Server-Managed Claude Code Settings Rollout
Roll out Claude Code server-managed settings for Teams and Enterprise: configure JSON in Claude.ai Admin Settings, understand delivery and caching, verify with /permissions, and use forceRemoteSettingsRefresh when fail-closed startup is required.
Open the source and read safety notes before installing.
Safety notes
- Server-managed settings are client-side controls—users with admin access on unmanaged devices can tamper with caches; use endpoint-managed settings with MDM for stronger guarantees.
- Hooks and shell commands in managed JSON trigger security approval dialogs on first apply.
- Third-party model providers bypass server-managed settings per official platform availability table.
Privacy notes
- Managed hooks may log file edits—document audit script behavior to users.
- Audit log export requires compliance API access through your Anthropic account team.
- Cached settings live at ~/.claude/remote-settings.json on client machines.
Prerequisites
- Claude for Teams or Claude for Enterprise plan.
- Claude Code 2.1.38+ (Teams) or 2.1.30+ (Enterprise).
- Network access to api.anthropic.com for managed settings delivery.
- Primary Owner or Owner role in Claude.ai admin console.
Schema details
- Install type: copy
- Reading time: 9 min
- Difficulty score: 56
- Troubleshooting: Yes
- Breaking changes: No
Full copyable content
In Claude.ai Admin Settings > Claude Code > Managed settings, publish JSON policy, have users restart Claude Code or wait for hourly polling, verify with /permissions, and enable forceRemoteSettingsRefresh when startup must block until policy loads.
About this resource
TL;DR
Server-managed settings let Teams and Enterprise admins publish Claude Code
configuration JSON from Claude.ai. Clients fetch policy at startup and poll hourly.
Settings occupy the highest precedence tier. Use /permissions to verify delivery
and forceRemoteSettingsRefresh when startup must block until fresh policy loads.
Prerequisites & Requirements
- Plan eligibility: Teams or Enterprise with supported Claude Code versions
- Admin role: Primary Owner or Owner can edit Managed settings
- Network path: Clients reach api.anthropic.com
- Pilot users: Small group validates policy before org-wide rollout
Core Concepts Explained
Server-managed vs endpoint-managed
Official docs compare server-managed delivery (Anthropic servers at authentication) with endpoint-managed plist/registry files for MDM-enrolled devices. MDM provides stronger OS-level enforcement.
Delivery precedence
Server-managed settings are checked before endpoint-managed sources. The first managed source delivering a non-empty configuration wins; sources do not merge.
Caching behavior
On a first launch with no cache, settings are fetched asynchronously, which leaves a brief window before restrictions apply. On later launches, cached settings apply immediately while a background refresh runs.
Step-by-Step Implementation Guide
1. Open admin console. Claude.ai → Admin Settings → Claude Code → Managed settings.
2. Draft JSON policy. Example permission deny list from official docs:

    {
      "permissions": {
        "deny": [
          "Bash(curl *)",
          "Read(./.env)",
          "Read(./secrets/**)"
        ],
        "disableBypassPermissionsMode": "disable"
      },
      "allowManagedPermissionRulesOnly": true
    }

3. Save and communicate restart. Users receive updates on next startup or hourly polling; ask pilot users to restart and approve security dialogs for hooks or custom env vars when present.
4. Verify delivery. Have users run /permissions to view effective managed rules; use /status to see which managed source is active.
5. Optional fail-closed startup. Add "forceRemoteSettingsRefresh": true when the CLI must block until a fresh fetch succeeds (requires reliable api.anthropic.com access).
6. Document limitations. Settings apply uniformly to all org users; per-group configs are not supported yet; managed-mcp.json files are not distributed, so use the allowedMcpServers/deniedMcpServers keys instead.
7. Plan audit access. Request compliance API or audit log export through your Anthropic account team for change tracking.
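A pre-publish lint for the draft policy described in the steps above, added here as an example; it is not code from the official docs or from any Anthropic tooling. The function name lint_policy, the rule-shape regex and the top-level "hooks" key check are assumptions for illustration; the remaining keys are the ones this guide names.

```python
import json
import re

# Rule shape inferred from the page's examples, e.g. "Bash(curl *)" and
# "Read(./.env)"; a bare tool name is also accepted. Assumption, not a spec.
RULE_RE = re.compile(r"^[A-Za-z_]\w*(\(.+\))?$")
BOOL_KEYS = ("allowManagedPermissionRulesOnly", "forceRemoteSettingsRefresh")

def lint_policy(text):
    """Return (errors, warnings) for a draft managed-settings JSON string."""
    errors, warnings = [], []
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"], warnings
    if not isinstance(policy, dict) or not policy:
        # Per the page, only a non-empty configuration counts as delivered.
        return ["policy must be a non-empty JSON object"], warnings
    for key in BOOL_KEYS:
        if key in policy and not isinstance(policy[key], bool):
            errors.append(f"{key} must be a JSON boolean, got {policy[key]!r}")
    perms = policy.get("permissions", {})
    if not isinstance(perms, dict):
        errors.append("permissions must be an object")
        perms = {}
    deny = perms.get("deny", [])
    if not isinstance(deny, list):
        errors.append("permissions.deny must be an array")
        deny = []
    for i, rule in enumerate(deny):
        if not isinstance(rule, str) or not RULE_RE.match(rule):
            errors.append(f"permissions.deny[{i}] is malformed: {rule!r}")
    if perms.get("disableBypassPermissionsMode") != "disable":
        warnings.append("disableBypassPermissionsMode is not set to 'disable'")
    if policy.get("allowManagedPermissionRulesOnly") is not True:
        warnings.append("allowManagedPermissionRulesOnly is not true")
    if "hooks" in policy:
        warnings.append("hooks present: expect a security approval dialog")
    if policy.get("forceRemoteSettingsRefresh") is True:
        warnings.append("fail-closed startup: api.anthropic.com must be reachable")
    return errors, warnings

# The page's example policy, followed by a constructed draft with mistakes.
PAGE_EXAMPLE = '''{"permissions": {"deny": ["Bash(curl *)", "Read(./.env)",
  "Read(./secrets/**)"], "disableBypassPermissionsMode": "disable"},
  "allowManagedPermissionRulesOnly": true}'''
BAD_DRAFT = '''{"permissions": {"deny": ["Bash(curl *", 42]},
  "forceRemoteSettingsRefresh": "true", "hooks": {}}'''
```

Run lint_policy on the draft text before pasting it into the admin console; treat errors as blockers and warnings as items to confirm with the pilot group.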
Troubleshooting
User still has old permissions
Wait for hourly poll or restart Claude Code; check /status for active managed source.
Startup exits with forceRemoteSettingsRefresh
Confirm api.anthropic.com is reachable; per the v2.1.139 docs, claude auth login is exempt from the check, so users can still run it.
Settings bypassed unexpectedly
Third-party providers (Bedrock, Vertex, Foundry, custom ANTHROPIC_BASE_URL) bypass server-managed settings per platform availability section.
Source Verification Notes
Verified against https://code.claude.com/docs/en/server-managed-settings on 2026-06-16:
- Requires Teams/Enterprise and Claude Code 2.1.38+ (Teams) or 2.1.30+ (Enterprise).
- Admin console path: Admin Settings > Claude Code > Managed settings.
- Fetch at startup with hourly polling; cached at ~/.claude/remote-settings.json.
- Hooks, shell commands, and non-allowlisted env vars trigger security approval dialogs.
- forceRemoteSettingsRefresh blocks startup until fresh fetch when enabled.
- Invalid entries are stripped with tolerant parsing on v2.1.169+.
Duplicate Check
Complements enterprise settings and permissions guides. No existing guide walks through server-managed settings admin console rollout and delivery verification using official server-managed-settings documentation.
References
- Configure server-managed settings - https://code.claude.com/docs/en/server-managed-settings