Claude Code Policy

The Agent Policies page lets you build, store, and deploy Claude Code managed settings — the organization-controlled configuration that governs what Claude Code can do on your developers' machines — directly inside the Willow dashboard. Unlike the public Policy Builder, policies created here are saved to your organization so you can revisit, edit, and re-deploy them at any time.

Find it under Monitor → Agent Policies (/monitor/policies).

Beta feature

Claude Code Policy is a beta feature. Enable it under Settings → Beta Features (ai-agent-policies). Until it's enabled, the Agent Policies page shows a prompt to turn it on.

Permissions

Action                              Required scope
View policies and export/install    monitor:read
Create, edit, or delete policies    monitor:manage

Users without monitor:manage see the policy list and can export, but the Create policy, Edit, and Delete controls are hidden.

The policies list

Each policy is shown as a card with:

  • Name and a badge showing when it was last updated.
  • Deny rules — a summary of the policy's permissions.deny rules. Recognized rule sets are shown as labeled chips (with a count when only partially matched); any remaining rules are grouped as "custom rules". Expand Show all rules to see the full list.
  • Deploy — an Export & install button (see Export & install below).
  • Edit and Delete controls (with monitor:manage).

A counter at the top shows how many policies you've used out of the limit.

Policy limit

Each organization can store up to 3 Claude Code policies. When you reach the limit, Create policy is disabled until you delete one.

Create a policy

  1. Click Create policy to open the create screen.
  2. Give the policy a name (up to 64 characters) — for example, Engineering — Standard.
  3. The template picker opens automatically. Pick a baseline starting point and tune the optional add-ons, then click Use this policy. This works exactly like the public builder — see Choose a template for the full list of baselines and add-ons.
  4. Refine the result in the Form or JSON editor (see Edit your policy). Use Change template to reopen the picker and start from a different baseline.
  5. Click Create & customize. The policy is saved and you're taken to the edit screen.

Managed MCP servers are filled in for you

When you choose the Small business or Enterprise baseline (or any template that restricts MCP servers), Willow automatically populates the allowed-server list with your organization's managed gateway URLs — so Claude Code can still reach the MCP servers you publish through Willow while blocking everything else.

A policy must have a name, a chosen baseline, and valid JSON before it can be created.

Edit a policy

Open a policy from the list with Edit. The edit screen mirrors the create screen:

  • Change the name at the top.
  • Edit settings in the Form and JSON tabs — they stay in sync, and the JSON is validated live against the official Claude Code settings schema.
  • Reset to defaults replaces the current settings with Willow's recommended baseline for your organization (including your managed MCP gateway URLs).
  • Click Save policy to persist your changes. The button stays disabled until the JSON is valid, the name is non-empty, and there are unsaved changes.

Export & install

Click Export & install on any policy card to open the deployment dialog. It offers the same three deployment paths as the public builder, generated server-side for the stored policy:

  • MDM — download a per-OS profile (.mobileconfig for macOS, .reg for Windows, managed-settings.json for Linux) and push it through your device-management tooling.
  • Claude managed settings — copy or download the raw managed-settings.json to manage in source control or paste into an existing managed-settings file.
  • Install for me — download settings.json for a manual, per-machine install when trying a policy out on your own device.

For the full deployment steps, file locations, and cleanup guidance, see Export & deploy.

Deleting a policy doesn't unprovision machines

Deleting a policy in Willow only removes it from your organization. Machines that already received the policy keep their managed settings until you push a new profile (or remove the existing one) through your MDM. Deletion can't be undone.
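
Because machines keep whatever managed settings they last received, it helps to compare what is on a device with the policy you exported. The sketch below is an added example, not Willow's or Claude Code's own code: it compares the permissions.deny rules of an exported managed-settings.json with those found on a machine. The rule strings and both sample documents are constructed, and loading the real file from the location given in Export & deploy is left to the caller.

```python
import json

# Constructed sample: the policy as exported from the dashboard.
EXPORTED = json.loads("""
{"permissions": {"deny": ["Read(./.env)", "Read(./secrets/**)", "Bash(curl:*)"]}}
""")

# Constructed sample: settings left on a machine by an older profile push.
ON_DISK = json.loads("""
{"permissions": {"deny": ["Read(./.env)", "WebFetch"], "allow": ["Bash(curl:*)"]}}
""")


def rules(settings, kind):
    """Return permissions.<kind> as a set, tolerating missing keys."""
    perms = (settings or {}).get("permissions") or {}
    value = perms.get(kind) or []
    if not isinstance(value, list):
        raise ValueError(f"permissions.{kind} must be a list")
    return set(value)


def audit(exported, on_disk):
    """Compare a machine's managed settings (None if absent) with the policy."""
    want, have = rules(exported, "deny"), rules(on_disk, "deny")
    missing = want - have
    report = {
        # Deny rules in the policy that this machine does not enforce.
        "missing_deny": sorted(missing),
        # Deny rules on the machine that the policy no longer contains.
        "stale_deny": sorted(have - want),
        # Missing deny rules that the machine explicitly allows instead.
        "allowed_instead": sorted(missing & rules(on_disk, "allow")),
    }
    if on_disk is None:
        report["status"] = "not_provisioned"
    elif missing:
        report["status"] = "weaker_than_policy"
    elif report["stale_deny"]:
        report["status"] = "stale_rules"
    else:
        report["status"] = "in_sync"
    return report


if __name__ == "__main__":
    print(json.dumps(audit(EXPORTED, ON_DISK), indent=2))
```

A "stale_rules" or "weaker_than_policy" result on a machine whose policy was deleted or replaced in the dashboard means the MDM profile still needs to be re-pushed or removed.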