. |
inferenceVertexWorkforceOidc details
inferenceVertexWorkforceOidc details
| Field | Type | Default | Description |
|---|---|---|---|
clientId | string | — | |
issuer | string | — | |
authorizationUrl | string | — | |
tokenUrl | string | — | |
scopes | string | — | |
redirectPort | integer | — | |
omitOfflineAccess | boolean | — | Only enable if your IdP rejects the offline_access scope on this client. Without it the app cannot refresh silently and will prompt for sign-in each time the IdP token expires. |
additionalRedirectReferrerHosts | string | — | Space-separated hostnames also accepted as the referrer of the sign-in callback. Only needed when the IdP completes sign-in from a host other than the authorization URL’s; the rejected host is named in the app log. |
Workspace restrictions
Authentication
| Setting | Type | Availability | Default | Description |
|---|---|---|---|---|
Disable Claude.ai sign-indisableDeploymentModeChooser | boolean | MDM only | false | Users see only this provider at the login screen. The option to sign in to Claude.ai is hidden. Defaults to false. |
Disable claude:// deep-link handlingdisableDeepLinkRegistration | boolean | MDM only | false | Stop external apps and websites from opening Cowork via claude:// links. Defaults to false. |
Chat surface
| Setting | Type | Availability | Default | Description |
|---|---|---|---|---|
Allow Chat tabchatTabEnabled | boolean | MDM + Bootstrap · Beta | — | Enable the Chat tab. Quick questions and drafting. |
Advanced file analysischatAdvancedFileAnalysisEnabled | boolean | MDM + Bootstrap · Beta | — | Allow Claude to run code in a local sandbox to analyze attached files it can’t read natively — like Excel and PowerPoint — and perform inline data analysis. The sandbox can only read files attached to the conversation and has no network access. Off by default. |
Code surface
| Setting | Type | Availability | Default | Description |
|---|---|---|---|---|
Allow Claude Code tabisClaudeCodeForDesktopEnabled | boolean | MDM + Bootstrap | true | Enable the Code tab. Claude writes and runs code. Defaults to true. |
Cowork surface
| Setting | Type | Availability | Default | Description |
|---|---|---|---|---|
Allow Cowork tabcoworkTabEnabled | boolean | MDM + Bootstrap | true | Enable the Cowork tab. Claude works on longer tasks like research, analysis, and documents. Defaults to true. |
Workspace
| Setting | Type | Availability | Default | Description |
|---|---|---|---|---|
Disabled built-in toolsdisabledBuiltinTools | string[] | MDM + Bootstrap | — | Built-in tools removed from Cowork. |
Disable bundled skills and workflowsdisableBundledSkills | boolean | MDM + Bootstrap | — | Disables Claude Code’s bundled skills and workflows (deep-research and similar). Use where they cannot function, for instance when WebFetch is egress-blocked and the gateway does not forward the WebSearch server tool. |
Built-in tool policybuiltinToolPolicy | object | MDM + Bootstrap | — | Per-tool approval policy. “ask” requires user approval before each call; “allow” is the default. Use Disabled built-in tools to remove a tool entirely. |
Allow Auto modeautoModeEnabled | boolean | MDM + Bootstrap | false | Offer Auto mode in the Cowork and Code permission selectors. Claude decides which actions need approval. Defaults to false. |
Allowed workspace foldersallowedWorkspaceFolders | object[] | MDM + Bootstrap | — | Folders users may attach as a workspace. Leave unset for unrestricted access. Supports ~ and a fixed set of environment variables. |
Allowed egress hostscoworkEgressAllowedHosts | string[] | MDM + Bootstrap | — | Hostnames the agent’s tools may reach from the Cowork and Code tabs. Also surfaced under Egress Requirements. |
Require full VM sandboxrequireCoworkFullVmSandbox | boolean | MDM + Bootstrap · Deprecated | false | Runs tools inside an isolated VM instead of the host. Stronger isolation; slower file access and no host-process tools. Defaults to false. |
autoModeEnabled details
autoModeEnabled details
