Enterprise Integration and Security

Your security team just approved Claude Code for 200 developers. Now you need to ensure nobody bypasses the code review process, API keys are never committed, and every developer’s Claude Code installation follows corporate coding standards. Doing this through Slack messages and wiki pages guarantees inconsistency. Managed settings do it deterministically.

  • How to deploy organization-wide settings that developers cannot override
  • Permission configurations that enforce security policies
  • Team-wide hook configurations for compliance and quality
  • Managed CLAUDE.md for corporate coding standards
  • Strategies for rolling out Claude Code incrementally across teams

Managed settings are the highest-priority configuration in Claude Code. They live in system directories that require admin privileges and cannot be overridden by any user or project setting.

| Platform | Path |
|---|---|
| macOS | /Library/Application Support/ClaudeCode/managed-settings.json |
| Linux/WSL | /etc/claude-code/managed-settings.json |
| Windows | C:\Program Files\ClaudeCode\managed-settings.json |

```json
{
  "$schema": "https://json.schemastore.org/claude-code-settings.json",
  "permissions": {
    "deny": [
      "Bash(curl *)",
      "Bash(wget *)",
      "Read(./.env)",
      "Read(./.env.*)",
      "Read(./secrets/**)",
      "Write(./.env)",
      "Write(./.env.*)"
    ]
  },
  "env": {
    "CLAUDE_CODE_ENABLE_TELEMETRY": "1",
    "OTEL_METRICS_EXPORTER": "otlp",
    "OTEL_LOGS_EXPORTER": "otlp",
    "OTEL_EXPORTER_OTLP_ENDPOINT": "http://collector.company.com:4317"
  },
  "companyAnnouncements": [
    "All code changes must be reviewed before merging. Use /project:review before creating PRs.",
    "Security policy update: API keys must be stored in Vault, not .env files."
  ],
  "allowManagedHooksOnly": true,
  "allowManagedPermissionRulesOnly": false
}
```

| Setting | Effect |
|---|---|
| allowManagedHooksOnly | Blocks user, project, and plugin hooks. Only hooks in managed settings run. |
| allowManagedPermissionRulesOnly | Prevents user and project settings from defining allow/deny permission rules. |
| companyAnnouncements | Messages displayed to all users at startup. Rotated randomly if multiple. |

The managed CLAUDE.md is loaded with the highest priority for all users on the machine:

| Platform | Path |
|---|---|
| macOS | /Library/Application Support/ClaudeCode/CLAUDE.md |
| Linux | /etc/claude-code/CLAUDE.md |

```markdown
# Corporate Development Standards

## Required Practices
- All code must pass the company linter before committing
- Database migrations require review from the DBA team
- API endpoints must include OpenAPI documentation
- Security-sensitive code requires two reviewers

## Prohibited Patterns
- Do not use eval() in any language
- Do not disable TypeScript strict mode
- Do not commit secrets, tokens, or API keys
- Do not use deprecated authentication methods

## Architecture Requirements
- All new services must use the company service template
- Inter-service communication uses gRPC, not REST
- Database access must go through the data access layer
```

Permission rules are resolved in this order, highest precedence first:

Managed deny > CLI flags > Local settings > Project settings > User settings

A permission denied at the managed level cannot be allowed anywhere else.

Permission rules support glob patterns for flexible matching:

```json
{
  "permissions": {
    "allow": [
      "Bash(npm run test *)",
      "Bash(npm run lint)",
      "Bash(git log *)",
      "Bash(git diff *)",
      "Read(~/.zshrc)"
    ],
    "deny": [
      "Bash(rm -rf *)",
      "Bash(git push --force *)",
      "Read(./.env*)",
      "Edit(*/migrations/*)"
    ]
  }
}
```

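To sanity-check a rule set before rolling it out, here is an added Python example (not Claude Code's own matcher) that evaluates a tool call against layered allow/deny lists using the precedence described above, with fnmatch-style globbing of the argument pattern. The layer walk and the deny-beats-allow behaviour inside one layer are assumptions made for this example.

```python
import fnmatch
import re

# Precedence from the page, highest first: managed deny, then CLI flags,
# local, project and user settings.  Walking the layers in this order and
# letting a deny beat an allow inside one layer is an assumption made for
# this example, not Claude Code's own matching code.
LAYER_ORDER = ("cli", "local", "project", "user")
RULE_RE = re.compile(r"^(?P<tool>\w+)\((?P<arg>.*)\)$")


def parse_rule(rule: str):
    """Split 'Bash(npm run test *)' into ('Bash', 'npm run test *')."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"malformed rule: {rule!r}")
    return m.group("tool"), m.group("arg")


def rule_matches(rule: str, call: str) -> bool:
    """Tool names must be equal; the argument pattern is glob-matched."""
    r_tool, r_arg = parse_rule(rule)
    c_tool, c_arg = parse_rule(call)
    return r_tool == c_tool and fnmatch.fnmatchcase(c_arg, r_arg)


def decide(call: str, managed: dict, layers: dict) -> str:
    """Return 'deny', 'allow' or 'ask' for a call such as 'Bash(curl x)'."""
    # A managed deny is absolute: nothing lower can re-allow it.
    if any(rule_matches(r, call) for r in managed.get("deny", [])):
        return "deny"
    # Otherwise the first layer holding a matching rule decides.
    for name in LAYER_ORDER:
        perms = layers.get(name, {})
        if any(rule_matches(r, call) for r in perms.get("deny", [])):
            return "deny"
        if any(rule_matches(r, call) for r in perms.get("allow", [])):
            return "allow"
    return "ask"  # no rule matched in any layer


# Constructed sample: deny rules from the page, plus a user layer that
# tries to re-allow curl and must lose to the managed deny.
MANAGED = {"deny": ["Bash(curl *)", "Bash(wget *)", "Read(./.env)", "Read(./.env.*)"]}
LAYERS = {
    "project": {"allow": ["Bash(npm run test *)", "Bash(git diff *)"],
                "deny": ["Bash(rm -rf *)", "Edit(*/migrations/*)"]},
    "user": {"allow": ["Bash(curl *)"]},
}

if __name__ == "__main__":
    for call in ("Bash(curl https://example.test)", "Bash(npm run test --watch)",
                 "Edit(src/migrations/001.sql)", "Bash(ls -la)"):
        print(f"{call:35} -> {decide(call, MANAGED, LAYERS)}")
```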
  1. Pilot phase (5-10 developers) Start with your most experienced developers. Have them define the project CLAUDE.md and initial permissions. Collect feedback on what works and what breaks.

  2. Team phase (20-50 developers) Deploy managed settings with telemetry enabled. Create shared commands in .claude/commands/ that encode team practices. Monitor token usage and costs via OpenTelemetry.

  3. Organization phase (100+ developers) Lock down with allowManagedHooksOnly and comprehensive deny rules. Set up automated onboarding that includes Claude Code configuration. Establish cost alerts and per-team budgets.

With OpenTelemetry enabled, you can track:

  • Session count per developer, per team
  • Token usage and cost per developer
  • Tool usage patterns — which tools are used most, which are denied
  • Lines of code modified by Claude per session

Claude Code runs commands in a sandbox by default. For enterprise deployments, configure the sandbox to match your security requirements:

```json
{
  "sandbox": {
    "allowNetworkAccess": false,
    "additionalDirectories": ["/opt/company-tools", "/shared/libs"]
  }
}
```

Managed settings not picked up: The files must be in the system-level directories, not user home directories. On macOS, it is /Library/Application Support/ClaudeCode/, not ~/Library/Application Support/ClaudeCode/. Admin privileges are required.

Developers circumvent deny rules: The allowManagedPermissionRulesOnly setting prevents user and project settings from adding their own allow rules. Without this, a developer could add "allow": ["Bash(curl *)"] to their local settings.
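An added example, not part of the original page, that an admin can run to catch the two problems above: it reads managed-settings.json from the system path for the current platform (user-home copies are ignored), checks that it parses, and reports missing deny rules or lockdown flags left off. The REQUIRED_DENY baseline and the wording of the findings are this example's own.

```python
import json
import os
import platform
import sys

# System-level paths from the page; user-home copies are deliberately ignored.
MANAGED_PATHS = {
    "Darwin": "/Library/Application Support/ClaudeCode/managed-settings.json",
    "Linux": "/etc/claude-code/managed-settings.json",
    "Windows": r"C:\Program Files\ClaudeCode\managed-settings.json",
}
# Baseline deny rules this check expects (constructed from the page's example).
REQUIRED_DENY = {"Bash(curl *)", "Bash(wget *)", "Read(./.env)", "Read(./.env.*)"}


def audit_settings(settings: dict) -> list:
    """Return a list of findings for a parsed managed-settings document."""
    findings = []
    deny = set(settings.get("permissions", {}).get("deny", []))
    missing = REQUIRED_DENY - deny
    if missing:
        findings.append(f"missing deny rules: {sorted(missing)}")
    if settings.get("allowManagedHooksOnly") is not True:
        findings.append("allowManagedHooksOnly is not true: user/project hooks still run")
    if settings.get("allowManagedPermissionRulesOnly") is not True:
        findings.append("allowManagedPermissionRulesOnly is not true: "
                        "lower layers may add their own allow rules")
    return findings


def audit_file(path: str) -> list:
    """Audit the file at a system path; a missing or unparsable file is a finding."""
    if not path or not os.path.isfile(path):
        return [f"managed settings not found at {path!r} (system path, not ~)"]
    try:
        with open(path, encoding="utf-8") as fh:
            settings = json.load(fh)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON in {path}: {exc}"]
    return audit_settings(settings)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else MANAGED_PATHS.get(platform.system())
    problems = audit_file(target)
    print("\n".join(problems) if problems else f"{target}: OK")
    sys.exit(1 if problems else 0)
```

Run against the page's own sample file and it flags allowManagedPermissionRulesOnly being false, which is exactly the gap this troubleshooting entry describes.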

Company announcements not showing: Announcements are shown at startup. If developers keep long-running sessions, they will not see new announcements until they restart Claude Code.

Telemetry data not arriving: Check the OpenTelemetry endpoint configuration and network access from developer machines to the collector. Common issue: corporate firewalls blocking the gRPC port (4317).