Set up Claude Code for your organization

A decision map for administrators deploying Claude Code, covering API providers, managed settings, policy enforcement, usage monitoring, and data handling.

Claude Code enforces organization policy through managed settings that take precedence over local developer configuration. You deliver those settings from the Claude admin console, your mobile device management (MDM) system, or a file on disk. The settings control which tools, commands, servers, and network destinations Claude can reach.

This page walks through the deployment decisions in order. Each row links to the section below and to the reference page for that area.

Decision	What you're choosing	Reference
Choose your API provider	Where Claude Code authenticates and how it's billed	Authentication, Bedrock, Vertex AI, Foundry
Decide how settings reach devices	How managed policy reaches developer machines	Server-managed settings, Settings files
Decide what to enforce	Which tools, commands, and integrations are allowed	Permissions, Sandboxing
Set up usage visibility	How you track spend and adoption	Analytics, Monitoring, Costs
Review data handling	Data retention and compliance posture	Data usage, Security

Choose your API provider

Claude Code connects to Claude through one of several API providers. Your choice affects billing, authentication, and which compliance posture you inherit.

Provider	Choose this when
Claude for Teams / Enterprise	You want Claude Code and claude.ai under one per-seat subscription with no infrastructure to run. This is the default recommendation.
Claude Console	You're API-first or want pay-as-you-go billing
Amazon Bedrock	You want to inherit existing AWS compliance controls and billing
Google Vertex AI	You want to inherit existing GCP compliance controls and billing
Microsoft Foundry	You want to inherit existing Azure compliance controls and billing

For the full provider comparison covering authentication, regions, and feature parity, see the enterprise deployment overview. Each provider's auth setup is in Authentication.

Proxy and firewall requirements in Network configuration apply regardless of provider. If you want a single endpoint in front of multiple providers or centralized request logging, see LLM gateway.

Decide how settings reach devices

Managed settings define policy that takes precedence over local developer configuration. Claude Code looks for them in four places and uses the first one it finds on a given device.

Mechanism	Delivery	Priority	Platforms
Server-managed	Claude.ai admin console	Highest	All
plist / registry policy	macOS: `com.anthropic.claudecode` plist Windows: `HKLM\SOFTWARE\Policies\ClaudeCode`	High	macOS, Windows
File-based managed	macOS: `/Library/Application Support/ClaudeCode/managed-settings.json` Linux and WSL: `/etc/claude-code/managed-settings.json` Windows: `C:\Program Files\ClaudeCode\managed-settings.json`	Medium	All
Windows user registry	`HKCU\SOFTWARE\Policies\ClaudeCode`	Lowest	Windows only

Server-managed settings reach devices at authentication time and refresh hourly during active sessions, with no endpoint infrastructure. They require a Claude for Teams or Enterprise plan, so deployments on other providers need one of the file-based or OS-level mechanisms instead.

If your organization mixes providers, configure server-managed settings for Claude.ai users plus a file-based or plist/registry fallback so other users still receive managed policy.

The plist and HKLM registry locations work with any provider and resist tampering because they require admin privileges to write. The Windows user registry at HKCU is writable without elevation, so treat it as a convenience default rather than an enforcement channel.

Whichever mechanism you choose, managed values take precedence over user and project settings. Array settings such as permissions.allow and permissions.deny merge entries from all sources, so developers can extend managed lists but not remove from them.

See Server-managed settings and Settings files and precedence.

Decide what to enforce

Managed settings can lock down tools, sandbox execution, restrict MCP servers and plugin sources, and control which hooks run. Each row is a control surface with the setting keys that drive it.

Control	What it does	Key settings
Permission rules	Allow, ask, or deny specific tools and commands	`permissions.allow`, `permissions.deny`
Permission lockdown	Only managed permission rules apply; disable `--dangerously-skip-permissions`	`allowManagedPermissionRulesOnly`, `permissions.disableBypassPermissionsMode`
Sandboxing	OS-level filesystem and network isolation with domain allowlists	`sandbox.enabled`, `sandbox.network.allowedDomains`
Managed policy CLAUDE.md	Org-wide instructions loaded in every session, cannot be excluded	File at the managed policy path
MCP server control	Restrict which MCP servers users can add or connect to	`allowedMcpServers`, `deniedMcpServers`, `allowManagedMcpServersOnly`
Plugin marketplace control	Restrict which marketplace sources users can add	`strictKnownMarketplaces`, `blockedMarketplaces`
Hook restrictions	Only managed hooks load; restrict HTTP hook URLs	`allowManagedHooksOnly`, `allowedHttpHookUrls`
Version floor	Prevent auto-update from installing below an org-wide minimum	`minimumVersion`

Permission rules and sandboxing cover different layers. Denying WebFetch blocks Claude's fetch tool, but if Bash is allowed, curl and wget can still reach any URL. Sandboxing closes that gap with a network domain allowlist enforced at the OS level.

