Overview
Advanced Configuration lets security administrators centrally manage how Claude Code behaves for users in your organization. Using a JSON policy file, you can define which AI models users can access, which shell commands Claude can run, which files it can read, and how sandboxed Bash commands interact with the network. This helps enforce consistent security, governance, and cost controls across managed endpoints.
Before You Begin
Make sure you have:
- Permission to manage Claude Code settings for your organization
- A valid
managed-settings.jsonfile - Access to the Claude Admin Console
- A test endpoint with Claude Code installed
Understand How Managed Settings Are Applied
When Claude Code starts, it checks for managed settings that are configured for your organization. These settings have the highest precedence and cannot be overridden by user-level or project-level settings.
The managed configuration file defines the approved Claude Code behavior for users in your environment. This lets you centrally control model access, permissions, file access, sandboxing, environment variables, and announcements.
Review Supported Policy Controls
| Control | Description |
|---|---|
| Models | Define which Claude models users can access |
| Permissions | Control which tools and shell commands Claude Code can run, ask before running, or block |
| File access | Define which files and directories Claude Code can read or modify |
| Sandboxing | Isolate Bash commands at the OS level, restrict filesystem write paths, and control network domains used by sandboxed Bash commands |
| Environment | Configure environment variables for Claude Code |
| Announcements | Display organization-wide messages to Claude Code users |
The sandbox configuration applies to Bash commands and their child processes. Use permission rules to control other Claude Code tools such as Read, Write, WebFetch, and MCP.
Upload the Configuration File
Advanced Configuration is managed in the Claude Admin Console under Advanced Configuration > Claude Custom Configuration.
To upload the managed settings file:
- Enable the Claude Custom Configuration toggle.
- Paste or upload the contents of your
managed-settings.jsonfile into the editor. - Click Save.
The policy applies the next time Claude Code loads the managed settings on user endpoints.
Review the Configuration File Format
The configuration file uses JSON format. The following example shows the structure of a managed settings file, but does not represent a real-life configuration for your environment. Review and update the values based on your organization’s security, governance, and operational requirements.
{
"$schema": "https://json.schemastore.org/claude-code-settings.json",
"model": "claude-sonnet-4-6",
"availableModels": [
"claude-sonnet-4-6"
],
"permissions": {
"allow": [
"Bash(ls:*)",
"Bash(cat:*)",
"Read(/Users/*/projects/**)"
],
"ask": [
"Bash(npm install:*)"
],
"deny": [
"Bash(rm:*)",
"Bash(curl:*)",
"Write(/etc/**)"
],
"disableBypassPermissionsMode": true
},
"sandbox": {
"enabled": true,
"failIfUnavailable": true,
"allowUnsandboxedCommands": false,
"allowedDomains": [
"registry.npmjs.org",
"api.github.com"
],
"allowWrite": [
"/Users/*/projects/**"
]
}
}
In this example:
- Users can access only the example Claude model
- Claude Code can run approved read-only shell commands without prompting
- Claude Code asks before it runs commands such as
npm install - Commands such as
rmandcurlare blocked - Users cannot bypass the configured permission mode
- Sandboxed Bash commands can write only to approved project paths
- Sandboxed Bash commands can access only approved domains
Test the Policy
Before you deploy the policy to all users, validate it on a test machine.
To test the policy:
-
Deploy the managed settings file to a test machine.
-
Run:
claude doctor -
Review any invalid or unrecognized fields.
-
Update the JSON file and test again before deployment.