Choose an authentication approach
Mantle supports a bearer token only. There is no in-app AWS sign-in or named-profile support for this provider; if you need per-user IAM Identity Center authentication, use the standard Bedrock provider instead.

| Scenario | Use | Notes |
|---|---|---|
| Any Mantle deployment | Bearer token (inferenceBedrockBearerToken) | A long-lived token distributed in the managed profile. |
| Token must not be stored statically | Credential helper (inferenceCredentialHelper) | An executable that prints the bearer token to stdout at runtime. |
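
A minimal credential helper for the second row of the table above, as an added example that is not the vendor's code. It assumes the token was provisioned in the macOS login Keychain under the hypothetical service name example-mantle-token (overridable through the hypothetical MANTLE_KEYCHAIN_SERVICE variable), that the script is installed under the hypothetical file name mantle-token-helper, and that a non-zero exit status signals failure to the app. It prints only the token to stdout and refuses backend output that carries extra lines or control characters.

```shell
#!/bin/sh
# Added example: credential helper for inferenceCredentialHelper.
# Contract from the page: print the bearer token to stdout at runtime.
# Assumptions (not from the page): the Keychain service name, the installed
# file name, and that a non-zero exit status signals failure to the app.

KEYCHAIN_SERVICE="${MANTLE_KEYCHAIN_SERVICE:-example-mantle-token}"  # hypothetical

# Backend lookup. Default: macOS login Keychain; -w prints only the secret.
# Replace this function to read from another secret store.
fetch_secret() {
    security find-generic-password -s "$KEYCHAIN_SERVICE" -w 2>/dev/null
}

# Write the token, and nothing else, to stdout. Diagnostics go to stderr so
# they can never be mistaken for part of the token.
emit_token() {
    token=$(fetch_secret) || {
        echo "mantle-token-helper: secret lookup failed" >&2
        return 1
    }
    if [ -z "$token" ]; then
        echo "mantle-token-helper: backend returned an empty token" >&2
        return 2
    fi
    # $(...) already dropped trailing newlines. Any whitespace or control
    # character still present means the backend printed more than the token
    # (a warning line, a CRLF-edited secret), so refuse to pass it on.
    clean=$(printf '%s' "$token" | tr -d '[:space:][:cntrl:]')
    if [ "$clean" != "$token" ]; then
        echo "mantle-token-helper: unexpected characters in token" >&2
        return 3
    fi
    printf '%s\n' "$token"
}

# Run only when executed under the installed helper name, so the functions
# can be sourced and tested without touching the Keychain.
case "${0##*/}" in
    mantle-token-helper) emit_token ;;
esac
```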
Set up AWS
Enable Claude models in Amazon Bedrock for the region you will set as inferenceBedrockRegion, and obtain a Mantle bearer token for that account. See Set up AWS on the Bedrock page for the model-access step; the IAM Identity Center steps there are not needed for Mantle.
Prepare devices
Bearer token
No per-device preparation is required. Place the Mantle bearer token in the managed configuration as inferenceBedrockBearerToken.
The app reaches bedrock-mantle.<region>.api.aws (or the host in inferenceBedrockBaseUrl if you set one). This host is included automatically in the Egress Requirements section of the in-app configuration window. The .api.aws zone has no FIPS endpoint variant.
Configure the app
Open the in-app configuration window (Developer → Configure third-party inference). In the Connection section, set Inference provider to Bedrock Mantle, then fill in the credentials card:

| Field | Value |
|---|---|
| AWS region | e.g. us-east-1 |
| AWS bearer token | your Mantle bearer token |
| Bedrock base URL | optional |
/anthropic path (for example https://bedrock-mantle.us-east-1.api.aws/anthropic); it replaces the default bedrock-mantle.<region>.api.aws/anthropic endpoint.
Under Models, add at least one Model list entry. Mantle has no model-list endpoint, so model discovery is not available and inferenceModels is required.
Then click Export to produce a .mobileconfig (macOS) or .reg (Windows) file for your MDM. See Installation and setup for the export and deployment workflow.
Configuration keys
Mantle reuses the Bedrock key names. Only inferenceBedrockRegion, inferenceBedrockBearerToken, and inferenceBedrockBaseUrl apply; the other Bedrock keys below (inferenceBedrockProfile, inferenceBedrockSso*, inferenceBedrockAwsDir, inferenceBedrockAwsCliPath, inferenceBedrockServiceTier) are ignored for this provider.
| Key | Type | Availability | Default | Description |
|---|---|---|---|---|
| inferenceBedrockRegion | string | MDM + Bootstrap | — | AWS region for the Bedrock runtime endpoint. |
| inferenceBedrockBaseUrl | string | MDM + Bootstrap | — | For VPC endpoints or gateway proxies. Host origin only. |
| inferenceBedrockServiceTier | enum | MDM + Bootstrap | — | Sent as the X-Amzn-Bedrock-Service-Tier header. Leave unset for on-demand. One of: flex, priority. |
| inferenceBedrockBearerToken | string | MDM + Bootstrap | — | |
| inferenceBedrockSsoStartUrl | string | MDM + Bootstrap | — | Enables in-app AWS sign-in (no AWS CLI needed). Set with the three SSO fields below. |
| inferenceBedrockSsoRegion | string | MDM + Bootstrap | — | IAM Identity Center home region. |
| inferenceBedrockSsoAccountId | string | MDM + Bootstrap | — | 12-digit AWS account ID assigned to users in IAM Identity Center. |
| inferenceBedrockSsoRoleName | string | MDM + Bootstrap | — | IAM Identity Center permission-set name granting bedrock:InvokeModel* on the account above. |
| inferenceBedrockProfile | string | MDM only | — | |
| inferenceBedrockAwsDir | string | MDM only | — | Folder with AWS config/credentials. Defaults to ~/.aws when no bearer token is set. |
| inferenceBedrockAwsCliPath | string | MDM only | — | Absolute path to the aws executable. Leave unset to find it on PATH. |
inferenceModels. As with the standard Bedrock provider, server-side Web Search is not supported. See the Configuration reference.