Claude Code
Claude Code emits OpenTelemetry logs, metrics, and (beta) traces for every session, tool call, and model request. Arrakis recommends MDM-managed settings so policy is fail-closed and survives user-shell changes — environment variables set in a developer’s ~/.zshrc cannot weaken or remove an MDM-managed value. The OTLP endpoint, header secret, and egress allowlist values come from the Arrakis console — see OTel Collector & Arrakis Endpoint.
When to use this
Use this page if your fleet runs Claude Code on developer endpoints. Covers Anthropic Enterprise and the Bedrock variant. Customers who use Claude Cowork desktop with the Claude Code footprint also use this page.
3-step Quickstart
- In the Arrakis platform, paste your Anthropic Admin API key under Settings → Integrations → Anthropic.
- Download the tenant-specific Claude Code MDM payload from Settings → Integrations → Deployment → Claude Code.
- Import the payload into your MDM (Jamf, Intune, Iru, or other), scope to your developer fleet, and confirm
claude /doctorshows the managed-settings provenance.
Where tenant-specific values come from
Sign in to the Arrakis platform → Settings → Integrations → Deployment. The OTLP endpoint, header secret, vendor admin API keys, and per-tool MDM payload templates for your tenant live there.
Reference: full configuration walkthrough
Anthropic Console (Enterprise) walkthrough
Text-only walkthrough; UI labels match the Anthropic Console at the time of writing.
- Sign in to the Anthropic Console as an org admin.
- Settings → API Keys → Admin keys → Create new key. Name:
arrakis-admin-readonly. Scope: read. Store it in your secret manager and paste into Arrakis platform Settings → Integrations → Anthropic. - Settings → Authentication → enable SSO/SCIM (SAML or OIDC).
- Settings → Organization → enforce Claude Code login via the managed-settings keys
forceLoginMethod: "claudeai"andforceLoginOrgUUID: "<your-org-uuid>"so that developer machines cannot sign in to a personal account. - Settings → Announcements → optional
companyAnnouncementsfor rollout messaging shown at startup.
Live admin pages: docs.anthropic.com and code.claude.com/docs .
Anthropic over Bedrock variant
Customers running Claude Code against Amazon Bedrock have a different control plane: AWS IAM + CloudTrail + Bedrock Model Invocation Logging.
| Surface | Requirement |
|---|---|
| Model access | IAM policy granting bedrock:InvokeModel on the chosen Claude model IDs |
| Audit | CloudTrail enabled with read access for the Arrakis ingest role |
| Reasoning capture | Bedrock Model Invocation Logging enabled with S3 or CloudWatch destination |
Even on Bedrock, keep Claude Code OTel enabled — Bedrock invocation logs do not contain client-side prompt, tool, or session telemetry (no Bash command arguments, no MCP tool names, no hook events, no session resource attributes). The OTel exporter is the only source for those.
Deep-link: AWS Bedrock model invocation logging .
Managed settings file
Managed settings are JSON files read by Claude Code at startup. Per-OS paths:
| Platform | Single-file path | Drop-in directory |
|---|---|---|
| macOS | /Library/Application Support/ClaudeCode/managed-settings.json | /Library/Application Support/ClaudeCode/managed-settings.d/ |
| Windows | C:\Program Files\ClaudeCode\managed-settings.json | C:\Program Files\ClaudeCode\managed-settings.d\ |
| Windows (legacy, deprecated v2.1.75+) | C:\ProgramData\ClaudeCode\managed-settings.json | — |
| Linux / WSL | /etc/claude-code/managed-settings.json | /etc/claude-code/managed-settings.d/ |
Precedence
Settings precedence, high to low:
- Managed (MDM-delivered)
- CLI flags
- Local (
~/.claude/settings.local.json) - Project (
.claude/settings.json) - User (
~/.claude/settings.json)
permissions.allow and permissions.deny arrays merge across scopes — a managed deny cannot be removed by a project- or user-level setting.
