Skip to main content
Most settings on this page are easier to configure in the in-app configuration window. Use this reference when you’re scripting an MDM policy or bootstrap response by hand.
Claude Desktop on third-party (3P) is configured entirely through OS-native managed preferences: a .mobileconfig profile on macOS, registry policy on Windows, or a root-owned JSON file on Linux. This page documents every supported key. For the desktop release each key first appeared in, see the configuration changelog. The easiest way to author a configuration is the in-app configuration window (Developer → Configure third-party inference), which validates values, shows per-provider requirements, and exports directly to .mobileconfig or .reg. Use this reference when you need to author policy by hand, audit an existing profile, or understand exactly what a key does.

How keys are read

PlatformManaged (MDM) locationLocal (user) location
macOS/Library/Managed Preferences/<user>/com.anthropic.claudefordesktop.plist~/Library/Application Support/Claude-3p/configLibrary/
WindowsHKLM\SOFTWARE\Policies\Claude (machine), HKCU\SOFTWARE\Policies\Claude (user)%LOCALAPPDATA%\Claude-3p\configLibrary\
Linux/etc/claude-desktop/managed-settings.json~/.config/Claude-3p/configLibrary/
The local location is a directory: _meta.json records which saved configuration is applied, and each configuration is a <id>.json file alongside it. The in-app configuration window writes here. When a managed source is present, it wins and locally written values are ignored. The exception is a managed source that sets only the update keys (disableAutoUpdates and autoUpdaterEnforcementHours): those two keys are enforced from the managed source, but the rest of the configuration stays local and user-editable. Configuration is read once at launch, so fully quit and reopen the app after any change. On Windows, the two policy hives are not merged: when machine policy is present under HKLM\SOFTWARE\Policies\Claude, the app ignores HKCU\SOFTWARE\Policies\Claude entirely; Deploy the configuration has the exact rule. See Deploy with MDM for the full precedence rules.

Value types

Write every value as a string in the OS preference store, even booleans and arrays.
Documented typeWhat to writeExample
stringPlain stringvertex
boolean"true" or "false" (or 1 / 0)"true"
integerDecimal string"3600"
string[] (JSON)JSON array encoded as a string (not a native plist/registry array)["claude-sonnet-4","claude-opus-4"]
object (JSON)JSON object mapping name to value, as a string{"X-Org-Id":"team1"}
object[] (JSON)JSON array of objects, as a stringsee managedMcpServers
The most common configuration mistake is writing array- or object-typed keys as native plist/registry structures. Keys like inferenceModels, inferenceGatewayOidc, managedMcpServers, coworkEgressAllowedHosts, and otlpHeaders must be JSON strings. In a .mobileconfig, that means a single <string> element containing [...] or {...} — not an <array>, not a <dict>, and not separate keys with dotted names like inferenceGatewayOidc.clientId.
On Windows, write registry values as REG_SZ, directly under the policy key rather than nested in a subkey (the app never reads subkeys). REG_DWORD is also accepted for boolean and integer keys and is read as its decimal value. Avoid REG_EXPAND_SZ: the app counts it toward machine policy being present but cannot read its contents. The app cannot see REG_QWORD, REG_MULTI_SZ, or REG_BINARY values at all.

Linux

The managed source on Linux is a single JSON file, /etc/claude-desktop/managed-settings.json, with keys at the top level exactly as named in the reference — no wrapper object, no nesting:
{
  "inferenceProvider": "gateway",
  "inferenceGatewayBaseUrl": "https://gateway.example.com/v1",
  "inferenceGatewayApiKey": "sk-example",
  "inferenceCustomHeaders": { "X-Tenant-Id": "acme" }
}
Because the file is real JSON, array- and object-typed keys use native JSON values — the string-encoding rule above applies to plist and registry sources only. (String-encoded values are also accepted, so a profile generated for another platform can be reused.) The file is only honored when it can’t be edited by the user it configures:
  • managed-settings.json must be a regular file (not a symlink), owned by root, and not group- or world-writable.
  • /etc/claude-desktop itself must be a directory (not a symlink), owned by root, and not group- or world-writable.
A file that fails these checks is ignored, and the reason is logged to main.log in the app’s logs directory — ~/.config/Claude/logs/ (or ~/.config/Claude-3p/logs/ once the app is running in 3P mode); search for managed-settings.json. The same log names any key that fails schema validation. There is no per-user managed location on Linux; per-user configuration goes through the in-app configuration window, which writes to the local configLibrary directory above.

Reference

The reference below is generated from the configuration schema and grouped to match the sidebar of the in-app configuration window. The Availability column shows whether a key can be set in an MDM profile, returned from a bootstrap server, or both.