builtinToolPolicy and this key may both be set; Auto mode is a user-selectable option alongside the default policy, not a replacement for it.In the Code tab, a separately deployed Claude Code managed-settings file that sets disableAutoMode to "disable" overrides this key and keeps Auto mode hidden.allowedWorkspaceFolders details
allowedWorkspaceFolders details
~ and these environment variables, expanded per user: %OneDrive%, %OneDriveCommercial%, %OneDriveConsumer%, %APPDATA%, %LOCALAPPDATA%, %USERNAME%, %XDG_DOCUMENTS_DIR%. The set is fixed; an entry that references any other %VAR%, or one that is unset on the device, is ignored.| Field | Type | Default | Description |
|---|---|---|---|
path | string | — | |
isDefaultSelected | boolean | — | Shows as a folder chip on the new-task page and skips the trust prompt. Users can remove it. |
coworkEgressAllowedHosts details
coworkEgressAllowedHosts details
api.github.com), wildcards (*.corp.com matches one subdomain level), and * to allow all. *.corp.com matches docs.corp.com but not corp.com itself; add both if you need the apex. IP literals and localhost always resolve regardless of this list; this is a public-egress filter, not a sandbox.Hosts you add here also need to be open on your network firewall. See Egress Requirements for the full allowlist.Connectors & extensions
Authentication
| Setting | Type | Availability | Default | Description |
|---|---|---|---|---|
Microsoft 365 native sign-in brokermicrosoftAuthBroker | enum | MDM only | auto | Set to “disabled” to force browser-based Microsoft 365 sign-in instead of the native Company Portal / Windows account broker. One of: auto, disabled. Defaults to auto. |
Extensions
| Setting | Type | Availability | Default | Description |
|---|---|---|---|---|
Allow desktop extensionsisDesktopExtensionEnabled | boolean | MDM + Bootstrap | false | .dxt and .mcpb installs. Defaults to false. Previously named isDxtEnabled. |
Require signed extensionsisDesktopExtensionSignatureRequired | boolean | MDM + Bootstrap | false | Reject desktop extensions that are not signed by a trusted publisher. Defaults to false. Previously named isDxtSignatureRequired. |
isDesktopExtensionEnabled details
isDesktopExtensionEnabled details
MCP
| Setting | Type | Availability | Default | Description |
|---|---|---|---|---|
Managed MCP serversmanagedMcpServers | object[] | MDM + Bootstrap | — | Org-pushed MCP servers: remote (HTTP/SSE) or local (stdio command). May embed bearer tokens. |
Allow user-added MCP serversisLocalDevMcpEnabled | boolean | MDM + Bootstrap | true | Local stdio servers added via the Developer settings. Remote servers come from the managed list above, or plugins mounted to a user’s computer by an organization admin. Defaults to true. |
managedMcpServers details
managedMcpServers details
http://<callbackHost>:<callbackPort>/callback; register that exact value with the OAuth provider. Tokens refresh automatically during a session, so users aren’t interrupted when the initial access token expires.toolPolicy locks the per-tool approval state, keyed by tool name. Keys may contain * wildcards ("read_*" matches every tool whose name starts with read_; matching is anchored and * is the only wildcard, identical to Claude Code permission-rule globs). An exact-name key wins over matching wildcard keys, with two exceptions in the stricter direction: in the Code tab, forwarded blocked/ask wildcard rules take precedence over a less strict exact key, and in chat approval flows and always-allow persistence a wildcard ask key keeps every matching tool behind a per-call prompt (no persistent always-allow) even when a more permissive exact-name key matches — for direct (imperative) tool invocations such as artifact or widget tool calls, the exact-name key still decides. When several wildcard keys match a tool, the strictest applies (blocked > ask > allow). "blocked" removes the tool from the session and labels it admin-blocked. "ask" requires approval on every call (Allow once / Deny only; no persistent always-allow). "allow" pre-approves. Tools not listed follow the user’s choice: the prompt offers a persistent Always allow, except for tools that can modify data, which instead show a session-scoped Allow for this task alongside Allow for all tasks with a malicious-instruction warning. In the Code tab, blocked/ask are forwarded as Claude Code permission rules; allow is not.For the bundled Microsoft 365 connector, the send tools (outlook_send_mail, outlook_send_draft, outlook_forward_mail, outlook_create_event, outlook_update_event) cannot be loosened below ask — an allow setting resolves to ask.| Field | Type | Default | Description |
|---|---|---|---|
name | string | — | |
server | string | — | One of: microsoft365, websearch. |
tenantId | string | — | Your organization’s Microsoft Entra directory (tenant) ID. |
clientId | string | — | Entra public-client (PKCE) app registration ID. |
azureCloud | enum | — | Microsoft cloud for sign-in and Graph. Leave as global for commercial Microsoft 365; US Government clouds require your own app registration (Client ID). One of: global, us-gov-high, us-gov-dod. |
scope | string | — | What the server may request at sign-in. If blank, Desktop’s default read set is used. |
toolPolicy | object | — | Lock the approval state for specific tools. Unlisted tools stay user-controlled. |
headers | object | — | |
headersHelper | string | — | Script that prints the auth header as a JSON object to stdout. Runs before each request (cached for the TTL below) so the key can come from a secrets manager instead of being stored inline. |
headersHelperTtlSec | integer | — | |
provider | enum | — | Runs search from the desktop, for inference providers without native web search (Bedrock, custom gateways). On Anthropic API and Vertex, the model’s built-in web search is available without this. Set the provider’s auth header below — Brave: X-Subscription-Token, Exa: x-api-key, Tavily: Authorization (Bearer …). One of: brave, tavily, exa, custom. |
customUrl | string | — | POST endpoint accepting {q} JSON and returning a results[] array. Only used when provider is Custom. |
transport | enum | — | One of: http, sse, stdio. |
url | string | — | |
oauth | object | — | |
oauth.clientId | string | — | |
oauth.clientSecret | string | — | Only for IdPs whose token endpoint requires a client secret (e.g. Box). Leave blank for PKCE-only public clients. |
oauth.clientSecretHelper | string | — | Executable that prints the client secret on stdout. Overrides the inline value. |
oauth.authorizationServer | string[] | — | Issuer URLs the OAuth sign-in may use, as a JSON array. Pre-filled by presets; ask your IdP admin if unsure. |
oauth.tenantId | string | — | Required for single-tenant Entra apps. Leave blank for multi-tenant or non-Microsoft IdPs. |
oauth.scope | string | — | |
oauth.appendOfflineAccess | boolean | — | Adds offline_access to the authorize request so the IdP returns a refresh token for silent renewal. Leave off if Scope already includes it or the server rejects it. |
oauth.callbackHost | enum | — | Use localhost only if your IdP’s registered redirect URI specifies it. One of: 127.0.0.1, localhost. |
oauth.callbackPort | integer | — | Only set if your IdP requires an exact-match redirect port. Entra accepts any. |
command | string | — | Absolute path to the server executable, run on the user’s machine. |
args | string[] | — | |
env | object | — | |
startupTimeoutSec | integer | 120 | Maximum wait in seconds for the server to start and list its tools. |
Telemetry & updates
| Setting | Type | Availability | Default | Description |
|---|---|---|---|---|
Organization UUIDdeploymentOrganizationUuid | string | MDM + Bootstrap | — | A UUID you generate. Tags telemetry so Anthropic support can locate your fleet’s events. If unset, a shared placeholder UUID is sent and your events can’t be distinguished from other unconfigured deployments. Not used for auth. |
Block essential telemetrydisableEssentialTelemetry | boolean | MDM only | false | Crash and performance reports to Anthropic. Defaults to false. |
Block nonessential telemetrydisableNonessentialTelemetry | boolean | MDM + Bootstrap | false | Product-usage analytics and diagnostic-report uploads. No message content. Defaults to false. |
Block nonessential servicesdisableNonessentialServices | boolean | MDM + Bootstrap | false | Favicon fetch and the artifact-preview iframe origin. Artifacts will not render. Defaults to false. |
disableEssentialTelemetry details
disableEssentialTelemetry details
disableNonessentialTelemetry details
disableNonessentialTelemetry details
claude.ai. Already listed under Egress Requirements → Nonessential telemetry.Auto update
| Setting | Type | Availability | Default | Description |
|---|---|---|---|---|
Block auto-updatesdisableAutoUpdates | boolean | MDM + Bootstrap | false | Stop Cowork from fetching updates. You’ll need to push new versions yourself. Defaults to false. |
Auto-update enforcement windowautoUpdaterEnforcementHours | integer | MDM + Bootstrap | — | Hours before a downloaded update force-installs. Blank = 72-hour default. Range: 1–72. |
OTLP
| Setting | Type | Availability | Default | Description |
|---|---|---|---|---|
OpenTelemetry collector endpointotlpEndpoint | string | MDM + Bootstrap | — | Where Cowork sends OpenTelemetry logs and metrics. Leave blank to disable. |
OpenTelemetry exporter protocolotlpProtocol | enum | MDM + Bootstrap | http/protobuf | grpc or http/protobuf. One of: http/protobuf, http/json, grpc. Defaults to http/protobuf. |
OpenTelemetry exporter headersotlpHeaders | object | MDM + Bootstrap | — | Optional auth headers for the collector. |
OpenTelemetry resource attributesotlpResourceAttributes | object | MDM + Bootstrap | — | Extra resource attributes to attach to every span/metric. |
Desktop telemetry export levelotlpDesktopLogLevel | enum | MDM + Bootstrap | error | Controls the Claude Desktop application’s events, separate from Cowork and Code sessions. Defaults to error. One of: off, error, warn, info, debug. Defaults to error. |
Content capture categoriesotlpContentCapture | enum[] | MDM + Bootstrap | — | Content categories the desktop exporter sends unredacted to your collector. Leave empty to redact all content (default). One of: userPrompts, assistantResponses, toolDetails, toolContent, rawApiBodies. |
otlpContentCapture details
otlpContentCapture details
userPrompts — user-typed prompt text. assistantResponses — assistant message text. toolDetails — tool input arguments, e.g. the web-search query string. toolContent — tool output content, e.g. fetched page text or command stdout. rawApiBodies — full inference API request and response bodies. These mirror Claude Code’s OTEL_LOG_* env vars; see the Claude Code monitoring docs.Usage limits
Token limits
| Setting | Type | Availability | Default | Description |
|---|---|---|---|---|
Max tokens per windowinferenceMaxTokensPerWindow | integer | MDM + Bootstrap | — | Per-user soft cap, counted client-side over the duration below. Not a server-enforced quota. |
Token cap windowinferenceTokenWindowHours | integer | MDM + Bootstrap | — | Tumbling window length for the token cap. Max 720 hours (30 days). Range: 1–720. |
Appearance
| Setting | Type | Availability | Default | Description |
|---|---|---|---|---|
Organization bannerbanner | object | MDM + Bootstrap | — | A persistent banner across the top of the app window after sign-in. |
Plugins & skills
| Setting | Type | Availability | Default | Description |
|---|---|---|---|---|
Organization plugins endpointorganizationPluginsUrl | string | MDM + Bootstrap | — | Typically supplied by your bootstrap server. Ignored when bootstrap is disabled. |
Organization plugin settingsorgPluginSettings | object[] | MDM + Bootstrap | — | Admin policy applied to plugin-delivered MCP servers. |
Plugin marketplacesallowedPluginMarketplaces | object[] | MDM + Bootstrap · Beta | — | Git repositories to surface as plugin marketplaces in the Directory’s Organization tab. Users can browse and install plugins from these sources; the app re-clones each repository periodically to pick up updates. |
