Enterprise Deployment — Awareness Guide
You won’t configure most of this as an individual dev, but knowing the landscape matters when Claude Code meets a company. Each section links the relevant docs at https://code.claude.com/docs.
Provider Choices
Section titled “Provider Choices”| Route | Auth | Notes |
|---|---|---|
| Anthropic API / claude.ai | Subscription or Console key | All features, first to get new models |
| Amazon Bedrock | AWS IAM / OIDC | Data stays in AWS; models lag slightly (/en/amazon-bedrock) |
| Google Cloud Agent Platform (Vertex) | WIF / service accounts | GCP-native (/en/google-vertex-ai) |
| Microsoft Foundry | Deployment names | Azure route (/en/microsoft-foundry) |
| Claude apps gateway / LLM gateways | Corporate SSO | Self-hosted proxy: central auth, spend limits, logging (/en/gateways) |
Note: some features are Anthropic-API-only: advisor, artifacts, channels, voice dictation, Chrome, computer use. Check /en/feature-availability.
Centralized Control
Section titled “Centralized Control”Settings hierarchy (highest wins): server-managed (claude.ai admin console) / MDM-deployed managed settings file → CLI flags → local → project → user.
What admins typically enforce:
{ "availableModels": ["sonnet", "haiku"], "enforceAvailableModels": true, "sandbox": { "enabled": true, "failIfUnavailable": true, "allowUnsandboxedCommands": false }, "allowManagedHooksOnly": true, "channelsEnabled": false, "disableWorkflows": false}- Server-managed settings (
/en/server-managed-settings): delivered from the admin console with the account’s login — reaches cloud sessions too - Managed MCP (
/en/managed-mcp): allowlist which MCP servers the org can use - Permissions/hooks/plugins can all be pinned org-wide
Visibility & Compliance
Section titled “Visibility & Compliance”- Analytics dashboard (claude.ai/analytics): per-user activity, spend, lines accepted, Code Review usage
- OpenTelemetry (
/en/monitoring-usage): token/cost/latency metrics into your own Grafana/Datadog - Audit: artifact events, Compliance API endpoints for listing/deleting artifacts
- Zero Data Retention (
/en/zero-data-retention): available for qualifying orgs — but disables features that require server-side storage (e.g. Code Review, Fable 5, artifacts) - Network config (
/en/network-config): proxy/firewall allowlist requirements (api.anthropic.com, claude.ai, statsig, sentry,*.claudeusercontent.comfor artifacts)
Rollout Playbook (condensed from /en/admin-setup + champion kit)
Section titled “Rollout Playbook (condensed from /en/admin-setup + champion kit)”- Pilot (2–4 weeks): 5–10 volunteers, Bedrock/API decision made, sandbox + managed settings drafted
- Standardize: shared
CLAUDE.mdconventions, project.claude/settings.jsonin template repos, an internal plugin marketplace for skills/subagents - Automate: GitHub/GitLab CI integration, Code Review on key repos with REVIEW.md
- Scale: analytics review cadence, spend caps per service, champion network (docs ship a ready-made champion kit + comms kit)
Cost Governance
Section titled “Cost Governance”- Spend caps: admin console per-service limits (Code Review, usage credits)
availableModelsto keep expensive models deliberate- OTel per-user token metrics → chargeback dashboards
- Individual users: 41-cost-management.md
🧠 Quick Recall
Section titled “🧠 Quick Recall”- Trick: “Same tool + guardrails: managed settings win, analytics watch, gateways route.”
👨🏫 Teach It
Section titled “👨🏫 Teach It”- Show: the precedence chain ending at managed settings — users can’t override.
- They’ll trip on: assuming device-deployed settings reach cloud sessions — those need server-managed.
Learning path: ⬅ 55-troubleshooting.md · Index · ➡ 57-glossary.md
Written by Fenil Patel