Connection

SettingTypeAvailabilityDefaultDescription
Custom inference headers
inferenceCustomHeaders
objectMDM + BootstrapExtra HTTP headers sent on every inference request to the configured provider. For tenant routing, org IDs, Bedrock Guardrails, etc. Previously named inferenceGatewayHeaders.
Sign-in session lifetime
inferenceSessionLifetimeSec
integerMDM + BootstrapHow long a sign-in stays valid under your IdP’s session policy. Shows a re-authenticate banner before it expires.
Helper script
inferenceCredentialHelper
stringMDM onlyAbsolute path to an executable that prints the credential, optionally with per-request headers.
Helper script TTL
inferenceCredentialHelperTtlSec
integerMDM only3600Helper output is cached for this many seconds. Re-runs at the next session start after expiry. Defaults to 3600.
Credential helper timeout
inferenceCredentialHelperTimeoutSec
integerMDM only60Maximum wait for the helper executable to finish. Raise this if the helper opens a browser for interactive sign-in. Defaults to 60. Range: 1–600.
Re-run helper for silent refresh
inferenceCredentialHelperSilentRefreshEnabled
booleanMDM onlytrueWhen a session’s credential expires, re-run the helper with CLAUDE_HELPER_CONTEXT=mid-session-refresh to recover silently. Turn this off if your helper can’t run non-interactively. Defaults to true.
Inference provider
inferenceProvider
enumMDM + BootstrapSelects the inference backend. Setting this key activates third-party mode. One of: gateway, anthropic, bedrock, mantle, vertex, foundry.
Credential kind
inferenceCredentialKind
enumMDM + BootstrapSelects the credential source. When set, only that source is used (no fallback). One of: static, helper-script, interactive, vendor-profile, oauth, workforce.
Sent on every inference and model-discovery request (joined into the CLI’s ANTHROPIC_CUSTOM_HEADERS).Use this for fleet-wide constants. For per-user or per-session values, have the credential helper script emit JSON with a headers field; those are merged over these static entries (helper wins on conflict).
Claude runs the executable with no arguments and reads stdout (trimmed). Exit code must be 0; any output on stderr is logged but ignored. Stdout must contain only one of the formats below (no banners, prompts, or log lines).Output format is either:
  • a single bare token (the API key / bearer token), or
  • a JSON object {"token": "...", "headers": {"Name": "Value", ...}} when per-request headers are needed (merged over Custom inference headers, helper wins on conflict)
Result is cached for the TTL below. On TTL expiry the helper is re-invoked transparently (no user prompt, no relaunch).Expiry and refresh: the app checks the active credential’s expiry before each turn and refreshes silently when possible (re-runs the helper, or uses the stored refresh token for interactive sign-in kinds). If the provider returns HTTP 401 mid-turn, the same silent refresh is attempted before surfacing an error. When silent refresh fails, a prompt appears with a provider-specific action (re-sign-in for interactive kinds; admin-contact for static credentials). Applies to all providers and both tabs.Typical use: a shell script that pulls from Keychain, 1Password CLI, or an internal secret broker. Example:security find-generic-password -s anthropic-api -wIf this field is set, static credential fields (API key, bearer token) are ignored. The helper always wins.
The app activates 3P mode only when this is set and the required credential keys for the selected provider are present and valid; otherwise it launches in standard mode. Keys for providers other than the selected one are ignored. Each provider’s required keys are documented on its dedicated page under Inference providers.

Anthropic

SettingTypeAvailabilityDefaultDescription
Claude API key
inferenceAnthropicApiKey
stringMDM + BootstrapLeave blank to fetch a key via browser sign-in, or to supply the key via a credential helper.

Bedrock

SettingTypeAvailabilityDefaultDescription
AWS region
inferenceBedrockRegion
stringMDM + BootstrapAWS region for the Bedrock runtime endpoint.
Bedrock base URL
inferenceBedrockBaseUrl
stringMDM + BootstrapFor VPC endpoints or gateway proxies. Host origin only.
Bedrock service tier
inferenceBedrockServiceTier
enumMDM + BootstrapSent as the X-Amzn-Bedrock-Service-Tier header. Leave unset for on-demand. One of: flex, priority.
AWS bearer token
inferenceBedrockBearerToken
stringMDM + BootstrapStatic bearer token for inference. For providers that support profile or helper-script credentials, prefer those.
AWS SSO start URL
inferenceBedrockSsoStartUrl
stringMDM + BootstrapEnables in-app AWS sign-in (no AWS CLI needed). Set with the three SSO fields below.
AWS SSO region
inferenceBedrockSsoRegion
stringMDM + BootstrapIAM Identity Center home region.
AWS SSO account ID
inferenceBedrockSsoAccountId
stringMDM + Bootstrap12-digit AWS account ID assigned to users in IAM Identity Center.
AWS SSO role name
inferenceBedrockSsoRoleName
stringMDM + BootstrapIAM Identity Center permission-set name granting bedrock:InvokeModel* on the account above.
AWS profile name
inferenceBedrockProfile
stringMDM onlyAWS named profile to use for Bedrock inference credentials.
AWS config directory
inferenceBedrockAwsDir
stringMDM onlyFolder with AWS config/credentials. Defaults to ~/.aws when no bearer token is set.
AWS CLI path
inferenceBedrockAwsCliPath
stringMDM onlyAbsolute path to the aws executable. Leave unset to find it on PATH.
Tier availability varies by model and region. Reserved capacity uses a provisioned-throughput ARN as the model ID instead of this setting. Older bundled Claude Code CLI versions ignore this key.

Foundry

SettingTypeAvailabilityDefaultDescription
Azure AI Foundry resource name
inferenceFoundryResource
stringMDM + BootstrapAzure AI Foundry resource name used to construct the endpoint URL.
Azure AI Foundry API key
inferenceFoundryApiKey
stringMDM + BootstrapAPI key for Azure AI Foundry inference.
Entra ID tenant ID
inferenceFoundryTenantId
stringMDM onlyDirectory (tenant) ID of the Entra ID app registration that has the Cognitive Services scope.
Entra ID client ID
inferenceFoundryClientId
stringMDM onlyApplication (client) ID of the Entra ID app registration. Device-code sign-in requires the app to allow public client flows.
Entra ID sign-in flow
inferenceFoundryAuthFlow
enumMDM + BootstrapHow interactive Entra ID sign-in runs: device-code (default) shows a code to enter at microsoft.com/devicelogin; browser opens the system browser for an authorization-code (PKCE) sign-in. One of: device-code, browser.
The browser flow sends a loopback redirect URI, so the app registration must include “http://127.0.0.1/callback” under the “Mobile and desktop applications” platform (Entra ignores the loopback port, but not the path), and it works with “Allow public client flows” disabled. Conditional Access policies that block the device-code authentication flow do not affect the browser flow. App versions that predate this key always use device code.

Gateway

SettingTypeAvailabilityDefaultDescription
Gateway base URL
inferenceGatewayBaseUrl
stringMDM + BootstrapFull URL of the inference gateway endpoint.
Gateway API key
inferenceGatewayApiKey
stringMDM + BootstrapAPI key for the configured inference gateway.
Gateway auth scheme
inferenceGatewayAuthScheme
enumMDM + BootstrapbearerHow the gateway credential is sent on the wire (Authorization: Bearer vs x-api-key header). One of: bearer, x-api-key. Defaults to bearer.
Gateway SSO IdP (OIDC)
inferenceGatewayOidc
objectMDM + BootstrapExternal IdP for gateway sign-in. The user authenticates against this issuer; the resulting token (ID token by default) is sent to the gateway as the Bearer credential. Leave unset only if the gateway is its own OAuth authorization server.
External IdP mode. The app discovers <issuer>/.well-known/openid-configuration, runs an OIDC authorization-code-with-PKCE flow in the system browser with clientId, and sends the resulting token as Authorization: Bearer on every inference request — see Bearer token type below for how the gateway validates it.Bearer token type. id_token (the default) sends the OIDC ID token — the gateway validates signature + iss + aud, where aud is the clientId configured here. access_token sends the OAuth access token — the gateway validates as an OAuth resource server against the audience/scope the IdP issued the token for; set scopes to the gateway’s registered API scope (required in this mode). Use access_token for gateways that expect a resource-server token (Portkey, Kong, Envoy JWT filter, AWS API Gateway authorizers).The gateway MUST validate iss AND aud, not just the signature. Signature + issuer alone accepts any token from the same tenant, including tokens issued to unrelated apps. In id_token mode the audience is the clientId:
# LiteLLM example — `audience` is REQUIRED, not optional
general_settings:
  litellm_jwtauth:
    public_key_url: https://login.microsoftonline.com/<tenant>/discovery/v2.0/keys
    audience: <clientId>           # ⚠ omitting this accepts any token from the tenant
IdP setup. The app’s loopback callback binds http://127.0.0.1:<port>/callback (RFC 8252 §7.3). Register 127.0.0.1; most IdPs do not treat localhost and 127.0.0.1 as interchangeable. Entra: register a public-client app, add a Mobile and desktop applications redirect URI of http://127.0.0.1/callback. (Microsoft’s docs say the path is wildcarded for loopback; in practice it is not: http://127.0.0.1 without /callback fails with AADSTS50011. The port IS wildcarded.) Grant openid profile email offline_access (delegated, no admin consent); in access_token mode also add the gateway API’s delegated permission under API permissions (and ensure the gateway’s own app registration exposes that scope via Expose an API) — without it Entra rejects the sign-in with AADSTS65001. Okta: register a Native app with the exact redirect URI http://127.0.0.1:<port>/callback and set redirectPort here to that port (Okta requires an exact match).Refresh: offline_access returns a refresh token; the app refreshes the bearer silently before expiry. When refresh fails (revoked, idle past the IdP’s window), the user re-authenticates in the browser. Google Workspace caveat (id_token mode only): Google never returns id_token on a refresh-token grant, so a Google-backed gateway in id_token mode will prompt a browser sign-in roughly once per ID-token TTL (~1h). Entra and Okta return a fresh id_token and are unaffected; access_token mode is unaffected on all IdPs.Leave this unset for a gateway that hosts its own RFC 8414 metadata at <baseUrl>/.well-known/oauth-authorization-server (the original gateway-as-AS path).
FieldTypeDefaultDescription
clientIdstring
issuerstring
authorizationUrlstring
tokenUrlstring
bearerTokenTypeenumid_tokenWhich token to send as the gateway bearer. Use access token for gateways that validate as an OAuth resource server. One of: id_token, access_token.
scopesstring
appendOfflineAccessbooleantrueAutomatically append offline_access to scopes so the IdP returns a refresh token for silent refresh. Turn off only if your authorization server rejects offline_access as an unknown scope; include the server’s own refresh-token scope in Scopes instead.
redirectPortinteger
additionalRedirectReferrerHostsstringSpace-separated hostnames also accepted as the referrer of the sign-in callback. Only needed when the IdP completes sign-in from a host other than the authorization URL’s; the rejected host is named in the app log.

