enterprise/admin-setup.md +18 −2
163 163
164Codex Admins can deploy admin-enforced `requirements.toml` policies from the Codex [Policies page](https://chatgpt.com/codex/settings/policies).164Codex Admins can deploy admin-enforced `requirements.toml` policies from the Codex [Policies page](https://chatgpt.com/codex/settings/policies).
165 165
166166Use this page when you want to apply different local Codex constraints to different groups without distributing device-level files first. The managed policy uses the same `requirements.toml` format described in [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), so you can define allowed approval policies, sandbox modes, web search behavior, MCP server allowlists, feature pins, and restrictive command rules. To disable Browser Use, the in-app browser, or Computer Use, see [Pin feature flags](https://developers.openai.com/codex/enterprise/managed-configuration#pin-feature-flags).Use this page when you want to apply different local Codex constraints to different groups without distributing device-level files first. The managed policy uses the same `requirements.toml` format described in [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration), so you can define allowed approval policies, sandbox modes, web search behavior, network access requirements, MCP server allowlists, feature pins, and restrictive command rules. To disable Browser Use, the in-app browser, or Computer Use, see [Pin feature flags](https://developers.openai.com/codex/enterprise/managed-configuration#pin-feature-flags).
167 167
168<div class="max-w-1xl mx-auto py-1">168<div class="max-w-1xl mx-auto py-1">
169 <img src="https://developers.openai.com/images/codex/enterprise/policies_and_configurations_page.png"169 <img src="https://developers.openai.com/images/codex/enterprise/policies_and_configurations_page.png"
209computer_use = false209computer_use = false
210```210```
211 211
212Example: define administrator-owned network requirements:
213
214```toml
215experimental_network.enabled = true
216experimental_network.dangerously_allow_all_unix_sockets = true
217experimental_network.allow_local_binding = true
218experimental_network.allowed_domains = [
219 "api.openai.com",
220 "*.example.com",
221]
222experimental_network.denied_domains = [
223 "blocked.example.com",
224 "*.exfil.example.com",
225]
226```
227
212Example: add a restrictive command rule when you want admins to block or gate specific commands:228Example: add a restrictive command rule when you want admins to block or gate specific commands:
213 229
214```toml230```toml
218]234]
219```235```
220 236
221237You can use either example on its own or combine them in a single managed policy for a group. For exact keys, precedence, and more examples, see [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration) and [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security).You can use any example on its own or combine them in a single managed policy for a group. For exact keys, precedence, and more examples, see [Managed configuration](https://developers.openai.com/codex/enterprise/managed-configuration) and [Agent approvals & security](https://developers.openai.com/codex/agent-approvals-security).
222 238
223### Checking user policies239### Checking user policies
224 240