Skip to main content
Setup and access
Set up Claude Code for your organization
A decision map for administrators deploying Claude Code, covering API providers, managed settings, policy enforcement, usage monitoring, and data handling.
Claude Code enforces organization policy through managed settings that take precedence over local developer configuration. You deliver those settings from the Claude admin console, your mobile device management (MDM) system, or a file on disk. The settings control which tools, commands, servers, and network destinations Claude can reach.
This page walks through the deployment decisions in order. Each row links to the section below and to the reference page for that area.
For the full provider comparison covering authentication, regions, and feature parity, see the enterprise deployment overview. Each provider’s auth setup is in Authentication.
Proxy and firewall requirements in Network configuration apply regardless of provider. If you want a single endpoint in front of multiple providers or centralized request logging, see LLM gateway.
Server-managed settings reach devices at authentication time and refresh hourly during active sessions, with no endpoint infrastructure. They require a Claude for Teams or Enterprise plan, so deployments on other providers need one of the file-based or OS-level mechanisms instead.
If your organization mixes providers, configure server-managed settings for Claude.ai users plus a file-based or plist/registry fallback so other users still receive managed policy.
The plist and HKLM registry locations work with any provider and resist tampering because they require admin privileges to write. The Windows user registry at HKCU is writable without elevation, so treat it as a convenience default rather than an enforcement channel.
By default WSL reads only the Linux file path at
Permission rules and sandboxing cover different layers. Denying WebFetch blocks Claude’s fetch tool, but if Bash is allowed,
Cloud providers expose spend through AWS Cost Explorer, GCP Billing, or Azure Cost Management. Claude for Teams and Enterprise plans include a usage dashboard at claude.ai/analytics/claude-code.
If you need request-level audit logging or to route traffic by data sensitivity, place an LLM gateway between developers and your provider. For regulatory requirements and certifications, see Legal and compliance.
SSO, SCIM provisioning, and seat assignment are configured at the Claude account level. See the Claude Enterprise Administrator Guide and seat assignment for those steps.
Choose your API provider
Claude Code connects to Claude through one of several API providers. Your choice affects billing, authentication, and which compliance posture you inherit.| Provider | Choose this when |
|---|---|
| Claude for Teams / Enterprise | You want Claude Code and claude.ai under one per-seat subscription with no infrastructure to run. This is the default recommendation. |
| Claude Console | You’re API-first or want pay-as-you-go billing |
| Amazon Bedrock | You want to inherit existing AWS compliance controls and billing |
| Google Vertex AI | You want to inherit existing GCP compliance controls and billing |
| Microsoft Foundry | You want to inherit existing Azure compliance controls and billing |
Decide how settings reach devices
Managed settings define policy that takes precedence over local developer configuration. Claude Code looks for them in four places and uses the first one it finds on a given device.| Mechanism | Delivery | Priority | Platforms |
|---|---|---|---|
| Server-managed | Claude.ai admin console | Highest | All |
| plist / registry policy | macOS: com.anthropic.claudecode plistWindows: HKLM\SOFTWARE\Policies\ClaudeCode | High | macOS, Windows |
| File-based managed | macOS: /Library/Application Support/ClaudeCode/managed-settings.jsonLinux and WSL: /etc/claude-code/managed-settings.jsonWindows: C:\Program Files\ClaudeCode\managed-settings.json | Medium | All |
| Windows user registry | HKCU\SOFTWARE\Policies\ClaudeCode | Lowest | Windows only |
/etc/claude-code. To extend your Windows registry and C:\Program Files\ClaudeCode policy to WSL on the same machine, set wslInheritsWindowsSettings: true in either of those admin-only Windows sources.
Whichever mechanism you choose, managed values take precedence over user and project settings. Array settings such as permissions.allow and permissions.deny merge entries from all sources, so developers can extend managed lists but not remove from them.
See Server-managed settings and Settings files and precedence.
Decide what to enforce
Managed settings can lock down tools, sandbox execution, restrict MCP servers and plugin sources, and control which hooks run. Each row is a control surface with the setting keys that drive it.| Control | What it does | Key settings |
|---|---|---|
| Permission rules | Allow, ask, or deny specific tools and commands | permissions.allow, permissions.deny |
| Permission lockdown | Only managed permission rules apply; disable --dangerously-skip-permissions | allowManagedPermissionRulesOnly, permissions.disableBypassPermissionsMode |
| Sandboxing | OS-level filesystem and network isolation with domain allowlists | sandbox.enabled, sandbox.network.allowedDomains |
| Managed policy CLAUDE.md | Org-wide instructions loaded in every session, cannot be excluded | File at the managed policy path |
| MCP server control | Restrict which MCP servers users can add or connect to | allowedMcpServers, deniedMcpServers, allowManagedMcpServersOnly |
| Plugin marketplace control | Restrict which marketplace sources users can add and install from | strictKnownMarketplaces, blockedMarketplaces |
| Hook restrictions | Only managed hooks load; restrict HTTP hook URLs | allowManagedHooksOnly, allowedHttpHookUrls |
| Version floor | Prevent auto-update from installing below an org-wide minimum | minimumVersion |
curl and wget can still reach any URL. Sandboxing closes that gap with a network domain allowlist enforced at the OS level.
For the threat model these controls defend against, see Security.
Set up usage visibility
Choose monitoring based on what you need to report on.| Capability | What you get | Availability | Where to start |
|---|---|---|---|
| Usage monitoring | OpenTelemetry export of sessions, tools, and tokens | All providers | Monitoring usage |
| Analytics dashboard | Per-user metrics, contribution tracking, leaderboard | Anthropic only | Analytics |
| Cost tracking | Spend limits, rate limits, and usage attribution | Anthropic only | Costs |
Review data handling
On Team, Enterprise, Claude API, and cloud provider plans, Anthropic does not train models on your code or prompts. Your API provider determines retention and compliance posture.Verify and onboard
After configuring managed settings, have a developer run/status inside Claude Code. The output includes a line beginning with Enterprise managed settings followed by the source in parentheses, one of (remote), (plist), (HKLM), (HKCU), or (file). See Verify active settings.
Share these resources to help developers get started:
- Quickstart: first-session walkthrough from install to working with a project
- Common workflows: patterns for everyday tasks like code review, refactoring, and debugging
- Claude 101 and Claude Code in Action: self-paced Anthropic Academy courses
- Run
/logoutthen/loginto switch accounts - Run
claude updateif the enterprise auth option is missing - Restart the terminal after updating
Next steps
With provider and delivery mechanism chosen, move on to detailed configuration:- Server-managed settings: deliver managed policy from the Claude admin console
- Settings reference: every setting key, file location, and precedence rule
- Amazon Bedrock, Google Vertex AI, Microsoft Foundry: provider-specific deployment
- Claude Enterprise Administrator Guide: SSO, SCIM, seat management, and rollout playbook