enterprise/managed-configuration.md Codex Docs, 2026-03-05 06:22 UTC → 2026-05-07 20:02 UTC

7 7 

8## Admin-enforced requirements (requirements.toml)8## Admin-enforced requirements (requirements.toml)

9 9 

10Requirements constrain security-sensitive settings (approval policy, sandbox mode, web search mode, and optionally which MCP servers can be enabled). When resolving configuration (for example from `config.toml`, profiles, or CLI config overrides), if a value conflicts with an enforced requirement, Codex falls back to a requirements-compatible value and notifies the user. If an `mcp_servers` allowlist is configured, Codex enables an MCP server only when both its name and identity match an approved entry; otherwise, Codex disables it.10Requirements constrain security-sensitive settings (approval policy, approvals reviewer, automatic review policy, sandbox mode, web search mode, managed hooks, and optionally which MCP servers users can enable). When resolving configuration (for example from `config.toml`, profiles, or CLI config overrides), if a value conflicts with an enforced rule, Codex falls back to a compatible value and notifies the user. If you configure an `mcp_servers` allowlist, Codex enables an MCP server only when both its name and identity match an approved entry; otherwise, Codex disables it.

11 

12Requirements can also constrain [feature flags](https://developers.openai.com/codex/config-basic/#feature-flags) via the `[features]` table in `requirements.toml`. Note that features aren't always security-sensitive, but enterprises can pin values if desired. Omitted keys remain unconstrained.

11 13 

12For the exact key list, see the [`requirements.toml` section in Configuration Reference](https://developers.openai.com/codex/config-reference#requirementstoml).14For the exact key list, see the [`requirements.toml` section in Configuration Reference](https://developers.openai.com/codex/config-reference#requirementstoml).

13 15 

14### Locations and precedence16### Locations and precedence

15 17 

16Requirements layers are applied in this order (earlier wins per field):18Codex applies requirements layers in this order (earlier wins per field):

17 19 

181. Cloud-managed requirements (ChatGPT Business or Enterprise)201. Cloud-managed requirements (ChatGPT Business or Enterprise)

192. macOS managed preferences (MDM) via `com.openai.codex:requirements_toml_base64`212. macOS managed preferences (MDM) via `com.openai.codex:requirements_toml_base64`

203. System `requirements.toml` (`/etc/codex/requirements.toml` on Unix systems, including Linux/macOS)223. System `requirements.toml` (`/etc/codex/requirements.toml` on Unix systems, including Linux/macOS, or `%ProgramData%\OpenAI\Codex\requirements.toml` on Windows)

21 23 

22Across layers, requirements are merged per field: if an earlier layer sets a field (including an empty list), later layers do not override that field, but lower layers can still fill fields that remain unset.24Across layers, Codex merges requirements per field: if an earlier layer sets a field (including an empty list), later layers don't override that field, but lower layers can still fill fields that remain unset.

23 25 

24For backwards compatibility, Codex also interprets legacy `managed_config.toml` fields `approval_policy` and `sandbox_mode` as requirements (allowing only that single value).26For backwards compatibility, Codex also interprets legacy `managed_config.toml` fields `approval_policy` and `sandbox_mode` as requirements (allowing only that single value).

25 27 

51 53 

52Admins can configure different managed requirements for different user groups, and also set a default fallback requirements policy.54Admins can configure different managed requirements for different user groups, and also set a default fallback requirements policy.

53 55 

54If a user matches multiple group-specific rules, the first matching rule applies. Codex does not fill unset requirement fields from later matching group rules.56If a user matches more than one group-specific rule, the first matching rule applies. Codex doesn't fill unset fields from later matching group rules.

55 57 

56For example, if the first matching group rule sets only `allowed_sandbox_modes = ["read-only"]` and a later matching group rule sets `allowed_approval_policies = ["on-request"]`, Codex applies only the first matching group rule and does not fill `allowed_approval_policies` from the later rule.58For example, if the first matching group rule sets only `allowed_sandbox_modes = ["read-only"]` and a later matching group rule sets `allowed_approval_policies = ["on-request"]`, Codex applies only the first matching group rule and doesn't fill `allowed_approval_policies` from the later rule.