Models

SettingTypeAvailabilityDefaultDescription
Model discovery
modelDiscoveryEnabled
booleanMDM + BootstrapAuto-populate the model picker from the provider at launch.
Model list
inferenceModels
object[]MDM + BootstrapOverride the auto-discovered model list. First entry is the default.
Auto-populate the model picker from the provider’s model-list endpoint at launch. For gateway and Anthropic providers, a config that doesn’t set this key skips discovery automatically when the model list below already makes it unnecessary; the toggle here only sets it explicitly on or off. Turn off if the endpoint isn’t reachable from your network, or to use a fixed list. When off, the model list below is required and must use full model IDs (aliases like sonnet/opus are resolved via discovery).
Use the provider’s exact model ID: Vertex publisher IDs (claude-sonnet-4@20250514), Bedrock inference-profile IDs (us.anthropic.claude-sonnet-4-...-v1:0), or Foundry deployment names. The first entry is the default. Entries may be plain ID strings or objects.Gateway: the name must be the exact ID your gateway’s /v1/models endpoint returns. If you set supports1m on an alias (sonnet) but discovery returns the full ID, the variant won’t appear.Extended context (supports1m) is a capability assertion you make about your deployment; only set it for models you’ve confirmed support the 1M-token window:
[{"name": "claude-opus-4", "supports1m": true}, "claude-sonnet-4"]
Display label (labelOverride) is for IDs the picker can’t derive a friendly name from (Bedrock ARNs, gateway routing aliases). Display-only; name is still what the app sends:
[{"name": "arn:aws:bedrock:us-east-1:123:application-inference-profile/abc", "labelOverride": "Claude Opus (Prod)"}]
Tier mapping (anthropicFamilyTier) tells the app which Claude tier (haiku/sonnet/opus/fable/mythos) an entry stands in for, so bare tier aliases (e.g. in the Code tab) resolve to your model. isFamilyDefault: true picks the winner when several entries share a tier:
[{"name": "us.anthropic.claude-opus-4-...-v1:0", "anthropicFamilyTier": "opus"}]
FieldTypeDefaultDescription
namestring
labelOverridestringShown in the model picker. Leave blank to auto-format from the ID.
supports1mboolean
anthropicFamilyTierenumWhich Claude tier this model stands in for. Pins the bare alias (e.g. ‘opus’) and, for opus/fable, the refusal fallback. One of: sonnet, opus, haiku, fable, mythos.
isFamilyDefaultboolean

Vertex

SettingTypeAvailabilityDefaultDescription
GCP project ID
inferenceVertexProjectId
stringMDM + BootstrapGoogle Cloud project ID for Vertex AI inference.
GCP region
inferenceVertexRegion
stringMDM + BootstrapGCP region where your Vertex AI Claude models are deployed.
Vertex AI base URL
inferenceVertexBaseUrl
stringMDM + BootstrapPSC endpoint, if using one.
Vertex OAuth client ID
inferenceVertexOAuthClientId
stringMDM + BootstrapDesktop-app OAuth client ID. Enables Sign in with Google instead of a credentials file.
Vertex OAuth client secret
inferenceVertexOAuthClientSecret
stringMDM + BootstrapSecret for the Desktop-app OAuth client above.
Vertex OAuth scopes
inferenceVertexOAuthScopes
stringMDM + BootstrapOverride the Google OAuth scopes (space-separated). Leave blank for the default.
Vertex OAuth login hint
inferenceVertexOAuthLoginHint
stringMDM + BootstrapPre-fill Google’s account chooser and forward to your federated IdP. {username} expands to the OS login name.
Workforce Identity audience
inferenceVertexWorkforceAudience
stringMDM + BootstrapWorkforce-pool provider audience. When set, sign-in uses your own IdP plus a GCP STS exchange instead of a Google identity.
Workforce Identity billing project
inferenceVertexWorkforceUserProject
stringMDM + BootstrapGCP project for STS billing and quota. Defaults to the Vertex project ID above.
Workforce Identity IdP (OIDC)
inferenceVertexWorkforceOidc
objectMDM + BootstrapYour organization’s OIDC IdP. The app runs an authorization-code-with-PKCE flow against this issuer and exchanges the returned ID token at GCP STS.
GCP credentials file path
inferenceVertexCredentialsFile
stringMDM onlyAbsolute path to service-account JSON. Leave blank to fall back to ADC.
FieldTypeDefaultDescription
clientIdstring
issuerstring
authorizationUrlstring
tokenUrlstring
scopesstring
redirectPortinteger
omitOfflineAccessbooleanOnly enable if your IdP rejects the offline_access scope on this client. Without it the app cannot refresh silently and will prompt for sign-in each time the IdP token expires.
additionalRedirectReferrerHostsstringSpace-separated hostnames also accepted as the referrer of the sign-in callback. Only needed when the IdP completes sign-in from a host other than the authorization URL’s; the rejected host is named in the app log.