For the threat model these controls defend against, see Security.

Set up usage visibility

Choose monitoring based on what you need to report on.

Capability	What you get	Availability	Where to start
Usage monitoring	OpenTelemetry export of sessions, tools, and tokens	All providers	Monitoring usage
Analytics dashboard	Per-user metrics, contribution tracking, leaderboard	Anthropic only	Analytics
Cost tracking	Spend limits, rate limits, and usage attribution	Anthropic only	Costs

Cloud providers expose spend through AWS Cost Explorer, GCP Billing, or Azure Cost Management. Claude for Teams and Enterprise plans include a usage dashboard at claude.ai/analytics/claude-code.

Review data handling

On Team, Enterprise, Claude API, and cloud provider plans, Anthropic does not train models on your code or prompts. Your API provider determines retention and compliance posture.

Topic	What to know	Where to start
Data usage policy	What Anthropic collects, how long it's retained, what's never used for training	Data usage
Zero Data Retention (ZDR)	Nothing stored after the request completes. Available on Claude for Enterprise	Zero data retention
Security architecture	Network model, encryption, authentication, audit trail	Security

If you need request-level audit logging or to route traffic by data sensitivity, place an LLM gateway between developers and your provider. For regulatory requirements and certifications, see Legal and compliance.

Verify and onboard

After configuring managed settings, have a developer run /status inside Claude Code. The output includes a line beginning with Enterprise managed settings followed by the source in parentheses, one of (remote), (plist), (HKLM), (HKCU), or (file). See Verify active settings.

Share these resources to help developers get started:

Quickstart: first-session walkthrough from install to working with a project
Common workflows: patterns for everyday tasks like code review, refactoring, and debugging
Claude 101 and Claude Code in Action: self-paced Anthropic Academy courses

For login issues, point developers to authentication troubleshooting. The most common fixes are:

Run /logout then /login to switch accounts
Run claude update if the enterprise auth option is missing
Restart the terminal after updating

If a developer sees "You haven't been added to your organization yet," their seat doesn't include Claude Code access and needs to be updated in the admin console.

Next steps

With provider and delivery mechanism chosen, move on to detailed configuration:

Server-managed settings: deliver managed policy from the Claude admin console
Settings reference: every setting key, file location, and precedence rule
Amazon Bedrock, Google Vertex AI, Microsoft Foundry: provider-specific deployment
Claude Enterprise Administrator Guide: SSO, SCIM, seat management, and rollout playbook

admin-setup.md +130 −0 created

1> ## Documentation Index

2> Fetch the complete documentation index at: https://code.claude.com/docs/llms.txt

3> Use this file to discover all available pages before exploring further.

5# Set up Claude Code for your organization

7> A decision map for administrators deploying Claude Code, covering API providers, managed settings, policy enforcement, usage monitoring, and data handling.

9Claude Code enforces organization policy through managed settings that take precedence over local developer configuration. You deliver those settings from the Claude admin console, your mobile device management (MDM) system, or a file on disk. The settings control which tools, commands, servers, and network destinations Claude can reach.

11This page walks through the deployment decisions in order. Each row links to the section below and to the reference page for that area.

13<Note>

14 SSO, SCIM provisioning, and seat assignment are configured at the Claude account level. See the [Claude Enterprise Administrator Guide](https://claude.com/resources/tutorials/claude-enterprise-administrator-guide) and [seat assignment](https://support.claude.com/en/articles/11845131-use-claude-code-with-your-team-or-enterprise-plan) for those steps.