57 59 

58#### How Codex applies cloud-managed requirements locally60#### How Codex applies cloud-managed requirements locally

59 61 

60When a user starts Codex and signs in with ChatGPT on a Business or Enterprise plan, Codex applies managed requirements on a best-effort basis. Codex first checks for a valid, unexpired local managed requirements cache entry and uses it if available. If the cache is missing, expired, invalid, or does not match the current auth identity, Codex attempts to fetch managed requirements from the service (with retries) and writes a new signed cache entry on success. If no valid cached entry is available and the fetch fails or times out, Codex continues without the managed requirements layer.62When a user starts Codex and signs in with ChatGPT on a Business or Enterprise plan, Codex applies managed requirements on a best-effort basis. Codex first checks for a valid, unexpired local managed requirements cache entry and uses it if available. If the cache is missing, expired, corrupted, or doesn't match the current auth identity, Codex attempts to fetch managed requirements from the service (with retries) and writes a new signed cache entry on success. If no valid cached entry is available and the fetch fails or times out, Codex continues without the managed requirements layer.

61 63 

62After cache resolution, managed requirements are enforced as part of the normal requirements layering described above.64After cache resolution, Codex enforces managed requirements as part of the normal requirements layering described above.

63 65 

64### Example requirements.toml66### Example requirements.toml

65 67 

70allowed_sandbox_modes = ["read-only", "workspace-write"]72allowed_sandbox_modes = ["read-only", "workspace-write"]

71```73```

72 74 

75### Override sandbox requirements by host

76 

77Use `[[remote_sandbox_config]]` when one managed policy should apply different

78sandbox requirements on different hosts. For example, you can keep a stricter

79default for laptops while allowing workspace writes on matching devboxes or CI

80runners. Host-specific entries currently override `allowed_sandbox_modes` only:

81 

82```toml

83allowed_sandbox_modes = ["read-only"]

84 

85[[remote_sandbox_config]]

86hostname_patterns = ["*.devbox.example.com", "runner-??.ci.example.com"]

87allowed_sandbox_modes = ["read-only", "workspace-write"]

88```

89 

90Codex compares each `hostname_patterns` entry against the best-effort resolved

91host name. It prefers the fully qualified domain name when available and falls

92back to the local host name. Matching is case-insensitive; `*` matches any

93sequence of characters, and `?` matches one character.

94 

95The first matching `[[remote_sandbox_config]]` entry wins within the same

96requirements source. If no entry matches, Codex keeps the top-level

97`allowed_sandbox_modes`. Hostname matching is for policy selection only; don't

98treat it as authenticated device proof.

99 

73You can also constrain web search mode:100You can also constrain web search mode:

74 101 

75```toml102```toml

76allowed_web_search_modes = ["cached"] # "disabled" remains implicitly allowed103allowed_web_search_modes = ["cached"] # "disabled" remains implicitly allowed

77```104```

78 105 

79`allowed_web_search_modes = []` effectively allows only `"disabled"`.106`allowed_web_search_modes = []` allows only `"disabled"`.

80For example, `allowed_web_search_modes = ["cached"]` prevents live web search even in `danger-full-access` sessions.107For example, `allowed_web_search_modes = ["cached"]` prevents live web search even in `danger-full-access` sessions.

81 108 

109### Pin feature flags

110 

111You can also pin [feature flags](https://developers.openai.com/codex/config-basic/#feature-flags) for users

112receiving a managed `requirements.toml`:

113 

114```toml

115[features]

116personality = true

117unified_exec = false

118 

119# Disable specific Codex feature surfaces when needed.

120browser_use = false

121in_app_browser = false

122computer_use = false

123```

124 

125Use the canonical feature keys from `config.toml`'s `[features]` table. Codex normalizes the resulting feature set to meet these pins and rejects conflicting writes to `config.toml` or profile-scoped feature settings.