Workspace restrictions

Authentication

SettingTypeAvailabilityDefaultDescription
Disable Claude.ai sign-in
disableDeploymentModeChooser
booleanMDM onlyfalseUsers see only this provider at the login screen. The option to sign in to Claude.ai is hidden. Defaults to false.
Disable claude:// deep-link handling
disableDeepLinkRegistration
booleanMDM onlyfalseStop external apps and websites from opening Cowork via claude:// links. Defaults to false.

Chat surface

SettingTypeAvailabilityDefaultDescription
Allow Chat tab
chatTabEnabled
booleanMDM + Bootstrap · BetaEnable the Chat tab. Quick questions and drafting.
Advanced file analysis
chatAdvancedFileAnalysisEnabled
booleanMDM + Bootstrap · BetaAllow Claude to run code in a local sandbox to analyze attached files it can’t read natively — like Excel and PowerPoint — and perform inline data analysis. The sandbox can only read files attached to the conversation and has no network access. Off by default.

Code surface

SettingTypeAvailabilityDefaultDescription
Allow Claude Code tab
isClaudeCodeForDesktopEnabled
booleanMDM + BootstraptrueEnable the Code tab. Claude writes and runs code. Defaults to true.

Cowork surface

SettingTypeAvailabilityDefaultDescription
Allow Cowork tab
coworkTabEnabled
booleanMDM + BootstraptrueEnable the Cowork tab. Claude works on longer tasks like research, analysis, and documents. Defaults to true.

Workspace

SettingTypeAvailabilityDefaultDescription
Disabled built-in tools
disabledBuiltinTools
string[]MDM + BootstrapBuilt-in tools removed from Cowork.
Disable bundled skills and workflows
disableBundledSkills
booleanMDM + BootstrapDisables Claude Code’s bundled skills and workflows (deep-research and similar). Use where they cannot function, for instance when WebFetch is egress-blocked and the gateway does not forward the WebSearch server tool.
Built-in tool policy
builtinToolPolicy
objectMDM + BootstrapPer-tool approval policy. “ask” requires user approval before each call; “allow” is the default. Use Disabled built-in tools to remove a tool entirely.
Allow Auto mode
autoModeEnabled
booleanMDM + BootstrapfalseOffer Auto mode in the Cowork and Code permission selectors. Claude decides which actions need approval. Defaults to false.
Allowed workspace folders
allowedWorkspaceFolders
object[]MDM + BootstrapFolders users may attach as a workspace. Leave unset for unrestricted access. Supports ~ and a fixed set of environment variables.
Allowed egress hosts
coworkEgressAllowedHosts
string[]MDM + BootstrapHostnames the agent’s tools may reach from the Cowork and Code tabs. Also surfaced under Egress Requirements.
Require full VM sandbox
requireCoworkFullVmSandbox
booleanMDM + Bootstrap · DeprecatedfalseRuns tools inside an isolated VM instead of the host. Stronger isolation; slower file access and no host-process tools. Defaults to false.
When enabled, users can select Auto mode (Code tab) / Act without asking (Cowork tab). Claude runs a safety classifier on each action and only prompts for approval on actions it judges risky, instead of following the static per-tool policy.Requires a model that supports the classifier (Claude 4.6+). Older models show the option greyed out. builtinToolPolicy and this key may both be set; Auto mode is a user-selectable option alongside the default policy, not a replacement for it.In the Code tab, a separately deployed Claude Code managed-settings file that sets disableAutoMode to "disable" overrides this key and keeps Auto mode hidden.
Paths can reference ~ and these environment variables, expanded per user: %OneDrive%, %OneDriveCommercial%, %OneDriveConsumer%, %APPDATA%, %LOCALAPPDATA%, %USERNAME%, %XDG_DOCUMENTS_DIR%. The set is fixed; an entry that references any other %VAR%, or one that is unset on the device, is ignored.
FieldTypeDefaultDescription
pathstring
isDefaultSelectedbooleanShows as a folder chip on the new-task page and skips the trust prompt. Users can remove it.
Applies to both the Cowork and Code tabs. In the Cowork tab it governs the sandbox’s web fetch, shell commands, and package installs. In the Code tab it is translated into Claude Code’s network sandbox allowlist; a separately deployed Claude Code managed-settings file on the endpoint takes precedence by default.Does not apply to Web Search, which runs server-side at your inference provider rather than from the sandbox.Only affects tool calls. Inference and MCP traffic are covered by their own allowlists elsewhere. When unset, only the inference endpoint is reachable from the sandbox; the agent’s package installs (pip/npm) and web fetches will fail with a 403.Accepts exact hostnames (api.github.com), wildcards (*.corp.com matches one subdomain level), and * to allow all. *.corp.com matches docs.corp.com but not corp.com itself; add both if you need the apex. IP literals and localhost always resolve regardless of this list; this is a public-egress filter, not a sandbox.Hosts you add here also need to be open on your network firewall. See Egress Requirements for the full allowlist.