15</Note>

17| Decision | What you're choosing | Reference |

18| :---------------------------------------------------------------------- | :-------------------------------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------- |

19| [Choose your API provider](#choose-your-api-provider) | Where Claude Code authenticates and how it's billed | [Authentication](/en/authentication), [Bedrock](/en/amazon-bedrock), [Vertex AI](/en/google-vertex-ai), [Foundry](/en/microsoft-foundry) |

20| [Decide how settings reach devices](#decide-how-settings-reach-devices) | How managed policy reaches developer machines | [Server-managed settings](/en/server-managed-settings), [Settings files](/en/settings#settings-files) |

21| [Decide what to enforce](#decide-what-to-enforce) | Which tools, commands, and integrations are allowed | [Permissions](/en/permissions), [Sandboxing](/en/sandboxing) |

22| [Set up usage visibility](#set-up-usage-visibility) | How you track spend and adoption | [Analytics](/en/analytics), [Monitoring](/en/monitoring-usage), [Costs](/en/costs) |

23| [Review data handling](#review-data-handling) | Data retention and compliance posture | [Data usage](/en/data-usage), [Security](/en/security) |

25## Choose your API provider

27Claude Code connects to Claude through one of several API providers. Your choice affects billing, authentication, and which compliance posture you inherit.

29| Provider | Choose this when |

30| :---------------------------- | :------------------------------------------------------------------------------------------------------------------------------------ |

31| Claude for Teams / Enterprise | You want Claude Code and claude.ai under one per-seat subscription with no infrastructure to run. This is the default recommendation. |

32| Claude Console | You're API-first or want pay-as-you-go billing |

33| Amazon Bedrock | You want to inherit existing AWS compliance controls and billing |

34| Google Vertex AI | You want to inherit existing GCP compliance controls and billing |

35| Microsoft Foundry | You want to inherit existing Azure compliance controls and billing |

37For the full provider comparison covering authentication, regions, and feature parity, see the [enterprise deployment overview](/en/third-party-integrations). Each provider's auth setup is in [Authentication](/en/authentication).

39Proxy and firewall requirements in [Network configuration](/en/network-config) apply regardless of provider. If you want a single endpoint in front of multiple providers or centralized request logging, see [LLM gateway](/en/llm-gateway).

41## Decide how settings reach devices

43Managed settings define policy that takes precedence over local developer configuration. Claude Code looks for them in four places and uses the first one it finds on a given device.

46| :---------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------- | :------------- |

47| Server-managed | Claude.ai admin console | Highest | All |

49| File-based managed | macOS: `/Library/Application Support/ClaudeCode/managed-settings.json`<br />Linux and WSL: `/etc/claude-code/managed-settings.json`<br />Windows: `C:\Program Files\ClaudeCode\managed-settings.json` | Medium | All |

52Server-managed settings reach devices at authentication time and refresh hourly during active sessions, with no endpoint infrastructure. They require a Claude for Teams or Enterprise plan, so deployments on other providers need one of the file-based or OS-level mechanisms instead.

54If your organization mixes providers, configure [server-managed settings](/en/server-managed-settings) for Claude.ai users plus a [file-based or plist/registry fallback](/en/settings#settings-files) so other users still receive managed policy.

56The plist and HKLM registry locations work with any provider and resist tampering because they require admin privileges to write. The Windows user registry at HKCU is writable without elevation, so treat it as a convenience default rather than an enforcement channel.

58Whichever mechanism you choose, managed values take precedence over user and project settings. Array settings such as `permissions.allow` and `permissions.deny` merge entries from all sources, so developers can extend managed lists but not remove from them.

60See [Server-managed settings](/en/server-managed-settings) and [Settings files and precedence](/en/settings#settings-files).

62## Decide what to enforce

64Managed settings can lock down tools, sandbox execution, restrict MCP servers and plugin sources, and control which hooks run. Each row is a control surface with the setting keys that drive it.

66| Control | What it does | Key settings |

67| :------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------- | :---------------------------------------------------------------------------- |

68| [Permission rules](/en/permissions) | Allow, ask, or deny specific tools and commands | `permissions.allow`, `permissions.deny` |

69| [Permission lockdown](/en/permissions#managed-only-settings) | Only managed permission rules apply; disable `--dangerously-skip-permissions` | `allowManagedPermissionRulesOnly`, `permissions.disableBypassPermissionsMode` |

70| [Sandboxing](/en/sandboxing) | OS-level filesystem and network isolation with domain allowlists | `sandbox.enabled`, `sandbox.network.allowedDomains` |

