Claude Code for Enterprise: Managed Settings, Admin Policy & Headless CI (India)
Govern Claude Code fleet-wide — managed settings via admin console/MDM/on-disk JSON, deny rules, version pinning, spend caps, Compliance API, headless CI
If you run Claude Code across more than a handful of developers in an Indian IT organisation, the question stops being "how do I use it" and becomes "how do I govern it." The answer is managed settings — an organisation-controlled configuration layer that sits above every local developer config, is pushed centrally, and cannot be overridden by the person at the keyboard. This guide is the platform-engineering and CISO view: how to lock down tools and MCP servers, pin versions, cap spend, audit usage, and run governed automation in CI through headless mode.
It assumes you already understand Claude Code as a developer tool. For the people-and-process side of a rollout, pair this with our AI Center of Excellence guide and, for the regulatory layer, the RBI/SEBI/IRDAI compliance playbook.
What You'll Learn
- The managed-settings precedence model and exact on-disk paths per OS
- What managed settings can lock down — tools, slash commands, MCP servers, network destinations
- Version pinning and unattended-reliability controls (fallback models, self-healing retry)
- The April-2026 admin wave: groups, spend caps, managed policies, the Compliance API
- Headless mode (--print) as the foundation for CI/CD and overnight batches
- Usage analytics for an AI Center of Excellence
- The India angle: DPDP, RBI/SEBI/IRDAI, data residency, and distributing org-standard Skills
Managed Settings: The Enterprise Control Plane
Claude Code resolves configuration through a strict precedence hierarchy. Managed settings sit at the very top — above command-line flags, project settings, and user settings — and cannot be overridden. This is the single most important fact for a platform team: anything you express as a managed setting is binding on the entire fleet.
There are three delivery mechanisms, and only one managed source is active at a time (sources do not silently merge across tiers):
- Server-managed settings — pushed from the Claude.ai admin console. This is the lowest-friction path: no file to ship, no MDM profile to author. Clients receive the settings when users authenticate with org credentials. Settings are read at startup and refreshed on an hourly polling cycle, so a console change reaches your developers on their next startup or within the next hourly poll window — no restart required. (Server-managed settings require recent CLI versions — roughly 2.1.30+ for Enterprise, 2.1.38+ for Teams.)
- MDM / OS-level policy — native device management. On macOS this is the com.anthropic.claudecode managed-preferences domain (a plist whose top-level keys mirror managed-settings.json), deployable via Jamf, Kandji, or similar. On Windows it is the HKLM\SOFTWARE\Policies\ClaudeCode registry policy.
- On-disk managed-settings.json — a JSON file placed at a system path by your config-management tooling (Ansible, Puppet, an image bake).
Exact On-Disk Paths
| OS | Path |
|---|---|
| macOS | /Library/Application Support/ClaudeCode/managed-settings.json |
| Linux / WSL | /etc/claude-code/managed-settings.json |
| Windows | C:\Program Files\ClaudeCode\managed-settings.json |
All platforms also support a managed-settings.d/ drop-in directory in the same system folder: managed-settings.json is the base, then *.json files are merged in alphabetical order — so you can split policy into 10-telemetry.json, 20-security.json, 30-mcp.json and manage each independently in version control.
Indian-fleet note. Most Indian IT services and product firms run a mixed estate — Mac laptops for senior engineers, Windows for the broader org, and Linux CI runners. The cleanest pattern is: server-managed settings as the org-wide baseline (one console, no per-device file), and on-disk managed-settings.json baked into your Linux CI runner image so headless automation inherits the same policy.
What Managed Settings Can Lock Down
Managed settings are not just key-value toggles — they are an allow/deny policy engine over the agent's capabilities.
Tools and slash commands
Permission rules use the "ToolName(pattern)" form in allow, ask, and deny arrays. Deny rules support glob tool-name patterns, and "*" in a deny rule denies all tools (added in CLI 2.1.166, June 2026). A deny rule has the highest safety precedence — it cannot be overridden by a lower-scope allow or ask rule. Practical patterns:
```json
{
  "permissions": {
    "deny": [
      "Bash(curl *)",
      "Bash(wget *)",
      "Read(./.env)",
      "Read(./.env.*)",
      "Read(./secrets/**)"
    ],
    "allow": [
      "Bash(npm run lint)",
      "Bash(npm run test *)"
    ]
  },
  "allowManagedPermissionRulesOnly": true
}
```
Setting allowManagedPermissionRulesOnly to true blocks user and project allow/ask/deny rules entirely — only managed rules apply. This is the "default-deny, platform-team-owns-the-policy" posture. Slash-command and workflow restrictions are expressed through dedicated managed toggles (for example disableAutoMode blocks /auto).
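As an added illustration (not Claude Code's own resolver), the following Python models how these rules decide a single tool call: deny is checked first in every scope, tool names glob, and allowManagedPermissionRulesOnly discards user and project rules. The fnmatch-style matching of the tool name and argument, and the sample user-scope settings, are assumptions of this model.

```python
# Added example, not Claude Code's own resolver: model how managed permission
# rules decide a tool call. Rule form "ToolName(pattern)", deny precedence and the
# allowManagedPermissionRulesOnly lock-out come from the page; fnmatch-style
# globbing of the tool name and argument is this illustration's assumption.
import re
from fnmatch import fnmatchcase

RULE_RE = re.compile(r"^(?P<tool>[^(]+)(?:\((?P<pattern>.*)\))?$")

def parse_rule(rule):
    """'Bash(curl *)' -> ('Bash', 'curl *'); a bare 'Read' or '*' matches any argument."""
    match = RULE_RE.match(rule.strip())
    if not match:
        raise ValueError(f"malformed permission rule: {rule!r}")
    return match.group("tool"), match.group("pattern")

def rule_matches(rule, tool, arg):
    tool_pat, arg_pat = parse_rule(rule)
    if not fnmatchcase(tool, tool_pat):      # glob on the tool name; '*' hits every tool
        return False
    return arg_pat is None or fnmatchcase(arg, arg_pat)

def decide(managed, tool, arg, project=None, user=None):
    """Return 'deny', 'allow' or 'ask' for one call, e.g. decide(policy, 'Bash', 'curl x')."""
    scopes = [managed]
    if not managed.get("allowManagedPermissionRulesOnly", False):
        scopes += [s for s in (project, user) if s]   # lower scopes count only if permitted
    for scope in scopes:                             # deny is checked first, in every scope
        if any(rule_matches(r, tool, arg) for r in scope.get("permissions", {}).get("deny", [])):
            return "deny"
    for scope in scopes:
        if any(rule_matches(r, tool, arg) for r in scope.get("permissions", {}).get("allow", [])):
            return "allow"
    return "ask"   # unmatched calls (and 'ask' rules, not modelled here) prompt the user

# The policy from the page, constructed as a Python dict for this example.
MANAGED = {
    "permissions": {
        "deny": ["Bash(curl *)", "Bash(wget *)", "Read(./.env)", "Read(./.env.*)", "Read(./secrets/**)"],
        "allow": ["Bash(npm run lint)", "Bash(npm run test *)"],
    },
    "allowManagedPermissionRulesOnly": True,
}
# Constructed user-scope settings trying to re-enable curl: ignored under the lock-out,
# and still beaten by the managed deny even when lower scopes are honoured.
USER = {"permissions": {"allow": ["Bash(curl *)", "Bash(git status)"]}}

if __name__ == "__main__":
    for tool, arg in [("Bash", "curl https://example.com"), ("Bash", "git status"), ("Read", "./.env.local")]:
        print(f"{tool}({arg}) -> {decide(MANAGED, tool, arg, user=USER)}")
```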
MCP servers
MCP (Model Context Protocol) servers are how Claude Code reaches third-party systems — your issue tracker, your internal knowledge base, your cloud. Managed settings give you allowedMcpServers (an allowlist) and deniedMcpServers (a denylist that takes precedence), plus allowManagedMcpServersOnly to block any MCP server not on the managed allowlist. For a regulated Indian BFSI shop, this is the lever that stops a developer from wiring an unapproved MCP connector to customer data.
Network destinations
HTTP-hook restrictions (allowedHttpHookUrls, with * wildcard support, and httpHookAllowedEnvVars) constrain which endpoints hooks may reach and which environment variables they may interpolate. An empty allowedHttpHookUrls array blocks all HTTP hooks; leaving it undefined imposes no restriction — so be deliberate.
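The drop-in merge described under Exact On-Disk Paths and the empty-versus-undefined allowedHttpHookUrls rule above, as one added Python example (not Claude Code's own code). Its deep-merge semantics (nested objects recurse, later files replace other values) and the sample file contents are assumptions, constructed here.

```python
# Added example, not Claude Code's own code: rebuild the effective managed policy
# from managed-settings.json plus the managed-settings.d/ drop-ins, then check the
# HTTP-hook allowlist. Assumption: later files deep-merge over earlier ones
# (nested objects recurse, any other value is replaced by the later file).
import json
import tempfile
from fnmatch import fnmatchcase
from pathlib import Path

def deep_merge(base, overlay):
    out = dict(base)
    for key, val in overlay.items():
        if isinstance(out.get(key), dict) and isinstance(val, dict):
            out[key] = deep_merge(out[key], val)
        else:
            out[key] = val
    return out

def effective_policy(system_dir):
    """Base file first, then *.json drop-ins in alphabetical order (10-, 20-, 30-...)."""
    system_dir = Path(system_dir)
    base = system_dir / "managed-settings.json"
    policy = json.loads(base.read_text()) if base.exists() else {}
    for drop_in in sorted((system_dir / "managed-settings.d").glob("*.json")):
        policy = deep_merge(policy, json.loads(drop_in.read_text()))
    return policy

def hook_url_allowed(policy, url):
    """Undefined key: no restriction. Empty list: every hook blocked. '*' is a wildcard."""
    if "allowedHttpHookUrls" not in policy:
        return True
    return any(fnmatchcase(url, pat) for pat in policy["allowedHttpHookUrls"])

def build_sample_tree():
    """Constructed sample: one policy split across the base file and three drop-ins."""
    root = Path(tempfile.mkdtemp())
    (root / "managed-settings.d").mkdir()
    files = {
        "managed-settings.json": {"permissions": {"deny": ["Bash(curl *)"]}},
        "managed-settings.d/10-telemetry.json": {"allowedHttpHookUrls": ["https://hooks.example.internal/*"]},
        "managed-settings.d/20-security.json": {"permissions": {"allow": ["Bash(npm run lint)"]},
                                                "allowManagedPermissionRulesOnly": True},
        "managed-settings.d/30-mcp.json": {"allowManagedMcpServersOnly": True},
    }
    for name, body in files.items():
        (root / name).write_text(json.dumps(body))
    return root
```

Run `effective_policy(build_sample_tree())` to see the merged result; pointing `effective_policy` at the real system folder from the paths table gives the policy a runner image will actually enforce.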
Version Pinning and Unattended Reliability
Two newer controls matter specifically when you run Claude Code at scale or unattended.
Version pinning. requiredMinimumVersion and requiredMaximumVersion are managed-only settings that refuse to start Claude Code if its version is outside the allowed range, directing the user to an org-approved version (added in CLI 2.1.163, June 2026). Recovery commands (claude update, claude install, claude doctor) still work outside the range so a stuck machine can self-heal. For a CoE that has validated a specific version against its security and compliance checks, this turns "please update" emails into enforced policy.
Unattended reliability. fallbackModel lets you configure up to three fallback models tried in order when the primary model is overloaded or unavailable, and Claude Code retries a turn once on the fallback model when the API returns an unexpected non-retryable error (both in CLI 2.1.166, June 2026; auth, rate-limit, request-size, and transport errors still surface immediately rather than being silently retried). For an overnight migration batch running on a CI runner in your Pune or Bengaluru data centre at 2 a.m., this single retry is the difference between a completed run and a half-finished one nobody notices until standup.
The April 2026 Admin Wave
Anthropic shipped a significant set of enterprise admin capabilities in April 2026. The headline items:
- User groups with custom roles. Organise users into groups (created manually or synced from your IdP via SCIM) and assign each group a custom role defining which capabilities it can access.
- Per-group spend limits. Configure predictable per-team budget ceilings in the admin console — the practical control for capping AI cost by cost-centre.
- Managed Claude Code policies in the admin console — the server-managed-settings path described above.
- Enterprise Compliance API — real-time usage and content access for audit, DLP, and e-discovery.
Separately — and this is a hard deadline that already passed — the Desktop-app admin toggles for bypass and auto permission modes were retired. Unless an organisation had already disabled those modes, they remained available by default, and admins who wanted them disabled had to set the matching managed policy (for example permissions.disableBypassPermissionsMode) by 5 June 2026. After that, Claude Code Desktop reads the same managed admin policy as the CLI and IDE, using the same precedence rules. If you manage a fleet and have not yet audited this, do it now: a still-enabled bypass mode means agents can run tool calls — including writes to protected paths — without prompts.
Headless Mode: The Foundation for Governed Automation
Interactive Claude Code is for a human at a terminal. Headless mode is for everything else. Invoke it with --print (short form -p): there is no interactive UI, a prompt goes in, the result comes out on stdout, and the process exits. That single-shot, pipe-friendly shape is what makes Claude Code usable in CI/CD, parallel agent fan-out, and overnight batch jobs.
```bash
# Single-shot headless run, suitable for a CI step
claude -p "Review the staged diff for security issues and print findings as JSON" \
  --output-format json
```
The power for an enterprise comes from combining headless mode with managed settings and hooks. The headless process inherits the same managed policy as interactive use — the same deny rules, the same MCP allowlist, the same version pin — so a CI-triggered agent is no less governed than a developer at a laptop. A realistic Indian-IT-team pattern:
- CI code-review gate — a GitHub Actions / GitLab CI step runs claude -p against the diff, with managed settings baked into the runner image so the agent can read the repo and run lint/test but is denied curl/wget and any unapproved MCP server.
- Overnight migration batch — a scheduled job fans out parallel headless agents across modules, with fallbackModel configured so a midnight model overload doesn't kill the run.
- Doc and changelog generation — a post-merge headless run produces release notes, governed by the same policy.
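An added Python example of the CI code-review gate (not the project's own code), wrapping the headless invocation shown above. It assumes the JSON envelope printed by `--output-format json` carries the model's text in a result field and an is_error flag, and it uses a constructed stand-in runner so the logic runs offline.

```python
# Added example, not Claude Code's own code: a fail-closed CI gate around a
# headless run. Assumptions: `claude -p ... --output-format json` prints one JSON
# object with "result" (the model's text, here the findings JSON the prompt asks
# for) and "is_error"; the runner image already carries managed-settings.json.
import json
import subprocess
import sys

PROMPT = ("Review the staged diff for security issues and print findings as a JSON "
          "array of objects with 'severity' and 'title'. Print only JSON.")

def run_claude_headless(prompt, runner=subprocess.run):
    """Single-shot headless invocation; `runner` is injectable so tests need no model."""
    cmd = ["claude", "-p", prompt, "--output-format", "json"]
    proc = runner(cmd, capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)

def gate(envelope, block_on=("high", "critical")):
    """Return (exit_code, findings); a non-zero code fails the pipeline stage."""
    if envelope.get("is_error"):
        return 2, []          # a failed run must not pass silently as 'no findings'
    try:
        findings = json.loads(envelope["result"])
    except (KeyError, ValueError):
        return 2, []          # unparseable output is a gate failure, not a pass
    blocking = [f for f in findings if str(f.get("severity", "")).lower() in block_on]
    return (1 if blocking else 0), findings

def fake_runner(cmd, **kwargs):
    """Constructed stand-in for the CLI: returns a canned envelope for offline tests."""
    findings = [{"severity": "high", "title": "Hard-coded credential in config loader"},
                {"severity": "low", "title": "Missing timeout on outbound request"}]
    envelope = {"type": "result", "is_error": False, "result": json.dumps(findings)}
    return subprocess.CompletedProcess(cmd, 0, stdout=json.dumps(envelope), stderr="")

if __name__ == "__main__":
    # In CI, drop the runner argument so the real CLI runs under the managed policy.
    code, found = gate(run_claude_headless(PROMPT, runner=fake_runner))
    for finding in found:
        print(f"[{finding['severity']}] {finding['title']}")
    sys.exit(code)
```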
Usage Analytics for a Center of Excellence
A CoE needs signal, not vibes. The admin surface exposes usage analytics — including metrics such as lines of code accepted and acceptance rate — that let you measure adoption and impact per team. Combined with the Compliance API's real-time usage access, you can answer the questions a CFO and a CISO actually ask: which teams are getting value, what is the cost per accepted change, and is anything anomalous happening that DLP should see. Feed these into the ROI model in our AI ROI measurement guide.
Default Model Context
As of June 2026, Claude Code defaults to Opus 4.8 (model ID claude-opus-4-8) running at high effort. Effort is tunable via /effort with levels low, medium, high, xhigh, and max (max is Opus-tier only; xhigh is the recommended setting for most coding and agentic work and is the default in Claude Code). Note that there is no "Fast Mode" variant for Opus 4.8 — Fast Mode existed as a separate Opus 4.6 variant; if a managed policy or workflow references a -fast model string, verify it against your current model catalogue rather than assuming a 4.8 equivalent. Always confirm current model IDs and effort behaviour against live documentation before pinning them in policy, because these move faster than any guide.
The India Angle: DPDP, BFSI Regulators, and CoE Rollout
For an Indian enterprise, managed settings are where AI governance stops being a slide deck and becomes enforced behaviour.
DPDP Act 2023. India's Digital Personal Data Protection Act puts accountability on the data fiduciary. Managed settings let you enforce data-handling guardrails as policy, not guidance — deny tools and MCP servers that could move personal data to unapproved destinations, restrict network egress, and keep an auditable, centrally-controlled configuration. The Compliance API gives you the real-time content-access trail that an accountability regime expects. See our AI security and data residency guide for the broader DPDP picture.
RBI / SEBI / IRDAI. BFSI firms layer sectoral audit and IT-governance rules on top of DPDP. A banking copilot or a broker's research assistant built on Claude Code needs deny rules that keep customer data inside approved boundaries, an MCP allowlist that maps to vetted internal systems, version pinning to a regulator-defensible release, and the Compliance API as the audit feed. This is the operational complement to the RBI/SEBI/IRDAI compliance playbook.
Data residency. Where data residency matters, pair managed settings (which constrain what the agent can reach) with your provider/region choices and DLP — managed settings govern the client; residency is enforced at the model-access and network layer. Combine both.
Distributing org-standard Skills and plugins as a CoE rollout. The most underused lever: managed settings let a Center of Excellence push a consistent baseline to every developer — the same approved MCP servers, the same permission policy, the same version range, and the org's curated Skills and plugins. Instead of each team reinventing its setup, the CoE ships one governed configuration, every new joiner inherits it on day one, and updates propagate within the hourly poll window. That is how a 2,000-engineer Indian IT services firm turns Claude Code from a per-developer experiment into a standardised, auditable platform capability. For the team structure that owns this, see the AI Center of Excellence guide.
Putting It Together: A 5-Step Rollout Checklist
- Decide your delivery mechanism — server-managed (admin console) as the org baseline; on-disk managed-settings.json baked into CI runner images for headless governance.
- Author a default-deny policy — allowManagedPermissionRulesOnly: true, an explicit MCP allowlist, deny curl/wget and secret paths, and HTTP-hook restrictions.
- Pin a validated version range — set requiredMinimumVersion/requiredMaximumVersion to your CoE-approved release, and configure fallbackModel for unattended reliability.
- Wire governance — create user groups with custom roles, set per-group spend caps, and connect the Compliance API to your SIEM/DLP.
- Roll out via the CoE — distribute org-standard Skills and plugins through managed settings, document the policy, and measure adoption with usage analytics.
Managed settings turn Claude Code from a tool individuals adopt into infrastructure a platform team operates — which is exactly the shift an Indian IT organisation needs to use AI coding at scale, under DPDP and sectoral regulators, without losing control of what every agent can touch.