Connectors & extensions

Authentication

SettingTypeAvailabilityDefaultDescription
Microsoft 365 native sign-in broker
microsoftAuthBroker
enumMDM onlyautoSet to “disabled” to force browser-based Microsoft 365 sign-in instead of the native Company Portal / Windows account broker. One of: auto, disabled. Defaults to auto.

Extensions

SettingTypeAvailabilityDefaultDescription
Allow desktop extensions
isDesktopExtensionEnabled
booleanMDM + Bootstrapfalse.dxt and .mcpb installs. Defaults to false. Previously named isDxtEnabled.
Require signed extensions
isDesktopExtensionSignatureRequired
booleanMDM + BootstrapfalseReject desktop extensions that are not signed by a trusted publisher. Defaults to false. Previously named isDxtSignatureRequired.
1P builds default to enabled at runtime unless this is explicitly set. In 3P, enabling this allows loading extensions; local install additionally requires an org policy backend.

MCP

SettingTypeAvailabilityDefaultDescription
Managed MCP servers
managedMcpServers
object[]MDM + BootstrapOrg-pushed MCP servers: remote (HTTP/SSE) or local (stdio command). May embed bearer tokens.
Allow user-added MCP servers
isLocalDevMcpEnabled
booleanMDM + BootstraptrueLocal stdio servers added via the Developer settings. Remote servers come from the managed list above, or plugins mounted to a user’s computer by an organization admin. Defaults to true.
For OAuth-authenticated entries, the app builds the redirect URI as http://<callbackHost>:<callbackPort>/callback; register that exact value with the OAuth provider. Tokens refresh automatically during a session, so users aren’t interrupted when the initial access token expires.toolPolicy locks the per-tool approval state, keyed by tool name. Keys may contain * wildcards ("read_*" matches every tool whose name starts with read_; matching is anchored and * is the only wildcard, identical to Claude Code permission-rule globs). An exact-name key wins over matching wildcard keys, with two exceptions in the stricter direction: in the Code tab, forwarded blocked/ask wildcard rules take precedence over a less strict exact key, and in chat approval flows and always-allow persistence a wildcard ask key keeps every matching tool behind a per-call prompt (no persistent always-allow) even when a more permissive exact-name key matches — for direct (imperative) tool invocations such as artifact or widget tool calls, the exact-name key still decides. When several wildcard keys match a tool, the strictest applies (blocked > ask > allow). "blocked" removes the tool from the session and labels it admin-blocked. "ask" requires approval on every call (Allow once / Deny only; no persistent always-allow). "allow" pre-approves. Tools not listed follow the user’s choice: the prompt offers a persistent Always allow, except for tools that can modify data, which instead show a session-scoped Allow for this task alongside Allow for all tasks with a malicious-instruction warning. In the Code tab, blocked/ask are forwarded as Claude Code permission rules; allow is not.For the bundled Microsoft 365 connector, the send tools (outlook_send_mail, outlook_send_draft, outlook_forward_mail, outlook_create_event, outlook_update_event) cannot be loosened below ask — an allow setting resolves to ask.
FieldTypeDefaultDescription
namestring
serverstringOne of: microsoft365, websearch.
tenantIdstringYour organization’s Microsoft Entra directory (tenant) ID.
clientIdstringEntra public-client (PKCE) app registration ID.
azureCloudenumMicrosoft cloud for sign-in and Graph. Leave as global for commercial Microsoft 365; US Government clouds require your own app registration (Client ID). One of: global, us-gov-high, us-gov-dod.
scopestringWhat the server may request at sign-in. If blank, Desktop’s default read set is used.
toolPolicyobjectLock the approval state for specific tools. Unlisted tools stay user-controlled.
headersobject
headersHelperstringScript that prints the auth header as a JSON object to stdout. Runs before each request (cached for the TTL below) so the key can come from a secrets manager instead of being stored inline.
headersHelperTtlSecinteger
providerenumRuns search from the desktop, for inference providers without native web search (Bedrock, custom gateways). On Anthropic API and Vertex, the model’s built-in web search is available without this. Set the provider’s auth header below — Brave: X-Subscription-Token, Exa: x-api-key, Tavily: Authorization (Bearer …). One of: brave, tavily, exa, custom.
customUrlstringPOST endpoint accepting {q} JSON and returning a results[] array. Only used when provider is Custom.
transportenumOne of: http, sse, stdio.
urlstring
oauthobject
oauth.clientIdstring
oauth.clientSecretstringOnly for IdPs whose token endpoint requires a client secret (e.g. Box). Leave blank for PKCE-only public clients.
oauth.clientSecretHelperstringExecutable that prints the client secret on stdout. Overrides the inline value.
oauth.authorizationServerstring[]Issuer URLs the OAuth sign-in may use, as a JSON array. Pre-filled by presets; ask your IdP admin if unsure.
oauth.tenantIdstringRequired for single-tenant Entra apps. Leave blank for multi-tenant or non-Microsoft IdPs.
oauth.scopestring
oauth.appendOfflineAccessbooleanAdds offline_access to the authorize request so the IdP returns a refresh token for silent renewal. Leave off if Scope already includes it or the server rejects it.
oauth.callbackHostenumUse localhost only if your IdP’s registered redirect URI specifies it. One of: 127.0.0.1, localhost.
oauth.callbackPortintegerOnly set if your IdP requires an exact-match redirect port. Entra accepts any.
commandstringAbsolute path to the server executable, run on the user’s machine.
argsstring[]
envobject
startupTimeoutSecinteger120Maximum wait in seconds for the server to start and list its tools.