Enforceable keys
| Key | Purpose |
|---|---|
env | Environment variables injected into every Claude Code session — used to enforce telemetry config |
permissions.allow / permissions.deny | Tool-call allowlist/denylist patterns (for example Read(./.env), Bash(rm:*)) |
apiKeyHelper | Path to a helper script that returns an Anthropic API key |
forceLoginMethod | Pin sign-in method (claudeai, console, etc.) |
forceLoginOrgUUID | Pin sign-in to a specific Anthropic org |
forceRemoteSettingsRefresh | Force re-fetch of remote settings on each launch |
allowedMcpServers / deniedMcpServers | MCP server allow/deny |
claudeMd | Centrally injected CLAUDE.md content |
companyAnnouncements | Startup banner text |
minimumVersion | Block launch if the installed Claude Code is below this version |
otelHeadersHelper | Path to a script that returns OTLP headers — used for short-lived workload-identity tokens |
Sample managed-settings.json shape
A managed-settings file typically contains an env block (with the OTel exporter variables CLAUDE_CODE_ENABLE_TELEMETRY, OTEL_METRICS_EXPORTER, OTEL_LOGS_EXPORTER, OTEL_EXPORTER_OTLP_PROTOCOL, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, and OTEL_RESOURCE_ATTRIBUTES), a permissions block (with allow/deny arrays), and the policy-pin keys (forceLoginMethod, forceLoginOrgUUID, forceRemoteSettingsRefresh, minimumVersion).
The exact JSON body — including the tenant OTLP endpoint hostname, bearer token, recommended
permissions.denypatterns, andforceLoginOrgUUID— is provisioned per-tenant in the Arrakis platform under Settings → Integrations → Deployment, or available from Arrakis support. Download the latest sample from the platform rather than hand-authoring it.
Drop-in directory
The managed-settings.d/ directory lets multiple owners ship config without overwriting each other. Files are read in alphabetical order and merged into the single-file managed-settings.json:
- Objects are deep-merged (later wins on key collision).
- Arrays are concatenated and de-duplicated (so
permissions.denyaccumulates). - Hidden files (leading dot) are ignored.
Arrakis ships its OTel configuration as a sortable-prefixed drop-in fragment with a tenant-specific name, so customer base policies stay untouched and Arrakis updates can be re-applied independently. The exact fragment file name is provisioned per-tenant; download the latest fragment from the Arrakis platform under Settings → Integrations → Deployment.
MDM payloads
Three delivery channels are commonly in use:
| OS | Channel | Storage |
|---|---|---|
| macOS | Managed preferences domain com.anthropic.claudecode (plist) | Read by Claude Code via defaults |
| Windows | HKLM\SOFTWARE\Policies\ClaudeCode (JSON value), via Group Policy or Intune | Read on launch |
| Linux / WSL | File at /etc/claude-code/managed-settings.json. WSL also supports wslInheritsWindowsSettings to read the Windows policy. | File-based |
Jamf Pro (macOS)
Use a Custom Configuration Profile targeting the Anthropic preference domain com.anthropic.claudecode. The profile carries an env dictionary with the OTel exporter variables and the policy-pin keys (forceLoginMethod, forceLoginOrgUUID).
For tighter file-based control, deploy the JSON managed-settings file via a Files & Processes payload to the managed-settings.d/ directory (see Managed settings file) instead of (or in addition to) the preferences-domain plist.
The exact plist body, the tenant OTLP endpoint, the bearer token value, and the drop-in fragment file name are provisioned per-tenant in the Arrakis platform under Settings → Integrations → Deployment, or available from Arrakis support.
Microsoft Intune (Windows)
Use a Settings catalog policy (or a script payload) to write a REG_SZ JSON value under HKLM\SOFTWARE\Policies\ClaudeCode. The JSON value contains the same env block and policy-pin keys as the macOS plist.
For macOS endpoints managed by Intune, deploy a Custom Configuration Profile (.mobileconfig) carrying the equivalent plist payload.
