Key Principle
Org policy is enforced through managed settings that override local developer config — the outermost ring of the defense-in-depth stack (permissions → sandboxing → hooks), the only ring a developer cannot edit away (Section: Set up Claude Code for an organization). Deployment decisions go in order: (1) pick an API provider, (2) decide how settings reach devices, (3) decide what to enforce, (4) usage visibility, (5) data handling (Section: Deployment decisions).
Why This Matters
Without the managed-settings layer, every safety control is set per-developer and can be relaxed locally. Account-level concerns (SSO, SCIM, seat assignment) live in the Enterprise Administrator Guide, not in managed settings (p. 1).
Good Examples
Provider choice (Section: Choose API provider). Default recommendation: Claude for Teams / Enterprise (one per-seat subscription, no infra). Others: Claude Console (API/pay-as-you-go), Amazon Bedrock (AWS compliance), Google Vertex AI (GCP), Microsoft Foundry (Azure).
Caveat: Claude Code on the web, Routines, Code Review, Remote Control, and the Chrome extension are NOT available through Console API keys or cloud-provider credentials alone — they need a Claude.ai account (Section: Choose API provider).
Settings delivery — four sources, checked in priority order; first non-empty config wins (Section: How settings reach devices):
| Mechanism | Location | Priority |
|---|---|---|
| Server-managed | Claude.ai admin console (refreshes hourly; needs Teams/Enterprise) | Highest |
| plist / registry policy | macOS `com.anthropic.claudecode`; Windows `HKLM\SOFTWARE\Policies\ClaudeCode` | High |
| File-based managed | macOS `/Library/Application Support/ClaudeCode/managed-settings.json`; Linux/WSL `/etc/claude-code/managed-settings.json`; Windows `C:\Program Files\ClaudeCode\managed-settings.json` | Medium |
| Windows user registry | `HKCU\SOFTWARE\Policies\ClaudeCode` | Lowest |
Array merge semantics: managed values override user/project settings, but array settings like `permissions.allow`/`permissions.deny` merge entries from all sources — developers can extend managed lists but cannot remove managed entries (p. 1).
What to enforce (Section: What to enforce):
- Permission rules: `permissions.allow`, `permissions.deny`; lockdown via `allowManagedPermissionRulesOnly`, `permissions.disableBypassPermissionsMode`.
- Sandboxing: `sandbox.enabled`, `sandbox.network.allowedDomains` (OS-enforced network domain allowlist).
- MCP control: `allowedMcpServers`, `deniedMcpServers`, `allowManagedMcpServersOnly`, or a deployed `managed-mcp.json`.
- Plugin/customization lockdown: `strictKnownMarketplaces`, `blockedMarketplaces`, `strictPluginOnlyCustomization`.
- Hook restrictions: `allowManagedHooksOnly`, `allowedHttpHookUrls`.
- Version floor: `minimumVersion`; stronger range `requiredMinimumVersion`/`requiredMaximumVersion` (refuse to start outside an approved range).
Verify setting sources: run `/status` → Status tab → the "Setting sources" line shows "Enterprise managed settings" with the source in parentheses: (remote), (plist), (HKLM), (HKCU), or (file) (Section: Verify & troubleshoot).
Analytics dashboards by plan (Section: Track team usage with analytics):
| Plan | URL | Access |
|---|---|---|
| Teams / Enterprise | claude.ai/analytics/claude-code | Admins and Owners |
| API / Console | platform.claude.com/claude-code | UsageView permission → Developer, Billing, Admin, Owner, Primary Owner |
Contribution metrics (public beta; Teams/Enterprise only): Owner enables at claude.ai/admin-settings/claude-code; a GitHub admin installs the app at github.com/apps/claude; enable the "GitHub analytics" toggle. Data appears within ~24h (p. 10).
PR attribution algorithm: on merge, extract added lines, find CC sessions editing matching files in the window, match lines, compute AI-assisted vs total. Time window: 21 days before to 2 days after the merge date. Attributed merged PRs get the GitHub label claude-code-assisted (query programmatically by searching this label). Code rewritten >20% by developers is not attributed (p. 10).
Counterpoints
- Server-managed requires Teams/Enterprise. Bedrock/Vertex/Foundry deployments must fall back to file-based or OS-level. Mixed-provider orgs need both (p. 1).
- `HKCU` is writable without elevation → a convenience default, not an enforcement channel. Use plist / `HKLM` (need admin) for tamper resistance (p. 1).
- WSL reads only `/etc/claude-code` by default. To extend Windows registry + `C:\Program Files\ClaudeCode` policy into WSL, set `wslInheritsWindowsSettings: true` in an admin-only Windows source (p. 1).
- Permissions vs sandboxing: denying `WebFetch` blocks Claude's fetch tool, but if `Bash` is allowed, `curl`/`wget` still reach any URL — sandboxing closes that gap (p. 1).
- Contribution metrics are not available with Zero Data Retention (dashboard shows usage metrics only); they cover only your claude.ai org, not Console API or third-party usage (p. 10).
- Per-user token counts and cost estimates are not in the dashboards — configure OpenTelemetry export (`OTEL_*`) (p. 10). Console spend figures are estimates; use the billing page for actual costs.
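An added illustration (not Claude Code's own implementation) of the source-precedence and array-merge semantics from "How settings reach devices" and of the permissions-vs-sandboxing gap in the counterpoints above; the managed and local configs are constructed samples, and the merge logic is a model of the behaviour the notes describe, not the product's code:

```python
from copy import deepcopy
# Managed sources in the priority order the notes give; the first non-empty one is used.
MANAGED_SOURCE_ORDER = ("remote", "plist", "HKLM", "file", "HKCU")

# Constructed sample: only a file-based managed-settings.json is deployed (no Teams/Enterprise).
MANAGED_SOURCES = {
    "remote": {},
    "file": {
        "permissions": {"deny": ["WebFetch"], "allow": ["Read"]},
        "sandbox": {"enabled": True, "network": {"allowedDomains": ["github.com"]}},
    },
}

# Constructed sample: a developer's local settings that try to relax the managed controls.
LOCAL_SETTINGS = {
    "permissions": {"deny": [], "allow": ["Bash"]},
    "sandbox": {"enabled": False},
}

def pick_managed_source(sources):
    """Return (name, config) of the highest-priority non-empty managed source."""
    for name in MANAGED_SOURCE_ORDER:
        if sources.get(name):
            return name, sources[name]
    return None, {}

def merge_settings(managed, local):
    """Managed scalars override local; lists are unioned so managed entries survive local edits."""
    merged = deepcopy(local)
    for key, mval in managed.items():
        lval = merged.get(key)
        if isinstance(mval, dict) and isinstance(lval, dict):
            merged[key] = merge_settings(mval, lval)
        elif isinstance(mval, list) and isinstance(lval, list):
            merged[key] = list(mval) + [x for x in lval if x not in mval]
        else:
            merged[key] = deepcopy(mval)
    return merged

def effective_settings(sources=MANAGED_SOURCES, local=LOCAL_SETTINGS):
    """Resolve the settings a device would actually run with."""
    _, managed = pick_managed_source(sources)
    return merge_settings(managed, local)

def has_fetch_gap(settings):
    """True when WebFetch is denied but Bash is allowed and no sandbox blocks curl/wget."""
    perms = settings.get("permissions", {})
    return ("WebFetch" in perms.get("deny", [])
            and "Bash" in perms.get("allow", [])
            and not settings.get("sandbox", {}).get("enabled", False))
```

With the sample inputs, the local attempt to empty `permissions.deny` and switch the sandbox off has no effect, while the local `Bash` allow entry is kept alongside the managed `Read` entry.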
Key Commands & Config
/status # see Setting sources (remote|plist|HKLM|HKCU|file)
permissions.allow / permissions.deny # merge across sources
allowManagedPermissionRulesOnly · permissions.disableBypassPermissionsMode
sandbox.enabled · sandbox.network.allowedDomains
allowedMcpServers · deniedMcpServers · allowManagedMcpServersOnly · managed-mcp.json
strictKnownMarketplaces · blockedMarketplaces · strictPluginOnlyCustomization
allowManagedHooksOnly · allowedHttpHookUrls · disableAgentView
minimumVersion · requiredMinimumVersion · requiredMaximumVersion
wslInheritsWindowsSettings: true
GitHub label: claude-code-assisted (21-day window: -21d to +2d of merge)
Data handling: on Team/Enterprise/API/cloud-provider plans, Anthropic does not train on your code or prompts. Zero Data Retention (ZDR) is available to qualified Enterprise accounts (p. 1).
Rules of Thumb
- Default to Claude for Teams / Enterprise unless you must inherit a cloud provider's billing/compliance.
- Enforce through plist / `HKLM` / file managed-settings, never `HKCU`.
- Use both permission rules AND sandboxing — they gate different layers.
- Wire OpenTelemetry for per-user visibility; dashboards alone won't give it.
Related References
- Authentication - how devices authenticate to the chosen provider
- Provider Deployment — Amazon Bedrock & Mantle - cloud-provider fallback for managed settings
- Permissions & Layered Safety - the inner rings of the defense-in-depth stack