Managed Settings (Fleet Rollout)
For enterprise deployments, the developer wrapper (cordumctl edge claude) is not a sufficient enforcement boundary. Fleet-wide rollout requires managed settings pushed by your MDM provider (e.g., Jamf, Intune) and enforced by signed/notarized binaries.
Cordum stays quiet until governance matters. Managed settings ensure that even if a developer bypasses the wrapper, their agent actions remain governed by your organization's policy.
The Managed Boundary
Managed settings move the configuration authority from the developer's environment to the organization's administration:
- Immutable Configuration: Settings are stored in a root-owned directory (e.g.,
/etc/claude-code/managed-settings.json). - Forced Policy Mode: The
CORDUM_EDGE_MANAGED_POLICY_MODEpins the enforcement level (e.g.,enterprise-strict) regardless of local user flags. - Endpoint Controls: Restricts the agent to specific Gateway URLs and LLM proxies.
- Binary Integrity: Ensures that only trusted, signed versions of
cordum-hookandcordum-agentdcan execute.
CLI Workflow: managed-settings
The cordumctl edge managed-settings subcommand is used by operators and MDM scripts to manage these payloads.
1. Exporting Payloads
Use export to generate the JSON files for your MDM.
cordumctl edge managed-settings export \
--output ./payload/ \
--gateway-url https://gateway.cordum.example \
--mcp-gateway-url https://mcp.cordum.example/mcp \
--llm-proxy-base-url https://llm-proxy.cordum.example
This renders managed-settings.json and managed-mcp.json. It refuses to overwrite existing files without --force and rejects any flag values that look like secrets.
2. Verifying Compliance
Use verify to check if a deployed machine is in compliance.
cordumctl edge managed-settings verify \
--path /etc/claude-code/managed-settings.json
It returns exit code 0 on success and 1 if drift is detected. Use --json for machine-readable drift details.
3. Rollback (Testing Only)
:::danger Rollback Template Warning
The rollback-template command is for synthetic test fixtures only. Do not use it for production rollbacks. Production rollback of managed settings should always be orchestrated by your MDM provider.
:::
Deployment Checklist
- Signed Binaries: Deploy
cordum-hookandcordum-agentdto a read-only path (e.g.,/opt/cordum/bin). - Managed Directory: Create
/etc/claude-code/with restricted permissions. - Payload Push: Use your MDM to push the
managed-settings.jsonexported in Step 1. - Verification: Run
cordumctl edge doctorormanaged-settings verifyas part of your post-install or periodic audit.
Related
- Architecture — the enforcement layers and trust boundaries.
- CLI Reference — subcommand details.
- Configuration — managed policy environment variables.