For WSL endpoints under the same Intune-managed Windows host, set wslInheritsWindowsSettings: true so Linux-side Claude Code reads the Windows registry policy instead of requiring a separate /etc/claude-code/ file.
The exact registry value contents (including the OTLP endpoint, bearer token, and
forceLoginOrgUUID) and the matching.mobileconfigbody are provisioned per-tenant in the Arrakis platform under Settings → Integrations → Deployment, or available from Arrakis support.
Iru (macOS)
Use a Custom Profile library item carrying the same payload as the Jamf plist. Mark the profile Continuously Enforced so a missing or modified file is re-applied on each Iru (formerly Kandji) check-in. For Windows endpoints managed via Iru EDR-style flows, use a Custom Script library item to set the registry value.
Generic mobileconfig (macOS) and JSON-registry (Windows)
For MDMs not listed above (Workspace ONE, Mosyle, Hexnode, etc.), use vendor-agnostic delivery:
- macOS — a
.mobileconfigwhose payload type is the Anthropiccom.anthropic.claudecodepreference domain. - Windows — a script payload (PowerShell or equivalent) that writes the JSON value under
HKLM\SOFTWARE\Policies\ClaudeCode.
The complete
.mobileconfigbody and the PowerShell registry-write script (including the tenant OTLP endpoint, bearer token, andforceLoginOrgUUID) are provisioned per-tenant in the Arrakis platform under Settings → Integrations → Deployment, or available from Arrakis support.
Egress verification
Cross-link to OTel Collector & Arrakis Endpoint → Verifying connectivity for the TCP/TLS, synthetic OTLP, and failure-mode probes shared across tools.
Claude-Code-specific debug commands:
| Command | What it shows |
|---|---|
claude --debug | Writes OTel exporter status to the debug log; look for OTel exporter started lines and any export errors |
/doctor (in-session) | Reports header-helper script status, exporter errors, and managed-settings provenance |
Content-control flags (privacy vs. fidelity)
Four content-control gates determine how much of the prompt, tool, and API surface is captured. All default to off.
| Env var | What it unlocks | Privacy implication |
|---|---|---|
OTEL_LOG_USER_PROMPTS=1 | Full user prompt text in user_prompt log events and in the claude_code.interaction span attribute | Highest-fidelity governance signal; ensure DLP scanning at ingest |
OTEL_LOG_TOOL_DETAILS=1 | Bash commands, file paths, MCP server/tool names, skill names, custom command names | Required to govern shell and MCP risk |
OTEL_LOG_TOOL_CONTENT=1 | Tool input/output bodies (truncated at 60 KB) — requires the traces beta | Highest detail; may capture file contents |
OTEL_LOG_RAW_API_BODIES=1 | Full Anthropic Messages API request/response JSON | Implies all of the above; use only when full reconstructibility is required |
Recommended Arrakis defaults: OTEL_LOG_USER_PROMPTS=1, OTEL_LOG_TOOL_DETAILS=1, OTEL_LOG_TOOL_CONTENT=0, OTEL_LOG_RAW_API_BODIES=0. Override per-org as governance and DLP review allow.
Distributed tracing (beta)
Set both:
CLAUDE_CODE_ENHANCED_TELEMETRY_BETA=1
OTEL_TRACES_EXPORTER=otlpSpan hierarchy emitted:
claude_code.interaction
├── claude_code.llm_request
├── claude_code.tool
└── claude_code.hookTraces reuse the same OTLP endpoint as logs and metrics — see OTel Collector & Arrakis Endpoint for endpoint configuration.
Resource attributes for multi-team
Use OTEL_RESOURCE_ATTRIBUTES to tag every emitted log, metric, and span with team, department, and cost-center metadata so the Arrakis platform can scope dashboards and alerts. Example shape:
OTEL_RESOURCE_ATTRIBUTES="department=<dept>,team.id=<team>,cost_center=<cc>"Format constraints:
- No spaces, no quotes, no commas inside values.
- Encode special characters as percent escapes (
%20for space) or substitute underscores. - The string is parsed as comma-separated
key=valuepairs by the OTel SDK.