SpyBara
Go Premium

Documentation 2026-06-16 20:00 UTC to 2026-06-17 17:02 UTC

2 files changed +9 −19. View all changes and history on the product overview
2026
Wed 17 17:02 Tue 16 20:00 Mon 15 19:59 Sun 14 16:58 Sat 13 00:58 Fri 12 18:02 Thu 11 20:02 Wed 10 20:00 Tue 9 18:50 Sat 6 00:58 Fri 5 18:45 Thu 4 01:09 Wed 3 19:27 Tue 2 19:22
Details

162 162 

163Codex Admins can deploy admin-enforced `requirements.toml` policies from the Codex [Policies page](https://chatgpt.com/codex/settings/policies).163Codex Admins can deploy admin-enforced `requirements.toml` policies from the Codex [Policies page](https://chatgpt.com/codex/settings/policies).

164 164 

165Use this page when you want to apply different local Codex constraints to different groups without distributing device-level files first. The managed policy uses the same `requirements.toml` format described in [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), so you can define allowed approval policies, sandbox modes, web search behavior, network access requirements, MCP server allowlists, feature pins, and restrictive command rules. To disable Browser Use, the in-app browser, or Computer Use, see [Pin feature flags](https://developers.openai.com/codex/enterprise/managed-configuration#pin-feature-flags).165Use this page when you want to apply different local Codex constraints to different groups without distributing device-level files first. The managed policy uses the same `requirements.toml` format described in [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), so you can define allowed approval policies, sandbox modes, web search behavior, MCP server allowlists, feature pins, and restrictive command rules. To disable Browser Use, the in-app browser, or Computer Use, see [Pin feature flags](https://developers.openai.com/codex/enterprise/managed-configuration#pin-feature-flags).

166 166 

167<div class="max-w-1xl mx-auto py-1">167<div class="max-w-1xl mx-auto py-1">

168 <img src="https://developers.openai.com/images/codex/enterprise/policies_and_configurations_page.png"168 <img src="https://developers.openai.com/images/codex/enterprise/policies_and_configurations_page.png"

226computer_use = false226computer_use = false

227```227```

228 228 

229Example: define administrator-owned network requirements:

230 

231```toml

232experimental_network.enabled = true

233experimental_network.dangerously_allow_all_unix_sockets = true

234experimental_network.allow_local_binding = true

235experimental_network.allowed_domains = [

236 "api.openai.com",

237 "*.example.com",

238]

239experimental_network.denied_domains = [

240 "blocked.example.com",

241 "*.exfil.example.com",

242]

243```

244 

245Example: add a restrictive command rule when you want admins to block or gate specific commands:229Example: add a restrictive command rule when you want admins to block or gate specific commands:

246 230 

247```toml231```toml

Details

259 259 

260### Configure network access requirements260### Configure network access requirements

261 261 

262<WarningTip>

263 `[experimental_network]` is experimental and may change. Do not enable these

264 requirements broadly across an enterprise deployment without validating them

265 on the Codex client versions and operating systems your users run. Windows

266 support is still limited; avoid applying this policy to Windows users unless

267 you have tested it in your environment.

268</WarningTip>

269 

262Use `[experimental_network]` in `requirements.toml` when administrators should270Use `[experimental_network]` in `requirements.toml` when administrators should

263define network access requirements centrally. These requirements are separate271define network access requirements centrally. These requirements are separate

264from the user `features.network_proxy` toggle: they can configure sandboxed272from the user `features.network_proxy` toggle: they can configure sandboxed

267 275 

268```toml276```toml

269experimental_network.enabled = true277experimental_network.enabled = true

270experimental_network.dangerously_allow_all_unix_sockets = true

271experimental_network.allow_local_binding = true

272experimental_network.allowed_domains = [278experimental_network.allowed_domains = [

273 "api.openai.com",279 "api.openai.com",

274 "*.example.com",280 "*.example.com",