enterprise/managed-configuration.md +180 −0 added
1# Managed configuration
2
3Enterprise admins can control local Codex behavior in two ways:
4
5- **Requirements**: admin-enforced constraints that users can't override.
6- **Managed defaults**: starting values applied when Codex launches. Users can still change settings during a session; Codex reapplies managed defaults the next time it starts.
7
8## Admin-enforced requirements (requirements.toml)
9
10Requirements constrain security-sensitive settings (approval policy, sandbox mode, web search mode, and optionally which MCP servers can be enabled). When resolving configuration (for example from `config.toml`, profiles, or CLI config overrides), if a value conflicts with an enforced requirement, Codex falls back to a requirements-compatible value and notifies the user. If an `mcp_servers` allowlist is configured, Codex enables an MCP server only when both its name and identity match an approved entry; otherwise, Codex disables it.
11
12For the exact key list, see the [`requirements.toml` section in Configuration Reference](https://developers.openai.com/codex/config-reference#requirementstoml).
13
14### Locations and precedence
15
16Requirements layers are applied in this order (earlier wins per field):
17
181. Cloud-managed requirements (ChatGPT Business or Enterprise)
192. macOS managed preferences (MDM) via `com.openai.codex:requirements_toml_base64`
203. System `requirements.toml` (`/etc/codex/requirements.toml` on Unix systems, including Linux/macOS)
21
22Across layers, requirements are merged per field: if an earlier layer sets a field (including an empty list), later layers do not override that field, but lower layers can still fill fields that remain unset.
23
24For backwards compatibility, Codex also interprets legacy `managed_config.toml` fields `approval_policy` and `sandbox_mode` as requirements (allowing only that single value).
25
26### Cloud-managed requirements
27
28When you sign in with ChatGPT on a Business or Enterprise plan, Codex can also fetch admin-enforced requirements from the Codex service. This is another source of `requirements.toml`-compatible requirements. This applies across Codex surfaces, including the CLI, App, and IDE Extension.
29
30#### Configure cloud-managed requirements
31
32Go to the [Codex managed-config page](https://chatgpt.com/codex/settings/managed-configs).
33
34Create a new managed requirements file using the same format and keys as `requirements.toml`.
35
36```toml
37enforce_residency = "us"
38allowed_approval_policies = ["on-request"]
39allowed_sandbox_modes = ["read-only", "workspace-write"]
40
41[rules]
42prefix_rules = [
43 { pattern = [{ any_of = ["bash", "sh", "zsh"] }], decision = "prompt", justification = "Require explicit approval for shell entrypoints" },
44]
45```
46
47Save the configuration. Once saved, the updated managed requirements apply immediately for matching users.
48For more examples, see [Example requirements.toml](#example-requirementstoml).
49
50#### Assign requirements to groups
51
52Admins can configure different managed requirements for different user groups, and also set a default fallback requirements policy.
53
54If a user matches multiple group-specific rules, the first matching rule applies. Codex does not fill unset requirement fields from later matching group rules.
55
56For example, if the first matching group rule sets only `allowed_sandbox_modes = ["read-only"]` and a later matching group rule sets `allowed_approval_policies = ["on-request"]`, Codex applies only the first matching group rule and does not fill `allowed_approval_policies` from the later rule.
57
58#### How Codex applies cloud-managed requirements locally
59
60When a user starts Codex and signs in with ChatGPT on a Business or Enterprise plan, Codex applies managed requirements on a best-effort basis. Codex first checks for a valid, unexpired local managed requirements cache entry and uses it if available. If the cache is missing, expired, invalid, or does not match the current auth identity, Codex attempts to fetch managed requirements from the service (with retries) and writes a new signed cache entry on success. If no valid cached entry is available and the fetch fails or times out, Codex continues without the managed requirements layer.
61
62After cache resolution, managed requirements are enforced as part of the normal requirements layering described above.
63
64### Example requirements.toml
65
66This example blocks `--ask-for-approval never` and `--sandbox danger-full-access` (including `--yolo`):
67
68```toml
69allowed_approval_policies = ["untrusted", "on-request"]
70allowed_sandbox_modes = ["read-only", "workspace-write"]
71```
72
73You can also constrain web search mode:
74
75```toml
76allowed_web_search_modes = ["cached"] # "disabled" remains implicitly allowed
77```
78
79`allowed_web_search_modes = []` effectively allows only `"disabled"`.
80For example, `allowed_web_search_modes = ["cached"]` prevents live web search even in `danger-full-access` sessions.