71| [Managed policy CLAUDE.md](/en/memory#deploy-organization-wide-claude-md) | Org-wide instructions loaded in every session, cannot be excluded | File at the managed policy path |

72| [MCP server control](/en/mcp#managed-mcp-configuration) | Restrict which MCP servers users can add or connect to | `allowedMcpServers`, `deniedMcpServers`, `allowManagedMcpServersOnly` |

73| [Plugin marketplace control](/en/plugin-marketplaces#managed-marketplace-restrictions) | Restrict which marketplace sources users can add | `strictKnownMarketplaces`, `blockedMarketplaces` |

74| [Hook restrictions](/en/settings#hook-configuration) | Only managed hooks load; restrict HTTP hook URLs | `allowManagedHooksOnly`, `allowedHttpHookUrls` |

75| [Version floor](/en/settings) | Prevent auto-update from installing below an org-wide minimum | `minimumVersion` |

77Permission rules and sandboxing cover different layers. Denying WebFetch blocks Claude's fetch tool, but if Bash is allowed, `curl` and `wget` can still reach any URL. Sandboxing closes that gap with a network domain allowlist enforced at the OS level.

79For the threat model these controls defend against, see [Security](/en/security).

81## Set up usage visibility

83Choose monitoring based on what you need to report on.

86| :------------------ | :--------------------------------------------------- | :------------- | :--------------------------------------- |

91Cloud providers expose spend through AWS Cost Explorer, GCP Billing, or Azure Cost Management. Claude for Teams and Enterprise plans include a usage dashboard at [claude.ai/analytics/claude-code](https://claude.ai/analytics/claude-code).

93## Review data handling

95On Team, Enterprise, Claude API, and cloud provider plans, Anthropic does not train models on your code or prompts. Your API provider determines retention and compliance posture.

97| Topic | What to know | Where to start |

98| :------------------------ | :------------------------------------------------------------------------------ | :--------------------------------------------- |

99| Data usage policy | What Anthropic collects, how long it's retained, what's never used for training | [Data usage](/en/data-usage) |

100| Zero Data Retention (ZDR) | Nothing stored after the request completes. Available on Claude for Enterprise | [Zero data retention](/en/zero-data-retention) |

101| Security architecture | Network model, encryption, authentication, audit trail | [Security](/en/security) |

102

103If you need request-level audit logging or to route traffic by data sensitivity, place an [LLM gateway](/en/llm-gateway) between developers and your provider. For regulatory requirements and certifications, see [Legal and compliance](/en/legal-and-compliance).

104

105## Verify and onboard

106

107After configuring managed settings, have a developer run `/status` inside Claude Code. The output includes a line beginning with `Enterprise managed settings` followed by the source in parentheses, one of `(remote)`, `(plist)`, `(HKLM)`, `(HKCU)`, or `(file)`. See [Verify active settings](/en/settings#verify-active-settings).

108

109Share these resources to help developers get started:

110

111* [Quickstart](/en/quickstart): first-session walkthrough from install to working with a project

112* [Common workflows](/en/common-workflows): patterns for everyday tasks like code review, refactoring, and debugging

113* [Claude 101](https://anthropic.skilljar.com/claude-101) and [Claude Code in Action](https://anthropic.skilljar.com/claude-code-in-action): self-paced Anthropic Academy courses

114

115For login issues, point developers to [authentication troubleshooting](/en/troubleshooting#authentication-issues). The most common fixes are:

116

117* Run `/logout` then `/login` to switch accounts

118* Run `claude update` if the enterprise auth option is missing

119* Restart the terminal after updating

120

121If a developer sees "You haven't been added to your organization yet," their seat doesn't include Claude Code access and needs to be updated in the admin console.

122

123## Next steps

124

125With provider and delivery mechanism chosen, move on to detailed configuration:

126

127* [Server-managed settings](/en/server-managed-settings): deliver managed policy from the Claude admin console

128* [Settings reference](/en/settings): every setting key, file location, and precedence rule

129* [Amazon Bedrock](/en/amazon-bedrock), [Google Vertex AI](/en/google-vertex-ai), [Microsoft Foundry](/en/microsoft-foundry): provider-specific deployment

130* [Claude Enterprise Administrator Guide](https://claude.com/resources/tutorials/claude-enterprise-administrator-guide): SSO, SCIM, seat management, and rollout playbook