Recommended rollout
For most organizations, we recommend the following rollout:
Evaluate on a single machine
An admin installs Claude Desktop on their own device and uses the in-app configuration window to build and test a working configuration against your inference provider.
Allow required network egress
Open the hostnames your configuration requires on your perimeter firewall. The configuration window lists them for the exact settings you’ve chosen.
Export and deploy via MDM
From the configuration window, export the validated configuration as a .mobileconfig (macOS) or .reg (Windows) file and distribute it through Jamf, Intune, Group Policy, or your MDM of choice.
1. Build a configuration in the app
Launch Claude Desktop. Do not sign in or create an Anthropic account — stay on the login screen.
- macOS
- Windows
From the macOS menu bar at the top of the screen:
- Go to Help → Troubleshooting → Enable Developer Mode to reveal the Developer menu.
- Then go to Developer → Configure third-party inference to open the configuration window.
| Section | What you set |
|---|---|
| Connection | |
| Workspace restrictions | |
| Connectors & extensions | |
| Telemetry & updates | |
| Usage limits | |
| Appearance | |
| Plugins & skills | |
| Egress Requirements | |
| Source | |
When a managed (MDM-delivered) configuration is already present on the device, the configuration window opens read-only. It shows what the admin deployed but won’t let the user change or override it. To author a new configuration, use a device without a managed profile, or temporarily remove the profile. (Profiles that set only the two update keys are an exception; see how the update keys are treated.)
2. Export the profile
Once your configuration tests successfully, click Export and choose a format:
| Format | Platform | Deploy with |
|---|---|---|
| .mobileconfig | macOS | Jamf, Kandji, Mosyle, Workspace ONE, or any Apple MDM |
| .reg | Windows | Group Policy (import into a GPO), Intune (via custom ADMX or script), or any MDM that can write registry policy |
| .zip (ADMX template) | Windows | Schema-only template for Intune or Group Policy; you enter values in the management console |
| .plist (Profile Manifest) | macOS | Schema-only template for Jamf, ProfileCreator, or similar macOS tools |
- Apply locally writes the selected configuration to your own machine’s Claude settings and relaunches the app, so you can test it end to end before deploying it.
- Export writes a .mobileconfig or .reg file and leaves your local settings untouched.
Creating profiles for multiple user groups
Many organizations deploy distinct configurations to different populations: for example, a permissive profile for an engineering pilot group and a restricted profile for the broader rollout, or per-region profiles that point at different inference endpoints. The configuration window can hold multiple named configurations. Use the picker in the top-right of the window:
- New configuration creates an empty configuration.
- Duplicate copies the current configuration as a starting point for a variant.
- Rename and Delete manage the list.
- Reveal in Finder opens the on-disk location where saved configurations are stored.
3. Allow required network egress
The hosts the app needs to reach depend on the configuration you built: your inference provider’s endpoint is always required, and each telemetry, update, and service setting you leave enabled adds its own hosts. The configuration window shows the exact allowlist for your settings and can export it as a text file for your network team. Open these hosts on your perimeter firewall before rolling out to devices. See Telemetry and egress for the full list of hosts grouped by the setting that controls each one, and for the distinction between the perimeter firewall and the in-app sandbox allowlist.
4. Deploy the configuration
Push the exported configuration through your MDM. The app reads from these locations:
- macOS
- Windows
| Source | Path | Precedence |
|---|---|---|
| Managed (per-user) | /Library/Managed Preferences/<user>/com.anthropic.claudefordesktop.plist | Highest |
| Managed (machine) | /Library/Managed Preferences/com.anthropic.claudefordesktop.plist | |
| Local (user) | ~/Library/Application Support/Claude-3p/configLibrary/ | Lowest |
A .mobileconfig profile delivered by MDM lands in the Managed Preferences locations automatically. Both managed paths are read; where a key appears in both, the per-user value wins.
configLibrary/ are ignored.
Update keys and managed precedence
The update keys disableAutoUpdates and autoUpdaterEnforcementHours are treated specially, so you can set an update policy from MDM without managing the whole configuration. When a managed source sets only these keys (one or both), the device keeps its locally authored configuration and the configuration window stays editable. The update keys themselves are still enforced as a pair: both are resolved from the managed source alone, so a locally set value for either key is ignored even if the profile only sets the other one.
If the managed profile sets any other recognized key, the normal rule above applies and the whole configuration is managed.
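The precedence and update-key rules above can be modelled for fleet audits. The sketch below is an added example, not code from Claude Desktop. The names load_managed, resolve and placeholderSetting are hypothetical, the key value types are assumed, and every key other than the two update keys is assumed to count as a recognized key.

```python
import plistlib
from pathlib import Path

# The two update keys named on this page.
UPDATE_KEYS = {"disableAutoUpdates", "autoUpdaterEnforcementHours"}

def load_managed(path):
    """Read one Managed Preferences plist; a missing file means no managed source."""
    p = Path(path)
    if not p.is_file():
        return {}
    with p.open("rb") as fh:
        return plistlib.load(fh)  # handles both XML and binary plists

def resolve(machine, per_user, local):
    """Model which settings apply, given the three sources as dicts."""
    # Both managed paths are read; on a shared key the per-user value wins.
    managed = {**machine, **per_user}
    if not managed:
        return {"mode": "local", "editable": True, "effective": dict(local)}
    if set(managed) <= UPDATE_KEYS:
        # Update-only profile: the local configuration is kept, but BOTH update
        # keys come from the managed source alone, so a local value for either
        # key is dropped even when the profile sets only the other one.
        effective = {k: v for k, v in local.items() if k not in UPDATE_KEYS}
        effective.update(managed)
        return {"mode": "local+managed-updates", "editable": True,
                "effective": effective}
    # Any other key makes the whole configuration managed and read-only.
    # Assumption: every non-update key counts as "recognized".
    return {"mode": "managed", "editable": False, "effective": dict(managed)}

if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    machine = {"disableAutoUpdates": True}
    local = {"placeholderSetting": "local-value", "autoUpdaterEnforcementHours": 4}
    print(resolve(machine, {}, local))
```

On a device, pass the two Managed Preferences paths from the table above to load_managed and compare the reported mode with what the MDM was meant to deliver.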