orgPluginSettings details
orgPluginSettings details
toolPolicy locks to MCP servers that arrive via the org-plugins directory, keyed by server name. Either shape is accepted; when hand-authoring a profile, use the legacy record shape until your fleet floor parses the canonical array form:toolPolicy (if any) applies; the entry here for that name is ignored.| Field | Type | Default | Description |
|---|---|---|---|
serverName | string | — | |
tools | object[] | — | |
tools.toolName | string | — | |
tools.permission | enum | — | One of: allow, ask, blocked. |
allowedPluginMarketplaces details
allowedPluginMarketplaces details
| Field | Type | Default | Description |
|---|---|---|---|
source | string | — | One of: github, git. |
repo | string | — | |
ref | string | — | Commit SHA, branch, or tag. Leave empty to track the default branch. |
path | string | — | Folder within the repository that contains the marketplace, when it isn’t at the root. |
expectedName | string | — | Rejects the marketplace if its manifest name differs. |
installationPreference | enum | — | Whether users install plugins themselves or get them automatically. One of: available, auto_install, required. |
credentialKind | enum | — | How clones authenticate: anonymously, with the user’s git credentials, or via a helper executable. One of: anonymous, userGit, credentialHelper. |
credentialHelper | string | — | Executable that prints an access token for this repository. |
url | string | — |
Source
| Setting | Type | Availability | Default | Description |
|---|---|---|---|---|
Claude.ai data importclaudeAiImport | object | Bootstrap only | — | Export endpoint and OAuth client for importing a user’s Claude.ai conversation history into this deployment. Delivered by the bootstrap server only. |
claudeAiImport details
claudeAiImport details
| Field | Type | Default | Description |
|---|---|---|---|
url | string | — | |
oauthIssuer | string | — | |
oauthClientId | string | — |
Bootstrap
| Setting | Type | Availability | Default | Description |
|---|---|---|---|---|
Use bootstrap configbootstrapEnabled | boolean | MDM only | true | Fetch and apply the URL above at launch. Turn off to keep the URL saved but skip the fetch. Defaults to true. |
Bootstrap config URLbootstrapUrl | string | MDM only | — | HTTPS endpoint that returns a per-user JSON config overlay. Values from the response override local settings and become read-only. |
Bootstrap OIDC parametersbootstrapOidc | object | MDM only | — | When set, the bootstrap request sends a Bearer token from a browser sign-in (authorization-code-with-PKCE). |
bootstrapOidc details
bootstrapOidc details
bootstrapOidc.clientId. Writing the sub-fields as separate registry values causes the app to silently fall through to device-code mode.| Field | Type | Default | Description |
|---|---|---|---|
clientId | string | — | |
issuer | string | — | |
authorizationUrl | string | — | |
tokenUrl | string | — | |
scopes | string | — | Space-separated; the token’s audience must match what your bootstrap server validates. |
redirectPort | integer | — | |
additionalRedirectReferrerHosts | string | — | Space-separated hostnames also accepted as the referrer of the sign-in callback. Only needed when the IdP completes sign-in from a host other than the authorization URL’s; the rejected host is named in the app log. |
Guides
Recommended security profiles
The profiles below are illustrative examples rather than built-in presets, and the labels are descriptive only. Use them as starting points and adjust for your environment. Layer the inference-provider keys for your cloud on top of whichever profile you choose.- Standard
- Restricted
- Locked down
| Key | Value |
|---|---|
deploymentOrganizationUuid | <your-org-uuid> |
autoUpdaterEnforcementHours | 24 |
isDesktopExtensionSignatureRequired | true |
otlpEndpoint | <your-collector> |