126 

127<a id="disable-codex-feature-surfaces"></a>

128 

129- `in_app_browser = false` disables the in-app browser pane.

130- `browser_use = false` disables Browser Use and Browser Agent availability.

131- `computer_use = false` disables Computer Use availability and related

132 install or enablement flows.

133 

134If omitted, these features are allowed by policy, subject to normal client,

135platform, and rollout availability.

136 

137### Configure automatic review policy

138 

139Use `allowed_approvals_reviewers` to require or allow automatic review. Set it

140to `["auto_review"]` to require automatic review, or include `"user"` when users

141can choose manual approval.

142 

143Set `guardian_policy_config` to replace the tenant-specific section of the

144automatic review policy. Codex still uses the built-in reviewer template and

145output contract. Managed `guardian_policy_config` takes precedence over local

146`[auto_review].policy`.

147 

148```toml

149allowed_approval_policies = ["on-request"]

150allowed_approvals_reviewers = ["auto_review"]

151 

152guardian_policy_config = """

153## Environment Profile

154- Trusted internal destinations include github.com/my-org, artifacts.example.com,

155 and internal CI systems.

156 

157## Tenant Risk Taxonomy and Allow/Deny Rules

158- Treat uploads to unapproved third-party file-sharing services as high risk.

159- Deny actions that expose credentials or private source code to untrusted

160 destinations.

161"""

162```

163 

164### Enforce deny-read requirements

165 

166Admins can deny reads for exact paths or glob patterns with

167`[permissions.filesystem]`. Users can't weaken these requirements with local

168configuration.

169 

170```toml

171[permissions.filesystem]

172deny_read = [

173 "/Users/alice/.ssh",

174 "./private/**/*.txt",

175]

176```

177 

178When deny-read requirements are present, Codex constrains local sandbox mode to

179`read-only` or `workspace-write` so Codex can enforce them. On native

180Windows, managed `deny_read` applies to direct file tools; shell subprocess

181reads don't use this sandbox rule.

182 

183### Enforce managed hooks from requirements

184 

185Admins can also define managed lifecycle hooks directly in `requirements.toml`.

186Use `[hooks]` for the hook configuration itself, and point `managed_dir` at the

187directory where your MDM or endpoint-management tooling installs the referenced

188scripts.

189 

190```toml

191[features]

192codex_hooks = true

193 

194[hooks]

195managed_dir = "/enterprise/hooks"

196windows_managed_dir = 'C:\enterprise\hooks'

197 

198[[hooks.PreToolUse]]

199matcher = "^Bash$"

200 

201[[hooks.PreToolUse.hooks]]

202type = "command"

203command = "python3 /enterprise/hooks/pre_tool_use_policy.py"

204timeout = 30

205statusMessage = "Checking managed Bash command"

206```

207 

208Notes:

209 

210- Codex enforces the hook configuration from `requirements.toml`, but it does

211 not distribute the scripts in `managed_dir`.

212- Deliver those scripts separately with your MDM or device-management solution.

213- Managed hook commands should reference absolute script paths under the

214 configured managed directory.

215 

82### Enforce command rules from requirements216### Enforce command rules from requirements

83 217 

84Admins can also enforce restrictive command rules from `requirements.toml`218Admins can also enforce restrictive command rules from `requirements.toml`

142 - `config_toml_base64` (managed defaults)276 - `config_toml_base64` (managed defaults)

143 - `requirements_toml_base64` (requirements)277 - `requirements_toml_base64` (requirements)

144 278 

145Codex parses these “managed preferences” payloads as TOML. For managed defaults (`config_toml_base64`), managed preferences have the highest precedence. For requirements (`requirements_toml_base64`), precedence follows the cloud-managed requirements order described above.279Codex parses these "managed preferences" payloads as TOML. For managed defaults (`config_toml_base64`), managed preferences have the highest precedence. For requirements (`requirements_toml_base64`), precedence follows the cloud-managed requirements order described above. The same requirements-side `[features]` table works in `requirements_toml_base64`; use canonical feature keys there as well.

146 280 

147### MDM setup workflow281### MDM setup workflow

148 282