Telemetry & updates

SettingTypeAvailabilityDefaultDescription
Organization UUID
deploymentOrganizationUuid
stringMDM + BootstrapA UUID you generate. Tags telemetry so Anthropic support can locate your fleet’s events. If unset, a shared placeholder UUID is sent and your events can’t be distinguished from other unconfigured deployments. Not used for auth.
Block essential telemetry
disableEssentialTelemetry
booleanMDM onlyfalseCrash and performance reports to Anthropic. Defaults to false.
Block nonessential telemetry
disableNonessentialTelemetry
booleanMDM + BootstrapfalseProduct-usage analytics and diagnostic-report uploads. No message content. Defaults to false.
Block nonessential services
disableNonessentialServices
booleanMDM + BootstrapfalseFavicon fetch and the artifact-preview iframe origin. Artifacts will not render. Defaults to false.
“Essential” means the signals Anthropic needs to keep your deployment working: crash stacks, startup failure reasons, and version/OS metadata. No prompts, completions, file contents, or identifiers beyond a random install ID.What you lose when this is on: when a Cowork build hits a bug that only reproduces on your OS version or locale, Anthropic can’t see it unless a user manually reports. Fixes ship slower.Why this is discouraged, not blocked: some air-gapped environments require zero outbound telemetry as a matter of policy. The switch exists for them. If you don’t have that constraint, leave it off.
“Nonessential” covers two things: product-usage analytics (which features get used, navigation patterns; no prompts or completions) and the Send action in Help → Generate Diagnostic Report. Turning this on stops both.Destination for both: claude.ai. Already listed under Egress Requirements → Nonessential telemetry.

Auto update

SettingTypeAvailabilityDefaultDescription
Block auto-updates
disableAutoUpdates
booleanMDM + BootstrapfalseStop Cowork from fetching updates. You’ll need to push new versions yourself. Defaults to false.
Auto-update enforcement window
autoUpdaterEnforcementHours
integerMDM + BootstrapHours before a downloaded update force-installs. Blank = 72-hour default. Range: 1–72.

OTLP

SettingTypeAvailabilityDefaultDescription
OpenTelemetry collector endpoint
otlpEndpoint
stringMDM + BootstrapWhere Cowork sends OpenTelemetry logs and metrics. Leave blank to disable.
OpenTelemetry exporter protocol
otlpProtocol
enumMDM + Bootstraphttp/protobufgrpc or http/protobuf. One of: http/protobuf, http/json, grpc. Defaults to http/protobuf.
OpenTelemetry exporter headers
otlpHeaders
objectMDM + BootstrapOptional auth headers for the collector.
OpenTelemetry resource attributes
otlpResourceAttributes
objectMDM + BootstrapExtra resource attributes to attach to every span/metric.
Desktop telemetry export level
otlpDesktopLogLevel
enumMDM + BootstraperrorControls the Claude Desktop application’s events, separate from Cowork and Code sessions. Defaults to error. One of: off, error, warn, info, debug. Defaults to error.
Content capture categories
otlpContentCapture
enum[]MDM + BootstrapContent categories the desktop exporter sends unredacted to your collector. Leave empty to redact all content (default). One of: userPrompts, assistantResponses, toolDetails, toolContent, rawApiBodies.
Each category enables a class of raw content in OpenTelemetry events sent to your collector (this data never reaches Anthropic). userPrompts — user-typed prompt text. assistantResponses — assistant message text. toolDetails — tool input arguments, e.g. the web-search query string. toolContent — tool output content, e.g. fetched page text or command stdout. rawApiBodies — full inference API request and response bodies. These mirror Claude Code’s OTEL_LOG_* env vars; see the Claude Code monitoring docs.

