Admin Control and Enterprise Plugin Management
Enterprise Claude Code deployments require control over which plugins developers can install. The allowedChannelPlugins setting governs Channels-based plugins; broader enterprise plugin management includes internal marketplaces, MDM distribution, and plugin security review processes.
Quick Reference
- →allowedChannelPlugins: org-level allow-list for Channels plugins (Telegram, Discord, etc.)
- →Placed in managed settings (highest precedence) — cannot be overridden by project or user settings
- →Internal plugin marketplace: claude plugin marketplace add <url> for org-internal plugins
- →MDM distribution: push plugins and settings.json via Mobile Device Management for fleet deployment
- →Plugin security review: evaluate tool access, MCP servers, hooks, and settings before enabling
- →Audit capability: claude plugin list across machines via MDM or fleet management tools
- →Signed plugin bundles for verified enterprise distribution
- →Cowork (enterprise) provides per-user provisioning and team plugin management
The Enterprise Control Layers
Claude Code's settings hierarchy gives enterprise admins multiple points of control. Managed settings (highest precedence) can lock specific settings that individual users and projects cannot override. This is the mechanism for enforcing plugin policies across a development fleet.
| Control mechanism | What it enforces | Precedence |
|---|---|---|
| Managed settings (MDM/policy) | Plugin allowlists, blocked channels, enforced hooks | Highest — cannot be overridden |
| Global user settings | Personal defaults and preferences | User-level |
| Project settings (.claude/settings.json) | Project-specific configuration | Project-level |
| Plugin default settings | Plugin-supplied baseline configuration | Lowest — always overridable |
For fleet-wide enforcement, place policies in managed settings distributed via MDM (Jamf, Intune, Munki, etc.) or via a managed settings.json deployed to a user-inaccessible path.