81
82### Enforce command rules from requirements
83
84Admins can also enforce restrictive command rules from `requirements.toml`
85using a `[rules]` table. These rules merge with regular `.rules` files, and the
86most restrictive decision still wins.
87
88Unlike `.rules`, requirements rules must specify `decision`, and that decision
89must be `"prompt"` or `"forbidden"` (not `"allow"`).
90
91```toml
92[rules]
93prefix_rules = [
94 { pattern = [{ token = "rm" }], decision = "forbidden", justification = "Use git clean -fd instead." },
95 { pattern = [{ token = "git" }, { any_of = ["push", "commit"] }], decision = "prompt", justification = "Require review before mutating history." },
96]
97```
98
99To restrict which MCP servers Codex can enable, add an `mcp_servers` approved list. For stdio servers, match on `command`; for streamable HTTP servers, match on `url`:
100
101```toml
102[mcp_servers.docs]
103identity = { command = "codex-mcp" }
104
105[mcp_servers.remote]
106identity = { url = "https://example.com/mcp" }
107```
108
109If `mcp_servers` is present but empty, Codex disables all MCP servers.
110
111## Managed defaults (`managed_config.toml`)
112
113Managed defaults merge on top of a user's local `config.toml` and take precedence over any CLI `--config` overrides, setting the starting values when Codex launches. Users can still change those settings during a session; Codex reapplies managed defaults the next time it starts.
114
115Make sure your managed defaults meet your requirements; Codex rejects disallowed values.
116
117### Precedence and layering
118
119Codex assembles the effective configuration in this order (top overrides bottom):
120
121- Managed preferences (macOS MDM; highest precedence)
122- `managed_config.toml` (system/managed file)
123- `config.toml` (user's base configuration)
124
125CLI `--config key=value` overrides apply to the base, but managed layers override them. This means each run starts from the managed defaults even if you provide local flags.
126
127Cloud-managed requirements affect the requirements layer (not managed defaults). See the Admin-enforced requirements section above for precedence.
128
129### Locations
130
131- Linux/macOS (Unix): `/etc/codex/managed_config.toml`
132- Windows/non-Unix: `~/.codex/managed_config.toml`
133
134If the file is missing, Codex skips the managed layer.
135
136### macOS managed preferences (MDM)
137
138On macOS, admins can push a device profile that provides base64-encoded TOML payloads at:
139
140- Preference domain: `com.openai.codex`
141- Keys:
142 - `config_toml_base64` (managed defaults)
143 - `requirements_toml_base64` (requirements)
144
145Codex parses these “managed preferences” payloads as TOML. For managed defaults (`config_toml_base64`), managed preferences have the highest precedence. For requirements (`requirements_toml_base64`), precedence follows the cloud-managed requirements order described above.
146
147### MDM setup workflow
148
149Codex honors standard macOS MDM payloads, so you can distribute settings with tooling like `Jamf Pro`, `Fleet`, or `Kandji`. A lightweight deployment looks like:
150
1511. Build the managed payload TOML and encode it with `base64` (no wrapping).
1522. Drop the string into your MDM profile under the `com.openai.codex` domain at `config_toml_base64` (managed defaults) or `requirements_toml_base64` (requirements).
1533. Push the profile, then ask users to restart Codex and confirm the startup config summary reflects the managed values.
1544. When revoking or changing policy, update the managed payload; the CLI reads the refreshed preference the next time it launches.
155
156Avoid embedding secrets or high-churn dynamic values in the payload. Treat the managed TOML like any other MDM setting under change control.
157
158### Example managed_config.toml
159
160```toml
161# Set conservative defaults
162approval_policy = "on-request"
163sandbox_mode = "workspace-write"
164
165[sandbox_workspace_write]
166network_access = false # keep network disabled unless explicitly allowed
167
168[otel]
169environment = "prod"
170exporter = "otlp-http" # point at your collector
171log_user_prompt = false # keep prompts redacted
172# exporter details live under exporter tables; see Monitoring and telemetry above
173```
174
175### Recommended guardrails
176
177- Prefer `workspace-write` with approvals for most users; reserve full access for controlled containers.
178- Keep `network_access = false` unless your security review allows a collector or domains required by your workflows.
179- Use managed configuration to pin OTel settings (exporter, environment), but keep `log_user_prompt = false` unless your policy explicitly allows storing prompt contents.
180- Periodically audit diffs between local `config.toml` and managed policy to catch drift; managed layers should win over local flags and files.