Usage limits

Token limits

SettingTypeAvailabilityDefaultDescription
Max tokens per window
inferenceMaxTokensPerWindow
integerMDM + BootstrapPer-user soft cap, counted client-side over the duration below. Not a server-enforced quota.
Token cap window
inferenceTokenWindowHours
integerMDM + BootstrapTumbling window length for the token cap. Max 720 hours (30 days). Range: 1–720.

Appearance

SettingTypeAvailabilityDefaultDescription
Organization banner
banner
objectMDM + BootstrapA persistent banner across the top of the app window after sign-in.

Plugins & skills

SettingTypeAvailabilityDefaultDescription
Organization plugins endpoint
organizationPluginsUrl
stringMDM + BootstrapTypically supplied by your bootstrap server. Ignored when bootstrap is disabled.
Organization plugin settings
orgPluginSettings
object[]MDM + BootstrapAdmin policy applied to plugin-delivered MCP servers.
Plugin marketplaces
allowedPluginMarketplaces
object[]MDM + Bootstrap · BetaGit repositories to surface as plugin marketplaces in the Directory’s Organization tab. Users can browse and install plugins from these sources; the app re-clones each repository periodically to pick up updates.
Applies toolPolicy locks to MCP servers that arrive via the org-plugins directory, keyed by server name. Either shape is accepted; when hand-authoring a profile, use the legacy record shape until your fleet floor parses the canonical array form:
{"mcpServers": {"internal-search": {"toolPolicy": {"delete_document": "blocked"}}}}
If a Managed MCP servers entry and an org-plugin server share a name, the Managed MCP servers entry wins and its toolPolicy (if any) applies; the entry here for that name is ignored.
FieldTypeDefaultDescription
serverNamestring
toolsobject[]
tools.toolNamestring
tools.permissionenumOne of: allow, ask, blocked.
FieldTypeDefaultDescription
sourcestringOne of: github, git.
repostring
refstringCommit SHA, branch, or tag. Leave empty to track the default branch.
pathstringFolder within the repository that contains the marketplace, when it isn’t at the root.
expectedNamestringRejects the marketplace if its manifest name differs.
installationPreferenceenumWhether users install plugins themselves or get them automatically. One of: available, auto_install, required.
credentialKindenumHow clones authenticate: anonymously, with the user’s git credentials, or via a helper executable. One of: anonymous, userGit, credentialHelper.
credentialHelperstringExecutable that prints an access token for this repository.
urlstring

Source

SettingTypeAvailabilityDefaultDescription
Claude.ai data import
claudeAiImport
objectBootstrap onlyExport endpoint and OAuth client for importing a user’s Claude.ai conversation history into this deployment. Delivered by the bootstrap server only.
FieldTypeDefaultDescription
urlstring
oauthIssuerstring
oauthClientIdstring

Bootstrap

SettingTypeAvailabilityDefaultDescription
Use bootstrap config
bootstrapEnabled
booleanMDM onlytrueFetch and apply the URL above at launch. Turn off to keep the URL saved but skip the fetch. Defaults to true.
Bootstrap config URL
bootstrapUrl
stringMDM onlyHTTPS endpoint that returns a per-user JSON config overlay. Values from the response override local settings and become read-only.
Bootstrap OIDC parameters
bootstrapOidc
objectMDM onlyWhen set, the bootstrap request sends a Bearer token from a browser sign-in (authorization-code-with-PKCE).
Set this to use a separate identity provider (Microsoft Entra ID, Okta, Ping, or any compliant OIDC provider) for the bootstrap sign-in. The app runs an authorization-code-with-PKCE flow in the system browser. Omit to use device-code mode against the bootstrap server’s own origin.This is an object-typed key — in an MDM profile it is a single JSON-string value, not separate keys with dotted names like bootstrapOidc.clientId. Writing the sub-fields as separate registry values causes the app to silently fall through to device-code mode.
FieldTypeDefaultDescription
clientIdstring
issuerstring
authorizationUrlstring
tokenUrlstring
scopesstringSpace-separated; the token’s audience must match what your bootstrap server validates.
redirectPortinteger
additionalRedirectReferrerHostsstringSpace-separated hostnames also accepted as the referrer of the sign-in callback. Only needed when the IdP completes sign-in from a host other than the authorization URL’s; the rejected host is named in the app log.

Guides

The profiles below are illustrative examples rather than built-in presets, and the labels are descriptive only. Use them as starting points and adjust for your environment. Layer the inference-provider keys for your cloud on top of whichever profile you choose.
Recommended for most enterprise deployments. Telemetry and auto-updates stay on so Anthropic can diagnose issues and ship fixes; users can extend Claude Desktop with their own connectors.