Skip to content

docs: organization rollout guide for Claude Code managed settings#161

Draft
GuyMoses wants to merge 3 commits into
mainfrom
docs/enterprise-managed-settings
Draft

docs: organization rollout guide for Claude Code managed settings#161
GuyMoses wants to merge 3 commits into
mainfrom
docs/enterprise-managed-settings

Conversation

@GuyMoses

@GuyMoses GuyMoses commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

What

Adds an Organization rollout (Team / Enterprise admins) section to the Claude Code plugin README covering how to distribute and configure the plugin org-wide with minimal per-developer work.

Why

Today the plugin requires manual per-user install + configuration. Claude Code's managed-settings mechanisms let admins automate both. This documents the paths.

Contents

  • Auto-install — Organization plugins page → Required / Installed by default (this is what installs the binary; enabledPlugins alone only enables).
  • Push config — server-managed settings via Admin Settings → Claude Code → Managed settings, with enabledPlugins + pluginConfigs example. Notes plan/role requirements, hourly refresh, in-memory cache.
  • MDM / on-disk alternativemanaged-settings.json paths per OS, plus the server-vs-endpoint non-merge precedence caveat.
  • Auth token — recommends the per-user OS keychain (/plugin → Configure), since sensitive values are keychain-encrypted and never written to settings.json. Advises against inlining the token into managed pluginConfigs.options / the env block, which are plaintext at rest.
  • Verify/status, session banner, data in Dash0.

Status / open item

Draft. One behavior is not yet verified: whether Claude Code honors a sensitive value delivered via managed settings, and if so how it's stored. An internal test plan exists to validate this before we ever recommend a centralized-token path; the README currently steers admins to the keychain regardless.

Document how Team/Enterprise admins distribute and configure the plugin
org-wide: auto-install via the Organization plugins page, push non-secret
config through server-managed settings (or MDM/on-disk managed-settings.json),
and keep the auth token in the per-user OS keychain rather than inlining it in
plaintext policy.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

GuyMoses and others added 2 commits July 9, 2026 15:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant