enterprise/admin-setup.md +145 −87
1# Admin Setup1# Admin Setup
2 2
3Set up Codex for your ChatGPT Enterprise workspace
4
5This guide is for ChatGPT Enterprise admins who want to set up Codex for their workspace.3This guide is for ChatGPT Enterprise admins who want to set up Codex for their workspace.
6 4
5Use this page as the step-by-step rollout guide. It focuses on setup order and decision points. For detailed policy, configuration, and monitoring details, use the linked pages: [Authentication](https://developers.openai.com/codex/auth), [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security), [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), and [Governance](https://developers.openai.com/codex/enterprise/governance).
6
7## Enterprise-grade security and privacy7## Enterprise-grade security and privacy
8 8
9Codex supports ChatGPT Enterprise security features, including:9Codex supports ChatGPT Enterprise security features, including:
10 10
11- No training on enterprise data11- No training on enterprise data
1212- Zero data retention for the CLI and IDE- Zero data retention for the App, CLI, and IDE (code remains in developer environment)
1313- Residency and retention follow ChatGPT Enterprise policies- Residency and retention that follow ChatGPT Enterprise policies
14- Granular user access controls14- Granular user access controls
1515- Data encryption at rest (AES 256) and in transit (TLS 1.2+)- Data encryption at rest (AES-256) and in transit (TLS 1.2+)
16 16
1717For more, see [Security](https://developers.openai.com/codex/security).For security controls and runtime protections, see [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security). Refer to [Zero Data Retention (ZDR)](https://platform.openai.com/docs/guides/your-data#zero-data-retention) for more details.
18 18
19## Local vs. cloud setup19## Local vs. cloud setup
20 20
21Codex operates in two environments: local and cloud.21Codex operates in two environments: local and cloud.
22 22
23231. Local use includes the Codex app, CLI, and IDE extension. The agent runs on the developer’s computer in a sandbox.1. **Codex local** includes the Codex app, CLI, and IDE extension. The agent runs on the developer’s computer in a sandbox.
24242. Use in the cloud includes Codex cloud, iOS, Code Review, and tasks created by the [Slack integration](https://developers.openai.com/codex/integrations/slack). The agent runs remotely in a hosted container with your codebase.2. **Codex cloud** includes hosted Codex features (including Codex cloud, iOS, Code Review, and tasks created by the [Slack integration](https://developers.openai.com/codex/integrations/slack) or [Linear integration](https://developers.openai.com/codex/integrations/linear)). The agent runs remotely in a hosted container with your codebase.
25 25
2626Use separate permissions and role-based access control (RBAC) to control access to local and cloud features. You can enable local, cloud, or both for all users or for specific groups.You can enable local, cloud, or both, and control access with workspace settings and role-based access control (RBAC).
27 27
2828## Codex local setup## Step 0: Owners and rollout decision
29 29
3030### Enable Codex app, CLI, and IDE extension in workspace settingsEnsure you have the following owners:
31 31
3232To enable Codex locally for workspace members, go to [Workspace Settings > Settings and Permissions](https://chatgpt.com/admin/settings). Turn on **Allow members to use Codex Local**. This setting doesn’t require the GitHub connector.- Workspace owner with access to ChatGPT Enterprise
33- IT management owner for managed configuration
34- Governance owner for analytics / compliance review
33 35
3436After you turn this on, users can sign in to use the Codex app, CLI, and IDE extension with their ChatGPT account. If you turn off this setting, users who attempt to use the Codex app, CLI, or IDE will see the following error: “403 - Unauthorized. Contact your ChatGPT administrator for access.”A rollout decision:
35 37
3638## Team Config- Codex local only (Codex app, CLI, and IDE extension)
39- Codex cloud only (Codex web, GitHub code review)
40- Both local + cloud
37 41
3842Teams who want to standardize Codex across an organization can use Team Config to share defaults, rules, and skills without duplicating setup on every local configuration.Review [authentication](https://developers.openai.com/codex/auth) before rollout:
39 43
4044| Type | Path | Use it to |- Codex local supports ChatGPT sign-in or API keys. Confirm MFA/SSO requirements and any managed login restrictions in authentication
4145| ------------------------------------ | ------------- | ---------------------------------------------------------------------------- |- Codex cloud requires ChatGPT sign-in
42| [Config basics](https://developers.openai.com/codex/config-basic) | `config.toml` | Set defaults for sandbox mode, approvals, model, reasoning effort, and more. |
43| [Rules](https://developers.openai.com/codex/rules) | `rules/` | Control which commands Codex can run outside the sandbox. |
44| [Skills](https://developers.openai.com/codex/skills) | `skills/` | Make shared skills available to your team. |
45 46
4647For locations and precedence, see [Config basics](https://developers.openai.com/codex/config-basic#configuration-precedence).## Step 1: Enable workspace toggles
48
49Turn on only the Codex features you plan to roll out in this phase.
50
51Go to [Workspace Settings > Settings and Permissions](https://chatgpt.com/admin/settings).
52
53### Codex local
54
55Turn on **Allow members to use Codex Local**.
47 56
4857## Codex cloud setupThis enables use of the Codex app, CLI, and IDE extension for allowed users.
58
59If this toggle is off, users who attempt to use the Codex app, CLI, or IDE will see the following error: “403 - Unauthorized. Contact your ChatGPT administrator for access.”
60
61#### Enable device code authentication for Codex CLI
62
63Allow developers to sign in with device codes when using Codex CLI in a non-interactive environment. More details in [authentication](https://developers.openai.com/codex/auth/).
64
65
66
67### Codex cloud
49 68
50### Prerequisites69### Prerequisites
51 70
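Review bot: The added `#### Enable device code authentication for Codex CLI` subsection (new lines 61 to 63) says what the setting allows but never names the toggle or states whether it is off by default, unlike the `Turn on **Allow members to use Codex Local**` line just above it. Since this setting widens how CLI users can sign in, give the exact toggle label in bold, state its default, and say when an admin should leave it off. Three smaller points in the same hunk. The three empty added lines after that paragraph (new lines 64 to 66) look like leftover content and should collapse to one. `### Prerequisites` (new line 69) is now a sibling of `### Codex cloud` rather than nested under it, while the local subsection uses `####`, so it should be `####` as well. In Step 0, the bullet ending `any managed login restrictions in authentication` would read better as a link to the Authentication page with a closing period.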
59 78
60Start by turning on the ChatGPT GitHub Connector in the Codex section of [Workspace Settings > Settings and Permissions](https://chatgpt.com/admin/settings).79Start by turning on the ChatGPT GitHub Connector in the Codex section of [Workspace Settings > Settings and Permissions](https://chatgpt.com/admin/settings).
61 80
6281To enable Codex cloud for your workspace, turn on **Allow members to use Codex cloud**.To enable Codex cloud for your workspace, turn on **Allow members to use Codex cloud**. Once enabled, users can access Codex directly from the left-hand navigation panel in ChatGPT.
82
83Note that it may take up to 10 minutes for Codex to appear in ChatGPT.
84
85#### Allow members to administer Codex
86
87Allows users to view overall Codex [workspace analytics](https://chatgpt.com/codex/settings/analytics), access [cloud-managed requirements](https://chatgpt.com/codex/settings/managed-configs), and manage Cloud environments (edit and delete).
88
89Codex cloud not required.
90
91#### Enable Codex Slack app to post answers on task completion
92
93Codex posts its full answer back to Slack when the task completes. Otherwise, Codex posts only a link to the task.
94
95To learn more, see [Codex in Slack](https://developers.openai.com/codex/integrations/slack).
63 96
6497Once enabled, users can access Codex directly from the left-hand navigation panel in ChatGPT.#### Enable Codex agent to access the internet
98
99By default, Codex cloud agents have no internet access during runtime to help protect against security and safety risks like prompt injection.
100
101This setting enables users to use an allowlist for common software dependency domains, add more domains and trusted sites, and specify allowed HTTP methods.
102
103For security implications of internet access and runtime controls, see [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security).
65 104
66105
67 106
68107After you turn on Codex in your Enterprise workspace settings, it may take up## Step 2: Set up custom roles (RBAC)
69to 10 minutes for Codex to appear in ChatGPT.
70 108
71109### Configure the GitHub Connector IP allow listUse RBAC to control which users or groups can access Codex local and Codex cloud.
72 110
73111To control which IP addresses can connect to your ChatGPT GitHub connector, configure these IP ranges:### What RBAC lets you do
74 112
75113- [ChatGPT egress IP ranges](https://openai.com/chatgpt-actions.json)Workspace Owners can use RBAC in ChatGPT admin settings to:
76- [Codex container egress IP ranges](https://openai.com/chatgpt-agents.json)
77 114
78115These IP ranges can change. Consider checking them automatically and updating your allow list based on the latest values.- Set a default role for users who are not assigned any custom role
116- Create custom roles with granular permissions
117- Assign one or more custom roles to Groups (including SCIM-synced groups)
118- Manage roles centrally from the Custom Roles tab
79 119
80120### Allow members to administer CodexUsers can inherit multiple roles, and permissions resolve to the maximum allowed across those roles.
81 121
82122This toggle allows users to view Codex workspace analytics and manage environments (edit and delete).### Important behavior to plan for
83 123
84124Codex supports role-based access (see [Role-based access (RBAC)](#role-based-access-rbac)), so you can turn on this toggle for a specific subset of users.Users in any custom role group do not use the workspace default permissions.
85 125
86126### Enable Codex Slack app to post answers on task completionIf you are gradually rolling out Codex, one suggestion is to have a “Codex Users” group and a second “Codex Admin” group that has the “Allow members to administer Codex” toggle enabled.
87 127
88128Codex integrates with Slack. When a user mentions `@Codex` in Slack, Codex starts a cloud task, gets context from the Slack thread, and responds with a link to a PR to review in the thread.For RBAC setup details and the full permission model, see the [OpenAI RBAC Help Center article](https://help.openai.com/en/articles/11750701-rbac).
89 129
90130To allow the Slack app to post answers on task completion, turn on **Allow Codex Slack app to post answers on task completion**. When enabled, Codex posts its full answer back to Slack when the task completes. Otherwise, Codex posts only a link to the task.## Step 3: Configure Codex local managed settings
91 131
92132To learn more, see [Codex in Slack](https://developers.openai.com/codex/integrations/slack).For Codex local, set an admin-approved baseline for local behavior before broader rollout.
93 133
94134### Enable Codex agent to access the internet### Use managed configuration for two different goals
95 135
96136By default, Codex cloud agents have no internet access during runtime to help protect against security and safety risks like prompt injection.- **Requirements** (`requirements.toml`): Admin-enforced constraints users cannot override
137- **Managed defaults** (`managed_config.toml`): Starting values applied when Codex launches
97 138
98139As an admin, you can allow users to enable agent internet access in their environments. To enable it, turn on **Allow Codex agent to access the internet**.### Team Config
99 140
100141When this setting is on, users can use an allow list for common software dependency domains, add more domains and trusted sites, and specify allowed HTTP methods.Teams who want to standardize Codex across an organization can use Team Config to share defaults, rules, and skills without duplicating setup on every local configuration.
101 142
102143### Enable code review with Codex cloud| Type | Path | Use it to |
144| ------------------------------------ | ------------- | ---------------------------------------------------------------------------- |
145| [Config basics](https://developers.openai.com/codex/config-basic) | `config.toml` | Set defaults for sandbox mode, approvals, model, reasoning effort, and more. |
146| [Rules](https://developers.openai.com/codex/rules) | `rules/` | Control which commands Codex can run outside the sandbox. |
147| [Skills](https://developers.openai.com/codex/skills) | `skills/` | Make shared skills available to your team. |
148
149For locations and precedence, see [Config basics](https://developers.openai.com/codex/config-basic#configuration-precedence).
150
151### Recommended first decisions for local rollout
152
153Define a baseline for your pilot:
154
155- Approval policy posture
156- Sandbox mode posture
157- Web search posture
158- MCP / connectors policy
159- Local logging and telemetry posture
103 160
104161To allow Codex to do code reviews, go to [Settings → Code review](https://chatgpt.com/codex/settings/code-review).For exact keys, precedence, MDM deployment, and examples, see [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration) and [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security).
105 162
106163Users can specify whether they want Codex to review their pull requests. Users can also configure whether code review runs for all contributors to a repository.If you plan to restrict login method or workspace for local clients, see the admin-managed authentication restrictions in [Authentication](https://developers.openai.com/codex/auth).
107 164
108165Codex supports two types of code reviews:## Step 4: Configure Codex cloud usage (if enabled)
109 166
1101671. Automatically triggered code reviews when a user opens a PR for review.This step covers repository and environment setup after the Codex cloud workspace toggle is enabled.
1112. Reactive code reviews when a user mentions @Codex to look at issues. For example, “@Codex fix this CI error” or “@Codex address that feedback.”
112 168
113169## Role-based access (RBAC)### Connect Codex cloud to repositories
114 170
115171Codex supports role-based access. RBAC is a security and permissions model used to control access to systems or resources based on a user’s role assignments.1. Navigate to [Codex](https://chatgpt.com/codex) and select **Get started**
1722. Select **Connect to GitHub** to install the ChatGPT GitHub Connector if you haven't already connected GitHub to ChatGPT
1733. Install or authorize the ChatGPT GitHub Connector
1744. Choose an installation target for the ChatGPT Connector (typically your main organization)
1755. Allow the repositories you want to connect to Codex
116 176
117177To enable RBAC for Codex, navigate to Settings & Permissions → Custom Roles in [ChatGPT’s admin page](https://chatgpt.com/admin/settings) and assign roles to groups created in the Groups tab.For more, see [Cloud environments](https://developers.openai.com/codex/cloud/environments).
118 178
119179This simplifies permission management for Codex and improves security in your ChatGPT workspace. To learn more, see the [Help Center article](https://help.openai.com/en/articles/11750701-rbac).Codex uses short-lived, least-privilege GitHub App installation tokens for each operation and respects the user's existing GitHub repository permissions and branch protection rules.
180
181### Configure IP addresses (as needed)
182
183Configure connector / IP allow lists if required by your network policy with these [egress IP ranges](https://openai.com/chatgpt-agents.json).
184
185These IP ranges can change. Consider checking them automatically and updating your allow list based on the latest values.
186
187### Enable code review with Codex cloud
120 188
121189## Set up your first Codex cloud environmentTo allow Codex to perform code reviews on GitHub, go to [Settings → Code review](https://chatgpt.com/codex/settings/code-review).
122 190
1231911. Go to Codex cloud and select **Get started**.Code review can be configured at the repository level. Users can also enable auto review for their PRs and choose when Codex automatically triggers a review. More details on [GitHub](https://developers.openai.com/codex/integrations/github) integration page.
1242. Select **Connect to GitHub** to install the ChatGPT GitHub Connector if you haven’t already connected GitHub to ChatGPT.
125 - Allow the ChatGPT Connector for your account.
126 - Choose an installation target for the ChatGPT Connector (typically your main organization).
127 - Allow the repositories you want to connect to Codex (a GitHub admin may need to approve this).
1283. Create your first environment by selecting the repository most relevant to your developers, then select **Create environment**.
129 - Add the email addresses of any environment collaborators to give them edit access.
1304. Start a few starter tasks (for example, writing tests, fixing bugs, or exploring code).
131 192
132193You have now created your first environment. Users who connect to GitHub can create tasks using this environment. Users who have access to the repository can also push pull requests generated from their tasks.Additional integration docs for [Slack](https://developers.openai.com/codex/integrations/slack), [GitHub](https://developers.openai.com/codex/integrations/github), and [Linear](https://developers.openai.com/codex/integrations/linear).
133 194
134195### Environment management## Step 5: Set up governance and observability
135 196
136197As a ChatGPT workspace administrator, you can edit and delete Codex environments in your workspace.Codex gives enterprise teams several options for visibility into adoption and impact. Set up governance early so your team can monitor adoption, investigate issues, and support compliance workflows.
137 198
138199### Connect more GitHub repositories with Codex cloud### Codex governance typically uses
139 200
1402011. Select **Environments**, or open the environment selector and select **Manage Environments**.- Analytics Dashboard for quick, self-serve visibility
1412022. Select **Create Environment**.- Analytics API for programmatic reporting and BI integration
1422033. Select the repository you want to connect.- Compliance API for audit and investigation workflows
1434. Enter a name and description.
1445. Select the environment visibility.
1456. Select **Create Environment**.
146 204
147205Codex automatically optimizes your environment setup by reviewing your codebase. Avoid advanced environment configuration until you observe specific performance issues. For more, see [Codex cloud](https://developers.openai.com/codex/cloud).### Recommended minimum setup
148 206
149207### Share setup instructions with users- Assign an owner for adoption reporting
208- Assign an owner for audit and compliance review
209- Define a review cadence
210- Decide what success looks like
150 211
151212You can share these steps with end users:For details and examples, see [Governance](https://developers.openai.com/codex/enterprise/governance).
152 213
1532141. Go to [Codex](https://chatgpt.com/codex) in the left-hand panel of ChatGPT.## Step 6: Confirm and validate setup
1542. Select **Connect to GitHub** in the prompt composer if you’re not already connected.
155 - Sign in to GitHub.
1563. You can now use shared environments with your workspace or create your own environment.
1574. Try a task in both Ask and Code mode. For example:
158 - Ask: Find bugs in this codebase.
159 - Write code: Improve test coverage following the existing test patterns.
160 215
161216## Track Codex usage### What to verify
162 217
163218- For workspaces with rate limits, use [Settings → Usage](https://chatgpt.com/codex/settings/usage) to view workspace metrics for Codex.- Users can sign in to Codex local (ChatGPT or API key)
164219- For more detail on enterprise governance, refer to the [Governance](https://developers.openai.com/codex/enterprise/governance) page.- (If enabled) Users can sign in to Codex cloud (ChatGPT sign-in required)
165220- For enterprise workspaces with flexible pricing, you can see credit usage in the ChatGPT workspace billing console.- MFA and SSO requirements match your enterprise security policy
221- RBAC and workspace toggles produce the expected access behavior
222- Managed configuration is applied for users
223- Governance data is visible for admins
166 224
167225## Zero data retention (ZDR)For authentication options and enterprise login restrictions, see [Authentication](https://developers.openai.com/codex/auth).
168 226
169227Codex supports OpenAI organizations with [Zero Data Retention (ZDR)](https://platform.openai.com/docs/guides/your-data#zero-data-retention) enabled.Once your team is confident with setup, you can confidently roll Codex out to additional teams and organizations.
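Review bot: In `### Configure IP addresses (as needed)` the allow-list guidance now links only `https://openai.com/chatgpt-agents.json`, while the removed `### Configure the GitHub Connector IP allow list` section listed two sources: ChatGPT egress IP ranges (`chatgpt-actions.json`) and Codex container egress IP ranges (`chatgpt-agents.json`). If connector traffic can still originate from the first range, admins who follow the new text will build an incomplete allow list. Either restore the first link or state explicitly that it is no longer needed. Other points in this hunk:

- The Step 4 intro says it covers "repository and environment setup", but the environment creation steps were removed and nothing replaces them except a link. Either drop "environment" from the intro or keep a short create-environment step.
- Under `#### Allow members to administer Codex`, the line `Codex cloud not required.` is ambiguous and sits inside the `### Codex cloud` section. Spell out that this toggle works without the Codex cloud toggle, or move the subsection out of the cloud block.
- `#### Enable Codex agent to access the internet` no longer names the toggle (the old text had `**Allow Codex agent to access the internet**`). Restore the bold label so admins can find it.
- In the repository steps, items 2 and 3 both tell the reader to install the ChatGPT GitHub Connector, and the removed note that a GitHub admin may need to approve repository access is worth keeping.
- The closing sentence repeats itself ("confident with setup, you can confidently roll").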